From nobody Sun Jun 26 08:08:07 2022 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 1BA1B86E75B for ; Sun, 26 Jun 2022 08:08:08 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4LW3Pz4pY6z4gJY for ; Sun, 26 Jun 2022 08:08:07 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 817D913E3B for ; Sun, 26 Jun 2022 08:08:07 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 25Q887fZ027181 for ; Sun, 26 Jun 2022 08:08:07 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 25Q887W1027180 for bugs@FreeBSD.org; Sun, 26 Jun 2022 08:08:07 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 264898] etc/rc.d/zfskeys should not reject valid keylocations Date: Sun, 26 Jun 2022 08:08:07 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: misc X-Bugzilla-Version: 13.1-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: colin@fbg22.ksac.uk X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1656230887; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=pUzIjfxNSRlukuE1K3GmViD1iCSt7HbRtEDFyqwHfHs=; b=qGH1NszgheSlO0bJQ2HMBRoMWiHV/tG3Zh0sCuH81H29zzHZKGrsFrnM1PtW1CiTmeZJfq +qXXGeVRkbtx6epO+qLGyrBVb6lWBIgOLBwCyIn7ttlrpofdjH+GByX+/Alm2hXmtQaa51 VdIt8idEGsLRwlHrVEMyjmUN7AOGPMa3jEHMdBFUR7Q7Ulwc6zpukKJ/cyVdkqG5Yuv2hG muVP1cPq0jB3jc2wermCX9iOESIGTtd0yDdG3qCrQsSfMw6pgEcrRa7N5HH3WGNofbiL2W qLcY1CdW+oSiPKcH8pM4KNADKWFli3xY/PaoMKSV02A+nXbwW3pFV+LAplwkuA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1656230887; a=rsa-sha256; cv=none; b=AAr8hPLD52FHx1fQvr9Xua0wbB9/LpLLzMwvlkItPqrNWom945+sg7fjqxzBSOWTx6g7fw C9zEejVXb3JHAO9eUmq70yz1QAvonoTpxFK1/uWHrgYCabuOP2siI33rH5bOKSw8OFf2j6 Ho7HodA04OqY/roYOPVMEoF119ikyzw890k0W+jnpF2AXCxDCoWo8LdRJzkRgQB+Z3gNw7 uIlIAs7VO5wDdJ3NGnh7n2OfbXnZTbBP8wX8Zf2nmwIs62P+NmLVo9z9Pu/zA9k/WDbUCq POife8w/u3ZzTHVw02UlyKlbMEiOwNRU2HXzQJMAcEK8YcWaN/etsk6AGVQtLQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D264898 Bug ID: 264898 Summary: etc/rc.d/zfskeys should not reject valid keylocations Product: Base System Version: 13.1-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: misc Assignee: bugs@FreeBSD.org Reporter: colin@fbg22.ksac.uk Created attachment 234945 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D234945&action= =3Dedit Patch to relax keylocation validation test performed by /etc/rc.d/zfskeys OpenZFS issue 6556 (https://github.com/openzfs/zfs/issues/6556) discusses options for loading ZFS encryption keys from raw devices in order that keys= can be held only on removable media without requiring that a filesystem on such devices be mounted first. One way to achieve this effect relies on the fact that zfs load-key will tr= eat a raw partition as a valid key file location and will accept and load keys = from it eg. a single-sector partition containing a 512-byte passphrase (see https://github.com/openzfs/zfs/issues/6556#issuecomment-497010957):- #gpart add -a 2k -i 1 -s 512b -l mykey -t ms-basic-data da0 #tr -d '\n' < /dev/random | dd of=3D/dev/gpt/mykey #zfs create -o encryption=3Daes-256-gcm -o keyformat=3Dpassphrase -o keylocation=3Dfile:///dev/gpt/mykey zpool/crypttest However /etc/rc.d/zfskeys then applies a more stringent test before attempt= ing to load the key, so encrypted ZFS datasets using such keys fail to mount automatically at boot-time. Eg. #service zfskeys restart Unmounted zpool/crypttest. Unloaded key for zpool/crypttest. Key file /dev/gpt/mykey not found, empty or unreadable. Skipping zpool/crypttest.. This is the consequence of /etc/rc.d/zfskeys testing initially whether the keylocation is a *regular* file with non-zero size. Since the script has obtained this keylocation value from the ZFS dataset properties in the first place, there doesn't seem to be much value in validating it independently. Relaxing the initial test performed by the zfskeys script as per the attach= ed patch allows the underlying OpenZFS code to determine whether or not the keylocation is valid. Automount on boot then works as expected. --=20 You are receiving this mail because: You are the assignee for the bug.=