Site Navigation

Date:      Sun, 10 Feb 2019 13:43:13 -0600
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-stable@freebsd.org
Subject:   Re: Geli prompts on gptzfsboot (Was:: Serious ZFS Bootcode Problem (GPT NON-UEFI -- RESOLVED)
Message-ID:  <ef143cb8-e674-cc06-4569-e5fa66676f25@denninger.net>
In-Reply-To: <2f5e28f7f48fa34e60e6225d63cdb2bf357313aa.camel@freebsd.org>
References:  <911d001f-9e33-0521-51fe-f7d1383dfc62@denninger.net> <CANCZdfp0QaXodmYBp9Eox9Ca5kyQibCXw5rRTwsO-mCjApYswA@mail.gmail.com> <b11ec38c-1c6a-6e92-810c-4d2fe3e8df3d@freebsd.org> <a107a4f5-2851-191a-5f8c-a4cd44c98458@denninger.net> <16c56c89ff8a3d89164d9152f6c38687dcba99b5.camel@freebsd.org> <3fd7f001-879c-7b1e-3d1a-d2939ac07d9c@denninger.net> <398cae11ff6b81d0bc1dbdcd54f64eb97b2c812a.camel@freebsd.org> <df021c0b-ef2c-df61-7042-303dbadaab75@denninger.net> <2f5e28f7f48fa34e60e6225d63cdb2bf357313aa.camel@freebsd.org>

---

index | next in thread | previous in thread | raw e-mail

---

[-- Attachment #1 --]

