From owner-svn-src-all@freebsd.org Tue Jul 7 18:52:24 2015 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 04ED1994BB0; Tue, 7 Jul 2015 18:52:24 +0000 (UTC) (envelope-from gjb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E89EE155A; Tue, 7 Jul 2015 18:52:23 +0000 (UTC) (envelope-from gjb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.70]) by repo.freebsd.org (8.14.9/8.14.9) with ESMTP id t67IqN1Z050407; Tue, 7 Jul 2015 18:52:23 GMT (envelope-from gjb@FreeBSD.org) Received: (from gjb@localhost) by repo.freebsd.org (8.14.9/8.14.9/Submit) id t67IqNdj050406; Tue, 7 Jul 2015 18:52:23 GMT (envelope-from gjb@FreeBSD.org) Message-Id: <201507071852.t67IqNdj050406@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: gjb set sender to gjb@FreeBSD.org using -f From: Glen Barber Date: Tue, 7 Jul 2015 18:52:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r285249 - stable/10/sys/geom/eli X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Jul 2015 18:52:24 -0000 Author: gjb Date: Tue Jul 7 18:52:22 2015 New Revision: 285249 URL: https://svnweb.freebsd.org/changeset/base/285249 Log: MFC r273489 (cperciva): Populate the GELI passphrase cache with the kern.geom.eli.passphrase variable (if any) provided in the boot environment. Unset it from the kernel environment after doing this, so that the passphrase is no longer present in kernel memory once we enter userland. This will make it possible to provide a GELI passphrase via the boot loader. PR: 200448 Approved by: re (kib) Sponsored by: The FreeBSD Foundation Modified: stable/10/sys/geom/eli/g_eli.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/geom/eli/g_eli.c ============================================================================== --- stable/10/sys/geom/eli/g_eli.c Tue Jul 7 18:46:41 2015 (r285248) +++ stable/10/sys/geom/eli/g_eli.c Tue Jul 7 18:52:22 2015 (r285249) @@ -99,6 +99,25 @@ SYSCTL_UINT(_kern_geom_eli, OID_AUTO, bo &g_eli_boot_passcache, 0, "Passphrases are cached during boot process for possible reuse"); static void +fetch_loader_passphrase(void * dummy) +{ + char * env_passphrase; + + KASSERT(dynamic_kenv, ("need dynamic kenv")); + + if ((env_passphrase = kern_getenv("kern.geom.eli.passphrase")) != NULL) { + /* Extract passphrase from the environment. */ + strlcpy(cached_passphrase, env_passphrase, + sizeof(cached_passphrase)); + freeenv(env_passphrase); + + /* Wipe the passphrase from the environment. */ + kern_unsetenv("kern.geom.eli.passphrase"); + } +} +SYSINIT(geli_fetch_loader_passphrase, SI_SUB_KMEM + 1, SI_ORDER_ANY, + fetch_loader_passphrase, NULL); +static void zero_boot_passcache(void * dummy) {