From owner-freebsd-questions@FreeBSD.ORG Sun Dec 7 19:59:46 2008
Message-ID: <493C2B37.7070700@palaceofretention.ca>
Date: Sun, 07 Dec 2008 14:59:51 -0500
From: Vinny
To: User Questions
References: <48D45F98.6030504@palaceofretention.ca>
In-Reply-To: <48D45F98.6030504@palaceofretention.ca>
Subject: Re: geli authentication algo and newfs weirdness

Vinny wrote:
> Hello Everyone,
>
> I've been reading up on geli and decided I wanted to
> use data authentication. This involves the -a switch
> on the geli init command.
> Here's what I've found:
>
> ===== No authentication (the disk size is correct @ 152G):
>
> the/root{143}~# geli init da1
> Enter new passphrase:
> Reenter new passphrase:
> the/root{144}~# geli attach da1
> Enter passphrase:
>
> the/root{147}~# newfs -N /dev/da1.eli
> /dev/da1.eli: 152627.8MB (312581804 sectors) block size 16384, fragment
> size 2048
> using 831 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, ...
>
> the/root{148}~# newfs /dev/da1.eli
> /dev/da1.eli: 152627.8MB (312581804 sectors) block size 16384, fragment
> size 2048
> using 831 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, 1129216, ...
>
> ===== With hmac/sha256 (or any other) authentication
> (small disk size 76G) :
>
> the/root{156}~# geli init -a hmac/sha256 /dev/da1
> Enter new passphrase:
> Reenter new passphrase:
> the/root{157}~#
> the/root{157}~# geli attach da1
> Enter passphrase:
>
> the/root{159}~# newfs -N /dev/da1.eli
> /dev/da1.eli: 76313.9MB (156290900 sectors) block size 16384, fragment
> size 2048
> using 416 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, ...
>
> the/root{163}~# newfs /dev/da1.eli
> /dev/da1.eli: 76313.9MB (156290900 sectors) block size 16384, fragment
> size 2048
> using 416 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> newfs: can't read old UFS1 superblock: read error from block device:
> Invalid argument
>
> the/root{110}~# geli dump -v da1
> Metadata on da1:
> magic: GEOM::ELI
> version: 3
> flags: 0x10
> ealgo: AES-CBC
> keylen: 128
> aalgo: HMAC/SHA256
> provsize: 160041885696
> sectorsize: 512
> keys: 0x01
> iterations: 67988
> Salt: c708
>
> =====
>
> Anyone know what I've done wrong? Is data authentication working?
>
> Thanks!
> Vinny
>

The eventual solution came from Richard Farr.
A few messages later and here are the results:

I wrote:
> Hello Richard and Thanks! Sorry for my late reply.
>
> Richard Farr wrote:
>> Hi Vinny,
>>
>> I had this problem as well when trying to initialize a disk with GELI
>> and create slices/partitions/fs.
>>
>> I believe the problem is caused because the sectors of the newly
>> created GELI device still have whatever data was in them from before
>> the "geli init" command. Therefore, this data will not have the
>> correct mac inside of the sector. It looks like newfs attempts to
>> read from some of these uninitialized sectors - causing a mac
>> verification failure and a read error. In order to fix this, simply
>> attach the geli device and then use dd to write to all sectors of the
>> device to update them with a correct mac:
>>
>> dd if=/dev/random of=/dev/da1.eli bs=8M
>>
>> Once this is done newfs should work like a charm.
> Indeed, the results follow, but I'd like to thank you
> for the solution. I had habitually used dd on
> the raw device before running geli init. That is,
>
> dd if=/dev/random of=/dev/da2 bs=1m
>
> Then I'd init it. Didn't occur to me that doing
> that on the da2.eli device would solve the newfs
> problem.
>
> The results:
>
> the/root{120}~# geli init -a hmac/sha256 /dev/da2
> Enter new passphrase:
> Reenter new passphrase:
> the/root{121}~# geli attach da2
> Enter passphrase:
>
> the/root{122}~# newfs -N /dev/da2.eli
> /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment size 2048
> using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, 1129216, 1505568, 1881920
>
> the/root{123}~# newfs /dev/da2.eli
> /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment size 2048
> using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> newfs: can't read old UFS1 superblock: read error from block device:
> Invalid argument
>
> the/root{124}~# dd if=/dev/random of=/dev/da2.eli bs=1m
> load: 1.15 cmd: dd 96350 [physwr] 0.00u 30.56s 9% 1668k
> 747+0 records in
> 746+0 records out
> 782237696 bytes transferred in 322.992946 secs (2421841 bytes/sec)
> dd: /dev/da2.eli: short write on character device
> dd: /dev/da2.eli: end of device
> 977+0 records in
> 976+1 records out
> 1024450048 bytes transferred in 422.242968 secs (2426210 bytes/sec)
>
> the/root{125}~# newfs -N /dev/da2.eli
> /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment size 2048
> using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, 1129216, 1505568, 1881920
>
> the/root{126}~# newfs /dev/da2.eli
> /dev/da2.eli: 977.0MB (2000876 sectors) block size 16384, fragment size 2048
> using 6 cylinder groups of 183.77MB, 11761 blks, 23552 inodes.
> super-block backups (for fsck -b #) at:
> 160, 376512, 752864, 1129216, 1505568, 1881920
>
> Success!
>
> Vinny
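
Richard Farr's explanation in the thread above, modelled as an added example (not part of the original messages, and not GELI's code or on-disk layout): a toy device keeps an HMAC-SHA256 tag with every sector, so sectors that were never written through it fail verification with EINVAL until each one has been overwritten. The class, the function names, the key and the 16-sector stale buffer are all constructed for illustration.

```python
import errno, hashlib, hmac

SECTOR = 512   # logical sector size handed to the filesystem
MAC_LEN = 32   # HMAC-SHA256 tag length in bytes

class AuthenticatedDevice:
    """Toy model only: each sector is stored as data || HMAC(key, index || data)."""
    def __init__(self, backing: bytearray, key: bytes):
        self.backing, self.key = backing, key
        self.stride = SECTOR + MAC_LEN
        self.nsectors = len(backing) // self.stride

    def _tag(self, index: int, data: bytes) -> bytes:
        msg = index.to_bytes(8, "little") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, index: int, data: bytes) -> None:
        off = index * self.stride
        self.backing[off:off + self.stride] = data + self._tag(index, data)

    def read(self, index: int) -> bytes:
        off = index * self.stride
        data = bytes(self.backing[off:off + SECTOR])
        tag = bytes(self.backing[off + SECTOR:off + self.stride])
        if not hmac.compare_digest(tag, self._tag(index, data)):
            # Same errno newfs reported in the thread: "Invalid argument".
            raise OSError(errno.EINVAL, f"sector {index}: MAC verification failed")
        return data

def unreadable(dev: AuthenticatedDevice) -> list:
    """Return the indices of sectors whose stored tag does not verify."""
    bad = []
    for i in range(dev.nsectors):
        try:
            dev.read(i)
        except OSError:
            bad.append(i)
    return bad

def demo() -> tuple:
    # Constructed input: 16 sectors of leftover bytes from before "init".
    stale = bytearray(b"\xa5" * (16 * (SECTOR + MAC_LEN)))
    dev = AuthenticatedDevice(stale, key=b"constructed-demo-key")
    before = len(unreadable(dev))
    dev.write(0, bytes(SECTOR))          # one write repairs one sector only
    partial = unreadable(dev)
    for i in range(dev.nsectors):        # the dd step: write every sector
        dev.write(i, bytes(SECTOR))
    return before, partial, unreadable(dev)
```

`demo()` returns the number of unreadable sectors on the fresh device, the list still unreadable after a single write, and the list after the full overwrite.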