From: Devin Teske
Subject: Re: [RFC] Add "GELI Passphrase:" prompt to boot loader
Date: Mon, 6 Apr 2015 11:09:49 -0700
To: Eric van Gyzen
Cc: Devin Teske, freebsd-current@freebsd.org, cperciva@freebsd.org
Message-Id: <97538B31-652D-4611-9F92-D1A58004A02C@FreeBSD.org>
In-Reply-To: <5522C7E5.4090609@FreeBSD.org>
References: <0D7CA1BF-3052-41FD-A3E7-5BBAA51B214A@FreeBSD.org> <5522C167.6090408@vangyzen.net> <72AB2A13-8DA5-4320-8302-598B6672DA25@FreeBSD.org> <5522C7E5.4090609@FreeBSD.org>

> On Apr 6, 2015, at 10:52 AM, Eric van Gyzen wrote:
>
> On 04/06/2015 13:39, Devin Teske wrote:
>>
>>> On Apr 6, 2015, at 10:24 AM, Eric van Gyzen wrote:
>>>
>>> On 04/06/2015 12:58, Devin Teske wrote:
>>>> Hi -current,
>>>>
>>>> I have a pending enhancement to the boot loader that Colin P. and I
>>>> have been working on together.
>>>>
>>>> URL: https://reviews.freebsd.org/D2105
>>>>
>>>> The nature of the patch is to cause the boot loader to prompt for the
>>>> GELI passphrase and then pass that on (through a kenv(1) variable)
>>>> to Colin's code in geom_eli.ko where it will be:
>>>>
>>>> (a) picked up for use as the initial passphrase attempt(s)
>>>> (b) zeroed after being picked up so "kenv kern.geom.eli.passphrase"
>>>> returns nothing
>>>>
>>>> NB: Actually, "kenv kern.geom.eli.passphrase" generates the error
>>>> "kenv: unable to get kern.geom.eli.passphrase"
>>>>
>>>> The problem that I (we) need help in solving is:
>>>>
>>>> If the geom_eli.ko module doesn't get loaded, then the variable
>>>> (kern.geom.eli.passphrase) is not zeroed.
>>>>
>>>> While I do think that this is of minimal concern (not loading the GELI
>>>> module means you won't be able to get past the mountroot prompt in
>>>> the case where GELI is required to boot), I discussed with Colin and
>>>> I think we are in consensus that the resetting of the variable should
>>>> perhaps be moved to another section of the kernel to prevent leakage
>>>> of this sensitive information being passed through kenv(1) variable(s).
>>>>
>>>> Issue for me is, I'm not sure where the best place to move this to.
>>>> Here's the code that needs to be moved (Lines 108-109 of g_eli.c):
>>>>
>>>> https://svnweb.freebsd.org/base?view=revision&revision=273489
>>>>
>>>> 108         /* Wipe the passphrase from the environment. */
>>>> 109         kern_unsetenv("kern.geom.eli.passphrase");
>>>>
>>>> Need to move that preferably to some place in the kernel that is NOT
>>>> optional in the compilation process. Suggestions?
>>>
>>> How about putting it right after a successful mount of the root file system?
>>> (I've never used GELI, so this could be as "right out" as five.)
>>>
>>
>> I think that's an excellent idea.
>>
>> /me rummages through source
>>
>> I'm thinking that the best place might be where we deal with the registered
>> event handler for mountroot.
>>
>> One place that I crawled upon that looks particularly sexy is in start_init()
>> of sys/kern/init_main.c:
>>
>> ### BEGIN SNIPPET ###
>> /*
>>  * Start the initial user process; try exec'ing each pathname in init_path.
>>  * The program is invoked with one argument containing the boot flags.
>>  */
>> static void
>> start_init(void *dummy)
>> {
>> 	vm_offset_t addr;
>> 	struct execve_args args;
>> 	int options, error;
>> 	char *var, *path, *next, *s;
>> 	char *ucp, **uap, *arg0, *arg1;
>> 	struct thread *td;
>> 	struct proc *p;
>>
>> 	mtx_lock(&Giant);
>>
>> 	GIANT_REQUIRED;
>>
>> 	td = curthread;
>> 	p = td->td_proc;
>>
>> 	vfs_mountroot();
>>
>> 	### RFC for code placement ###
>> 	/* XXX Put reset of kern.geom.eli.passphrase here XXX */
>> 	##########################
>>
>> 	/*
>> 	 * Need just enough stack to hold the faked-up "execve()" arguments.
>> 	 */
>> 	// snip rest //
>> ### END SNIPPET ###
>>
>> Or can you think of a better place?
>
> That looks good to me, although I'm no expert in this area, so you might wait
> for more opinions.
>

Kk. In the meantime, I've updated the patch in D2105 to reflect the new potential outcome.

Worth noting, that I left the kern_unsetenv() call in sys/geom/eli/geom_eli.c intact (didn't see any harm in calling kern_unsetenv() on the same variable twice; no real concerns of removing it, just didn't see any harm in leaving it).

Would like feedback on phabricator.

https://reviews.freebsd.org/D2105

—
Cheers,
Devin
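An added example, not code from this thread and not FreeBSD kernel code: a small userland C model of a kenv-style environment ("name=value" strings) that shows the two properties the thread cares about, the consumer pulling the passphrase out and dropping the variable in one step so nothing lingers if a later consumer never runs, and an unset that is harmless when called a second time. The `model_*` and `consume_secret` names, the fixed-size table and the wipe-before-free step are this example's own choices; the thread does not say what kern_unsetenv() does with the freed string, so do not read that detail back into the kernel.

```c
/* Added example: a userland model of a kenv-like environment with a
 * secret-consuming helper. Hypothetical API, not FreeBSD's kern_*env(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KENV_MAX 16

/* Hypothetical in-memory environment: NULL-terminated slots of "name=value". */
static char *kenvp[KENV_MAX];

/* Wipe memory through a volatile pointer so the store is not optimised away. */
static void secure_wipe(void *p, size_t n)
{
	volatile unsigned char *vp = p;
	while (n--)
		*vp++ = 0;
}

/* Index of the slot holding "name=...", or -1 if unset. */
static int kenv_find(const char *name)
{
	size_t len = strlen(name);
	for (int i = 0; i < KENV_MAX; i++)
		if (kenvp[i] != NULL && strncmp(kenvp[i], name, len) == 0 &&
		    kenvp[i][len] == '=')
			return i;
	return -1;
}

/* Pointer to the value of name inside the table, or NULL if unset. */
const char *model_getenv(const char *name)
{
	int i = kenv_find(name);
	return i < 0 ? NULL : strchr(kenvp[i], '=') + 1;
}

/* Set name=value; 0 on success, -1 when the table is full or out of memory.
 * An existing value is wiped before it is replaced. */
int model_setenv(const char *name, const char *value)
{
	int i = kenv_find(name);
	size_t n = strlen(name) + 1 + strlen(value) + 1;
	char *entry = malloc(n);
	if (entry == NULL)
		return -1;
	snprintf(entry, n, "%s=%s", name, value);
	if (i < 0) {
		for (i = 0; i < KENV_MAX && kenvp[i] != NULL; i++)
			;
		if (i == KENV_MAX) {
			free(entry);
			return -1;
		}
	} else {
		secure_wipe(kenvp[i], strlen(kenvp[i]));
		free(kenvp[i]);
	}
	kenvp[i] = entry;
	return 0;
}

/* Unset name, wiping the stored string before freeing it. Returns 0 if a
 * variable was removed and 1 if there was nothing to remove, so a second
 * call for the same name is a harmless no-op. */
int model_unsetenv(const char *name)
{
	int i = kenv_find(name);
	if (i < 0)
		return 1;
	secure_wipe(kenvp[i], strlen(kenvp[i]));
	free(kenvp[i]);
	kenvp[i] = NULL;
	return 0;
}

/* Copy the secret out for the caller (who must wipe its copy after use)
 * and remove it from the environment in the same step. Returns -1 if the
 * variable is unset or the caller's buffer is too small. */
int consume_secret(const char *name, char *out, size_t outlen)
{
	const char *v = model_getenv(name);
	if (v == NULL || strlen(v) >= outlen)
		return -1;
	strcpy(out, v);
	model_unsetenv(name);
	return 0;
}

int main(void)
{
	char pw[64];
	/* Constructed test value, not a real passphrase. */
	model_setenv("kern.geom.eli.passphrase", "constructed-test-passphrase");
	if (consume_secret("kern.geom.eli.passphrase", pw, sizeof pw) == 0)
		printf("consumed %zu bytes; variable is now %s\n", strlen(pw),
		    model_getenv("kern.geom.eli.passphrase") ? "still set" : "gone");
	secure_wipe(pw, sizeof pw);
	printf("second unset returned %d\n",
	    model_unsetenv("kern.geom.eli.passphrase"));
	return 0;
}
```

The point the model makes for the thread's question is that the place where the secret is read is also the safest place to drop it; moving only the unset to a code path that always runs (after vfs_mountroot(), as proposed above) closes the "module never loaded" gap, and keeping the original unset in g_eli.c costs nothing because the second call finds nothing to remove.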