From: Miguel Clara
Date: Tue, 4 Nov 2014 19:01:09 +0000
Subject: Re: Order of geli "passphrase prompt" on boot
To: Allan Jude
Cc: freebsd-current
In-Reply-To: <54590873.8000303@freebsd.org>
References: <7e30c7a0f28d63af254422a91b28f18a@dweimer.net> <33b02299.70afc6f7@fabiankeil.de> <20141104152426.GP66862@home.opsec.eu> <5458FC23.40105@pcbsd.org> <54590873.8000303@freebsd.org>
Content-Type: text/plain; charset=UTF-8
List-Id: Discussions about the use of FreeBSD-current

On Tue, Nov 4, 2014 at 5:10 PM, Allan Jude wrote:
> On 11/04/2014 11:17, Kris Moore wrote:
> > On 11/04/2014 10:24, Kurt Jaeger wrote:
> >> Hi!
> >>
> >>> If you don't need any USB devices to boot, you can delay their
> >>> detection by loading the modules through /etc/rc.d/kld instead
> >>> of the loader:
> >>>
> >>> fk@r500 ~ $grep kld /etc/rc.conf
> >>> kld_list="usb.ko usb_quirk.ko ehci.ko umass.ko"
> >> Does this really help with the GENERIC kernel?
> >>
> >> If I add this to /etc/rc.conf and do
> >>
> >> /etc/rc.d/kld start
> >>
> >> this spews a load of errors.
> >>
> >
> > Colin added this to HEAD recently:
> >
> > https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
> >
> > This will allow setting the passphrase at the boot-loader, so it doesn't
> > get prompted for again during boot. I think there was some work by
> > dteske@ to add this to the FreeBSD boot menus, but maybe you can use it
> > manually for now.
> >
> > We are using it in PC-BSD to supply the passphrase directly from GRUB,
> > so we only get prompted a single time.
> >
> > (Before somebody asks why we use grub)
> > We are using grub to do full-disk encryption, without an unencrypted
> > /boot, among other things :)
> >
>
> Yes, as Kris mentioned, the solution is being worked on here at MeetBSD
> by dteske@ (with some advice from jmg@) at the request of cperciva@,
> using the functionality Colin added to head for Kris to be able to do
> this for PCBSD.
>
> Hopefully this problem will be solved soon.

Seems interesting, but if I got it right, for now the boot loader still doesn't have a way to pass this, right? Could I for example drop to the prompt and set "g_eli_boot_passcache"? And ofc in the future it would be ideal to do it from/during the boot menu.

However, it should only do it if "root" is encrypted, right? (Not just if geli is loaded, cause it might not be used for root... say a user just encrypts the /home dir; in that case having this on boot is not needed.) But if there's a way to tell the root device is encrypted at boot time, then it would be the perfect solution indeed!

Pity it's only usable with grub for now, but still nice to see it's being worked on! Thanks
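The question raised in this reply, whether the root device is on geli or only some other volume such as /home is, can at least be answered once the system is up, which is enough for an rc-time decision (for example, whether delaying USB driver loading via kld_list matters for the passphrase prompt at all). The following sh script is an added example written for this thread; it is not code from the thread, from PC-BSD or from FreeBSD itself. It reads the output of the real commands `mount -p` and `geli status`, parses them, and reports whether the device mounted on "/" is an attached geli provider. The sample outputs embedded below are constructed, not captured from a real machine, so the logic runs offline; the `--live` switch runs the same check against the running system.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): is the root
# filesystem on a geli provider? Inputs are the text of `mount -p`
# (device mountpoint fstype options dump pass) and `geli status`
# (Name Status Components). Constructed samples are used by default;
# pass --live to query the running FreeBSD system instead.

# Device mounted on "/" according to `mount -p` output given as $1.
root_device() {
    printf '%s\n' "$1" | awk '$2 == "/" { print $1; exit }'
}

# Names of attached geli providers from `geli status` output given as $1
# (the header line is skipped; empty output yields nothing).
geli_providers() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 3 { print $1 }'
}

# root_is_geli MOUNT_OUTPUT GELI_STATUS_OUTPUT
# Exit status 0 when the root device is an attached geli provider, 1 when
# it is a plain device or cannot be determined from these inputs (a ZFS
# dataset name, for instance, where the pool's vdevs would have to be
# inspected separately via zpool status).
root_is_geli() {
    dev=$(root_device "$1")
    case "$dev" in
        /dev/*) dev=${dev#/dev/} ;;
        *) return 1 ;;   # not a device node (ZFS dataset, NFS, ...)
    esac
    for prov in $(geli_providers "$2"); do
        [ "$prov" = "$dev" ] && return 0
    done
    return 1
}

# --- constructed sample data (not captured from a real machine) ---
GELI_STATUS='      Name  Status  Components
ada0p2.eli  ACTIVE  ada0p2
ada1p1.eli  ACTIVE  ada1p1'

# root on a geli provider
MOUNT_ROOT_GELI='/dev/ada0p2.eli / ufs rw 1 1
/dev/ada0p3 /var ufs rw 2 2'

# only /home encrypted; root is plain
MOUNT_ROOT_PLAIN='/dev/ada0p2 / ufs rw 1 1
/dev/ada1p1.eli /home ufs rw 2 2'

# ZFS root: cannot be decided from mount output alone
MOUNT_ROOT_ZFS='zroot/ROOT/default / zfs rw 0 0'

report() {
    if root_is_geli "$1" "$2"; then
        echo "root is on a geli provider"
    else
        echo "root is not on a geli provider (or could not be determined)"
    fi
}

if [ "$1" = "--live" ]; then
    report "$(mount -p)" "$(geli status 2>/dev/null)"
else
    echo "sample 1 (root on geli):"; report "$MOUNT_ROOT_GELI" "$GELI_STATUS"
    echo "sample 2 (only /home on geli):"; report "$MOUNT_ROOT_PLAIN" "$GELI_STATUS"
    echo "sample 3 (ZFS root):"; report "$MOUNT_ROOT_ZFS" "$GELI_STATUS"
fi
```

The check deliberately answers "no" for anything it cannot prove, so a ZFS root (the PC-BSD case in the thread) is reported as undetermined rather than as unencrypted; extending it means parsing `zpool status` for vdev names ending in `.eli`. Note also that this runs after the kernel is up, so it does not help the loader decide whether to prompt; and whatever mechanism ends up feeding the loader a passphrase, a passphrase written into a file on an unencrypted boot partition is readable by anyone holding the disk, which is why the thread's approaches (typing it once at the loader, or GRUB supplying it with no unencrypted /boot) are preferable to storing it.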