installer: refuse apfs volume creation when FileVault is enabled
parent
3386575296
commit
477d7c2d07
2 changed files with 24 additions and 4 deletions
|
@ -230,8 +230,10 @@ LABEL=Nix\040Store /nix apfs rw
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
This new volume also won't be encrypted by default, and enabling is
|
This new volume also won't be encrypted by default, and enabling it
|
||||||
only possible interactively?
|
requires extra setup. For machines with a <link xlink:href="https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf">T2 chip</link>
|
||||||
|
all data is already entrypted at rest, older hardware won't even when
|
||||||
|
FileVault is enabled for the rest of the system.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<screen>
|
<screen>
|
||||||
|
|
|
@ -14,7 +14,12 @@ disk_identifier() {
|
||||||
xpath "/plist/dict/key[text()='ParentWholeDisk']/following-sibling::string[1]/text()" 2>/dev/null
|
xpath "/plist/dict/key[text()='ParentWholeDisk']/following-sibling::string[1]/text()" 2>/dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
volume_get() {
|
volume_list_true() {
|
||||||
|
key=$1 t=$2
|
||||||
|
xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict/key[text()='$key']/following-sibling::true[1]" 2> /dev/null
|
||||||
|
}
|
||||||
|
|
||||||
|
volume_get_string() {
|
||||||
key=$1 i=$2
|
key=$1 i=$2
|
||||||
xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict[$i]/key[text()='$key']/following-sibling::string[1]/text()" 2> /dev/null
|
xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict[$i]/key[text()='$key']/following-sibling::string[1]/text()" 2> /dev/null
|
||||||
}
|
}
|
||||||
|
@ -24,7 +29,7 @@ find_nix_volume() {
|
||||||
i=1
|
i=1
|
||||||
volumes=$(apfs_volumes_for "$disk")
|
volumes=$(apfs_volumes_for "$disk")
|
||||||
while true; do
|
while true; do
|
||||||
name=$(echo "$volumes" | volume_get "Name" "$i")
|
name=$(echo "$volumes" | volume_get_string "Name" "$i")
|
||||||
if [ -z "$name" ]; then
|
if [ -z "$name" ]; then
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
|
@ -54,6 +59,12 @@ test_nix() {
|
||||||
test -d "/nix"
|
test -d "/nix"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
test_filevault() {
|
||||||
|
disk=$1
|
||||||
|
apfs_volumes_for "$disk" | volume_list_true FileVault | grep -q true || return
|
||||||
|
! sudo xartutil --list >/dev/null 2>/dev/null
|
||||||
|
}
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
(
|
(
|
||||||
echo ""
|
echo ""
|
||||||
|
@ -99,6 +110,13 @@ main() {
|
||||||
volume=$(find_nix_volume "$disk")
|
volume=$(find_nix_volume "$disk")
|
||||||
if [ -z "$volume" ]; then
|
if [ -z "$volume" ]; then
|
||||||
echo "Creating a Nix Store volume..." >&2
|
echo "Creating a Nix Store volume..." >&2
|
||||||
|
|
||||||
|
if test_filevault "$disk"; then
|
||||||
|
echo "error: FileVault detected, refusing to create unencrypted volume" >&2
|
||||||
|
echo "See https://nixos.org/nix/manual/#sect-apfs-volume-installation" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
sudo diskutil apfs addVolume "$disk" APFS 'Nix Store' -mountpoint /nix
|
sudo diskutil apfs addVolume "$disk" APFS 'Nix Store' -mountpoint /nix
|
||||||
volume="Nix Store"
|
volume="Nix Store"
|
||||||
else
|
else
|
||||||
|
|
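Review bot: In `volume_list_true`, `following-sibling::true[1]` selects the first `<true/>` among all siblings after the `FileVault` key, not the element right after it, so a volume whose FileVault value is `<false/>` still matches if any later key in the same volume dict holds `<true/>`; the immediate-sibling form is `.../key[text()='$key']/following-sibling::*[1][self::true]` (and the `t=$2` assignment in that function is unused). In `test_filevault`, `! sudo xartutil --list` turns every failure — tool absent, sudo denied — into "no T2 chip" and the installer refuses, which is the fail-closed direction but deserves a comment such as `# any failure (xartutil absent, sudo denied) counts as "no T2": refuse rather than create an unencrypted volume`. Note also that `main`'s body runs inside the `(` subshell opened at the top of the function, so the new `exit 1` ends only that subshell; whether the installer as a whole stops depends on what follows the closing `)`, which is outside the hunk.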