Date: Wed, 17 Aug 2022 09:19:42 -0600
From: Warner Losh <imp@bsdimp.com>
To: Guido van Rooij <guido@gvr.org>
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool
Message-ID: <CANCZdfrS+CmWAUF4EukrJ2qOH+0mCZjjq_3b=8t=oSwv_UcgUg@mail.gmail.com>
In-Reply-To: <1BFD8C02-370F-4E59-BC89-EEF970B44934@gvr.org>
References: <CANCZdfoMjg2GmUjZAeQ_phZnn4tKSKEOcPq6-h==s==idzmjBg@mail.gmail.com> <1BFD8C02-370F-4E59-BC89-EEF970B44934@gvr.org>
On Wed, Aug 17, 2022 at 7:35 AM Guido van Rooij <guido@gvr.org> wrote:
>
> On 16 Aug 2022, at 19:09, Warner Losh <imp@bsdimp.com> wrote:
>
> On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij <guido@gvr.org> wrote:
>
>> On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
>> > On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <guido@gvr.org>
>> > wrote:
>> >
>> >     Currently I have a system with ZFS on GELI. I use the ability in
>> >     the EFI loader to enter the GELI password.
>> >     Is it possible somehow to use a serial console to enter the
>> >     password?
>> >     My system does have a COM1 port but it isn't recognised at the early
>> >     boot stage. There I only see:
>> >         Consoles: EFI console
>> >         GELI Passphrase for disk0p4:
>> >     (Note: this is early in the boot process so there is no access to
>> >     boot.config (or any other file in the ZFS pool) as it is still on
>> >     encrypted storage at that time).
>> >
>> > The boot loader.efi will read ESP:/efi/freebsd/loader.env for
>> > environment variables. You can use that to set the COM1 port since it
>> > appears your EFI system doesn't do console redirection.
>> > If you want it to only prompt COM1 for the password, but everything
>> > else is on the efi console, that's a lot harder.
>>
>> Hi Warner,
>>
>> Thanks, but somehow I still cannot get it to work properly.
>> Content of /efi/freebsd/loader.env:
>> boot_multicons="YES"
>> console="efi comconsole"
>>
>> The boot prompt still only shows "Consoles: EFI console".
>
> Yes. That's printed before we process the ESP file and switch to the new
> console...
>
>> When I boot I get the GELI passphrase prompt at the EFI console only. But
>> when the kernel starts to run I do get output to the serial console,
>> starting with:
>> ---<<BOOT>>---
>> Copyright (c) 1992-2021 The FreeBSD Project.
>>
>> So it seems the loader.env file is read correctly (it didn't output
>> anything to the serial console before I created efi/freebsd/loader.env).
>> But looking at the source I see in efi/loader/main.c:read_loader_env():
>>         if (fn) {
>>                 printf("    Reading loader env vars from %s\n", fn);
>>                 parse_loader_efi_config(boot_img->DeviceHandle, fn);
>>         }
>> I never saw the printf appearing. I do not understand this.
>
> It should have appeared on the video console of the EFI console (assuming
> no serial redirect is going on in that BIOS).
>
> It surely did not.
>
> I'd have to delve more deeply into the prompts for the GELI password than
> I have time to do this morning. What if you type the password blind into
> the serial port?
>
> Tried that but nothing happened. When I enter the passphrase after typing
> it in via the serial port, it worked immediately so we can conclude that
> no single keystroke got through.

OK. I'll have to delve a little more deeply then...

Warner