grub-devel

Re: Patch to support GELI passphrase passthrough


From: Kris Moore
Subject: Re: Patch to support GELI passphrase passthrough
Date: Mon, 08 Dec 2014 17:20:08 -0500
User-agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0

On 11/28/2014 14:36, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> On 27.10.2014 16:56, Kris Moore wrote:
>> On 10/22/2014 13:50, Kris Moore wrote:
>>> On 10/22/2014 13:47, Andrei Borzenkov wrote:
>>>> On Wed, 22 Oct 2014 13:12:32 -0400
>>>> Kris Moore <address@hidden> writes:
>>>>
>>>>> Hey, just a small patch to submit today. If you rather I send this to
>>>>> the bug tracker then I can do that also.
>>>>>
>>>>> This patch allows exporting the FreeBSD GELI passphrase to the kernel
>>>>> environment, which we will be doing in PC-BSD to avoid prompting for the
>>>>> passphrase a second time at bootup.
>>>>>
>>>>>    if (!grub_password_get (passphrase, MAX_PASSPHRASE))
>>>>>      return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
>>>>>  
>>>>> +  /* Set the GELI passphrase to GRUB env, for passing to FreeBSD kernel 
>>>>> */
>>>>> +  grub_env_set ("gelipassphrase", passphrase);
>>>>> +
>>>> If I read BSD loader correctly, this should be kFreeBSD.gelipassphrase.
>>>> Is geli freebsd-specific?
>>>>
>>>>>    /* Calculate the PBKDF2 of the user supplied passphrase.  */
>>>>>    if (grub_le_to_cpu32 (header.niter) != 0)
>>>>>      {
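Review bot: grub_env_set ("gelipassphrase", passphrase) runs before the PBKDF2 check that follows it, so a mistyped passphrase ends up in the GRUB environment as well; move the call to after the passphrase has been verified against the header. The variable name is also fixed, so a second cryptomount for another GELI provider silently overwrites the value stored for the first; a per-device name (for example derived from the provider UUID) or an opt-in cryptomount flag would avoid that, and the comment should state that the value is never cleared from the environment once set.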
>>>> It sounds more logical to export it after it has been verified?
>>>>
>>>> I tried to find out about this "gelipassphrase" kernel variable but did
>>>> not find anything. Is it already used anywhere?
>>>>
>>>>> Let me know if you have any suggestions or need any changes. I'm
>>>>> currently hacking on support for EFI framebuffer settings to be passed
>>>>> to FreeBSD kernel as well, will send patches once I get things working
>>>>> there.
>>>>>
>>>> _______________________________________________
>>>> Grub-devel mailing list
>>>> address@hidden
>>>> https://lists.gnu.org/mailman/listinfo/grub-devel
>>> Well, this patch just makes the variable available to the grub.cfg file,
>>> then we do some stuff there like this:
>>>
>>> set kFreeBSD.kern.geom.eli.passphrase=<passphrase>
>>>
>>> The patch for support in FreeBSD should be in HEAD soon, but here it is
>>> if you want to take a look:
>>>
>>> https://github.com/pcbsd/freebsd/commit/79f4efcf6a7d4268781adc227d76ed9f7f0b685d
>>>
>> Any further thoughts on this patch? The FreeBSD integration hit HEAD a
>> few days back.
>>
>> https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
>>
>> The reason I don't export the variable directly is so that when GRUB is
>> used to boot older versions of FreeBSD we don't set that variable, where
>> it isn't cleared from kernel memory. I would rather users enable it in
>> their grub.cfg manually, just so they know what it is doing.
>>
> How do you propose to handle the case of multiple geli disks? Perhaps it
> makes more sense to add a command-line flag to cryptomount to save the
> passphrase? Or to have the name of the variable derived from the UUID
> and/or disk name (both can coexist)?
>

At the moment the FreeBSD system doesn't have a way to pass through
multiple keys for different disks. It will just try the single key
provided and prompt for others if that doesn't match.

If they change this in the future, then I would probably amend the grub
patches to export multiple variables from the UUIDs.

-- 
Kris Moore
PC-BSD Software
iXsystems


Attachment: signature.asc
Description: OpenPGP digital signature
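The thread above only shows the single `set kFreeBSD.kern.geom.eli.passphrase=<passphrase>` line. The fragment below is a constructed grub.cfg menu entry (added here as an illustration; it is not from the patch, from PC-BSD or from FreeBSD) showing how the opt-in passthrough Kris describes fits into a complete GELI-on-ZFS boot. It assumes a GRUB build carrying the patch, so that a successful cryptomount leaves the typed passphrase in `$gelipassphrase`, and a kernel new enough to consume and clear `kern.geom.eli.passphrase`. The GELI UUID, the pool name and the module paths are placeholders.

```grub
# Constructed example grub.cfg fragment, not part of the original thread.
# Assumes: a GRUB with the gelipassphrase patch applied, and a FreeBSD
# kernel that reads and clears kern.geom.eli.passphrase.
# The UUID, the ZFS dataset and the file paths are placeholders.

insmod cryptodisk
insmod geli
insmod zfs

# Unlock the GELI provider by its UUID; this prompts once for the passphrase.
# With the patch applied, a successful unlock stores it in $gelipassphrase.
cryptomount -u 5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a

# Opt in to the passthrough only when the unlock populated the variable.
# Leave this block out of menu entries that boot an older kernel, which
# does not clear the variable from kernel memory.
if [ -n "$gelipassphrase" ]; then
  # GRUB's kfreebsd loader hands every kFreeBSD.* variable to the kernel
  # environment, where this one becomes kern.geom.eli.passphrase.
  set kFreeBSD.kern.geom.eli.passphrase="$gelipassphrase"
  # Drop GRUB's own copy once it has been handed over.
  unset gelipassphrase
fi

# Boot from the now-unlocked provider.
set root=(cryptouuid/5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a)
kfreebsd /boot/kernel/kernel
kfreebsd_module_elf /boot/kernel/geom_eli.ko
kfreebsd_module_elf /boot/kernel/zfs.ko
kfreebsd_module /boot/zfs/zpool.cache type=/boot/zfs/zpool.cache
set kFreeBSD.vfs.root.mountfrom=zfs:tank/ROOT/default
set kFreeBSD.vfs.root.mountfrom.options=rw
boot
```

Two caveats for anyone adopting this: `unset` removes the variable from GRUB's environment but gives no guarantee that the bytes are scrubbed from memory, and the `kFreeBSD.*` copy necessarily stays in GRUB until the kernel takes over, so the passthrough only shortens the passphrase's lifetime if the kernel side does clear it, which is exactly why the thread keeps it opt-in per menu entry rather than exporting it unconditionally from cryptomount.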

