From: Warner Losh
Date: Tue, 16 Aug 2022 11:08:51 -0600
Subject: Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool
To: Guido van Rooij
Cc: FreeBSD Hackers
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij wrote:
> On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
> > On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <guido@gvr.org>
> > wrote:
> >
> >     Currently I have a system with ZFS on GELI. I use the ability in
> >     the EFI loader to enter the GELI password.
> >     Is it possible somehow to use a serial console to enter the
> >     password?
> >     My system does have a COM1 port but it isn't recognised at the early
> >     boot stage. There I only see:
> >         Consoles: EFI console
> >         GELI Passphrase for disk0p4:
> >     (Note: this is early in the boot process so there is no access to
> >     boot.config (or any other file in the ZFS pool) as it is still on
> >     encrypted storage at that time).
> >
> > The boot loader.efi will read ESP:/efi/freebsd/loader.env for
> > environment variables. You can use that to set the COM1 port since it
> > appears your EFI system doesn't do console redirection.
> > If you want it to only prompt COM1 for the password, but everything
> > else is on the efi console, that's a lot harder.
>
> Hi Warner,
>
> Thanks, but somehow I still cannot get it to work properly.
> Content of /efi/freebsd/loader.env:
> boot_multicons="YES"
> console="efi comconsole"
>
> The boot prompt still only shows "Consoles: EFI console".

Yes. That's printed before we process the ESP file and switch to the new
console...
> When I boot I get the GELI passphrase prompt at the EFI console only. But
> when the kernel starts to run I do get output to the serial console,
> starting with:
> ---<<BOOT>>---
> Copyright (c) 1992-2021 The FreeBSD Project.
>
> So it seems the loader.env file is read correctly (it didn't output
> anything to the serial console before I created efi/freebsd/loader.env).
> But looking at the source I see in efi/loader/main.c:read_loader_env():
>         if (fn) {
>                 printf("   Reading loader env vars from %s\n", fn);
>                 parse_loader_efi_config(boot_img->DeviceHandle, fn);
>         }
> I never saw the printf appearing. I do not understand this.

It should have appeared on the video console of the EFI console (assuming
no serial redirect is going on in that BIOS).

I'd have to delve more deeply into the prompts for the GELI password than I
have time to do this morning. What if you type the password blind into the
serial port?

Warner