On 2/10/2019 12:40, Ian Lepore wrote:
> On Sun, 2019-02-10 at 12:35 -0600, Karl Denninger wrote:
>> On 2/10/2019 12:01, Ian Lepore wrote:
>>> On Sun, 2019-02-10 at 11:54 -0600, Karl Denninger wrote:
>>>> On 2/10/2019 11:50, Ian Lepore wrote:
>>>>> On Sun, 2019-02-10 at 11:37 -0600, Karl Denninger wrote:
>>>>>
>>>>>> [...]
>>>>>>
>>>>>> BTW am I correct that gptzfsboot did *not* get the ability to
>>>>>> read
>>>>>> geli-encrypted pools in 12.0?  The UEFI loader does know how
>>>>>> (which I'm
>>>>>> using on my laptop) but I was under the impression that for
>>>>>> non-
>>>>>> UEFI
>>>>>> systems you still needed the unencrypted boot partition from
>>>>>> which to
>>>>>> load the kernel.
>>>>>>
>>>>> Nope, that's not correct. GELI support was added to the boot
>>>>> and
>>>>> loader
>>>>> programs for both ufs and zfs in freebsd 12. You must set the
>>>>> geli
>>>>> '-g' 
>>>>> option to be prompted for the passphrase while booting (this is
>>>>> separate from the '-b' flag that enables mounting the encrypted
>>>>> partition as the rootfs). You can use "geli configure -g" to
>>>>> turn
>>>>> on
>>>>> the flag on any existing geli partition.
>>>>>
>>>>> -- Ian
>>>> Excellent - this will eliminate the need for me to run down the
>>>> foot-shooting that occurred in my update script since the
>>>> unencrypted
>>>> kernel partition is no longer needed at all.  That also
>>>> significantly
>>>> reduces the attack surface on such a machine (although you could
>>>> still
>>>> tamper with the contents of freebsd-boot of course.)
>>>>
>>>> The "-g" flag I knew about from experience in putting 12 on my X1
>>>> Carbon
>>>> (which works really well incidentally; the only issue I'm aware
>>>> of is
>>>> that there's no 5Ghz WiFi support.)
>>>>
>>> One thing that is rather unfortunate... if you have multiple geli
>>> encrypted partitions that all have the same passphrase, you will be
>>> required to enter that passphrase twice while booting -- once in
>>> gpt[zfs]boot, then again during kernel startup when the rest of the
>>> drives/partitions get tasted by geom. This is because APIs within
>>> the
>>> boot process got changed to pass keys instead of the passphrase
>>> itself
>>> from one stage of booting to the next, and the fallout of that is
>>> the
>>> key for the rootfs is available to the kernel for mountroot, but
>>> the
>>> passphrase is not available to the system when geom is probing all
>>> the
>>> devices, so you get prompted for it again.
>>>
>>> -- Ian
>> Let me see if I understand this before I do it then... :-)
>>
>> I have the following layout:
>>
>> 1. Two SSDs that contain the OS as a two-provider ZFS pool, which has
>> "-b" set on both members; I get the "GELI Passphrase:" prompt from
>> the
>> loader and those two providers (along with encrypted swap) attach
>> early
>> in the boot process.  The same SSDs contain a mirrored non-encrypted
>> pool that has /boot (and only /boot) on it because previously you
>> couldn't boot from an EFI-encrypted pool at all.
>>
>> Thus:
>>
>> [\u@NewFS /root]# gpart show da1
>> =>       34  468862061  da1  GPT  (224G)
>>          34       2014       - free -  (1.0M)
>>        2048       1024    1  freebsd-boot  (512K)
>>        3072       1024       - free -  (512K)
>>        4096   20971520    2  freebsd-zfs  [bootme]  (10G)
>>    20975616  134217728    3  freebsd-swap  (64G)
>>   155193344  313667584    4  freebsd-zfs  (150G)
>>   468860928       1167       - free -  (584K)
>>
>> There is of course a "da2" that is identical.  The actual encrypted
>> root
>> pool is on partition 4 with "-b" set at present.  I get prompted from
>> loader as a result after the unencrypted partition (#2) boots.
>>
>> 2. Multiple additional "user space" pools on a bunch of other disks.
>>
>> Right now #2 is using geli groups.  Prior to 12.0 they were handled
>> using a custom /etc/rc.d script I wrote that did basically the same
>> thing that geli groups does because all use the same passphrase and
>> entering the same thing over and over on a boot was a pain in the
>> butt. 
>> It prompted cleanly with no echo, took a password and then iterated
>> over
>> a list of devices attaching them one at a time.  That requirement is
>> now
>> gone with geli groups, which is nice since mergemaster always
>> complained
>> about it being a "non-standard" thing; it *had* to go in /etc/rc.d
>> and
>> not in /usr/etc/rc.d else I couldn't get it to run early enough --
>> unfortunately.
>>
>> So if I remove the non-encrypted freebsd-zfs mirror that the system
>> boots from in favor of setting "-g" on the root pool (both providers)
>> gptzfsboot will find and prompt for the password to boot before
>> loader
>> gets invoked at all, much like the EFI loader does.  That's good. 
>> (My
>> assumption is that the "-g" is sufficient; I don't need (or want)
>> "bootme" set -- correct?)
>>
>> /However, /once the kernel boots somewhere in the mishmash of boot-
>> time
>> messages, and probably not where it's instantly obvious nor where it
>> will halt the cascade display on the console, I'm going to get asked
>> for
>> that passphrase again?  I assume I want to remove
>> 'geom_eli_passphrase_prompt="YES"' from loader.conf as well -- or
>> would
>> leaving it in there save me from the prompt that's hard to find in
>> the
>> cascade?
>>
>> Or, even better, would that situation of a double-prompt only apply
>> if I
>> had "-b" set on something /other than /the boot device pool vdevs (I
>> don't -- those are handled by #2 for this exact reason.)
>>
> I think at this point I have to ease out of the conversation, because I
> know almost nothing about zfs, despite having somehow managed to add
> geli support to the zfs code in loader. I did so without understanding
> zfs in any way, because I added the support at a more generic "disk
> drive support" layer in loader, and did all my testing using automated
> scripts Alan and Warner created to test zfs booting using qemu.
>
> -- Ian

I can confirm that this boots and comes up cleanly without re-prompting
for the boot pool password.

