Improving system partition key choice

Author: darrenldl

src/config.ml

@@ -62,24 +62,6 @@ let oali_answer_store_dir = "oali_answers"
 
 let sshd_port = 40010
 
-let gen_mkinitcpio_hooks ~encrypt_sys ~use_lvm =
-  List.filter_map
-    (fun x -> x)
-    [
-      Some "base";
-      Some "udev";
-      Some "autodetect";
-      Some "keyboard";
-      Some "keymap";
-      Some "consolefont";
-      Some "modconf";
-      Some "block";
-      (if encrypt_sys then Some "encrypt" else None);
-      (if use_lvm then Some "lvm2" else None);
-      Some "filesystems";
-      Some "fsck";
-    ]
-
 let lvm_vg_name = "vg_sys"
 
 let lvm_lv_root_name = "lv_root"

src/disk_layout.ml

@@ -20,6 +20,12 @@ type layout_choice =
   | Sys_part_plus_boot_plus_maybe_EFI
   | Sys_part_plus_usb_drive
 
+type sys_part_enc_choice = [
+  | `None
+  | `Passphrase
+  | `Keyfile
+]
+
 (* | Lvm_single_disk
  * | Lvm_boot_plus_maybe_EFI_plus_pv_s
  * | Lvm_usb_drive_plus_pv_s *)
@@ -236,7 +242,7 @@ let make_boot (pool : Storage_unit.pool) ~enc_params ~encrypt ~path =
        let primary_key =
          Misc_utils.ask_string_confirm
            ~is_valid:(fun x -> x <> "")
-           ~no_echo:true "Please enter passphrase for encryption"
+           ~no_echo:true "Please enter passphrase for BOOT (/boot) partition encryption"
        in
        Storage_unit.L1.make_luks ~primary_key ~add_secondary_key:true
          ~version:`LuksV1 ~path ~mapper_name:Config.boot_mapper_name enc_params
@@ -247,14 +253,28 @@ let make_boot (pool : Storage_unit.pool) ~enc_params ~encrypt ~path =
     (Storage_unit.L4.make ~mount_point:Config.boot_mount_point `Ext4);
   Storage_unit.make ~l1_id ~l2_id ~l3_id ~l4_id
 
-let make_root_var_home (pool : Storage_unit.pool) ~enc_params ~encrypt ~use_lvm
+let make_root_var_home (pool : Storage_unit.pool) ~enc_params ~(encrypt : sys_part_enc_choice) ~use_lvm
     path : Storage_unit.t * Storage_unit.t option * Storage_unit.t option =
   (* common components - L1, L2 stuff *)
   Hashtbl.add pool.l1_pool Params.Sys.l1_id
-    (if encrypt then
+    (match encrypt with
+     | `None -> Storage_unit.L1.make_clear ~path
+     | `Passphrase ->
+       let primary_key =
+       Misc_utils.ask_string_confirm
+         ~is_valid:(fun x -> x <> "")
+         ~no_echo:true "Please enter passphrase for ROOT (/) partition encryption"
+       in
+       Storage_unit.L1.make_luks ~primary_key ~path ~mapper_name:Config.sys_mapper_name
+         enc_params
+     | `Keyfile ->
        Storage_unit.L1.make_luks ~path ~mapper_name:Config.sys_mapper_name
          enc_params
-     else Storage_unit.L1.make_clear ~path);
+    );
+    (* (if encrypt then
+     *    Storage_unit.L1.make_luks ~path ~mapper_name:Config.sys_mapper_name
+     *      enc_params
+     *  else Storage_unit.L1.make_clear ~path); *)
   Hashtbl.add pool.l2_pool Params.Sys.l2_id
     (if use_lvm then Storage_unit.L2.make_lvm ~vg_name:Config.lvm_vg_name
      else Storage_unit.L2.make_none ());
@@ -319,7 +339,7 @@ let make_root_var_home (pool : Storage_unit.pool) ~enc_params ~encrypt ~use_lvm
   (root, var, home)
 
 let make_layout ~esp_part_path ~boot_part_path ~boot_part_enc_params
-    ~boot_encrypt ~sys_part_path ~sys_part_enc_params ~sys_encrypt ~use_lvm =
+    ~boot_encrypt ~sys_part_path ~sys_part_enc_params ~(sys_encrypt : sys_part_enc_choice) ~use_lvm =
   let pool = Storage_unit.make_pool () in
   let esp = Option.map (fun path -> make_esp pool ~path) esp_part_path in
   let boot =
@@ -332,7 +352,7 @@ let make_layout ~esp_part_path ~boot_part_path ~boot_part_enc_params
   in
   let lvm_info =
     if use_lvm then
-      if sys_encrypt then
+      if sys_encrypt <> `None then
         Some
           {
             vg_name = Config.lvm_vg_name;

src/mkinitcpio_utils.ml

@@ -0,0 +1,19 @@
+let gen_mkinitcpio_hooks ~(encrypt_sys : Disk_layout.sys_part_enc_choice) ~use_lvm =
+  List.filter_map
+    (fun x -> x)
+    [
+      Some "base";
+      Some "udev";
+      Some "autodetect";
+      Some "keyboard";
+      Some "keymap";
+      Some "consolefont";
+      Some "modconf";
+      Some "block";
+      (match encrypt_sys with
+       | `None -> None
+       | `Passphrase | `Keyfile -> Some "encrypt");
+      (if use_lvm then Some "lvm2" else None);
+      Some "filesystems";
+      Some "fsck";
+    ]

