On Mon, Sep 04, 2023 at 09:57:40PM +0000, Klemens Nanni wrote:
> Extend the yes/no question to no/passphrase/keydisk and have users pick an
> existing, preformatted RAID partition; no support (yet) for creating one.
>
> Thanks to how ask_which() works, users can always say 'done' to land back
> at the question to either skip crypto or use a passphrase instead.
>
> All code remains contained behind interactive non-default installations.
> Code is straightforward, I've not been able to break it; rest unchanged.
>
> Example install with root disk sd0 and ready-to-use key disk sd1:
>
> Available disks are: sd0 sd1.
> Which disk is the root disk? ('?' for details) [sd0]
> Encrypt the root disk with a (p)assphrase or (k)eydisk? [no] k
> Available disks are: sd1.
> Which disk contains the key disk? (or 'done') [sd1]
> Available sd1 partitions are: a.
> Which sd1 partition is the key disk? (or 'done') [a]
>
> Configuring the crypto chunk sd0...
>
> No valid MBR or GPT.
> Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]
> Setting OpenBSD MBR partition to whole sd0...done.
> sd2 at scsibus2 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006>
> sd2: 1023MB, 512 bytes/sector, 2096560 sectors
>
> Configuring the root disk sd2...
>
> No valid MBR or GPT.
> Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [whole]
>
>
> Feedback? OK?
Ping.
Index: install.sub
===================================================================
RCS file: /cvs/src/distrib/miniroot/install.sub,v
retrieving revision 1.1255
diff -u -p -r1.1255 install.sub
--- install.sub 21 Aug 2023 14:33:55 -0000 1.1255
+++ install.sub 16 Oct 2023 19:36:55 -0000
@@ -3074,8 +3074,32 @@ do_autoinstall() {
exec reboot
}
+# Chose an existing partition as key disk and set global $KEYDISK on success,
+# otherwise return non-zero.
+pick_keydisk() {
+ KEYDISK=
+ local _disk _label
+
+ ask_which disk 'contains the key disk' '$(rmel $ROOTDISK $(get_dkdevs))'
+ [[ $resp == done ]] && return 1
+ _disk=$resp
+
+ make_dev $_disk
+ if disklabel $_disk 2>/dev/null | ! grep -qw RAID; then
+ echo "$_disk must contain a RAID partition."
+ return 1
+ fi
+
+ ask_which "$_disk partition" 'is the key disk' \
+ "\$(disklabel $_disk 2>/dev/null |
+ sed -En 's/^ ([a-p]):.*RAID.*$/\1/p')"
+ [[ $resp == done ]] && return 1
+ _label=$resp
+ KEYDISK=$_disk$_label
+}
+
encrypt_root() {
- local _chunk=$ROOTDISK
+ local _args _chunk=$ROOTDISK
[[ $MDBOOTSR == y ]] || return
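Review bot: In pick_keydisk() the guard `grep -qw RAID` inspects the whole disklabel output, while the partition list offered afterwards comes from a sed expression that only matches partition lines, so the two can disagree. A disk whose label header happens to contain the word RAID (a softraid volume's label, if I read disklabel's output correctly) would pass the guard and then reach the second ask_which with an empty list. I would capture the sed output once in a local such as `_parts`, print the existing "must contain a RAID partition" message and return 1 when `[[ -z $_parts ]]`, and hand that list to ask_which. Because `2>/dev/null` also hides a failed make_dev or an unreadable disk, the same message is shown for those cases, which is worth a word in the comment. The header comment should read "Choose" and could state that $KEYDISK is cleared on entry, so it is empty on every failure path.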
@@ -3088,13 +3112,30 @@ encrypt_root() {
# e.g. auto-assembled at boot or done in (S)hell.
[[ -z $(get_softraid_volumes) ]] || return
- ask_yn 'Encrypt the root disk with a passphrase?' || return
+ while :; do
+ ask 'Encrypt the root disk with a (p)assphrase or (k)eydisk?' no
+ case $resp in
+ # Retry on failure to allow passphrase or skip.
+ [kK]*)
+ pick_keydisk || continue
+ _args=-k$KEYDISK
+ break
+ ;;
+ # Do nothing, bioctl(8) will handle the passphrase.
+ [pP]*) break
+ ;;
+ [nN]*) return
+ ;;
+ *) echo "'$resp' is not a valid choice."
+ ;;
+ esac
+ done
echo "\nConfiguring the crypto chunk $_chunk...\n"
md_prep_fdisk $_chunk
echo 'RAID *' | disklabel -w -A -T- $_chunk
- bioctl -Cforce -cC -l${_chunk}a softraid0 >/dev/null
+ bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null
# No volumes existed before asking, but we just created one.
ROOTDISK=$(get_softraid_volumes)
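Review bot: The partition picked in the `[kK]*` arm goes straight into `bioctl -Cforce -cC ... $_args` with no confirmation that the key disk will be written. As far as I know, softraid generates fresh key material on the key disk when a crypto volume is created. If so, a partition that already unlocks another volume would lose that key, and the other volume would become unreadable. A confirmation before `break`, for example `ask_yn "Overwrite $KEYDISK with a new key?" || continue`, would keep that from happening silently. The key disk also adds ways for bioctl to fail, yet its exit status is still ignored and `ROOTDISK=$(get_softraid_volumes)` runs unconditionally, so a failed creation appears to leave ROOTDISK empty with no message. encrypt_root() starts outside this hunk, so I cannot see whether anything later catches that.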