etienne.m...@magickarpet.org (Etienne), 2018.05.04 (Fri) 14:03 (CEST): > Hello list, > > What I'm going to describe will most probably sound very silly, but I > believe I have a reasonable use case. I'm trying to setup a machine with > full disk encryption using a partition of the same disk as a keydisk. (take > all the time you want to laugh, then carry on reading). > > So I'm creating two RAID partitions "a" and "p", then run: > > bioctl -c C -l sd0a -k sd0p softraid0 > > and this succeed. I'm then proceeding to a normal installation on sd1, then > reboot, and I'm greeted with the message `ERR M`. > > I have tried this with the p partition at the beginning or at the end of the > disk, tried to change sizes,... no effect. I'm wondering if what I'm trying > is actually supported? Any idea? > > > For those who wonder, my use case is installing 100+ virtual machines in the > cloud with full disk encryption, rebooting them, and using rc.firsttime to > overwrite the key so if the machine is powered down, it can't be booted > anymore. I'm also aware that this is still vulnerable to an attack from > someone who's in control of the host machine.
I'm currently reading https://marc.info/?l=openbsd-misc&m=141435482820277 "crypto softraid and keydisk on same harddrive", 2014-10-26. jsing@ had this patch, which was tested and worked for the OP - but was not commited: https://marc.info/?l=openbsd-misc&m=141450636905550 Index: i386_softraid.c =================================================================== RCS file: /cvs/src/usr.sbin/installboot/i386_softraid.c,v retrieving revision 1.2 diff -u -p -r1.2 i386_softraid.c --- i386_softraid.c 9 Jun 2014 13:13:48 -0000 1.2 +++ i386_softraid.c 28 Oct 2014 14:21:27 -0000 @@ -42,6 +42,7 @@ void sr_install_bootldr(int, char *); void sr_install_bootblk(int devfd, int vol, int disk) { + struct bioc_vol bv; struct bioc_disk bd; struct disklabel dl; struct partition *pp; @@ -56,6 +57,15 @@ sr_install_bootblk(int devfd, int vol, i bd.bd_diskid = disk; if (ioctl(devfd, BIOCDISK, &bd) == -1) err(1, "BIOCDISK"); + + /* Skip CRYPTO key disks. */ + /* XXX - pass volume in rather than volume ID. */ + memset(&bv, 0, sizeof(bv)); + bv.bv_volid = vol; + if (ioctl(devfd, BIOCVOL, &bv) == -1) + err(1, "BIOCVOL"); + if (bv.bv_level == 'C' && bd.bd_size == 0) + return; /* Check disk status. */ if (bd.bd_status != BIOC_SDONLINE && bd.bd_status != BIOC_SDREBUILD) { Marcus
