From 477d7c2d07e146c91950401b8b9d9380ce6787e5 Mon Sep 17 00:00:00 2001
From: Daiderd Jordan <daiderd@gmail.com>
Date: Thu, 26 Mar 2020 21:51:13 +0100
Subject: [PATCH] installer: refuse apfs volume creation when FileVault is
 enabled

---
 doc/manual/installation/installing-binary.xml |  6 +++--
 scripts/create-darwin-volume.sh               | 22 +++++++++++++++++--
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/doc/manual/installation/installing-binary.xml b/doc/manual/installation/installing-binary.xml
index c11ba9cce..498248662 100644
--- a/doc/manual/installation/installing-binary.xml
+++ b/doc/manual/installation/installing-binary.xml
@@ -230,8 +230,10 @@ LABEL=Nix\040Store /nix apfs rw
       </para>
 
       <para>
-        This new volume also won't be encrypted by default, and enabling is
-        only possible interactively?
+        This new volume also won't be encrypted by default, and enabling it
+        requires extra setup.  For machines with a <link xlink:href="https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf">T2 chip</link>
+        all data is already entrypted at rest, older hardware won't even when
+        FileVault is enabled for the rest of the system.
       </para>
 
 <screen>
diff --git a/scripts/create-darwin-volume.sh b/scripts/create-darwin-volume.sh
index ea4133444..a0da85f43 100755
--- a/scripts/create-darwin-volume.sh
+++ b/scripts/create-darwin-volume.sh
@@ -14,7 +14,12 @@ disk_identifier() {
     xpath "/plist/dict/key[text()='ParentWholeDisk']/following-sibling::string[1]/text()" 2>/dev/null
 }
 
-volume_get() {
+volume_list_true() {
+    key=$1 t=$2
+    xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict/key[text()='$key']/following-sibling::true[1]" 2> /dev/null
+}
+
+volume_get_string() {
     key=$1 i=$2
     xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict[$i]/key[text()='$key']/following-sibling::string[1]/text()" 2> /dev/null
 }
@@ -24,7 +29,7 @@ find_nix_volume() {
     i=1
     volumes=$(apfs_volumes_for "$disk")
     while true; do
-        name=$(echo "$volumes" | volume_get "Name" "$i")
+        name=$(echo "$volumes" | volume_get_string "Name" "$i")
         if [ -z "$name" ]; then
             break
         fi
@@ -54,6 +59,12 @@ test_nix() {
     test -d "/nix"
 }
 
+test_filevault() {
+    disk=$1
+    apfs_volumes_for "$disk" | volume_list_true FileVault | grep -q true || return
+    ! sudo xartutil --list >/dev/null 2>/dev/null
+}
+
 main() {
     (
         echo ""
@@ -99,6 +110,13 @@ main() {
     volume=$(find_nix_volume "$disk")
     if [ -z "$volume" ]; then
         echo "Creating a Nix Store volume..." >&2
+
+        if test_filevault "$disk"; then
+            echo "error: FileVault detected, refusing to create unencrypted volume" >&2
+            echo "See https://nixos.org/nix/manual/#sect-apfs-volume-installation" >&2
+            exit 1
+        fi
+
         sudo diskutil apfs addVolume "$disk" APFS 'Nix Store' -mountpoint /nix
         volume="Nix Store"
     else