From: CyberLeo Kitsana
To: FreeBSD Geom <freebsd-geom@freebsd.org>
Date: Sat, 15 Nov 2014 19:04:38 -0600
Subject: [patch] GELI Boot-time unlock failure
Message-ID: <5467F826.3070208@cyberleo.net>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193624

I've reworked the patch to apply to 10.1-RELEASE, and am now using it successfully. The proper fix for this issue is most likely a new metadata version to set the md_iterations per-keyslot instead of per-container, but I didn't want to introduce incompatibility without input from the current GELI maintainers; this patch works with the layout as-is.
If a GELI container has a keyfile in one slot and a passphrase in the other (to implement automatic boot-time unlock with offline key escrow, for example), the boot-time unlock code will get confused and assume the key and passphrase are to be combined, resulting in a container that cannot be unlocked during boot when its keyfile is preloaded. The included patch attempts to unlock using only the keyfile first.

Thanks!

--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net

Furry Peace! - http://www.fur.com/peace/
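Added model of the slot-matching order the mail describes (not GELI's own code and not the attached patch): a container whose single per-container iteration count is shared by a keyfile-only slot and a passphrase-only slot, an unlock routine that always folds keyfile and passphrase together, and the patched order that tries the keyfile alone first. The derivation, salt and slot check are simplified stand-ins chosen for this illustration.

```python
import hashlib
import hmac

# Constructed stand-in for GELI key derivation: keyfile bytes are fed into an
# HMAC, and an optional passphrase is stretched with PBKDF2 using the
# container-wide iteration count. This is a model, not GELI's real scheme.
def derive_slot_key(keyfiles, passphrase, iterations):
    h = hmac.new(b"model-derivation-key", digestmod=hashlib.sha512)
    for kf in keyfiles:
        h.update(kf)
    if passphrase is not None:
        h.update(hashlib.pbkdf2_hmac("sha512", passphrase, b"model-salt", iterations))
    return h.digest()

def make_container(keyfile, passphrase, iterations):
    """Slot 0 is protected by the keyfile alone; slot 1 by the passphrase alone.
    Only one iteration count exists for the whole container, as in the mail."""
    return {
        "iterations": iterations,
        "slots": [derive_slot_key([keyfile], None, iterations),
                  derive_slot_key([], passphrase, iterations)],
    }

def slot_matches(container, key):
    # Stand-in for decrypting a slot and verifying its MAC.
    return any(hmac.compare_digest(key, slot) for slot in container["slots"])

def unlock_combined_only(container, keyfile, passphrase):
    """Boot-time behaviour the mail reports: keyfile and passphrase are
    always combined, so neither single-factor slot can ever match."""
    key = derive_slot_key([keyfile], passphrase, container["iterations"])
    return slot_matches(container, key)

def unlock_keyfile_first(container, keyfile, passphrase=None):
    """Patched order: preloaded keyfile alone first, then keyfile+passphrase
    if a passphrase was entered. Returns the attempt that succeeded, or None."""
    it = container["iterations"]
    if slot_matches(container, derive_slot_key([keyfile], None, it)):
        return "keyfile"
    if passphrase is not None and slot_matches(
            container, derive_slot_key([keyfile], passphrase, it)):
        return "keyfile+passphrase"
    return None
```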