Date: Tue, 4 Nov 2014 19:01:09 +0000
From: Miguel Clara <miguelmclara@gmail.com>
To: Allan Jude <allanjude@freebsd.org>
Cc: freebsd-current <freebsd-current@freebsd.org>
Subject: Re: Order of geli "passphrase prompt" on boot
Message-ID: <CADGo8CXfy3jV8YqzxH1RKCPHz4WhOoe9nqEkM6Mdq%2Badc509iw@mail.gmail.com>
In-Reply-To: <54590873.8000303@freebsd.org>
References: <CADGo8CW1QT60-Z2hW4NzVVG8yHB8MvqWEJXnG2aF51cjc0jC%2Bw@mail.gmail.com> <BLU436-SMTP135FE2ACDCE9BC1B8D139AFFDA0@phx.gbl> <7e30c7a0f28d63af254422a91b28f18a@dweimer.net> <CADGo8CXrgA0ptdeWqO4-CqBo1aaWHKQcg_7hRD-5Gh79cwe0yA@mail.gmail.com> <33b02299.70afc6f7@fabiankeil.de> <20141104152426.GP66862@home.opsec.eu> <5458FC23.40105@pcbsd.org> <54590873.8000303@freebsd.org>

On Tue, Nov 4, 2014 at 5:10 PM, Allan Jude <allanjude@freebsd.org> wrote:

> On 11/04/2014 11:17, Kris Moore wrote:
> > On 11/04/2014 10:24, Kurt Jaeger wrote:
> >> Hi!
> >>
> >>> If you don't need any USB devices to boot, you can delay their
> >>> detection by loading the modules through /etc/rc.d/kld instead
> >>> of the loader:
> >>>
> >>> fk@r500 ~ $grep kld /etc/rc.conf
> >>> kld_list="usb.ko usb_quirk.ko ehci.ko umass.ko"
> >> Does this really help with the GENERIC kernel?
> >>
> >> If I add this to /etc/rc.conf and do
> >>
> >> /etc/rc.d/kld start
> >>
> >> this spews a load of errors.
> >>
> >
> > Colin added this to HEAD recently:
> >
> > https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
> >
> > This will allow setting the passphrase at the boot-loader, so it doesn't
> > get prompted for again during boot. I think there was some work by
> > dteske@ to add this to the FreeBSD boot menus, but maybe you can use it
> > manually for now.
> >
> > We are using it in PC-BSD to supply the passphrase directly from GRUB,
> > so we only get prompted a single time.
> >
> > (Before somebody asks why we use grub)
> > We are using grub to do full-disk encryption, without an unencrypted
> > /boot, among other things :)
> >
>
> Yes, as Kris mentioned, the solution is being worked on here at MeetBSD
> by dteske@ (with some advice from jmg@) at the request of cperciva@,
> using the functionality Colin added to head for Kris to be able to do
> this for PCBSD.
>
> Hopefully this problem will be solved soon.
>

Seems interesting, but if I got it right, for now the boot loader still
doesn't have a way to pass this, right?

Could I, for example, drop to the prompt and set "g_eli_boot_passcache"?

And ofc in the future it would be ideal to do it from/during the boot menu.
However, it should only do it if "root" is encrypted, right (not just if
geli is loaded, cause it might not be used for root... say a user just
encrypts the /home dir, in that case having this on boot is not needed).

But if there's a way to tell the root device is encrypted at boot time,
then it would be the perfect solution indeed!

Pity it is only usable with grub for now, but still nice to see it's being
worked on!

Thanks