Gist by @grahamc (secret), created May 9, 2020

Here is some pseudocode as to what I'm thinking is the right flow:

if root is writable
  make the directory
  continue to install
otherwise the root is read only:
  if anything is encrypted with filevault:
    if the system has a T2 chip:
      print a notice about the non-filevault Nix store
      create a non-filevault volume
      continue to install
    create the non-filevault volume
    continue to install

I've asked a couple people to take a look at this for their feedback.

A few idle things:

  • is it possible for a user to create the volume, with filevault, encrypted, and then use that for the Nix installation?
  • flags which don't do scary things shouldn't be scary
  • flags which do scary things should be scary
  • the Nix installer should probably avoid doing scary things

Notes about APFS volumes:

  • these volumes are like ZFS datasets
  • not like a dmg on the root partition
  • and not like its own partition
  • each volume is encrypted separately

User / Hardware cases

Old Hardware, Old Software, Filevault: Irrelevant

  • Root: writable
  • T2 chip: absent

We can create the /nix directory, and it will be as safe as the root filesystem.

Old Hardware, Catalina, No Filevault

  • Root: immutable
  • T2 chip: absent

We'll create the /nix volume unencrypted, which matches the rest of the system.

Currently: the user needs to pass --create-volume.

Old Hardware, Catalina, Uses Filevault

  • Root: immutable
  • T2 chip: absent

In this case:

  • the user has NO hardware-level protection
  • the user has chosen to use FileVault to protect their data

In my opinion, violating the user's choice in this case would be basically malpractice. At this point I think we should NOT attempt to do an installation, and instead tell the user a quick reason why, and direct the user to documentation about how to go about doing this safely.

New Hardware, Catalina, No Filevault

  • Root: immutable
  • T2 chip: present

We'll create a /nix volume without FileVault encryption. The T2 chip still encrypts the /nix volume at the hardware level, so this matches the "Old Hardware, Catalina, No Filevault" case except that the user has a base level of hardware encryption.

New Hardware, Catalina, Uses Filevault

  • Root: immutable
  • T2 chip: present

This is a tricky one for me. A volume created without FileVault is still encrypted by the T2 hardware, meaning volume-level encryption is NOT the user's only protection.

My opinion here is that creating the volume (unencrypted at the software level, but encrypted by the T2) is not ideal, but may be a fine trade-off.

In this case I think we should proceed with the installation, but print out a notice saying something to this effect.
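The flow from the pseudocode above and the five user/hardware cases, written out as a POSIX sh script. This is an added example, not code from the gist or from the Nix installer. It follows the per-case conclusions in the text rather than the pseudocode, so the "FileVault on, no T2" case refuses to install instead of creating a volume, and the read-only root without FileVault (which the pseudocode does not spell out) gets an unencrypted volume. The decision function takes three yes/no facts; the detection helper uses the real macOS tools `fdesetup status` and `system_profiler`, but reading the T2 chip from `SPiBridgeDataType` and the `DOCS_URL` placeholder are this example's assumptions.

```shell
#!/bin/sh
# Added example (not code from the gist or the Nix installer): the install
# decision flow as a POSIX sh function, plus a detection helper for macOS.
# The decision follows the per-case conclusions in the gist's text, so the
# "FileVault on, no T2" case refuses to install instead of creating a volume.

# nix_install_plan ROOT_WRITABLE FILEVAULT T2   (each "yes" or "no")
# Prints one of:
#   mkdir                 root writable: a plain /nix directory is as safe as root
#   create-volume         read-only root, FileVault off: unencrypted APFS volume
#   create-volume-notice  read-only root, FileVault on, T2 present: volume plus notice
#   abort-filevault       read-only root, FileVault on, no T2: do not install
nix_install_plan() {
  root_writable=$1; filevault=$2; t2=$3
  if [ "$root_writable" = yes ]; then
    echo mkdir
  elif [ "$filevault" = no ]; then
    echo create-volume
  elif [ "$t2" = yes ]; then
    echo create-volume-notice
  else
    echo abort-filevault
  fi
}

# explain_plan PLAN: the user-facing message for each outcome.
# DOCS_URL is a placeholder; the gist only says to point at documentation.
explain_plan() {
  case $1 in
    mkdir)
      echo "Root filesystem is writable; creating /nix as a directory." ;;
    create-volume)
      echo "Root filesystem is read-only; creating an unencrypted APFS volume for /nix." ;;
    create-volume-notice)
      echo "NOTICE: /nix will be a separate APFS volume without FileVault."
      echo "The T2 chip still encrypts it at rest, but it is not protected by your FileVault password." ;;
    abort-filevault)
      echo "Not installing: the root filesystem is read-only, FileVault is on, and there is no T2 chip,"
      echo "so an unencrypted /nix volume would bypass the protection you chose. See DOCS_URL."
      return 1 ;;
    *)
      echo "unknown plan: $1" >&2
      return 2 ;;
  esac
}

# detect_facts: prints "ROOT_WRITABLE FILEVAULT T2" for this Mac. Run as root
# (the installer uses sudo); otherwise -w reports directory permissions rather
# than the read-only mount. fdesetup and system_profiler are real macOS tools;
# reading the T2 from SPiBridgeDataType is this example's assumption.
detect_facts() {
  if [ "$(uname)" != Darwin ]; then
    echo "detect_facts: macOS only" >&2
    return 1
  fi
  if [ -w / ]; then rw=yes; else rw=no; fi
  if fdesetup status 2>/dev/null | grep -q "FileVault is On"; then fv=yes; else fv=no; fi
  if system_profiler SPiBridgeDataType 2>/dev/null | grep -q "T2"; then t2=yes; else t2=no; fi
  echo "$rw $fv $t2"
}

# Walk the gist's five user/hardware cases with constructed inputs (no system calls).
for facts in "yes no no" "no no no" "no yes no" "no no yes" "no yes yes"; do
  set -- $facts
  echo "root_writable=$1 filevault=$2 t2=$3 -> $(nix_install_plan "$1" "$2" "$3")"
done

# On a real Mac, set NIX_PLAN_DETECT=1 to evaluate the actual machine.
if [ "${NIX_PLAN_DETECT:-0}" = 1 ]; then
  facts=$(detect_facts) || exit 1
  explain_plan "$(nix_install_plan $facts)"
fi
```

The decision is kept separate from detection so the five cases can be exercised on any machine; only the `NIX_PLAN_DETECT=1` path touches the system, and it does nothing beyond printing the plan.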
