Date: Fri, 19 Aug 2022 10:20:21 +0200
From: Guido van Rooij
To: Warner Losh
Cc: FreeBSD Hackers
Subject: Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool
References: <1BFD8C02-370F-4E59-BC89-EEF970B44934@gvr.org>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Wed, Aug 17, 2022 at 09:19:42AM -0600, Warner Losh wrote:
> On Wed, Aug 17, 2022 at 7:35 AM Guido van Rooij <guido@gvr.org> wrote:
> > On 16 Aug 2022, at 19:09, Warner Losh <imp@bsdimp.com> wrote:
> > > On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij <guido@gvr.org> wrote:
> > > > On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
> > > > > On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <guido@gvr.org> wrote:
> > > > > >
> > > > > > Currently I have a system with ZFS on GELI. I use the ability in
> > > > > > the EFI loader to enter the GELI password.
> > > > > > Is it possible somehow to use a serial console to enter the
> > > > > > password?
> > > > > > My system does have a COM1 port but it isn't recognised at the
> > > > > > early boot stage. There I only see:
> > > > > >     Consoles: EFI console
> > > > > >     GELI Passphrase for disk0p4:
> > > > > > (Note: this is early in the boot process so there is no access to
> > > > > > boot.config (or any other file in the ZFS pool) as it is still on
> > > > > > encrypted storage at that time).
> > > > >
> > > > > The boot loader.efi will read ESP:/efi/freebsd/loader.env for
> > > > > environment variables. You can use that to set the COM1 port since
> > > > > it appears your EFI system doesn't do console redirection.
> > > > > If you want it to only prompt COM1 for the password, but everything
> > > > > else is on the efi console, that's a lot harder.
> > > >
> > > > Hi Warner,
> > > >
> > > > Thanks, but somehow I still cannot get it to work properly.
> > > > Content of /efi/freebsd/loader.env:
> > > >
> > > >     boot_multicons="YES"
> > > >     console="efi comconsole"
> > > >
> > > > The boot prompt still only shows "Consoles: EFI console".
> > >
> > > Yes. That's printed before we process the ESP file and switch to the
> > > new console...
> > >
> > > > When I boot I get the GELI passphrase prompt at the EFI console only.
> > > > But when the kernel starts to run I do get output to the serial
> > > > console, starting with:
> > > >
> > > >     ---<>---
> > > >     Copyright (c) 1992-2021 The FreeBSD Project.
> > > >
> > > > So it seems the loader.env file is read correctly (it didn't output
> > > > anything to the serial console before I created
> > > > efi/freebsd/loader.env). But looking at the source I see in
> > > > efi/loader/main.c:read_loader_env():
> > > >
> > > >     if (fn) {
> > > >         printf("  Reading loader env vars from %s\n", fn);
> > > >         parse_loader_efi_config(boot_img->DeviceHandle, fn);
> > > >     }
> > > >
> > > > I never saw the printf appearing. I do not understand this.
> > >
> > > It should have appeared on the video console of the EFI console
> > > (assuming no serial redirect is going on in that BIOS).
> >
> > It surely did not.
> >
> > > I'd have to delve more deeply into the prompts for the GELI password
> > > than I have time to do this morning. What if you type the password
> > > blind into the serial port?
> >
> > Tried that but nothing happened. When I enter the passphrase after
> > typing it in via the serial port, it worked immediately, so we can
> > conclude that no single keystroke got through.
>
> OK. I'll have to delve a little more deeply then...

I think I know why it does not work. The "Consoles:" line is printed in
cons_probe(), which is called in main():

    setenv("console", "efi", 1);
    cons_probe();

So that explains why we see

    Consoles: EFI console

Then we see in main():

    for (i = 0; devsw[i] != NULL; i++)
        if (devsw[i]->dv_init != NULL)
            (devsw[i]->dv_init)();

The way I understand it, this is the place where the GELI passphrase
prompt originates from. But only after that, we see the call to load
/efi/freebsd/loader.env.

Shouldn't the dv_init() calls be moved to after the call to
boot_howto_to_env(howto)?

Regards,
-Guido
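The following is a constructed C model of the initialisation order traced in the thread above. It is added here as an illustration and is not FreeBSD's loader code nor anything posted in the thread: the names cons_probe, devsw/dv_init and read_loader_env are borrowed from the discussion for readability, but their bodies, the tiny environment store, and the assumption that loader.env consists of name="value" lines (as in the file contents posted above) are all assumptions of this example. It records which consoles are active when the "disk" device's init runs, i.e. where a GELI passphrase prompt issued at that point would go, once with the current ordering and once with the proposed one.

```c
/* Constructed model (NOT FreeBSD's loader code) of the init-order issue
 * discussed in the thread. Names are borrowed for readability only. */
#include <stdio.h>
#include <string.h>

#define ENV_MAX 8
struct env_entry { char name[32]; char value[64]; };
static struct env_entry env[ENV_MAX];
static int env_count;

static void env_reset(void) { env_count = 0; }

static void env_set(const char *name, const char *value)
{
    for (int i = 0; i < env_count; i++)
        if (strcmp(env[i].name, name) == 0) {
            snprintf(env[i].value, sizeof env[i].value, "%s", value);
            return;
        }
    if (env_count < ENV_MAX) {
        snprintf(env[env_count].name, sizeof env[env_count].name, "%s", name);
        snprintf(env[env_count].value, sizeof env[env_count].value, "%s", value);
        env_count++;
    }
}

static const char *env_get(const char *name)
{
    for (int i = 0; i < env_count; i++)
        if (strcmp(env[i].name, name) == 0)
            return env[i].value;
    return "";
}

/* Consoles active right now; cons_probe() derives them from $console. */
static char active_consoles[64];
static void cons_probe(void)
{
    snprintf(active_consoles, sizeof active_consoles, "%s", env_get("console"));
}

/* Consoles a GELI passphrase prompt would reach: whatever is active when
 * the disk device's dv_init() runs. */
static char geli_prompt_consoles[64];
static void disk_init(void)
{
    snprintf(geli_prompt_consoles, sizeof geli_prompt_consoles, "%s", active_consoles);
}

typedef void (*dv_init_fn)(void);
static dv_init_fn devsw[] = { disk_init, NULL };

static void run_dv_init(void)
{
    for (int i = 0; devsw[i] != NULL; i++)
        devsw[i]();
}

/* Assumed loader.env format: one name="value" per line (quotes optional). */
static void read_loader_env(const char *contents)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", contents);
    for (char *line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n")) {
        char *eq = strchr(line, '=');
        if (eq == NULL)
            continue;
        *eq = '\0';
        char *val = eq + 1;
        size_t n = strlen(val);
        if (n >= 2 && val[0] == '"' && val[n - 1] == '"') {
            val[n - 1] = '\0';
            val++;
        }
        env_set(line, val);
    }
}

/* Ordering described in the thread: probe consoles, init devices (the GELI
 * prompt), and only then read loader.env and switch consoles. */
const char *boot_current_order(const char *loader_env)
{
    env_reset();
    env_set("console", "efi");
    cons_probe();                 /* "Consoles: EFI console" */
    run_dv_init();                /* prompt: serial console not active yet */
    read_loader_env(loader_env);
    cons_probe();                 /* switch happens after the prompt */
    return geli_prompt_consoles;
}

/* Ordering proposed at the end of the thread: process loader.env (and
 * re-probe consoles) before dv_init(), so the prompt sees the serial port. */
const char *boot_proposed_order(const char *loader_env)
{
    env_reset();
    env_set("console", "efi");
    cons_probe();
    read_loader_env(loader_env);
    cons_probe();
    run_dv_init();
    return geli_prompt_consoles;
}

int main(void)
{
    /* Constructed loader.env with the contents posted in the thread. */
    const char *loader_env = "boot_multicons=\"YES\"\nconsole=\"efi comconsole\"\n";
    printf("current order : prompt on '%s'\n", boot_current_order(loader_env));
    printf("proposed order: prompt on '%s'\n", boot_proposed_order(loader_env));
    return 0;
}
```

With the posted loader.env the current ordering leaves the prompt on "efi" only, while the proposed ordering reaches "efi comconsole"; the model says nothing about how the real loader's console switch is implemented, only that the prompt can only use consoles that were active when the device init ran.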