src/oali.ml

@@ -219,10 +219,27 @@ User is allowed to continue said setup if they wishes to however
                   selected to not encrypt root";
              confirm_answer_is_correct_end_retry ~ret:encrypt_sys)
        in
-       { config with encrypt_sys = Some encrypt });
+       if encrypt then (
+         if encrypt_boot then
+           { config with encrypt_sys = Some `Keyfile }
+         else (
+           print_endline "Since boot partition is not encrypted, please specify whether system partition should use passphrase or keyfile";
+           let choices =
+             [
+               ("passphrase", `Passphrase);
+               ("keyfile", `Keyfile);
+             ]
+           in
+           let choice = pick_choice_kv choices in
+           { config with encrypt_sys = Some choice }
+         )
+       )
+       else
+         { config with encrypt_sys = Some `None }
+    );
   reg ~name:"Adjust cryptsetup parameters for root partition" ~doc:luks_doc
     (fun answer_store config ->
-       if Option.get config.encrypt_sys then
+       if Option.get config.encrypt_sys <> `None then
          let iter_time_ms, key_size_bits =
            retry ~answer_store (fun () ->
                let iter_time_ms =
@@ -646,27 +663,31 @@ if using the USB key disk layout|}
        config);
   reg ~name:"Install keyfile for /"
     ~doc:{|Sets up keyfile to be embedded into the initramfs|}
-    (fun _answer_store config ->
-       if Option.get config.encrypt_sys then (
-         let disk_layout = Option.get config.disk_layout in
-         let root = Disk_layout.get_root disk_layout in
-         match root.l1 with
-         | Clear _ -> failwith "Expected LUKS"
-         | Luks { info; _ } ->
-           let keyfile_path =
-             concat_file_names
-               [
-                 Config.root_mount_point;
-                 Config.root_dir;
-                 Config.sys_part_keyfile_name;
-               ]
-           in
-           let oc = open_out_bin keyfile_path in
-           Fun.protect
-             ~finally:(fun () -> close_out oc)
-             (fun () -> output_string oc info.primary_key);
-           Unix.chmod keyfile_path 0o000)
-       else print_endline "Skipped";
+    (fun _answer_store config -> (
+         match Option.get config.encrypt_sys with
+         | `None | `Passphrase ->
+           print_endline "Skipped"
+         | `Keyfile -> (
+             let disk_layout = Option.get config.disk_layout in
+             let root = Disk_layout.get_root disk_layout in
+             match root.l1 with
+             | Clear _ -> failwith "Expected LUKS"
+             | Luks { info; _ } ->
+               let keyfile_path =
+                 concat_file_names
+                   [
+                     Config.root_mount_point;
+                     Config.root_dir;
+                     Config.sys_part_keyfile_name;
+                   ]
+               in
+               let oc = open_out_bin keyfile_path in
+               Fun.protect
+                 ~finally:(fun () -> close_out oc)
+                 (fun () -> output_string oc info.primary_key);
+               Unix.chmod keyfile_path 0o000)
+       )
+;
        config);
   reg ~name:"Install keyfile for unlocking /boot"
     ~doc:
@@ -754,13 +775,14 @@ The line is then commented if disk layout uses USB key|}
            match Re.matches re s with
            | [] -> [ s ]
            | _ ->
-             if encrypt_sys then
+             match encrypt_sys with
+             | `Keyfile ->
                [
                  Printf.sprintf "FILES=(%s)"
                    (concat_file_names
                       [ "/root"; Config.sys_part_keyfile_name ]);
                ]
-             else [ s ]
+             | `None | `Passphrase -> [ s ]
        in
        let fill_in_HOOKS =
          let re = "^HOOKS" |> Re.Posix.re |> Re.compile in
@@ -771,7 +793,7 @@ The line is then commented if disk layout uses USB key|}
              [
                Printf.sprintf "HOOKS=(%s)"
                  (String.concat " "
-                    (Config.gen_mkinitcpio_hooks ~encrypt_sys ~use_lvm));
+                    (Mkinitcpio_utils.gen_mkinitcpio_hooks ~encrypt_sys ~use_lvm));
              ]
        in
        File.filter_map_lines ~file fill_in_FILES;
@@ -1060,10 +1082,10 @@ Recovery kit creation decision is as follows
            concat_file_names [ Config.root_mount_point; Config.root_dir ]
          in
          match (encrypt_boot, encrypt_sys) with
-         | true, true -> [ dst_boot; dst_root ]
-         | true, false -> [ dst_boot ]
-         | false, true -> [ dst_root ]
-         | false, false -> [ dst_boot; dst_root ]
+         | true, `Passphrase | true, `Keyfile -> [ dst_boot; dst_root ]
+         | true, `None -> [ dst_boot ]
+         | false, `Passphrase | false, `Keyfile -> [ dst_root ]
+         | false, `None -> [ dst_boot; dst_root ]
        in
        dst_s
        |> List.iter (fun dst_dir_path ->

src/task_config.ml

@@ -6,7 +6,7 @@ type t = {
   hardened_as_default : bool option;
   use_lvm : bool option;
   encrypt_boot : bool option;
-  encrypt_sys : bool option;
+  encrypt_sys : Disk_layout.sys_part_enc_choice option;
   boot_part_enc_params : Storage_unit.Luks_info.enc_params option;
   sys_part_enc_params : Storage_unit.Luks_info.enc_params option;
   editor : string option;