From: Peter Toth
Date: Sat, 11 Jun 2011 21:04:13 +1200
To: freebsd-questions@freebsd.org
Subject: geli boot password + aesni
Message-ID: <4DF32F8D.8090804@snap.net.nz>

Hi there,

Before filing a bug report (and to confirm my sanity), I thought I would share my experiences with AESNI and GELI. Also, hopefully this will save someone else a couple of days of running in a circle...

I was trying to set up an encrypted root zpool on a laptop (Core i7) with AESNI enabled and a boot-time password prompt for the encryption key.

All is OK until the boot password prompt comes up. Entering the correct password will result in password rejection.

Traced down the problem to AESNI(4). If I set up the root disk without AESNI loaded in the kernel and boot without AESNI, everything works as expected. As soon as AESNI is loaded during geli init and during boot time, the password fails no matter what.

Also encountered another problem: if AESNI is used for geli init, the zpool (data) is not accessible later if AESNI is disabled. geli mounts the encrypted provider but no data is available on it.

In summary, there are 2 problems:

1. GELI boot-time password fails no matter what if AESNI is enabled and AESNI was used during geli init.

2. If AESNI was loaded and used for geli init, disabling AESNI later will result in inaccessible data on the provider.

Both of these problems are fully reproducible.

The system is FreeBSD 8.2 amd64 running on a Core i7 with AHCI and zpool v15.

Anyone seen this behavior before or has some ideas what else to check?

Many thanks