Date:      Sun, 16 Oct 2011 23:36:29 -0700
From:      Garrett Cooper <yanegomi@gmail.com>
To:        Xin LI <delphij@gmail.com>
Cc:        freebsd-geom@freebsd.org
Subject:   Re: GELI devices produced with 9.0+ fail when mounted on 8.2, etc?
Message-ID:  <EDE63E3A-A2BF-4422-B0F5-8DB4AFE5B573@gmail.com>
In-Reply-To: <CAGMYy3veJQ-pBg1BuAZyH3rvMxEaFQOYPTJYgWPteohw-HE%2BuA@mail.gmail.com>
References:  <924643A0-0798-4FAC-8F82-4AFBC56DC8D7@gmail.com> <CAGMYy3tX=Xr1k%2B=7FqV5=Ddooopodtmv1hG=zy5G2Ye5KCuO_Q@mail.gmail.com> <7EC93C28-6405-443F-92C6-0291F8D88995@gmail.com> <CAGMYy3veJQ-pBg1BuAZyH3rvMxEaFQOYPTJYgWPteohw-HE%2BuA@mail.gmail.com>



On Oct 16, 2011, at 7:51 PM, Xin LI wrote:

> On Sun, Oct 16, 2011 at 7:43 PM, Garrett Cooper <yanegomi@gmail.com> wrote:
>> On Oct 16, 2011, at 5:32 PM, Xin LI wrote:
>> 
>>> On Sun, Oct 16, 2011 at 5:01 PM, Garrett Cooper <yanegomi@gmail.com> wrote:
>>> [...]
>>>>        The attach will fail with the following message:
>>>> 
>>>> geli: MD5 hash mismatch for /dev/md0.
>>> 
>>> I'm pretty sure that this is from userland, and because FreeBSD 9.x
>>> has support for GELI metadata version 6, while 8.2 has support up to
>>> metadata version 5.  It's not a regression IMHO.
>> 
>> In other words this is a design flaw, because geli metadata is only forwards compatible. One of FreeBSD's claims to fame is its backwards compatibility -- why aren't geom developers adhering to this?
> 
> Backward compatibility is that you can expect what's working in an
> older version of FreeBSD would just work on a newer version of
> FreeBSD, not the contrary.

Perhaps, but the fact that this behavior / set of expectations isn't clearly called out in the geli manpage -- and the fact that there isn't official versioning (or at the very least this isn't made a requirement based on the output above) associated with each metadata format is a fault that should be corrected. Otherwise, how can GELI be considered a viable mechanism for encrypting data across multiple versions of FreeBSD? It seems very shortsighted that there isn't at least a mechanism for reading -- or at least rejecting -- later versions of metadata in an intuitive manner.

FWIW if you use geli from an earlier version of FreeBSD (hint: chroot, jail), it does the right thing, which means that I have a means for producing encrypted images on later versions of FreeBSD now. Nevertheless, having to do so in such a roundabout manner is annoying and I'm sure I won't be the only one that will be affected by this.

Thanks,
-Garrett

