On Mon, Oct 16, 2023 at 07:46:10PM +0000, Klemens Nanni wrote:
> On Mon, Sep 04, 2023 at 09:57:40PM +0000, Klemens Nanni wrote:
> > Extend the yes/no question to no/passphrase/keydisk and have users pick an
> > existing, preformated RAID partition; no support (yet) for creating one.
> >
> > Thanks to how ask_which() works, users can always say 'done' to land back
> > at question to either skip crypto or use a passphrase instead.
> >
> > All code remains contained behind interactive non-default installations.
> > Code is straight forward, I've not been able to break it; rest unchanged.
> >
> > Example install with root disk sd0 and ready-to-use key disk sd1:
> >
> > Available disks are: sd0 sd1.
> > Which disk is the root disk? ('?' for details) [sd0]
> > Encrypt the root disk with a (p)assphrase or (k)eydisk? [no] k
> > Available disks are: sd1.
> > Which disk contains the key disk? (or 'done') [sd1]
> > Available sd1 partitions are: a.
> > Which sd1 partition is the key disk? (or 'done') [a]
> >
> > Configuring the crypto chunk sd0...
> >
> > No valid MBR or GPT.
> > Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]
> > Setting OpenBSD MBR partition to whole sd0...done.
> > sd2 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
> > sd2: 1023MB, 512 bytes/sector, 2096560 sectors
> >
> > Configuring the root disk sd2...
> >
> > No valid MBR or GPT.
> > Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]
> >
> >
> > Feedback? OK?
This seems to work well for me and the implementation looks reasonable.
I think we want to update INSTALL with some extra docs as well, likely
pointing folks to how to create a keydisk.
OK afresh1@
>
> Ping.
>
> Index: install.sub
> ===================================================================
> RCS file: /cvs/src/distrib/miniroot/install.sub,v
> retrieving revision 1.1255
> diff -u -p -r1.1255 install.sub
> --- install.sub 21 Aug 2023 14:33:55 -0000 1.1255
> +++ install.sub 16 Oct 2023 19:36:55 -0000
> @@ -3074,8 +3074,32 @@ do_autoinstall() {
> exec reboot
> }
>
> +# Chose an existing partition as key disk and set global $KEYDISK on success,
> +# otherwise return non-zero.
> +pick_keydisk() {
> + KEYDISK=
> + local _disk _label
> +
> + ask_which disk 'contains the key disk' '$(rmel $ROOTDISK $(get_dkdevs))'
> + [[ $resp == done ]] && return 1
> + _disk=$resp
> +
> + make_dev $_disk
> + if disklabel $_disk 2>/dev/null | ! grep -qw RAID; then
> + echo "$_disk must contain a RAID partition."
> + return 1
> + fi
> +
> + ask_which "$_disk partition" 'is the key disk' \
> + "\$(disklabel $_disk 2>/dev/null |
> + sed -En 's/^ ([a-p]):.*RAID.*$/\1/p')"
> + [[ $resp == done ]] && return 1
> + _label=$resp
> + KEYDISK=$_disk$_label
> +}
> +
> encrypt_root() {
> - local _chunk=$ROOTDISK
> + local _args _chunk=$ROOTDISK
>
> [[ $MDBOOTSR == y ]] || return
>
> @@ -3088,13 +3112,30 @@ encrypt_root() {
> # e.g. auto-assembled at boot or done in (S)hell.
> [[ -z $(get_softraid_volumes) ]] || return
>
> - ask_yn 'Encrypt the root disk with a passphrase?' || return
> + while :; do
> + ask 'Encrypt the root disk with a (p)assphrase or (k)eydisk?' no
> + case $resp in
> + # Retry on failure to allow passphrase or skip.
> + [kK]*)
> + pick_keydisk || continue
> + _args=-k$KEYDISK
> + break
> + ;;
> + # Do nothing, bioctl(8) will handle the passphrase.
> + [pP]*) break
> + ;;
> + [nN]*) return
> + ;;
> + *) echo "'$resp' is not a valid choice."
> + ;;
> + esac
> + done
>
> echo "\nConfiguring the crypto chunk $_chunk...\n"
> md_prep_fdisk $_chunk
> echo 'RAID *' | disklabel -w -A -T- $_chunk
>
> - bioctl -Cforce -cC -l${_chunk}a softraid0 >/dev/null
> + bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null
>
> # No volumes existed before asking, but we just created one.
> ROOTDISK=$(get_softraid_volumes)
>
--
andrew
($do || !$do) && undef($try) ; # Master of Perl, Yoda is. Hmmmm?
