On Mon, Oct 16, 2023 at 07:46:10PM +0000, Klemens Nanni wrote: > On Mon, Sep 04, 2023 at 09:57:40PM +0000, Klemens Nanni wrote: > > Extend the yes/no question to no/passphrase/keydisk and have users pick an > > existing, preformated RAID partition; no support (yet) for creating one. > > > > Thanks to how ask_which() works, users can always say 'done' to land back > > at question to either skip crypto or use a passphrase instead. > > > > All code remains contained behind interactive non-default installations. > > Code is straight forward, I've not been able to break it; rest unchanged. > > > > Example install with root disk sd0 and ready-to-use key disk sd1: > > > > Available disks are: sd0 sd1. > > Which disk is the root disk? ('?' for details) [sd0] > > Encrypt the root disk with a (p)assphrase or (k)eydisk? [no] k > > Available disks are: sd1. > > Which disk contains the key disk? (or 'done') [sd1] > > Available sd1 partitions are: a. > > Which sd1 partition is the key disk? (or 'done') [a] > > > > Configuring the crypto chunk sd0... > > > > No valid MBR or GPT. > > Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] > > Setting OpenBSD MBR partition to whole sd0...done. > > sd2 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> > > sd2: 1023MB, 512 bytes/sector, 2096560 sectors > > > > Configuring the root disk sd2... > > > > No valid MBR or GPT. > > Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole] > > > > > > Feedback? OK?
This seems to work well for me and the implementation looks reasonable. I think we want to update INSTALL with some extra docs as well, likely pointing folks to how to create a keydisk. OK afresh1@ > > Ping. > > Index: install.sub > =================================================================== > RCS file: /cvs/src/distrib/miniroot/install.sub,v > retrieving revision 1.1255 > diff -u -p -r1.1255 install.sub > --- install.sub 21 Aug 2023 14:33:55 -0000 1.1255 > +++ install.sub 16 Oct 2023 19:36:55 -0000 > @@ -3074,8 +3074,32 @@ do_autoinstall() { > exec reboot > } > > +# Chose an existing partition as key disk and set global $KEYDISK on success, > +# otherwise return non-zero. > +pick_keydisk() { > + KEYDISK= > + local _disk _label > + > + ask_which disk 'contains the key disk' '$(rmel $ROOTDISK $(get_dkdevs))' > + [[ $resp == done ]] && return 1 > + _disk=$resp > + > + make_dev $_disk > + if disklabel $_disk 2>/dev/null | ! grep -qw RAID; then > + echo "$_disk must contain a RAID partition." > + return 1 > + fi > + > + ask_which "$_disk partition" 'is the key disk' \ > + "\$(disklabel $_disk 2>/dev/null | > + sed -En 's/^ ([a-p]):.*RAID.*$/\1/p')" > + [[ $resp == done ]] && return 1 > + _label=$resp > + KEYDISK=$_disk$_label > +} > + > encrypt_root() { > - local _chunk=$ROOTDISK > + local _args _chunk=$ROOTDISK > > [[ $MDBOOTSR == y ]] || return > > @@ -3088,13 +3112,30 @@ encrypt_root() { > # e.g. auto-assembled at boot or done in (S)hell. > [[ -z $(get_softraid_volumes) ]] || return > > - ask_yn 'Encrypt the root disk with a passphrase?' || return > + while :; do > + ask 'Encrypt the root disk with a (p)assphrase or (k)eydisk?' no > + case $resp in > + # Retry on failure to allow passphrase or skip. > + [kK]*) > + pick_keydisk || continue > + _args=-k$KEYDISK > + break > + ;; > + # Do nothing, bioctl(8) will handle the passphrase. > + [pP]*) break > + ;; > + [nN]*) return > + ;; > + *) echo "'$resp' is not a valid choice." > + ;; > + esac > + done > > echo "\nConfiguring the crypto chunk $_chunk...\n" > md_prep_fdisk $_chunk > echo 'RAID *' | disklabel -w -A -T- $_chunk > > - bioctl -Cforce -cC -l${_chunk}a softraid0 >/dev/null > + bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null > > # No volumes existed before asking, but we just created one. > ROOTDISK=$(get_softraid_volumes) > -- andrew ($do || !$do) && undef($try) ; # Master of Perl, Yoda is. Hmmmm?