From: Fabian Keil
To: mhca12
Cc: freebsd-questions@freebsd.org
Subject: Re: vfs.root.mountfrom with geli
Date: Tue, 5 Feb 2013 11:17:20 +0100
Message-ID: <20130205111720.024ec14a@fabiankeil.de>
References: <20130204130635.3a66d412@fabiankeil.de> <20130204182303.59c9ac72@fabiankeil.de>

mhca12 wrote:

> On Mon, Feb 4, 2013 at 6:23 PM, Fabian Keil wrote:
> > mhca12 wrote:
> >
> >> On Mon, Feb 4, 2013 at 1:06 PM, Fabian Keil wrote:
> >> > mhca12 wrote:
> >> >
> >> >> I followed the guide on dan.me.uk to install FreeBSD 9.1 amd64
> >> >> but I always get stuck because the kernel doesn't ask me for the
> >> >> passphrase and doesn't find the /dev/gpt/enc.eli where enc is the
> >> >> label I gave to the root partition. I also tried with /dev/ada0p3.eli
> >> >> without success.
> >> >>
> >> >> Tried the following two /boot/loader.config variations:
> >> >> 1:
> >> >> geom_eli_load="YES"
> >> >> vfs.root.mountfrom=”ufs:/dev/gpt/enc.eli”
> >> >> 2:
> >> >> geom_eli_load="YES"
> >> >> vfs.root.mountfrom=”ufs:/dev/ada0p3.eli”
> >> >>
> >> >> I can geli attach /dev/gpt/enc or /dev/ada0p3 successfully from
> >> >> the livecd.
> >> >>
> >> >> Can you advise me what I might have done wrong or what I
> >> >> should try?
> >> >>
> >> >> https://www.dan.me.uk/blog/2012/05/05/full-disk-encryption-in-freebsd-9-x-well-almost/
> >> >
> >> > This guide doesn't seem to match your configuration.
> >> > It uses ada0p3.eli for swapping and additionally uses keyfiles.
> >> >
> >> > Without knowing your actual configuration it's impossible to
> >> > give proper advice. You could check with "geli list ada0p3" if
> >> > the boot flag is set, but that's obviously just a wild guess ...
> >>
> >> Forgot to list my simpler setup:
> >> ada0p1 freebsd-boot
> >> ada0p2 freebsd-ufs label boot /boot
> >> ada0p3 geli freebsd-ufs label enc /
> >>
> >> Do I have to set the boot flag for any of them?
> >
> > The geli passphrase is only requested at boot time for providers that
> > have the geli boot flag set (for details see geli(8)). If it isn't set
> > on ada0p3 it would explain the described behaviour.
>
> Fabian thanks a lot. Maybe I forgot -b during geli init but a
> geli configure -b /dev/ada0p3.eli fixed it. FreeBSD is so
> well structured and logical in this regard and hopefully
> in many others as I heard.
>
> In vfs.root.mountfrom only ”ufs:/dev/ada0p3.eli” works and
> the /dev/gpt/enc.eli doesn't. Is it supposed to?

"doesn't" isn't a particularly helpful problem description.

Probably geli tastes ada0p3 before gpt/enc and once ada0p3 has
been attached gpt/enc is hidden and thus can't be attached anymore.

gpt labels aren't intentionally designed not to work with geli,
but tasting races at boot time are a known limitation and also
affect other geom classes.

As a workaround you could use glabel labels instead. I use them
for external disks to be able to geli attach them automatically
using a known name, but for internal disks whose names don't
frequently change I usually don't bother.

Fabian
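The two things the thread turns on are whether the geli provider carries the BOOT flag (checked with "geli list", set with geli init -b or geli configure -b) and what /boot/loader.conf says about the root device. The script below is an added example, not code from the mailing-list post or from FreeBSD: it works on pasted text rather than invoking geli, so the "geli list" output and the loader.conf fragments are constructed samples modelled on the formats in geli(8) and loader.conf(5). Besides the flag check it validates that each loader.conf assignment uses ASCII double quotes, because the lines quoted in the thread contain typographic quotes (U+201D) rather than the quoting loader.conf(5) specifies, and it flags a vfs.root.mountfrom that points at a gpt/<label>.eli provider, the combination Fabian describes as losing the tasting race at boot.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD). Checks for a geli-encrypted
# root: BOOT flag present, loader.conf quoting sane, mountfrom not on a gpt label.
# On a real system feed the functions "$(geli list ada0p3)" and "$(cat /boot/loader.conf)".

# Return 0 if the given `geli list` output lists BOOT among the Flags.
# Flags are comma separated ("Flags: NONE", "Flags: BOOT", ...), so split on commas
# and require an exact BOOT entry rather than a substring match.
geli_has_boot_flag() {
    printf '%s\n' "$1" \
        | sed -n 's/^Flags:[[:space:]]*//p' \
        | tr ',' '\n' | tr -d ' ' \
        | grep -qx BOOT
}

# Return 0 if the line is a loader.conf assignment whose value is wrapped in
# ASCII double quotes; a value wrapped in U+201D fails because its first byte
# after "=" is not the 0x22 quote character.
loader_conf_line_ok() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.]*="[^"]*"[[:space:]]*$'
}

# Print every non-blank, non-comment line of loader.conf text that fails the check.
loader_conf_bad_lines() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        loader_conf_line_ok "$line" || printf '%s\n' "$line"
    done
}

# Return 0 if vfs.root.mountfrom names a gpt/<label>.eli provider. The thread
# reports this as unreliable: ada0p3 may be tasted and attached before gpt/enc,
# after which the label is hidden; a glabel name is the suggested alternative.
mountfrom_uses_gpt_label_eli() {
    printf '%s\n' "$1" | grep -Eq '^vfs\.root\.mountfrom="[a-z]+:/dev/gpt/[^"]+\.eli"'
}

# Constructed sample, modelled on geli(8) output: provider initialised without -b.
SAMPLE_GELI_LIST_NOBOOT='Geom name: ada0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Flags: NONE
KeysAllocated: 1
KeysTotal: 1'

# Constructed sample: the same provider after `geli configure -b ada0p3`.
SAMPLE_GELI_LIST_BOOT='Geom name: ada0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Flags: BOOT
KeysAllocated: 1
KeysTotal: 1'

# Constructed loader.conf fragments: the first is the working configuration from
# the thread, the second wraps the value in U+201D (bytes 0xE2 0x80 0x9D).
GOOD_LOADER_CONF='geom_eli_load="YES"
vfs.root.mountfrom="ufs:/dev/ada0p3.eli"'
BAD_LOADER_CONF=$(printf 'geom_eli_load="YES"\nvfs.root.mountfrom=\342\200\235ufs:/dev/ada0p3.eli\342\200\235')

# Demonstration on the constructed samples.
for sample in "$SAMPLE_GELI_LIST_NOBOOT" "$SAMPLE_GELI_LIST_BOOT"; do
    if geli_has_boot_flag "$sample"; then
        echo "BOOT flag set: the passphrase will be requested at boot"
    else
        echo "BOOT flag missing: run 'geli configure -b <provider>'"
    fi
done
loader_conf_bad_lines "$BAD_LOADER_CONF" | sed 's/^/bad loader.conf line: /'
if mountfrom_uses_gpt_label_eli 'vfs.root.mountfrom="ufs:/dev/gpt/enc.eli"'; then
    echo "mountfrom uses a gpt label with geli: may lose the tasting race, consider glabel"
fi
```

The functions only read text, so the same checks can be run from a live CD against a disk that fails to boot, before touching any geli metadata.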