Date: Wed, 17 Aug 2022 15:35:36 +0200
From: Guido van Rooij <guido@gvr.org>
To: Warner Losh <imp@bsdimp.com>
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool
Message-ID: <1BFD8C02-370F-4E59-BC89-EEF970B44934@gvr.org>
In-Reply-To: <CANCZdfoMjg2GmUjZAeQ_phZnn4tKSKEOcPq6-h==s==idzmjBg@mail.gmail.com>
References: <CANCZdfoMjg2GmUjZAeQ_phZnn4tKSKEOcPq6-h==s==idzmjBg@mail.gmail.com>
> On 16 Aug 2022, at 19:09, Warner Losh <imp@bsdimp.com> wrote:
>
>> On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij <guido@gvr.org> wrote:
>> On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
>> > On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <[1]guido@gvr.org>
>> > wrote:
>> >
>> > Currently I have a system with ZFS on GELI. I use the ability in
>> > the EFI loader to enter the GELI password.
>> > Is it possible somehow to use a serial console to enter the
>> > password?
>> > My system does have a COM1 port but it isn't recognised at the early
>> > boot stage. There I only see:
>> >     Consoles: EFI console
>> >     GELI Passphrase for disk0p4:
>> > (Note: this is early in the boot process so there is no access to
>> > boot.config (or any other file in the ZFS pool) as it is still on
>> > encrypted storage at that time).
>> >
>> > The boot loader.efi will read ESP:/efi/freebsd/loader.env for
>> > environment
>> > variables. You can use that to set the COM1 port since it appears your
>> > EFI system doesn't do console redirection.
>> > If you want it to only prompt COM1 for the password, but everything
>> > else is
>> > on the efi console, that's a lot harder.
>>
>> Hi Warner,
>>
>> Thanks, but somehow I still cannot get it to work properly.
>> Content of /efi/freebsd/loader.env:
>> boot_multicons="YES"
>> console="efi comconsole"
>>
>> The boot prompt still only shows "Consoles: EFI console".
>
> Yes. That's printed before we process the ESP file and switch to the new console...
>
>> When I boot I get the GELI passphrase prompt at the EFI console only. But when the kernel starts
>> to run I do get output to the serial console, starting with:
>> ---<<BOOT>>---
>> Copyright (c) 1992-2021 The FreeBSD Project.
>>
>> So it seems the loader.env file is read correctly (it didn't output anything to the serial
>> console before I created efi/freebsd/loader.env). But looking at the source I see in
>> efi/loader/main.c:read_loader_env():
>>     if (fn) {
>>         printf(" Reading loader env vars from %s\n", fn);
>>         parse_loader_efi_config(boot_img->DeviceHandle, fn);
>>     }
>> I never saw the printf appearing. I do not understand this.
>
> It should have appeared on the video console of the EFI console (assuming no serial
> redirect is going on in that BIOS).
>
It surely did not.
> I'd have to delve more deeply into the prompts for the GELI password than I have
> time to do this morning. What if you type the password blind into the serial port?
>
Tried that but nothing happened. When I enter the passphrase after typing it in via the serial port, it worked immediately, so we can conclude that no single keystroke got through.
-Guido
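The loader.env file discussed above is the one piece of configuration in this thread that lives on unencrypted storage, so it is worth getting right in one step. The script below is an added example, not code from the thread or from FreeBSD's own tooling: a POSIX sh helper that writes ESP:/efi/freebsd/loader.env with the settings Guido used and validates the file before installing it. It assumes the mounted ESP is passed as its argument, that 115200 is the serial speed you want (comconsole_speed is documented in loader.conf(5); the value is a placeholder), and that loader.efi parses the file like a boot command line, as whitespace-separated name=value assignments, which is why a value containing a space such as "efi comconsole" must be quoted and why the validator rejects an unquoted one.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeBSD tree).
# Writes and validates the loader environment file that loader.efi reads
# from the ESP before it switches consoles.

set -eu

# File contents as used in the thread, plus the serial speed.
# ASSUMPTION: 115200 baud; set it to whatever your terminal uses.
loader_env_content() {
    cat <<'EOF'
boot_multicons="YES"
console="efi comconsole"
comconsole_speed="115200"
EOF
}

# Check that every non-empty line is exactly one name=value assignment,
# with the value either quoted or free of whitespace.  ASSUMPTION: the
# loader splits the file on whitespace like a boot command line, so an
# unquoted value with a space would silently become two tokens.
# Returns 0 when the file is clean, 1 otherwise.
validate_loader_env() {
    file="$1"
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        if ! printf '%s\n' "$line" |
            grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]*=("[^"]*"|[^[:space:]"]+)$'; then
            printf 'line %d: not a single name=value assignment: %s\n' \
                "$n" "$line" >&2
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Install loader.env under the given mount point (the ESP when run for
# real).  Refuses to clobber an existing file unless FORCE=1, validates
# into a temp file first, and prints the path it wrote on success.
write_loader_env() {
    esp="$1"
    dir="$esp/efi/freebsd"
    target="$dir/loader.env"
    if [ -e "$target" ] && [ "${FORCE:-0}" != 1 ]; then
        printf '%s exists; set FORCE=1 to overwrite\n' "$target" >&2
        return 1
    fi
    mkdir -p "$dir"
    tmp="$dir/.loader.env.tmp"
    loader_env_content > "$tmp"
    validate_loader_env "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$target"
    printf '%s\n' "$target"
}

# Real use (ASSUMPTION: device name and mount point are yours to check
# with gpart show):
#   mount -t msdosfs /dev/ada0p1 /boot/efi && write_loader_env /boot/efi
```

Two caveats the thread itself establishes: the "Consoles: EFI console" line is printed before loader.env is processed, so it will still name only the EFI console even when the file is read; and in Guido's case the file put the kernel's output on the serial port but did not make the GELI passphrase prompt accept serial input. So after installing the file, verify the prompt, not just the later kernel output.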
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1BFD8C02-370F-4E59-BC89-EEF970B44934>
