@grahamc
Created May 9, 2020 16:45

Here is some pseudocode as to what I'm thinking is the right flow:

if root is writable
  make the directory
  continue to install
otherwise the root is read only:
  if anything is encrypted with filevault:
    if the system has a T2 chip:
      print a notice about the non-filevault Nix store
      create a non-filevault volume
      continue to install
    otherwise:
      abort
  otherwise:
    create the non-filevault volume
    continue to install
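The same decision flow as a POSIX shell function, added here as an example and not code from the gist or from the Nix installer itself. The function name nix_darwin_plan and the detect_* helpers are made up for this example; the helpers assume the output formats of `mount`, `fdesetup status` and `system_profiler` on Catalina, and `fdesetup` only reports the boot volume, not "anything" encrypted with FileVault.

```shell
#!/bin/sh
# Decision flow for the macOS /nix install, taking the three facts as
# yes/no arguments so the logic can be exercised without a Mac.
# Prints one action token; returns non-zero only when the install must abort.
#   mkdir         - root is writable, create /nix directly
#   volume        - root immutable, no FileVault: unencrypted APFS volume
#   notice-volume - root immutable, FileVault + T2: print notice, then volume
#   abort         - root immutable, FileVault without T2: refuse to weaken the user's choice
nix_darwin_plan() {
  root_writable=$1  # yes|no : can /nix be created on / ?
  filevault=$2      # yes|no : is FileVault in use?
  t2=$3             # yes|no : does the machine have a T2 chip?

  if [ "$root_writable" = yes ]; then
    echo mkdir
    return 0
  fi
  # Root is read-only (Catalina): a separate APFS volume is the only option.
  if [ "$filevault" = yes ]; then
    if [ "$t2" = yes ]; then
      echo notice-volume   # caller prints the non-FileVault Nix store notice
      return 0
    fi
    echo abort             # software encryption is the user's only protection
    return 1
  fi
  echo volume
  return 0
}

# Detection helpers (hypothetical; assumptions about Catalina tool output).
detect_root_writable() {
  # Catalina lists the root mount with "read-only" among its flags.
  if mount | grep ' on / ' | grep -q 'read-only'; then echo no; else echo yes; fi
}
detect_filevault() {
  # `fdesetup status` prints "FileVault is On." or "FileVault is Off." (boot volume only).
  if fdesetup status 2>/dev/null | grep -q 'FileVault is On'; then echo yes; else echo no; fi
}
detect_t2() {
  # T2 Macs report the chip in the iBridge section of system_profiler.
  if system_profiler SPiBridgeDataType 2>/dev/null | grep -q 'T2'; then echo yes; else echo no; fi
}

# On a Mac: nix_darwin_plan "$(detect_root_writable)" "$(detect_filevault)" "$(detect_t2)"
```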

I've asked a couple of people to take a look at this for their feedback.

A few idle things:

  • is it possible for a user to create the volume, with filevault, encrypted, and then use that for the Nix installation?
  • flags which don't do scary things shouldn't be scary
  • flags which do scary things should be scary
  • the Nix installer should probably avoid doing scary things

Notes about APFS volumes:

  • these volumes are like ZFS datasets,
  • not like a dmg on the root partition,
  • and not like its own partition.
  • each volume is encrypted separately

User / Hardware cases

Old Hardware, Old Software, Filevault: Irrelevant

  • Root: writable
  • T2 chip: absent

We can create the /nix directory, and it will be as safe as the root filesystem.

Old Hardware, Catalina, No Filevault

  • Root: immutable
  • T2 chip: absent

We'll create the /nix volume unencrypted, which matches the rest of the system.

Currently: the user needs to pass --create-volume.

Old Hardware, Catalina, Uses Filevault

  • Root: immutable
  • T2 chip: absent

In this case:

  • the user has NO hardware-level protection
  • The user has chosen to use FileVault to protect their data

In my opinion, violating the user's choice in this case would be basically malpractice. At this point I think we should NOT attempt to do an installation, and instead tell the user a quick reason why, and direct the user to documentation about how to go about doing this safely.

New Hardware, Catalina, No Filevault

  • Root: immutable
  • T2 chip: present

We'll create a /nix volume, unencrypted. The /nix volume is encrypted by the hardware, and this matches the "Old Hardware, Catalina, No Filevault" case with the exception that the user has a base level of hardware encryption.

New Hardware, Catalina, Uses Filevault

  • Root: immutable
  • T2 chip: present

This is a tricky one for me. Creating an unencrypted volume is still encrypted by the T2 hardware, meaning volume-level encryption is NOT the user's only protection.

My opinion here is creating the volume (unencrypted at the software level, but encrypted by the T2) is not ideal, but may be a fine trade-off.

In this case I think we should proceed with the installation, but print out a notice saying something to this effect.
