From owner-svn-src-all@FreeBSD.ORG Wed Apr 1 02:01:36 2015 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 65E15FB9; Wed, 1 Apr 2015 02:01:36 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4F0FCD18; Wed, 1 Apr 2015 02:01:36 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t3121aOM057113; Wed, 1 Apr 2015 02:01:36 GMT (envelope-from dteske@FreeBSD.org) Received: (from dteske@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t3121Zoq057109; Wed, 1 Apr 2015 02:01:35 GMT (envelope-from dteske@FreeBSD.org) Message-Id: <201504010201.t3121Zoq057109@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: dteske set sender to dteske@FreeBSD.org using -f From: Devin Teske Date: Wed, 1 Apr 2015 02:01:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r280938 - in head: sys/boot/forth usr.sbin/bsdinstall/scripts X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Apr 2015 02:01:36 -0000 Author: dteske Date: Wed Apr 1 02:01:34 2015 New Revision: 280938 URL: https://svnweb.freebsd.org/changeset/base/280938 Log: Add "GELI Passphrase:" prompt to boot loader. Summary: Add "GELI Passphrase:" prompt to boot loader. A new loader.conf(5) option of geom_eli_passphrase_prompt="YES" will now allow you to enter your geli(8) root-mount credentials prior to invoking the kernel. See check-password.4th(8) for details. Differential Revision: https://reviews.freebsd.org/D2105 Reviewed by: (your name[s] here) MFC after: 3 days X-MFC-to: stable/10 Relnotes: yes Test Plan: Drop a head copy of check-password.4th into /boot and then apply the patch (only the patch to /boot/check-password.4th is required; no other changes are required but you do have to have a HEAD copy of check-password.4th to apply the patch). NB: The rest of your /boot files can be up to 2 years old but no older. NB: The test won't work unless your kernel has the following change https://svnweb.freebsd.org/base?view=revision&revision=273489 Now, put into /boot/loader.conf: geom_eli_passphrase_prompt="YES" and reboot. You should be prompted for a GELI passphrase before the menu (if enabled), just after loading loader.conf(5). NB: It doesn't matter if you're using GELI or not. However if you are using GELI and a sufficiently new enough release (has SVN r273489) and you entered the proper passphrase to mount your GELI encrypted root device(s), you should notice that the boot process did not stop (you went from loader all the way to login). Reviewers: cperciva, allanjude, scottl, kmoore Subscribers: jkh, imp Differential Revision: https://reviews.freebsd.org/D2105 Modified: head/sys/boot/forth/check-password.4th head/sys/boot/forth/check-password.4th.8 head/sys/boot/forth/loader.conf head/usr.sbin/bsdinstall/scripts/zfsboot Modified: head/sys/boot/forth/check-password.4th ============================================================================== --- head/sys/boot/forth/check-password.4th Wed Apr 1 01:54:28 2015 (r280937) +++ head/sys/boot/forth/check-password.4th Wed Apr 1 02:01:34 2015 (r280938) @@ -146,6 +146,15 @@ only forth definitions also password-pro 2drop read-reset else drop then + \ Prompt for GEOM ELI (geli(4)) passphrase if enabled + s" geom_eli_passphrase_prompt" getenv dup -1 <> if + s" YES" compare-insensitive 0= if + s" GELI Passphrase: " read ( prompt -- ) + readval readlen @ s" kern.geom.eli.passphrase" setenv + read-reset + then + else drop then + \ Exit if a password was not set s" password" getenv -1 = if exit else drop then Modified: head/sys/boot/forth/check-password.4th.8 ============================================================================== --- head/sys/boot/forth/check-password.4th.8 Wed Apr 1 01:54:28 2015 (r280937) +++ head/sys/boot/forth/check-password.4th.8 Wed Apr 1 02:01:34 2015 (r280938) @@ -1,4 +1,4 @@ -.\" Copyright (c) 2011-2012 Devin Teske +.\" Copyright (c) 2011-2015 Devin Teske .