Add support for installing with FDE.

Signed-off-by: Sasha Finkelstein <[email protected]>

build.sh

@@ -8,6 +8,7 @@ cd "$(dirname "$0")"
 PYTHON_VER=3.9.6
 PYTHON_PKG=python-$PYTHON_VER-macos11.pkg
 PYTHON_URI="https://www.python.org/ftp/python/$PYTHON_VER/$PYTHON_PKG"
+ENCRYPTOR_URI="https://github.com/WhatAmISupposedToPutHere/encryptor/releases/download/v0.1/encryptor.tar.gz"
 
 M1N1="$PWD/m1n1"
 ARTWORK="$PWD/artwork"
@@ -44,6 +45,7 @@ echo "Downloading installer components..."
 cd "$DL"
 
 wget -Nc "$PYTHON_URI"
+wget -Nc "$ENCRYPTOR_URI"
 
 echo "Building m1n1..."
 
@@ -54,7 +56,7 @@ make -C "$M1N1" RELEASE=1 CHAINLOADING=1 -j4
 echo "Copying files..."
 
 cp -r "$SRC"/* "$PACKAGE/"
-rm "$PACKAGE/asahi_firmware"
+rm -r "$PACKAGE/asahi_firmware"
 cp -r "$AFW" "$PACKAGE/"
 cp "$ARTWORK/logos/icns/AsahiLinux_logomark.icns" "$PACKAGE/logo.icns"
 mkdir -p "$PACKAGE/boot"
@@ -83,7 +85,7 @@ cd python3.*
 rm -rf test ensurepip idlelib
 cd lib-dynload
 rm -f _test* _tkinter*
-    
+
 
 echo "Copying certificates..."
 
@@ -94,6 +96,8 @@ echo "Packaging installer..."
 
 cd "$PACKAGE"
 
+tar xf "$DL/encryptor.tar.gz"
+
 echo "$VER" > version.tag
 
 if [ "$1" == "prod" ]; then

src/main.py

@@ -239,7 +239,7 @@ def get_admin_credentials(self):
         self.admin_password = getpass.getpass(f'Password for {self.admin_user}: ')
 
     def action_install_into_container(self, avail_parts):
-        template = self.choose_os()
+        template, fde = self.choose_os()
 
         containers = {str(i): p.desc for i,p in enumerate(self.parts) if p in avail_parts}
 
@@ -253,7 +253,7 @@ def action_install_into_container(self, avail_parts):
 
         self.ins = stub.StubInstaller(self.sysinfo, self.dutil, self.osinfo)
         self.ins.load_ipsw(ipsw)
-        self.osins = osinstall.OSInstaller(self.dutil, self.data, template)
+        self.osins = osinstall.OSInstaller(self.dutil, self.data, template, fde)
         self.osins.load_package()
 
         self.do_install()
@@ -266,9 +266,9 @@ def action_wipe(self):
 
         print()
 
-        template = self.choose_os()
+        template, fde = self.choose_os()
 
-        self.osins = osinstall.OSInstaller(self.dutil, self.data, template)
+        self.osins = osinstall.OSInstaller(self.dutil, self.data, template, fde)
         self.osins.load_package()
 
         min_size = STUB_SIZE + self.osins.min_size
@@ -286,9 +286,9 @@ def action_wipe(self):
         self.do_install(os_size)
 
     def action_install_into_free(self, avail_free):
-        template = self.choose_os()
+        template, fde = self.choose_os()
 
-        self.osins = osinstall.OSInstaller(self.dutil, self.data, template)
+        self.osins = osinstall.OSInstaller(self.dutil, self.data, template, fde)
         self.osins.load_package()
 
         min_size = STUB_SIZE + self.osins.min_size
@@ -498,7 +498,10 @@ def choose_os(self):
         idx = self.choice("OS", [i["name"] for i in os_list])
         os = os_list[idx]
         logging.info(f"Chosen OS: {os['name']}")
-        return os
+        fde = False
+        if os.get("supports_fde", False) or True:
+            fde = self.yesno("Enable disk encryption?")
+        return (os, fde)
 
     def set_reduced_security(self):
         while True:

src/osinstall.py

@@ -6,7 +6,7 @@
 
 class OSInstaller(PackageInstaller):
     PART_ALIGNMENT = 1024 * 1024
-    def __init__(self, dutil, data, template):
+    def __init__(self, dutil, data, template, fde):
         super().__init__()
         self.dutil = dutil
         self.data = data
@@ -16,6 +16,7 @@ def __init__(self, dutil, data, template):
         self.efi_part = None
         self.idata_targets = []
         self.install_size = self.min_size
+        self.fde = fde
 
     @property
     def default_os_name(self):
@@ -131,6 +132,7 @@ def install(self, stub_ins):
             self.extract_file(icon, stub_ins.icon_path)
             self.flush_progress()
 
+        raw_images = []
         for part, info in zip(self.template["partitions"], self.part_info):
             logging.info(f"Installing partition {part!r} -> {info.name}")
             image = part.get("image", None)
@@ -139,9 +141,11 @@ def install(self, stub_ins):
                 logging.info(f"Extract: {image}")
                 zinfo = self.pkg.getinfo(image)
                 with self.pkg.open(image) as sfd, \
-                    open(f"/dev/r{info.name}", "r+b") as dfd:
+                     open(f"/dev/r{info.name}", "r+b") as dfd:
                     self.fdcopy(sfd, dfd, zinfo.file_size)
+
                 self.flush_progress()
+
             source = part.get("source", None)
             if source:
                 p_plain(f"  Copying from {source} into {info.name} partition...")
@@ -160,11 +164,36 @@ def install(self, stub_ins):
                 data_path = os.path.join(mountpoint, "asahi")
                 os.makedirs(data_path, exist_ok=True)
                 self.idata_targets.append(data_path)
+            if not (source or part.get("copy_firmware", False) or part.get("copy_installer_data", False)):
+                raw_images.append(info.name)
 
         if "extras" in self.template:
             assert self.efi_part is not None
             self.download_extras()
 
+        if self.fde:
+            p_progress("Encrypting OS image ...")
+            args = [
+                "./encryptor/qemu-system-aarch64",
+                "-nographic",
+                "-L", "./encryptor/qemu/",
+                "-chardev", "stdio,id=term0",
+                "-serial", "chardev:term0",
+                "-cpu", "host",
+                "-smp", "cpus=8,sockets=1,cores=8,threads=1",
+                "-machine", "virt",
+                "-accel", "hvf",
+                "-m", "4096",
+                "-kernel", "./encryptor/vmlinuz-virt",
+                "-initrd", "./encryptor/initramfs",
+                "-device", "virtio-rng-pci",
+                "-monitor", "/dev/null",
+                "-append", "quiet"
+            ]
+            for i, name in enumerate(raw_images):
+                args.extend(["-drive", f"if=virtio,format=raw,index={i + 1},file=/dev/{name}"])
+            subprocess.run(args, check=True)
+
         p_progress("Preparing to finish installation...")
 
         logging.info(f"Building boot object")