installer: refuse apfs volume creation when FileVault is enabled

domenkozar · May 21, 2020 · 477d7c2 · 477d7c2
1 parent 3386575
commit 477d7c2
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 4 deletions.
diff --git a/doc/manual/installation/installing-binary.xml b/doc/manual/installation/installing-binary.xml
@@ -230,8 +230,10 @@ LABEL=Nix\040Store /nix apfs rw
       </para>
 
       <para>
-        This new volume also won't be encrypted by default, and enabling is
-        only possible interactively?
+        This new volume also won't be encrypted by default, and enabling it
+        requires extra setup.  For machines with a <link xlink:href="https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf">T2 chip</link>
+        all data is already entrypted at rest, older hardware won't even when
+        FileVault is enabled for the rest of the system.
       </para>
 
 <screen>

diff --git a/scripts/create-darwin-volume.sh b/scripts/create-darwin-volume.sh
@@ -14,7 +14,12 @@ disk_identifier() {
     xpath "/plist/dict/key[text()='ParentWholeDisk']/following-sibling::string[1]/text()" 2>/dev/null
 }
 
-volume_get() {
+volume_list_true() {
+    key=$1 t=$2
+    xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict/key[text()='$key']/following-sibling::true[1]" 2> /dev/null
+}
+
+volume_get_string() {
     key=$1 i=$2
     xpath "/plist/dict/array/dict/key[text()='Volumes']/following-sibling::array/dict[$i]/key[text()='$key']/following-sibling::string[1]/text()" 2> /dev/null
 }
@@ -24,7 +29,7 @@ find_nix_volume() {
     i=1
     volumes=$(apfs_volumes_for "$disk")
     while true; do
-        name=$(echo "$volumes" | volume_get "Name" "$i")
+        name=$(echo "$volumes" | volume_get_string "Name" "$i")
         if [ -z "$name" ]; then
             break
         fi
@@ -54,6 +59,12 @@ test_nix() {
     test -d "/nix"
 }
 
+test_filevault() {
+    disk=$1
+    apfs_volumes_for "$disk" | volume_list_true FileVault | grep -q true || return
+    ! sudo xartutil --list >/dev/null 2>/dev/null
+}
+
 main() {
     (
         echo ""
@@ -99,6 +110,13 @@ main() {
     volume=$(find_nix_volume "$disk")
     if [ -z "$volume" ]; then
         echo "Creating a Nix Store volume..." >&2
+
+        if test_filevault "$disk"; then
+            echo "error: FileVault detected, refusing to create unencrypted volume" >&2
+            echo "See https://nixos.org/nix/manual/#sect-apfs-volume-installation" >&2
+            exit 1
+        fi
+
         sudo diskutil apfs addVolume "$disk" APFS 'Nix Store' -mountpoint /nix
         volume="Nix Store"
     else