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 10, 2012 +.Dd March 20, 2015 .Dt CHECK-PASSWORD.4TH 8 .Os .Sh NAME @@ -33,8 +33,12 @@ .Sh DESCRIPTION The file that goes by the name of .Nm -is a set of commands designed to either prevent booting or prevent modification -of boot options without an appropriately configured password. +is a set of commands designed to do one or more of the following: +.Pp +.Dl o Prevent booting without password +.Dl o Prevent modification of boot options without password +.Dl o Provide a password to mount geli(8) encrypted root disk(s) +.Pp The commands of .Nm by themselves are not enough for most uses. @@ -58,14 +62,23 @@ The commands provided by it are: .Pp .Bl -tag -width disable-module_module -compact -offset indent .It Ic check-password -Dual-purpose function that can either protect the interactive boot menu or -prevent boot without password (separately). +Multi-purpose function that can protect the interactive boot menu, +prevent boot without password, or prompt for geli(8) passphrase +.Pq depending on Xr loader.conf 5 settings . .Pp First checks .Va bootlock_password and if-set, the user cannot continue until the correct password is entered. .Pp -Next checks +Next, checks +.Va geom_eli_passphrase_prompt +and if set to +.Li YES +.Pq case-insensitive +prompts the user to enter their GELI password for later mounting of the root +device(s) during boot. +.Pp +Last, checks .Va password and if-set, tries to .Ic autoboot @@ -81,6 +94,11 @@ The environment variables that effect it Sets the bootlock password (up to 16 characters long) that is required by .Ic check-password to be entered before the system is allowed to boot. +.It Va geom_eli_passphrase_prompt +Selects whether loader(8) will prompt for GELI credentials, handing-off to the +kernel for later mounting of +.Xr geli 8 +encrypted root device(s). .It Va password Sets the password (up to 16 characters long) that is required by .Ic check-password @@ -122,6 +140,16 @@ to prevent booting without password: .Bd -literal -offset indent -compact bootlock_password="boot" .Ed +.Pp +Add the following to +.Xr loader.conf 5 +to generate a prompt at boot to collect GELI credentials for mounting +.Xr geli 8 +encrypted root device(s): +.Pp +.Bd -literal -offset indent -compact +geom_eli_passphrase_prompt="YES" +.Ed .Sh SEE ALSO .Xr loader.conf 5 , .Xr loader 8 , Modified: head/sys/boot/forth/loader.conf ============================================================================== --- head/sys/boot/forth/loader.conf Wed Apr 1 01:54:28 2015 (r280937) +++ head/sys/boot/forth/loader.conf Wed Apr 1 02:01:34 2015 (r280938) @@ -62,6 +62,7 @@ entropy_cache_type="/boot/entropy" # "NO" to disable autobooting #password="" # Prevent changes to boot options #bootlock_password="" # Prevent booting (see check-password.4th(8)) +#geom_eli_passphrase_prompt="NO" # Prompt for geli(8) passphrase to mount root #beastie_disable="NO" # Turn the beastie boot menu on and off #kernels="kernel kernel.old" # Kernels to display in the boot menu #loader_logo="orbbw" # Desired logo: orbbw, orb, fbsdbw, beastiebw, beastie, none Modified: head/usr.sbin/bsdinstall/scripts/zfsboot ============================================================================== --- head/usr.sbin/bsdinstall/scripts/zfsboot Wed Apr 1 01:54:28 2015 (r280937) +++ head/usr.sbin/bsdinstall/scripts/zfsboot Wed Apr 1 02:01:34 2015 (r280938) @@ -1343,6 +1343,9 @@ zfs_create_boot() $BSDINSTALL_TMPBOOT/loader.conf.aesni || return $FAILURE f_eval_catch $funcname echo "$ECHO_APPEND" 'geom_eli_load=\"YES\"' \ $BSDINSTALL_TMPBOOT/loader.conf.geli || return $FAILURE + f_eval_catch $funcname echo "$ECHO_APPEND" \ + 'geom_eli_passphrase_prompt=\"YES\"' \ + $BSDINSTALL_TMPBOOT/loader.conf.geli || return $FAILURE for disk in $disks; do f_eval_catch $funcname printf "$PRINTF_CONF" \ geli_%s_keyfile0_load "$disk$targetpart YES" \