Date: Sun, 10 Feb 2019 13:43:13 -0600
From: Karl Denninger <karl@denninger.net>
To: freebsd-stable@freebsd.org
Subject: Re: Geli prompts on gptzfsboot (Was:: Serious ZFS Bootcode Problem (GPT NON-UEFI -- RESOLVED)
Message-ID: <ef143cb8-e674-cc06-4569-e5fa66676f25@denninger.net>
In-Reply-To: <2f5e28f7f48fa34e60e6225d63cdb2bf357313aa.camel@freebsd.org>
References: <911d001f-9e33-0521-51fe-f7d1383dfc62@denninger.net>
 <CANCZdfp0QaXodmYBp9Eox9Ca5kyQibCXw5rRTwsO-mCjApYswA@mail.gmail.com>
 <b11ec38c-1c6a-6e92-810c-4d2fe3e8df3d@freebsd.org>
 <a107a4f5-2851-191a-5f8c-a4cd44c98458@denninger.net>
 <16c56c89ff8a3d89164d9152f6c38687dcba99b5.camel@freebsd.org>
 <3fd7f001-879c-7b1e-3d1a-d2939ac07d9c@denninger.net>
 <398cae11ff6b81d0bc1dbdcd54f64eb97b2c812a.camel@freebsd.org>
 <df021c0b-ef2c-df61-7042-303dbadaab75@denninger.net>
 <2f5e28f7f48fa34e60e6225d63cdb2bf357313aa.camel@freebsd.org>
On 2/10/2019 12:40, Ian Lepore wrote:
> On Sun, 2019-02-10 at 12:35 -0600, Karl Denninger wrote:
>> On 2/10/2019 12:01, Ian Lepore wrote:
>>> On Sun, 2019-02-10 at 11:54 -0600, Karl Denninger wrote:
>>>> On 2/10/2019 11:50, Ian Lepore wrote:
>>>>> On Sun, 2019-02-10 at 11:37 -0600, Karl Denninger wrote:
>>>>>
>>>>>> [...]
>>>>>>
>>>>>> BTW am I correct that gptzfsboot did *not* get the ability to read
>>>>>> geli-encrypted pools in 12.0? The UEFI loader does know how (which I'm
>>>>>> using on my laptop) but I was under the impression that for non-UEFI
>>>>>> systems you still needed the unencrypted boot partition from which to
>>>>>> load the kernel.
>>>>>>
>>>>> Nope, that's not correct. GELI support was added to the boot and loader
>>>>> programs for both ufs and zfs in freebsd 12. You must set the geli '-g'
>>>>> option to be prompted for the passphrase while booting (this is
>>>>> separate from the '-b' flag that enables mounting the encrypted
>>>>> partition as the rootfs). You can use "geli configure -g" to turn on
>>>>> the flag on any existing geli partition.
>>>>>
>>>>> -- Ian
>>>> Excellent - this will eliminate the need for me to run down the
>>>> foot-shooting that occurred in my update script since the unencrypted
>>>> kernel partition is no longer needed at all. That also significantly
>>>> reduces the attack surface on such a machine (although you could still
>>>> tamper with the contents of freebsd-boot of course.)
>>>>
>>>> The "-g" flag I knew about from experience in putting 12 on my X1 Carbon
>>>> (which works really well incidentally; the only issue I'm aware of is
>>>> that there's no 5Ghz WiFi support.)
>>>>
>>> One thing that is rather unfortunate... if you have multiple geli
>>> encrypted partitions that all have the same passphrase, you will be
>>> required to enter that passphrase twice while booting -- once in
>>> gpt[zfs]boot, then again during kernel startup when the rest of the
>>> drives/partitions get tasted by geom. This is because APIs within the
>>> boot process got changed to pass keys instead of the passphrase itself
>>> from one stage of booting to the next, and the fallout of that is the
>>> key for the rootfs is available to the kernel for mountroot, but the
>>> passphrase is not available to the system when geom is probing all the
>>> devices, so you get prompted for it again.
>>>
>>> -- Ian
>> Let me see if I understand this before I do it then... :-)
>>
>> I have the following layout:
>>
>> 1. Two SSDs that contain the OS as a two-provider ZFS pool, which has
>> "-b" set on both members; I get the "GELI Passphrase:" prompt from the
>> loader and those two providers (along with encrypted swap) attach early
>> in the boot process. The same SSDs contain a mirrored non-encrypted
>> pool that has /boot (and only /boot) on it because previously you
>> couldn't boot from an EFI-encrypted pool at all.
>>
>> Thus:
>>
>> [\u@NewFS /root]# gpart show da1
>> =>         34  468862061  da1  GPT  (224G)
>>            34       2014       - free -  (1.0M)
>>          2048       1024    1  freebsd-boot  (512K)
>>          3072       1024       - free -  (512K)
>>          4096   20971520    2  freebsd-zfs  [bootme]  (10G)
>>      20975616  134217728    3  freebsd-swap  (64G)
>>     155193344  313667584    4  freebsd-zfs  (150G)
>>     468860928       1167       - free -  (584K)
>>
>> There is of course a "da2" that is identical. The actual encrypted root
>> pool is on partition 4 with "-b" set at present. I get prompted from
>> loader as a result after the unencrypted partition (#2) boots.
>>
>> 2. Multiple additional "user space" pools on a bunch of other disks.
>>
>> Right now #2 is using geli groups. Prior to 12.0 they were handled
>> using a custom /etc/rc.d script I wrote that did basically the same
>> thing that geli groups does because all use the same passphrase and
>> entering the same thing over and over on a boot was a pain in the butt.
>> It prompted cleanly with no echo, took a password and then iterated over
>> a list of devices attaching them one at a time. That requirement is now
>> gone with geli groups, which is nice since mergemaster always complained
>> about it being a "non-standard" thing; it *had* to go in /etc/rc.d and
>> not in /usr/etc/rc.d else I couldn't get it to run early enough --
>> unfortunately.
>>
>> So if I remove the non-encrypted freebsd-zfs mirror that the system
>> boots from in favor of setting "-g" on the root pool (both providers)
>> gptzfsboot will find and prompt for the password to boot before loader
>> gets invoked at all, much like the EFI loader does. That's good. (My
>> assumption is that the "-g" is sufficient; I don't need (or want)
>> "bootme" set -- correct?)
>>
>> /However,/ once the kernel boots somewhere in the mishmash of boot-time
>> messages, and probably not where it's instantly obvious nor where it
>> will halt the cascade display on the console, I'm going to get asked for
>> that passphrase again? I assume I want to remove
>> 'geom_eli_passphrase_prompt="YES"' from loader.conf as well -- or would
>> leaving it in there save me from the prompt that's hard to find in the
>> cascade?
>>
>> Or, even better, would that situation of a double-prompt only apply if I
>> had "-b" set on something /other than/ the boot device pool vdevs (I
>> don't -- those are handled by #2 for this exact reason.)
>>
> I think at this point I have to ease out of the conversation, because I
> know almost nothing about zfs, despite having somehow managed to add
> geli support to the zfs code in loader.
> I did so without understanding
> zfs in any way, because I added the support at a more generic "disk
> drive support" layer in loader, and did all my testing using automated
> scripts Alan and Warner created to test zfs booting using qemu.
>
> -- Ian

I can confirm that this boots and comes up cleanly without re-prompting
for the boot pool password.

The machines I have in the field in this config, during the next upgrade
cycle, are going to get set up this way. When it makes sense to replace
these with UEFI boards (likely when Coffee Lake Xeons and Mobos that can
handle them get a bit more reasonable and start showing up with IPMI/kvm
ports) I'll likely start getting rid of these older devices simply on the
performance-for-power equation, but these are likely to be out there for
me, anyway, for the next few years.

In short very nice work -- and thank you!

--
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
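The '-b' versus '-g' distinction Ian explains in the thread above, as an added shell example that is not part of the thread and not FreeBSD's own tooling: it reads text in the format `geli list` prints and reports, per geli geom, which boot stage will ask for the passphrase, so an admin can see ahead of the next reboot which providers still fall into the kernel-side re-prompt Ian describes. The `geli list` sample is constructed and abbreviated; BOOT and GELIBOOT are the flag names geli prints for -b and -g.

```shell
#!/bin/sh
# Added example, not from the thread: classify geli providers by the
# BOOT (-b) and GELIBOOT (-g) flags as `geli list` reports them.

# Constructed, abbreviated `geli list` output for three providers.
SAMPLE_GELI_LIST='Geom name: da1p4.eli
State: ACTIVE
Flags: BOOT, GELIBOOT
Providers:
1. Name: da1p4.eli
Geom name: da3p1.eli
State: ACTIVE
Flags: BOOT
Providers:
1. Name: da3p1.eli
Geom name: da0p3.eli
State: ACTIVE
Flags: ONETIME
Providers:
1. Name: da0p3.eli'

# geli_prompt_report: read `geli list` text on stdin and print one line
# per geom, "<geom> <stage>", where stage is the boot stage that prompts:
#   boot-loader  GELIBOOT set: gptzfsboot/loader prompts and hands the
#                derived key (not the passphrase) to the kernel
#   kernel       only BOOT set: prompted again at mountroot/geom taste,
#                even when the passphrase is the same (the double prompt)
#   userland     neither flag: attached later by rc.d/geli or a script
geli_prompt_report() {
    awk '
        /^Geom name:/ { if (geom != "") emit(); geom = $3; flags = "" }
        /^Flags:/     { sub(/^Flags: */, ""); flags = $0 }
        END           { if (geom != "") emit() }
        function emit(   stage) {
            # anchor the match so GELIBOOT never satisfies the BOOT test
            if (flags ~ /(^|, )GELIBOOT(,|$)/)   stage = "boot-loader"
            else if (flags ~ /(^|, )BOOT(,|$)/)  stage = "kernel"
            else                                  stage = "userland"
            print geom, stage
        }
    '
}

# On a live system: geli list | geli_prompt_report
printf '%s\n' "$SAMPLE_GELI_LIST" | geli_prompt_report
```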
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ef143cb8-e674-cc06-4569-e5fa66676f25>