installer: refuse apfs volume creation when FileVault is enabled
parent
3386575296
commit
477d7c2d07
@ -230,8 +230,10 @@ LABEL=Nix\040Store /nix apfs rw
</para>
<para>
This new volume also won't be encrypted by default, and enabling is
only possible interactively?
This new volume also won't be encrypted by default, and enabling it
requires extra setup. For machines with a <link xlink:href="https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf">T2 chip</link>
all data is already entrypted at rest, older hardware won't even when
FileVault is enabled for the rest of the system.
</para>
<screen>
@ -14,7 +14,12 @@ disk_identifier() {
xpath "/plist/dict/key[text()='ParentWholeDisk']/following-sibling::string[1]/text()" 2>/dev/null
}
volume_get() {
volume_list_true() {
key=$1 t=$2
xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict/key[text()='$key']/following-sibling::true[1]" 2> /dev/null
}
volume_get_string() {
key=$1 i=$2
xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict[$i]/key[text()='$key']/following-sibling::string[1]/text()" 2> /dev/null
}
@ -24,7 +29,7 @@ find_nix_volume() {
i=1
volumes=$(apfs_volumes_for "$disk")
while true; do
name=$(echo "$volumes" | volume_get "Name" "$i")
name=$(echo "$volumes" | volume_get_string "Name" "$i")
if [ -z "$name" ]; then
break
fi
@ -54,6 +59,12 @@ test_nix() {
test -d "/nix"
}
test_filevault() {
disk=$1
apfs_volumes_for "$disk" | volume_list_true FileVault | grep -q true || return
! sudo xartutil --list >/dev/null 2>/dev/null
}
main() {
(
echo ""
@ -99,6 +110,13 @@ main() {
volume=$(find_nix_volume "$disk")
if [ -z "$volume" ]; then
echo "Creating a Nix Store volume..." >&2
if test_filevault "$disk"; then
echo "error: FileVault detected, refusing to create unencrypted volume" >&2
echo "See https://nixos.org/nix/manual/#sect-apfs-volume-installation" >&2
exit 1
fi
sudo diskutil apfs addVolume "$disk" APFS 'Nix Store' -mountpoint /nix
volume="Nix Store"
else
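Review bot: The new test_filevault guard fails open: xpath's stderr is discarded in volume_list_true and the pipeline's only success signal is `grep -q true`, so when the volume listing cannot be obtained or parsed (xpath missing, plist shape changed, apfs_volumes_for erroring — its own error handling is not in the hunk) grep exits 1, the function reports "no FileVault", and main proceeds to `diskutil apfs addVolume` on a disk that may be encrypted. I would capture the listing first and refuse on a detection failure with its own status, `volumes=$(apfs_volumes_for "$disk") || return 2` followed by `[ -n "$volumes" ] || return 2`, then feed `$volumes` into `volume_list_true FileVault`, and have the caller in main abort with a "could not inspect disk" message on status 2 instead of falling through to volume creation; only the xartutil probe fails closed today. `t=$2` in volume_list_true is never used and the single caller passes one argument, so it should be dropped. Separately, main opens a `(` subshell near its top and the `exit 1` in the FileVault branch lives later in the same function — if that subshell is still open there, `exit 1` ends only the subshell and the script continues; main starts and ends outside these hunks, so this needs confirming against the full function.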