Site Navigation

Date:      Thu, 02 Oct 2014 07:52:14 -0500
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-stable@freebsd.org
Subject:   Re: Encrypted (GELI) root on ZFS troubles
Message-ID:  <542D4A7E.1050407@denninger.net>
In-Reply-To: <542D108D.80603@FreeBSD.org>
References:  <542C71C9.1050907@denninger.net> <d4f3fecfcd8785c41e3658ff34123088@dweimer.net> <542CD992.7050509@denninger.net> <542D108D.80603@FreeBSD.org>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]

On 10/2/2014 3:45 AM, Andriy Gapon wrote:
> On 02/10/2014 07:50, Karl Denninger wrote:
>> 1. Having the kernel able to cross pools and examine the bootfs property
>> would be fairly useful.
> I don't understand your suggestion.  Every pool has bootfs property (if it's not
> explicitly set then that means that it just has its default value).  So which of
> the bootfs properties must be honored and why?  At present we honor bootfs of
> the "current" pool, which is the only distinguished pool.
Except default is "from whence one came" and yes, I understand the
problem if there's a conflict.  I would argue that if the parameter is
set on the pool the kernel booted from it should be honored, but if it
is NOT set (that is, if it is defaulted) then if it is validly set on a
different pool that one should be honored.

We already do this in that if /boot/loader.conf is set that's honored,
and this sounds inviolate but it in fact is not for the below reason.

I do understand the problem in the general sense with "well what happens
if there are two or more bootfs parameters set on other pools but none
on the pool the kernel loaded from" but here's the thing -- that risk is
already there, in that there's already all sorts of "fun" possible with
adapters that don't enumerate reliably in order, especially if the
intended boot device goes offline.  My LSI adapters, in particular
(which are a great example because lots of people use these with SAS
expanders and lots of plugged in drives, myself included, as they work
well and are pretty fast), will happily look for another bootable device
that happens to be plugged in if your primary(s) are offline and, if you
have one in the machine, it will attempt to boot it.  Sucks to be you if
that turns out to be a bootable environment.

So what I think makes sense is the following:

1. If /boot/loader.conf has vfs.root.mountfrom set, honor it (yes, there
is a risk to this too; you might have booted from an unintended disk!)

2. If we booted from zfs and bootfs is set non-default on the pool you
booted from then honor it, otherwise honor the first non-default bootfs
setting you find on any pool that is mounted during kernel init (which
for a geli-encrypted pool means one that had the "-b" flag set on its
members, otherwise it's not available until after init starts.)  I
understand this has risks but so does an adapter deciding to boot from
the "wrong" disk; there's no reason for bootfs to be set non-default on
a pool that isn't used for booting.

3. If neither (1) or (2) is true then mount root from the pool/device
you loaded the kernel from.

I can certainly understand that not being the default (you could get
reamed pretty good if you booted a non-corresponding kernel .vs. the
rest of the environment) but IMHO it violated the principle of least
astonishment when I went to set this up and the implication that bootfs
on *a* pool was sufficient as a hint to the kernel.

-- 
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/

[-- Attachment #2 --]
0�	*�H��

��0�

10	+0�	*�H��


��O0�K0�3�

0
	*�H��


0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1/0-	*�H��

	
 customer-service@cudasystems.net0
130824190344Z
180823190344Z0[10	UUS10UFlorida10UKarl Denninger1!0	*�H��

	
karl@denninger.net0�"0
	*�H��



�0�
�
��b����i՞�]�����MN�Կ���aw�x�?�`�)'�Ҵ�cWg�R@
Bl��Wh+	�u}ApdC���FJV�й���~�FOL��}��EW�^��bچY��p3�K&��ׂ��(R�
��l�xڝ.x��z?�����6��&n�s��J���+1v�9v/�(kq�Īp[�v�jc�K%f�ϻe���?iq]z����������
��lyzF��O'�ppdX//��Lw(���3����������J���IA�*��S�#�����՟��H��[f|CGqJK�o��oy��.oE�����u�Ow$��/��섀$삻J���9b�����������|����AP~8�]D1������Y�I<"�"�"Y^��T�2�iQ�2����b��	yH���)��]�	Ƶ�0y$�_N6X���q�M�C �9�՘	����X�gώj��G�T�P"�#��n���ˋ"B�k��1

���0��0	U00	`�H
��B

�0U�0,	`�H
��B

OpenSSL Generated Certificate0U|8�������˴�d�[2�0U#0�]��Af�4U3�x��&^"408	`�H
��B
+)https://cudasystems.net:11443/revoked.crl0
	*�H��


�

gB���wH]����j�\�x�`(�&��g���W�3��2�"��Uf^�.��^Iϱ�
�k!�DQ��Ag{(�w������/��)\N��'[��oRW���@��C���HO���>��)X��r�TNɘ��!�u`��xt5(��=f\-l3��<����@C��6��mn��hv�#����#�����1Ń�b�H�͍���_N�q
a�ʷ?rk���$^�9�TI�a�!�k����h��,D���-ct��1�
0�

0��0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1/0-	*�H��

	
 customer-service@cudasystems.net
0	+��;0	*�H��

	1	*�H��


0	*�H��

	1
141002125214Z0#	*�H��

	1(j/�I���@� -D[+`Y��0l	*�H��

	1_0]0	`�H
e
*0	`�H
e
0
*�H��
0*�H��
�0
*�H��

@0+0
*�H��

(0��	+

�71��0��0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1/0-	*�H��

	
 customer-service@cudasystems.net
0��*�H��

	1�����0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems LLC CA1/0-	*�H��

	
 customer-service@cudasystems.net
0
	*�H��



����	�U��)���&1s�/���)If?ԧI	��^���Z�.�����$�h;�V�u�C$�]�a�C��(VWx��J@a�p���ʌ����� �0�տ��\������u�<f��H�*j)�Sm)AՐ��5����u�w�Czb��xE#Z��/�1�d{[�'�#�"%1Ğ2��*/묔i����ԫ@[�e�O8����,�Z�}x&
�a�����{_�������•$uE{+�Q���:ƸD��p���x���>z����{����@���� Ă�2�'	��@
�tゅB�>Ѐ"���0���
�c"�&�����:Fw@΍��������-M]N��w��Eн���^%��gPc7���#(x
���u��
(j�!�d ^�5f���a�V x��

�_`@^�r�.���v����?�Ɠ�	�b䔯�l&���V��>�]�����q��
�
��&�͹�@tU)k�z�zʼnB���X�6/����˰H

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?542D4A7E.1050407>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact