From owner-freebsd-hackers@freebsd.org Tue Apr 5 12:02:37 2016
Date: Tue, 5 Apr 2016 14:02:31 +0200
From: Edward Tomasz Napierała
To: Dirk-Willem van Gulik
Cc: FreeBSD Hackers
Subject: Re: reboot with reroot / 10.3
Message-ID: <20160405120231.GB47120@brick.home>
List-Id: Technical Discussions relating to FreeBSD
User-Agent: Mutt/1.5.24 (2015-08-30)

On 0404T1350, Dirk-Willem van Gulik wrote:
> Trasz,
>
> Thanks for the wonderful reroot present in 10.3 :) First tries work well for us for a couple of scenarios around pivoting early from an ro-mounted bootup to mount the 'real' encrypted root FS that has its key stored on remote hardware (previously we used Adrian Steinmann / ast his work on Pivot Root with a lot of care/order puzzles).
>
> I gather that it creates a /dev/reroot tmpfs; copies the, at that time, on-disk version of init (as learned from a trusted kern.proc.pathname); executes init with a new -r; that essentially does (just) a kill (as only init can kill init) - and then things are mounted/cleaned up from there after attempting to run at least something from 'kern.init_path'.
>
> Where would one go to understand the trust-chain/security aspects of this? I.e. what locks the kill(1, SIGEMT) to the copy of the real init(8)? Where are the places most at risk?

There shouldn't be any security aspects - only the root can trigger it.
The source destination for copying the init(8) binary is obtained from the kernel, using KERN_PROC_PATHNAME sysctl - it's the path of on-disk init(8) binary itself.
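As an added illustration of the point in the reply (this is example code written for this page, not FreeBSD's reroot or init(8) code, and not something posted in the thread), the C program below asks the kernel for the on-disk executable path of a process through the CTL_KERN / KERN_PROC / KERN_PROC_PATHNAME sysctl MIB, which is the kern.proc.pathname lookup the question and the reply refer to. The security-relevant property is that the path comes from the kernel's record of which vnode was executed, not from anything the caller supplies (argv[0], $PATH, or a user-writable directory). The `/proc/<pid>/exe` branch is an assumption added only so the program also builds and runs on Linux; it is not part of the FreeBSD mechanism.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __FreeBSD__
#include <sys/sysctl.h>
#endif

/*
 * Ask the kernel which on-disk file backs the running process `pid`.
 * Returns 0 and fills `buf` on success, -1 on failure.
 *
 * On FreeBSD this is the KERN_PROC_PATHNAME sysctl (kern.proc.pathname.<pid>);
 * pid -1 means "the calling process". The kernel answers from the vnode it
 * exec'd, so the result cannot be steered by argv[0] or the environment.
 */
int kernel_exec_path(pid_t pid, char *buf, size_t buflen)
{
#ifdef __FreeBSD__
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PATHNAME, (int)pid };
    size_t len = buflen;

    if (sysctl(mib, 4, buf, &len, NULL, 0) != 0)
        return -1;
    return 0;
#else
    /* Portability shim (assumption for this example only): Linux exposes the
     * same kernel-resolved path as the /proc/<pid>/exe symlink. */
    char link[64];
    ssize_t n;

    if (buflen == 0)
        return -1;
    snprintf(link, sizeof link, "/proc/%ld/exe", (long)pid);
    n = readlink(link, buf, buflen - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
#endif
}

/* A caller-supplied string is only usable as a copy source if it is an
 * absolute path; relative names would be resolved against cwd or $PATH. */
int path_is_absolute(const char *path)
{
    return path != NULL && path[0] == '/';
}

int main(void)
{
    char path[4096];

    /* Ask about ourselves; init -r does the same for its own pid 1 copy. */
    if (kernel_exec_path(getpid(), path, sizeof path) != 0) {
        perror("kernel_exec_path");
        return 1;
    }
    printf("kernel says this process was exec'd from: %s\n", path);
    printf("absolute: %s\n", path_is_absolute(path) ? "yes" : "no");
    return 0;
}
```

On FreeBSD the same value can be inspected from the shell with `sysctl kern.proc.pathname.1` (as root) or `procstat -b 1`; both report the file the kernel actually executed as init, which is what `init -r` copies into the /dev/reroot tmpfs before rerooting.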