From 70731cdddad4e3a609aee2eaf23c34a2149d8b30 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Thu, 25 Jun 2026 05:59:05 +0200 Subject: [PATCH] fix(firstboot): run the password gate before the GPU/KMS switch Reorder the gate to REQUIRE: FILESYSTEMS devfs / BEFORE: clawdie_live_gpu LOGIN so it runs on the plain early boot text console, before clawdie_live_gpu does its KMS/framebuffer mode-switch. That removes the console-flush race entirely, so the sleep 1 + screen-clear workaround is gone. Still before LOGIN, hence before sddm and colibri_daemon (race-free property preserved). Co-Authored-By: Claude Opus 4.8 --- .../operator-session/clawdie-firstboot-rootpw | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/live/operator-session/clawdie-firstboot-rootpw b/live/operator-session/clawdie-firstboot-rootpw index 0b5a6abf..3ac395ed 100644 --- a/live/operator-session/clawdie-firstboot-rootpw +++ b/live/operator-session/clawdie-firstboot-rootpw @@ -24,9 +24,14 @@ # countdown lives only in _start and is not exercised by the logic test. # PROVIDE: clawdie_firstboot_rootpw -# REQUIRE: clawdie_live_gpu FILESYSTEMS -# BEFORE: sddm colibri_daemon +# REQUIRE: FILESYSTEMS devfs +# BEFORE: clawdie_live_gpu LOGIN # KEYWORD: nojail +# +# Ordering: runs on the plain early boot text console, BEFORE clawdie_live_gpu +# does its KMS/framebuffer mode-switch (so there is no console-flush race) and +# BEFORE LOGIN (so before sddm and before colibri_daemon, which REQUIRE LOGIN). +# Needs only FILESYSTEMS + devfs (console, /etc/master.passwd, /var marker, pw). if [ -r /etc/rc.subr ]; then . /etc/rc.subr 
@@ -103,15 +108,12 @@ _rootpw_prompt_and_set() { clawdie_firstboot_rootpw_start() { _rootpw_secured && return 0 - # Talk to the operator on the system console. + # Talk to the operator on the system console. We run before the GPU/KMS + # mode-switch, so this is the stable early text console — no settle/clear + # workaround needed. exec < "${ROOTPW_CONSOLE}" > "${ROOTPW_CONSOLE}" 2>&1 - # vt(4)/framebuffer may not have flushed right after the GPU rc script; - # settle and clear (terminfo-free) so the prompt is actually visible. - sleep 1 - printf '\033[H\033[2J' - - printf '================ FIRST BOOT — SECURE THIS NODE ================\n\n' + printf '\n================ FIRST BOOT — SECURE THIS NODE ================\n\n' printf ' This stick boots with NO root password. Set one now.\n' printf ' WRITE BOTH PASSWORDS ON PAPER — there is no recovery.\n\n' printf ' Press ENTER within %ss to set passwords' "${ROOTPW_COUNTDOWN}"
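Review bot: In the rcorder header hunk (@@ -24,9 +24,14 @@), the new `# BEFORE: clawdie_live_gpu LOGIN` line drops the explicit `sddm colibri_daemon` entries, so the gate now precedes those two services only if each of them declares `REQUIRE: LOGIN`. The added ordering comment asserts that, but nothing in this patch shows or enforces it. Because the script exists to set a root password on a stick that boots without one, I would keep the explicit edges as well, e.g. `# BEFORE: clawdie_live_gpu LOGIN sddm colibri_daemon` (redundant edges are harmless to rcorder), or have the logic test run rcorder and assert that this script sorts ahead of both, so a later change to either service's REQUIRE line cannot silently move it in front of the gate.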
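Review bot: In the clawdie_firstboot_rootpw_start hunk (@@ -103,15 +108,12 @@), the context line `exec < "${ROOTPW_CONSOLE}" > "${ROOTPW_CONSOLE}" 2>&1` stays unchecked while the script moves to a point in boot where only FILESYSTEMS and devfs are guaranteed, and the `sleep 1` settle step is removed in the same hunk. If the console node cannot be opened at that stage, what happens next is not defined by anything visible here, and the banner a few lines below states that the stick boots with no root password. Please guard the redirect, for example by testing `[ -c "${ROOTPW_CONSOLE}" ]` first, and state in the new comment whether the gate fails closed or lets boot continue when the console is unavailable. The header comment in this file also notes that `_start` is not exercised by the logic test, so this path has no coverage after the reorder.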