From owner-freebsd-geom@FreeBSD.ORG Mon Nov 17 05:29:06 2014
Date: Mon, 17 Nov 2014 06:29:10 +0100
From: Pawel Jakub Dawidek
To: CyberLeo Kitsana
Cc: FreeBSD Geom
Subject: Re: [patch] GELI Boot-time unlock failure
Message-ID: <20141117052910.GE1771@garage.freebsd.pl>
In-Reply-To: <5467F826.3070208@cyberleo.net>
References: <5467F826.3070208@cyberleo.net>
X-OS: FreeBSD 11.0-CURRENT amd64
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: GEOM-specific discussions and implementations

On Sat, Nov 15, 2014 at 07:04:38PM -0600, CyberLeo Kitsana wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193624
>
> I've reworked the patch to apply to 10.1-RELEASE, and am now using it
> successfully.
>
> The proper fix for this issue is most likely a new metadata version to
> set the md_iterations per-keyslot instead of per-container, but I didn't
> want to introduce incompatibility without input from the current GELI
> maintainers; this patch works with the layout as-is.
>
> If a GELI container has a keyfile in one slot and a passphrase in the
> other (to implement automatic boot-time unlock with offline key escrow,
> for example), the boot-time unlock code will get confused and assume the
> key and passphrase are to be combined, resulting in a container that
> cannot be unlocked during boot when its keyfile is preloaded. The
> included patch attempts to unlock using only the keyfile first.

Hi, thanks for the patch, but I'd prefer to fix it properly, i.e. allow
for each key slot to have its dedicated iterations counter. Do you think
this is something you could work on?

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
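A constructed Python model of the failure mode and the unlock order discussed above, added here as an illustration; it is not code from the thread, the patch or GELI itself. The key derivation, the slot wrapping scheme, the salt, the keyfile and the passphrase are all made up for the model and do not reproduce GELI's real on-disk format; the only thing it mirrors is the logic: a combined-only attempt fails against a container whose slots hold a keyfile alone and a passphrase alone, while trying the keyfile alone first succeeds.

```python
import hashlib
import hmac

ITERATIONS = 2000  # stands in for md_iterations, stored once per container

def derive_user_key(keyfile, passphrase):
    """Fold the available components into one user key. Constructed model:
    keyfile bytes via HMAC-SHA512, passphrase via PBKDF2-HMAC-SHA512."""
    h = hashlib.sha512()
    if keyfile is not None:
        h.update(hmac.new(b"keyfile-component", keyfile, hashlib.sha512).digest())
    if passphrase is not None:
        h.update(hashlib.pbkdf2_hmac("sha512", passphrase, b"model-salt", ITERATIONS))
    return h.digest()

def wrap_master_key(master, user_key):
    """Slot contents: master key XORed with a keystream from the user key,
    plus an HMAC tag so a wrong user key is rejected instead of yielding garbage."""
    stream = hashlib.sha512(b"wrap" + user_key).digest()[:len(master)]
    wrapped = bytes(a ^ b for a, b in zip(master, stream))
    return wrapped, hmac.new(user_key, wrapped, hashlib.sha256).digest()

def unwrap_master_key(slot, user_key):
    wrapped, tag = slot
    if not hmac.compare_digest(hmac.new(user_key, wrapped, hashlib.sha256).digest(), tag):
        return None
    stream = hashlib.sha512(b"wrap" + user_key).digest()[:len(wrapped)]
    return bytes(a ^ b for a, b in zip(wrapped, stream))

def try_unlock(slots, attempts):
    """Run each (keyfile, passphrase) attempt against every slot; first match wins."""
    for keyfile, passphrase in attempts:
        user_key = derive_user_key(keyfile, passphrase)
        for idx, slot in enumerate(slots):
            master = unwrap_master_key(slot, user_key)
            if master is not None:
                return idx, master
    return None

def unlock_combined_only(slots, keyfile, passphrase):
    # Behaviour described in the report: both inputs are assumed to belong together.
    return try_unlock(slots, [(keyfile, passphrase)])

def unlock_keyfile_first(slots, keyfile, passphrase):
    # Order the patch introduces: keyfile alone before the combined attempt.
    return try_unlock(slots, [(keyfile, None), (keyfile, passphrase)])

# Constructed container: slot 0 keyfile only (boot-time), slot 1 passphrase only (escrow).
MASTER = bytes(range(32))
KEYFILE = b"\x13" * 64
PASSPHRASE = b"correct horse battery staple"
SLOTS = [wrap_master_key(MASTER, derive_user_key(KEYFILE, None)),
         wrap_master_key(MASTER, derive_user_key(None, PASSPHRASE))]
```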