From: Warner Losh <wlosh@bsdimp.com>
Date: Wed, 17 Aug 2022 09:19:42 -0600
Subject: Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool
To: Guido van Rooij
Cc: FreeBSD Hackers
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
In-Reply-To: <1BFD8C02-370F-4E59-BC89-EEF970B44934@gvr.org>

On Wed, Aug 17, 2022 at 7:35 AM Guido van Rooij wrote:
>
> On 16 Aug 2022, at 19:09, Warner Losh wrote:
>
> On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij wrote:
>
>> On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
>> > On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <guido@gvr.org>
>> > wrote:
>> >
>> >     Currently I have a system with ZFS on GELI. I use the ability in
>> >     the EFI loader to enter the GELI password.
>> >     Is it possible somehow to use a serial console to enter the
>> >     password?
>> >     My system does have a COM1 port but it isn't recognised at the
>> >     early boot stage. There I only see:
>> >         Consoles: EFI console
>> >         GELI Passphrase for disk0p4:
>> >     (Note: this is early in the boot process so there is no access to
>> >     boot.config (or any other file in the ZFS pool) as it is still on
>> >     encrypted storage at that time).
>> >
>> > The boot loader.efi will read ESP:/efi/freebsd/loader.env for
>> > environment variables. You can use that to set the COM1 port since it
>> > appears your EFI system doesn't do console redirection.
>> > If you want it to only prompt COM1 for the password, but everything
>> > else is on the efi console, that's a lot harder.
>>
>> Hi Warner,
>>
>> Thanks, but somehow I still cannot get it to work properly.
>> Content of /efi/freebsd/loader.env:
>>     boot_multicons="YES"
>>     console="efi comconsole"
>>
>> The boot prompt still only shows "Consoles: EFI console".
>>
>
> Yes. That's printed before we process the ESP file and switch to the new
> console...
>
>> When I boot I get the GELI passphrase prompt at the EFI console only. But
>> when the kernel starts to run I do get output to the serial console,
>> starting with:
>>     ---<<BOOT>>---
>>     Copyright (c) 1992-2021 The FreeBSD Project.
>>
>> So it seems the loader.env file is read correctly (it didn't output
>> anything to the serial console before I created efi/freebsd/loader.env).
>> But looking at the source I see in efi/loader/main.c:read_loader_env():
>>
>>         if (fn) {
>>                 printf("    Reading loader env vars from %s\n", fn);
>>                 parse_loader_efi_config(boot_img->DeviceHandle, fn);
>>         }
>>
>> I never saw the printf appearing. I do not understand this.
>>
>
> It should have appeared on the video console of the EFI console (assuming
> no serial redirect is going on in that BIOS).
>
> It surely did not.
>
> I'd have to delve more deeply into the prompts for the GELI password than
> I have time to do this morning. What if you type the password blind into
> the serial port?
>
> Tried that but nothing happened. When I
> enter the passphrase after typing it in via
> the serial port, it worked immediately so
> we can conclude that no single keystroke
> got through.
>

OK. I'll have to delve a little more deeply then...

Warner
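As an added example, not part of this thread and not the FreeBSD loader's own code: a small POSIX sh script that parses a loader.env-style file of name="value" lines (the format Guido shows above) and reports whether the console setting actually lists the serial comconsole, which is the first thing to check before digging into the loader. It assumes one assignment per line with optional double quotes; the real parser behind parse_loader_efi_config in efi/loader/main.c may accept more than that. Both sample files are constructed here.

```shell
#!/bin/sh
# Added example: inspect a loader.env-style file and report its console
# configuration. Assumption: one name=value per line, quotes optional.

# Constructed sample 1: the settings from the thread (serial console present).
SAMPLE_ENV="$(mktemp)"
cat > "$SAMPLE_ENV" <<'EOF'
boot_multicons="YES"
console="efi comconsole"
EOF

# Constructed sample 2: EFI console only, the failure mode to detect.
NOSERIAL_ENV="$(mktemp)"
cat > "$NOSERIAL_ENV" <<'EOF'
console="efi"
EOF

# loader_env_get FILE NAME -> prints NAME's value with surrounding quotes stripped
loader_env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed 's/^"//; s/"$//'
}

# has_serial_console FILE -> exit 0 if console= lists comconsole, else 1
has_serial_console() {
    case " $(loader_env_get "$1" console) " in
        *" comconsole "*) return 0 ;;
        *) return 1 ;;
    esac
}

# report_console FILE -> human-readable summary of the console settings
report_console() {
    f="$1"
    printf '%s:\n' "$f"
    printf '  console=%s\n' "$(loader_env_get "$f" console)"
    printf '  boot_multicons=%s\n' "$(loader_env_get "$f" boot_multicons)"
    if has_serial_console "$f"; then
        echo "  serial console (comconsole) is configured"
    else
        echo "  no serial console configured; GELI prompt stays on the EFI console"
    fi
}

report_console "$SAMPLE_ENV"
report_console "$NOSERIAL_ENV"
```

To use it on a real system, point `report_console` at the ESP's `/efi/freebsd/loader.env` after mounting the ESP read-only; the check only tells you what the file asks for, not what the loader did with it, which is exactly the gap the thread is trying to close.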