Here is some pseudocode as to what I'm thinking is the right flow:
```sh
# root_is_writable, filevault_enabled, has_t2_chip, create_volume and
# continue_install are placeholders for the installer's own checks/steps.
if root_is_writable; then
    mkdir -p /nix
    continue_install
elif filevault_enabled; then          # root is read-only and FileVault is on
    if has_t2_chip; then
        echo "Notice: the Nix store volume will not be FileVault-encrypted" >&2
        create_volume                 # non-FileVault APFS volume for /nix
        continue_install
    else
        echo "Refusing to install: FileVault is on and there is no T2 chip" >&2
        exit 1
    fi
else                                  # root is read-only, FileVault is off
    create_volume
    continue_install
fi
```
I've asked a couple people to take a look at this for their feedback.
A few idle things:
- is it possible for a user to create the volume, with FileVault, encrypted, and then use that for the Nix installation?
- flags which don't do scary things shouldn't be scary
- flags which do scary things should be scary
- the Nix installer should probably avoid doing scary things
- these volumes are like ZFS datasets,
  - not like a dmg on the root partition,
  - and not like its own partition.
- each volume is encrypted separately
- Root: writable
- T2 chip: absent

We can create the /nix directory, and it will be as safe as the root filesystem.
- Root: immutable
- T2 chip: absent

We'll create the /nix volume unencrypted, which matches the rest of the system.

Currently: the user needs to pass --create-volume.
- Root: immutable
- T2 chip: absent

In this case:
- the user has NO hardware-level protection
- the user has chosen to use FileVault to protect their data

In my opinion, violating the user's choice in this case would be basically malpractice. At this point I think we should NOT attempt to do an installation, and instead tell the user a quick reason why, and direct the user to documentation about how to go about doing this safely.
- Root: immutable
- T2 chip: present

We'll create a /nix volume, unencrypted. The /nix volume is encrypted by the hardware, and this matches the "Old Hardware, Catalina, No FileVault" case with the exception that the user has a base level of hardware encryption.
- Root: immutable
- T2 chip: present

This is a tricky one for me. Creating an unencrypted volume is still encrypted by the T2 hardware, meaning volume-level encryption is NOT the user's only protection.

My opinion here is that creating the volume (unencrypted in software, but encrypted by the T2) is not ideal, but may be a fine trade-off.

In this case I think we should proceed with the installation, but print out a notice saying something to this effect.
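The matrix above, turned into a script, as an added example that is not the Nix installer's own code. The detection helpers parse `diskutil info /`, `fdesetup status` and `system_profiler SPiBridgeDataType`; the exact strings they grep for ("Read-Only Volume", "FileVault is On", "T2") are my assumptions about how Catalina-era macOS prints them, the volume name "Nix" is my choice, and `nix_store_plan`, `apply_plan` and `yn` are helper names invented here. The decision logic is separated from the macOS commands so it can be exercised on any system.

```sh
#!/bin/sh
# Added example, not Nix's installer. Detect the three conditions from the
# matrix and map them to an action. Detection strings below are assumptions
# about Catalina-era tool output; "Nix" is an assumed volume name.

root_is_writable() {
    # Catalina's sealed system volume reports "Read-Only Volume: Yes".
    ! diskutil info / | grep -q 'Read-Only Volume: *Yes'
}

filevault_enabled() {
    fdesetup status | grep -q 'FileVault is On'
}

has_t2_chip() {
    system_profiler SPiBridgeDataType 2>/dev/null | grep -q 'T2'
}

# nix_store_plan WRITABLE FILEVAULT T2 (each "yes" or "no") prints one of:
#   mkdir          root is writable: plain /nix directory
#   volume         root read-only, no FileVault: unencrypted APFS volume
#   volume-notice  FileVault on but T2 present: volume plus a warning
#   abort          FileVault on, no T2: refuse rather than bypass FileVault
nix_store_plan() {
    writable=$1 filevault=$2 t2=$3
    if [ "$writable" = yes ]; then
        echo mkdir
    elif [ "$filevault" = yes ]; then
        if [ "$t2" = yes ]; then echo volume-notice; else echo abort; fi
    else
        echo volume
    fi
}

# Carry out a plan. The APFS container to add the volume to is the
# "Part of Whole" disk that / lives in.
apply_plan() {
    case $1 in
        mkdir)
            sudo mkdir -p /nix ;;
        volume|volume-notice)
            if [ "$1" = volume-notice ]; then
                echo "Notice: /nix will live on an APFS volume NOT protected by FileVault." >&2
                echo "        The T2 chip still encrypts it at rest; see the Nix docs." >&2
            fi
            container=$(diskutil info / | awk -F': *' '/Part of Whole/ {print $2}')
            sudo diskutil apfs addVolume "$container" APFS Nix -mountpoint /nix ;;
        abort)
            echo "Refusing to install: root is read-only, FileVault is on, no T2 chip." >&2
            echo "An unencrypted /nix volume would bypass FileVault; see the Nix docs." >&2
            return 1 ;;
    esac
}

# yn CMD... prints "yes"/"no" from a command's exit status.
yn() { if "$@"; then echo yes; else echo no; fi; }

# Usage on a Mac: sh this-script.sh --run
if [ "${1:-}" = "--run" ]; then
    plan=$(nix_store_plan "$(yn root_is_writable)" "$(yn filevault_enabled)" "$(yn has_t2_chip)")
    apply_plan "$plan"
fi
```

Note that a writable root wins regardless of FileVault or T2, matching the pseudocode: FileVault only changes the outcome once the installer has to create a separate volume.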