From: Warner Losh
Date: Mon, 15 Aug 2022 14:20:32 -0600
Subject: Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool
To: Guido van Rooij
Cc: FreeBSD Hackers
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij wrote:
> Currently I have a system with ZFS on GELI. I use the ability in
> the EFI loader to enter the GELI password.
>
> Is it possible somehow to use a serial console to enter the password?
> My system does have a COM1 port but it isn't recognised at the early
> boot stage. There I only see:
>
>     Consoles: EFI console
>     GELI Passphrase for disk0p4:
>
> (Note: this is early in the boot process so there is no access to
> boot.config (or any other file in the ZFS pool) as it is still on
> encrypted storage at that time).

The boot loader.efi will read ESP:/efi/freebsd/loader.env for environment
variables. You can use that to set the COM1 port since it appears your
EFI system doesn't do console redirection.

If you want it to only prompt COM1 for the password, but everything else is
on the efi console, that's a lot harder.

Warner
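As an added illustration of Warner's suggestion (this is not code from the thread or from the FreeBSD project), the script below writes an ESP:/efi/freebsd/loader.env that asks loader.efi to bring up COM1 alongside the EFI console, so the GELI passphrase prompt also appears on the serial line. The variable names console, comconsole_speed and comconsole_port come from loader.conf(5); that loader.env is parsed as whitespace-separated name=value tokens, the ESP device, the 0x3f8 port and the 115200 baud rate are assumptions for your system.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Writes a loader.env on the
# (unencrypted, FAT) ESP so loader.efi opens COM1 before it asks for the GELI
# passphrase. The ESP is readable and writable by anyone with the disk, so treat
# its contents as untrusted configuration, not as a secret store.
set -eu

ESP_DEV="${ESP_DEV:-/dev/ada0p1}"   # assumption: check with `gpart show`
MNT="${MNT:-/mnt/esp}"
SPEED="${SPEED:-115200}"

# Emit the loader.env body. Assumed format: name=value tokens separated by
# whitespace/newlines, as loader.efi parses them. Variable names: loader.conf(5).
gen_loader_env() {
    speed="$1"
    case "$speed" in
        ''|*[!0-9]*) echo "speed must be numeric: $speed" >&2; return 1 ;;
    esac
    printf 'console=comconsole,efi\n'       # both consoles, serial listed first
    printf 'comconsole_speed=%s\n' "$speed"
    printf 'comconsole_port=0x3f8\n'        # COM1 legacy I/O port (assumption)
}

# Mount the ESP, install the file, show what was written, unmount. Needs root.
install_loader_env() {
    mkdir -p "$MNT"
    mount -t msdosfs "$ESP_DEV" "$MNT"
    mkdir -p "$MNT/efi/freebsd"
    gen_loader_env "$SPEED" > "$MNT/efi/freebsd/loader.env"
    cat "$MNT/efi/freebsd/loader.env"
    umount "$MNT"
}

# Only touch the disk when explicitly asked: `sh thisscript.sh install`
if [ "${1:-}" = "install" ]; then
    install_loader_env
fi
```

Anything typed at the serial prompt crosses that line in the clear, so an IPMI/SOL or terminal-server path to COM1 deserves the same access controls as the physical console.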