The machines I have in the field in this config, during the next upgrade
cycle, are going to get set up this way.  When it makes sense to replace
these with UEFI boards (likely when Coffee Lake Xeons and Mobos that can
handle them get a bit more reasonable and start showing up with IPMI/kvm
ports) I'll likely start getting rid of these older devices simply on
the performance-for-power equation, but these are likely to be out there
for me, anyway, for the next few years.

In short very nice work -- and thank you!

-- 
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/

[-- Attachment #2 --]
0�	*�H��

��0�

10
	`�H
e0�	*�H��


��
�0��0���
�H���^��Ōc!5�
�H0
	*�H��


0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems CA1!0UCuda Systems LLC 2017 CA0
170817164217Z
270815164217Z0{10	UUS10UFlorida10U
Cuda Systems LLC10UCuda Systems CA1%0#UCuda Systems LLC 2017 Int CA0�"0
	*�H��



�0�
�
�h�-5B>[���;��o���l�Ӵ��0~͎O9}�9�Y��e������*�������$��g��!uk�vʶ�LzN�`jL�>��MD'7
U4����5C�B�+�kY`bd����~b*�c3�N��y-�78j�u�]9H�e��uέ�sӬD��ؽ�m��gw�ER�?�&U�UR�j����'�}�9n�WD i�`XcbG��z�\g������G=��u�%���\�O�i1���3���ߝ4�
�K4�4p�YQr]�Ie�/r�0+��eEޝݖ0��C15�M��ݚ@J�SZ(zȏ�N�Ta�(2��5�D�D5���.l�<g[[Za��r�Q�Q%�Bu�ȴ
����~~`���I�oh�R�b����ʳ��ڟ���u�2���M�S��8E�dF��UC���l�CM�aѳ����!����}ș�+�2��k
��/�bų�E,��n�当ꖛ\�(8�WV�8	d]�b�	�������y�X��w	܊�:I�39

��

0�
0U]�^§������Q�\ӎ�0��U#��0�����T0�3���9�N0b������0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems CA1!0UCuda Systems LLC 2017 CA�	�@�U��i0U

�0

�
0U

�
�0
	*�H��


�
��:P U!>v�����J�ni��o�-����#�ן�]Wyu�j���ǑR̀��Q�
�nƇ�!GѦF��g\�yLx�g�w=�O�P��yceh�f[���}�ܷ�['4�ڝ�\[p6\o.
��B&�JF���"�ZC{;�*o�*�mc��Cc�LY߾�`
�t�*�S!����񫶭�(���`�]D�HP�5���A~/�N���Pp�����6�=�m��h�k�밣'd���oA$�86hm����5���Ӛ��S@�j���ެE���gl��
�)�0JG���`%�k�3�5��P��a��C?���σ
׳HE�t
}!�P���㏏%*���B�xb��Q�waKG����$6h�¦��M�v��e;��[o��-�Iی��&
���I,��T��c�ߎ#t �wPA�@��l0�P�+�KXB��պT	z���G�v;N��c��I3��&��JĬ���UP�N��a��?�/�%�W��6G۟N�0�00��
��k���#X��d��\�=0
	*�H��


0{10	UUS10UFlorida10U
Cuda Systems LLC10UCuda Systems CA1%0#UCuda Systems LLC 2017 Int CA0
170817212120Z
220816212120Z0W10	UUS10UFlorida10U
Cuda Systems LLC10Ukarl@denninger.net0�"0
	*�H��



�0�
�
�T��[I�-ΆϏdn;�Å�@שy���.u�s�~_�Z�G%<��M��Y��d�\g��v�f��n�s�a��1'6����E�gyjs�"C� [�{��~��_���K���Pn+<�*�pv���#Q�����+��H���/���7[-v��qD��V^U>�f��%�GX�)��H.��|l`�M(C�r�>е͇6����#�o��dc"Y�ljҦ�ln8�@�5S�A�0���&ۖ"���OGj?��U��DWZ5	��dDB7k-)�9�����I�zs��-�JA���v
��J��6L���$�Ն����1Sm�Y.��Lqw*��SH;E��F'�D�Ħ��H��]��M��O��������g���Q���Q�|M�ٙ��ג2Z��9y��@���y�]}6ٽe��Y9��Y2�xˆ�$T�=�e�CǺ��ǵb�n֛�{��j��|��@�LL�t�1�[D�k5:$=�	`�	�M

