design for enabling FDE on first boot
@calebccff and I have talked about using buffybox/unl0kr (or a new app?) to handle setting up FDE on first boot, this is a rough draft of what the design could look like for that. cc @cherrypicker
In the notes below, `fde-setup` is a stand-in for `unl0kr --setup`, or some new app, but the logic in pmaports/initramfs should largely be unchanged
- pmos-initramfs should run `fde-setup` if it detects the rootfs is not encrypted AND it is "first boot" of an install, users can elect to set up FDE for the rootfs (incl. set passphrase), or skip to not enable FDE
- pmos-initramfs should run `unl0kr` as it does today if it's not "first boot" and rootfs is locked/FDEd
- "first boot" should be detected by checking the contents of `/etc/machine-id` in the initramfs, if that file is empty then this is "first boot"
- /etc/machine-id should be added to the initramfs (pmos-base's mkinitfs files list)
- after the rootfs boots during "first boot", /etc/machine-id should be populated, see: https://www.freedesktop.org/software/systemd/man/latest/machine-id.html (for openrc, it can be generated randomly in a boot service)
- mkinitfs should be run after machine-id is generated, so that it's set in subsequent boots
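
The decision logic in the notes above, sketched as POSIX sh for the initramfs. This is an added example, not code from pmaports or buffybox; the function names, the `boot` action, and the handling of a missing machine-id file and of an already-encrypted rootfs on first boot are assumptions.

```shell
#!/bin/sh
# Added example: first-boot FDE decision for the initramfs.
# Function names and the "boot" action are hypothetical, not pmaports code.

# Succeeds when the machine-id file exists but holds no non-whitespace content.
# Assumption: a missing file is NOT "first boot", so an initramfs built
# without the file does not offer FDE setup on every boot.
is_first_boot() {
    [ -f "$1" ] || return 1
    [ -z "$(tr -d '[:space:]' < "$1")" ]
}

# Check for use on a real device: cryptsetup exits 0 if it finds a LUKS header.
rootfs_is_luks() {
    cryptsetup isLuks "$1" 2>/dev/null
}

# Usage: boot_action <machine-id file> <yes|no: rootfs is LUKS>
# Prints the step to run: fde-setup, unl0kr, or boot (mount rootfs as-is).
boot_action() {
    machine_id_file=$1
    encrypted=$2
    if [ "$encrypted" = yes ]; then
        # Assumption: an already-encrypted rootfs always goes to unl0kr,
        # including on first boot of a pre-encrypted image.
        echo unl0kr
    elif is_first_boot "$machine_id_file"; then
        # Unencrypted rootfs and empty machine-id: offer FDE setup (or skip).
        echo fde-setup
    else
        # Unencrypted rootfs on a later boot: the user skipped FDE earlier.
        echo boot
    fi
}
```

In an initramfs the second argument would come from `rootfs_is_luks` on the root partition, for example `boot_action /etc/machine-id "$(rootfs_is_luks "$dev" && echo yes || echo no)"` with `$dev` as a placeholder for that partition.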