From owner-freebsd-current@FreeBSD.ORG Mon Apr 6 17:52:40 2015
From: Eric van Gyzen
To: Devin Teske
Cc: freebsd-current@freebsd.org, cperciva@freebsd.org
Date: Mon, 06 Apr 2015 13:52:37 -0400
Subject: Re: [RFC] Add "GELI Passphrase:" prompt to boot loader
Message-ID: <5522C7E5.4090609@FreeBSD.org>
In-Reply-To: <72AB2A13-8DA5-4320-8302-598B6672DA25@FreeBSD.org>
References: <0D7CA1BF-3052-41FD-A3E7-5BBAA51B214A@FreeBSD.org> <5522C167.6090408@vangyzen.net> <72AB2A13-8DA5-4320-8302-598B6672DA25@FreeBSD.org>

On 04/06/2015 13:39, Devin Teske wrote:
>
>> On Apr 6, 2015, at 10:24 AM, Eric van Gyzen wrote:
>>
>> On 04/06/2015 12:58, Devin Teske wrote:
>>> Hi -current,
>>>
>>> I have a pending enhancement to the boot loader that Colin P. and I
>>> have been working on together.
>>>
>>> URL: https://reviews.freebsd.org/D2105
>>>
>>> The nature of the patch is to cause the boot loader to prompt for the
>>> GELI passphrase and then pass that on (through a kenv(1) variable)
>>> to Colin’s code in geom_eli.ko where it will be:
>>>
>>> (a) picked up for-use as the initial passphrase attempt(s)
>>> (b) zeroed after being picked-up so “kenv kern.geom.eli.passphrase”
>>>     returns nothing
>>>
>>> NB: Actually, “kenv kern.geom.eli.passphrase” generates the error
>>> “kenv: unable to get kern.geom.eli.passphrase”
>>>
>>> The problem that I (we) need help in solving is:
>>>
>>> If the geom_eli.ko module doesn’t get loaded, then the variable
>>> (kern.geom.eli.passphrase) is not zeroed.
>>>
>>> While I do think that this is of minimal concern (not loading the GELI
>>> module means you won’t be able to get past the mountroot prompt in
>>> the case where GELI is required to boot), I discussed with Colin and
>>> I think we are in consensus that the resetting of the variable should
>>> perhaps be moved to another section of the kernel to prevent leakage
>>> of this sensitive information being passed through kenv(1) variable(s).
>>>
>>> Issue for me is, I’m not sure where the best place to move this to.
>>> Here’s the code that needs to be moved (Lines 108-109 of g_eli.c):
>>>
>>> https://svnweb.freebsd.org/base?view=revision&revision=273489
>>>
>>> 108	/* Wipe the passphrase from the environment. */
>>> 109	kern_unsetenv("kern.geom.eli.passphrase");
>>>
>>> Need to move that preferably to some place in the kernel that is NOT
>>> optional in the compilation process. Suggestions?
>>
>> How about putting it right after a successful mount of the root file system?
>> (I've never used GELI, so this could be as "right out" as five.)
>>
>
> I think that’s an excellent idea.
>
> /me rummages through source
>
> I’m thinking that the best place might be where we deal with the registered
> event handler for mountroot.
>
> One place that I crawled upon that looks particularly sexy is in start_init()
> of sys/kern/init_main.c:
>
> ### BEGIN SNIPPET ###
> /*
>  * Start the initial user process; try exec'ing each pathname in init_path.
>  * The program is invoked with one argument containing the boot flags.
>  */
> static void
> start_init(void *dummy)
> {
> 	vm_offset_t addr;
> 	struct execve_args args;
> 	int options, error;
> 	char *var, *path, *next, *s;
> 	char *ucp, **uap, *arg0, *arg1;
> 	struct thread *td;
> 	struct proc *p;
>
> 	mtx_lock(&Giant);
>
> 	GIANT_REQUIRED;
>
> 	td = curthread;
> 	p = td->td_proc;
>
> 	vfs_mountroot();
>
> ### RFC for code placement ###
> 	/* XXX Put reset of kern.geom.eli.passphrase here XXX */
> ##########################
>
> 	/*
> 	 * Need just enough stack to hold the faked-up "execve()" arguments.
> 	 */
> 	// snip rest //
> ### END SNIPPET ###
>
> Or can you think of a better place?

That looks good to me, although I'm no expert in this area, so you might wait
for more opinions.

Eric
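The following is an added example, not code from this thread, from Devin's review or from FreeBSD. It models the hand-off being discussed in plain userland C: a tiny kenv-like store holds `kern.geom.eli.passphrase`; a consumer standing in for geom_eli.ko copies the value out and unsets it (the equivalent of lines 108-109 of g_eli.c quoted above); a second, unconditional wipe standing in for the hook after `vfs_mountroot()` in `start_init()` removes the variable whether or not the consumer ever ran. The model's unset zeroes the entry's storage before freeing it; whether `kern_unsetenv` itself does so is not stated in the thread and is an assumption of this model. All function names (`model_setenv`, `model_getenv`, `model_unsetenv`, `geli_take_passphrase`, `post_mountroot_wipe`, `simulate_boot`) and the sample passphrase are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KENV_MAX 16
#define PASSPHRASE_VAR "kern.geom.eli.passphrase"

/* Constructed in-memory environment: "name=value" strings, NULL-terminated. */
static char *kenvp[KENV_MAX + 1];

/* Zero memory through a volatile pointer so the stores are not optimised away. */
static void secure_zero(void *p, size_t n)
{
	volatile unsigned char *vp = p;
	while (n--)
		*vp++ = 0;
}

/* Index of name in kenvp, or -1 when absent. */
static int kenv_find(const char *name)
{
	size_t len = strlen(name);
	for (int i = 0; kenvp[i] != NULL; i++)
		if (strncmp(kenvp[i], name, len) == 0 && kenvp[i][len] == '=')
			return i;
	return -1;
}

/* Set name=value. Returns 0 on success, -1 when the table is full or malloc fails. */
int model_setenv(const char *name, const char *value)
{
	int i = kenv_find(name);
	size_t n = strlen(name) + 1 + strlen(value) + 1;
	char *entry = malloc(n);
	if (entry == NULL)
		return -1;
	snprintf(entry, n, "%s=%s", name, value);
	if (i < 0) {
		for (i = 0; kenvp[i] != NULL; i++)
			;
		if (i >= KENV_MAX) {
			secure_zero(entry, n);
			free(entry);
			return -1;
		}
		kenvp[i + 1] = NULL;
	} else {
		secure_zero(kenvp[i], strlen(kenvp[i])); /* old value may be secret too */
		free(kenvp[i]);
	}
	kenvp[i] = entry;
	return 0;
}

/* Value of name, or NULL when absent (the "unable to get" case seen from kenv(1)). */
const char *model_getenv(const char *name)
{
	int i = kenv_find(name);
	return i < 0 ? NULL : kenvp[i] + strlen(name) + 1;
}

/* Remove name, zeroing its storage before freeing. 0 if removed, -1 if absent. */
int model_unsetenv(const char *name)
{
	int i = kenv_find(name);
	if (i < 0)
		return -1;
	char *old = kenvp[i];
	for (int j = i; kenvp[j] != NULL; j++)
		kenvp[j] = kenvp[j + 1];
	secure_zero(old, strlen(old));
	free(old);
	return 0;
}

static char taken[64]; /* what the consumer copied out in the last run */
const char *last_taken(void) { return taken; }

/* Stand-in for geom_eli.ko: copy the passphrase out, then wipe it (lines 108-109). */
int geli_take_passphrase(void)
{
	const char *pp = model_getenv(PASSPHRASE_VAR);
	if (pp == NULL)
		return 0;
	snprintf(taken, sizeof taken, "%s", pp);
	model_unsetenv(PASSPHRASE_VAR);
	return 1;
}

/* Stand-in for the unconditional hook after vfs_mountroot(): wipe whether or not the
 * module consumed the value. Harmless when the variable is already gone. */
void post_mountroot_wipe(void)
{
	(void)model_unsetenv(PASSPHRASE_VAR);
}

/* One simulated boot. Returns 1 if the passphrase is still readable afterwards. */
int simulate_boot(int load_geli, int fallback_wipe)
{
	taken[0] = '\0';
	model_setenv(PASSPHRASE_VAR, "constructed-test-passphrase"); /* loader prompt result */
	if (load_geli)
		geli_take_passphrase();
	if (fallback_wipe)
		post_mountroot_wipe();
	int leaked = model_getenv(PASSPHRASE_VAR) != NULL;
	(void)model_unsetenv(PASSPHRASE_VAR); /* reset the model between runs */
	return leaked;
}

int main(void)
{
	printf("module loaded, no fallback:    leak=%d\n", simulate_boot(1, 0));
	printf("module missing, no fallback:   leak=%d\n", simulate_boot(0, 0));
	printf("module missing, with fallback: leak=%d\n", simulate_boot(0, 1));
	return 0;
}
```

The three runs in `main` reproduce the cases in the thread: with the module loaded the consumer's own wipe suffices; with the module missing and only the optional wipe, the value is still readable; with the non-optional wipe after root is mounted it is gone in both cases. The reason the model zeroes before `free` is the same reason the thread wants the wipe in non-optional code: unlinking the entry from the table alone leaves the bytes where they were.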