��
�0�
�0<+


00.0,+
0
� http://ocsp.cudasystems.net:88880	U00	`�H
��B

�0U

��0U%0+
+
03	`�H
��B

&$OpenSSL Generated Client Certificate0U�%�՞V
=���؁�;�bzQ0��U#��0���]�^§������Q�\ӎϡ�����0��10	UUS10UFlorida10U	Niceville10U
Cuda Systems LLC10UCuda Systems CA1!0UCuda Systems LLC 2017 CA��H���^��Ōc!5�
�H0U0�karl@denninger.net0
	*�H��


�
�۠�A0�-j%-�-$%���g2#ޡ��1�^��>���{K+�u��GE���v1���ş7Af&b�&O�;.��;A5���*U��)N��D2bF��|\=�]<�sˋL!��wrw���٧>��Y���M���Ä���3\mW�R�� h�Sv���!�_�zv�����l�?� ��3_�� �xU%�\�^����#���O*���Gk̍�YI_�&�Fꊛ�����@&�1�n������”�}� ͬ:��{�hT�P3��B.�;���bU�8:Z��=^���Gw�8���!k-��@���x�E��@�i�,+'�Iᐚ:f��hz�tX7/�(h�Y`��� O�.������1}a`�%�RW��^�a�k������ǂp�C�Au�fgDix�UT��Щ/�7��}�%=j��nVZvcF����<�M=
�2^G�KH5魉
�_���O�4ެ�Byʈ�
��y��S��k�w=5�@h�.0�z�>�
W�1�0�

0��0{10	UUS10UFlorida10U
Cuda Systems LLC10UCuda Systems CA1%0#UCuda Systems LLC 2017 Int CA��k���#X��d��\�=0
	`�H
e��E0	*�H��

	1	*�H��


0	*�H��

	1
190210194313Z0O	*�H��

	1B@Bی
�����䥨��(<&��dNC�m��w[1��@n���*���IL���|$b��o������.�zf�*0l	*�H��

	1_0]0	`�H
e
*0	`�H
e
0
*�H��
0*�H��
�0
*�H��

@0+0
*�H��

(0��	+

�71��0��0{10	UUS10UFlorida10U
Cuda Systems LLC10UCuda Systems CA1%0#UCuda Systems LLC 2017 Int CA��k���#X��d��\�=0��*�H��

	1�����0{10	UUS10UFlorida10U
Cuda Systems LLC10UCuda Systems CA1%0#UCuda Systems LLC 2017 Int CA��k���#X��d��\�=0
	*�H��



���u�qwY���L����4��\���\s}ߓ�qc�Wø��"��3�A�ɀ6&(f� �|r�\Zpz���ەS7k"��UV�e�	I���v��
Q��h�P:�*K��w�r�3}�Q���FHS����I,E3,�RM��
b�$���UKZ*)��� 2y��.�ڂ_�Z�Ql��*c�$��P�c)l"ް��ц�n�j��W���Y��k����5���,-�zaS1|�=��a�1N���b2��й��-�[��B����A���51���)��Rz�-�K^n]�g�V���A���d�Ǥ��Y�]�`XS)��x�Vd�R���K�N��	�;ů��
9���/O����O�ѝV�'���hc���Z��I�f��l��!/^��r��ed�	�P��,��́�̶��K�F����Ql�bR)C
!��7��f��B���8�ă��sKRgΚS���%t��F��Wz��7�%-�n�G@���;s�����~ȉ�c�

home | help

---

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ef143cb8-e674-cc06-4569-e5fa66676f25>

Legal Notices | © 1995-2026 The FreeBSD Project. All rights reserved.

Contact