diff options
author | Klemens Nanni <kn@cvs.openbsd.org> | 2023-10-19 02:39:07 +0000 |
---|---|---|
committer | Klemens Nanni <kn@cvs.openbsd.org> | 2023-10-19 02:39:07 +0000 |
commit | a5677d65048906f8f0cc245380310518bfdee449 (patch) | |
tree | aa2c96c27a3b0608bff2cc4f4a631295eb290cef /distrib/miniroot/install.sub | |
parent | 43ac8f9ad1774d40c23939209e0dd08a97378053 (diff) |
Support encrypting the root disk with a key disk
Extend the yes/no question to no/passphrase/keydisk and have users pick an
existing, preformated RAID partition; no support (yet) for creating one.
OK tb afresh1
Diffstat (limited to 'distrib/miniroot/install.sub')
-rw-r--r-- | distrib/miniroot/install.sub | 49 |
1 files changed, 45 insertions, 4 deletions
diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub index 73ff787e662..5994920de56 100644 --- a/distrib/miniroot/install.sub +++ b/distrib/miniroot/install.sub @@ -1,5 +1,5 @@ #!/bin/ksh -# $OpenBSD: install.sub,v 1.1255 2023/08/21 14:33:55 kn Exp $ +# $OpenBSD: install.sub,v 1.1256 2023/10/19 02:39:06 kn Exp $ # # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback # Copyright (c) 2015, Robert Peichaer <rpe@openbsd.org> @@ -3074,8 +3074,32 @@ do_autoinstall() { exec reboot } +# Chose an existing partition as key disk and set global $KEYDISK on success, +# otherwise return non-zero. +pick_keydisk() { + KEYDISK= + local _disk _label + + ask_which disk 'contains the key disk' '$(rmel $ROOTDISK $(get_dkdevs))' + [[ $resp == done ]] && return 1 + _disk=$resp + + make_dev $_disk + if disklabel $_disk 2>/dev/null | ! grep -qw RAID; then + echo "$_disk must contain a RAID partition." + return 1 + fi + + ask_which "$_disk partition" 'is the key disk' \ + "\$(disklabel $_disk 2>/dev/null | + sed -En 's/^ ([a-p]):.*RAID.*$/\1/p')" + [[ $resp == done ]] && return 1 + _label=$resp + KEYDISK=$_disk$_label +} + encrypt_root() { - local _chunk=$ROOTDISK + local _args _chunk=$ROOTDISK [[ $MDBOOTSR == y ]] || return @@ -3088,13 +3112,30 @@ encrypt_root() { # e.g. auto-assembled at boot or done in (S)hell. [[ -z $(get_softraid_volumes) ]] || return - ask_yn 'Encrypt the root disk with a passphrase?' || return + while :; do + ask 'Encrypt the root disk with a (p)assphrase or (k)eydisk?' no + case $resp in + # Retry on failure to allow passphrase or skip. + [kK]*) + pick_keydisk || continue + _args=-k$KEYDISK + break + ;; + # Do nothing, bioctl(8) will handle the passphrase. + [pP]*) break + ;; + [nN]*) return + ;; + *) echo "'$resp' is not a valid choice." + ;; + esac + done echo "\nConfiguring the crypto chunk $_chunk...\n" md_prep_fdisk $_chunk echo 'RAID *' | disklabel -w -A -T- $_chunk - bioctl -Cforce -cC -l${_chunk}a softraid0 >/dev/null + bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null # No volumes existed before asking, but we just created one. ROOTDISK=$(get_softraid_volumes) |