From ffea1c3a08c0a59cf461f460ad974c12812054f4 Mon Sep 17 00:00:00 2001 From: kn Date: Sun, 11 Feb 2024 21:56:10 +0000 Subject: [PATCH] Enable disk encryption in unattended installations Interactively keeps using bioctl(8)'s own prompt, in unattended mode ask_passphrase() ensures non-empty responses or fails. Unlike user passwords, autoinstall(8) only supports plaintext passphrases: Encrypt the root disk with a (p)assphrase or (k)eydisk = passphrase New passphrase = secret Make sure to trust the install network or use a pre-configured key disk: Encrypt the root disk with a (p)assphrase or (k)eydisk = keydisk Which disk contains the key disk = sd2 Which sd2 partition is the key disk = a initial diff from Chris Narkiewicz OK afresh1 Feedback sthen
---
 distrib/miniroot/install.sub | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub
index 81c8c258f94..c15feb93c3e 100644
--- a/distrib/miniroot/install.sub
+++ b/distrib/miniroot/install.sub
@@ -1,5 +1,5 @@
 #!/bin/ksh
-# $OpenBSD: install.sub,v 1.1258 2024/01/26 16:35:58 sthen Exp $
+# $OpenBSD: install.sub,v 1.1259 2024/02/11 21:56:10 kn Exp $
 #
 # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback
 # Copyright (c) 2015, Robert Peichaer
@@ -917,7 +917,7 @@ ask_password() {
 }
 # Ask for a passphrase once showing prompt $1. Ensure input is not empty
-# save it in $_passphrase.
+# and save it in $_passphrase.
 ask_passphrase() {
 local _q=$1
@@ -3106,9 +3106,6 @@ encrypt_root() {
 [[ $MDBOOTSR == y ]] || return
- # The interactive bioctl(8) passphrase prompt requires a TTY.
- $AI && return
-
 [[ -x /sbin/bioctl ]] || return
 # Do not even try if softraid is in use already,
@@ -3124,8 +3121,12 @@ encrypt_root() {
 _args=-k$KEYDISK
 break
 ;;
- # Do nothing, bioctl(8) will handle the passphrase.
- [pP]*) break
+ [pP]*) $AI || break
+ ask_passphrase 'New passphrase?'
+ PASSFILE=/tmp/i/passfile
+ (umask 077 && print -r -- "$_passphrase" >$PASSFILE)
+ _args=-p$PASSFILE
+ break
 ;;
 [nN]*) return
 ;;
@@ -3139,6 +3140,7 @@ encrypt_root() {
 echo 'RAID *' | disklabel -w -A -T- $_chunk
 bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null
+ rm -fP $PASSFILE
 # No volumes existed before asking, but we just created one.
 ROOTDISK=$(get_softraid_volumes)
-- 
2.20.1
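Review bot: In the `[pP]*)` branch the passphrase is written to the fixed path `/tmp/i/passfile` with a plain `>` redirection, so the `umask 077` subshell only decides the mode when the file is newly created; a file already at that path keeps its existing owner and mode, and a symlink there would be followed. On the install ramdisk this is probably benign, but removing any stale file first makes the owner-only guarantee unconditional: `rm -f -- "$PASSFILE"` ahead of the `print`, with the target quoted as `>"$PASSFILE"`. The write is also unchecked, so a failed `print` still leaves `_args=-p$PASSFILE` pointing at a missing or empty file. PASSFILE is assigned with no `local` visible here; encrypt_root's declarations are outside the hunk, so confirm it is scoped there.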
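Review bot: `rm -fP $PASSFILE` runs on every path that reaches bioctl, including the keydisk and interactive branches where this patch never sets PASSFILE, and the expansion is unquoted. Tying the cleanup to the branch that created the file reads more clearly: `[[ -n $PASSFILE ]] && rm -fP -- "$PASSFILE"`. The plaintext also remains in `$_passphrase` after bioctl has consumed the file; if nothing later reads it (not visible in this hunk), an `unset _passphrase` beside the rm would shorten how long the secret stays in the installer's shell. A short comment such as `# passfile holds the plaintext passphrase; remove it whether or not bioctl succeeded` would record why the rm is unconditional on bioctl's exit status.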