Date: Tue, 16 Aug 2022 11:08:51 -0600 From: Warner Losh <imp@bsdimp.com> To: Guido van Rooij <guido@gvr.org> Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org> Subject: Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool Message-ID: <CANCZdfoMjg2GmUjZAeQ_phZnn4tKSKEOcPq6-h==s==idzmjBg@mail.gmail.com> In-Reply-To: <YvtnFeFc/vmXnPcx@gvr.gvr.org> References: <YvpW59mY6eK5KOQ0@gvr.gvr.org> <CANCZdfoR9TcF71O0O7K2KT-_hsDG_6kxKK9KHpHdoowCoS709g@mail.gmail.com> <YvtnFeFc/vmXnPcx@gvr.gvr.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--00000000000011715a05e65ece16 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij <guido@gvr.org> wrote: > On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote: > > On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <[1]guido@gvr.org> > > wrote: > > > > Currently I have a system with ZFS on GELI. I use the ability in > > the EFI loader to enter the GELI password. > > Is it possible somehow to use a serial console to enter the > > password? > > My system does have a COM1 port but it isn't recognised at the ear= ly > > bot stage. There I only see: > > =C3=82 =C3=82 Consoles: EFI console > > =C3=82 =C3=82 GELI Passphrase for disk0p4: > > (Note: this is early in the boot process so there is no access to > > boot.config (or any other file in the ZFS pool) as it still on > > encrypted storage at that time). > > > > The boot loader.efi will read ESP:/efi/freebsd/loader.env for > > environment > > variables. You can use that to set the COM1 port since it appears yo= ur > > EFI system doesn't do console redirection. > > If you want it to only prompt COM1 for the password, but everything > > else is > > on the efi console, that's a lot harder. > > Hi Warner, > > Thanks, but somehow I still cannot get it to work properly. > Content of /efi/freebsd/loader.env: > boot_multicons=3D"YES" > console=3D"efi comconsole" > > The boot prompt still only shows "Consoles: EFI console". > Yes. That's printed before we process the ESP file and switch to the new console... > When I boot I get the GELI passphrase prompt at the EFI console only. But > when the kernel starts > to run I do get output to the serial console, staring with: > ---<<BOOT>>--- > Copyright (c) 1992-2021 The FreeBSD Project. > > So it seems the loader.env file is read correctly (it didn't output > anything to the serial > console before I created efi/freebsd/loader.env). But looking at the > source I see in > efi/loader/main.c:read_loader_env(): > if (fn) { > printf(" Reading loader env vars from %s\n", fn); > parse_loader_efi_config(boot_img->DeviceHandle, fn); > } > I never saw the printf appearing. I do not understand this. > It should have appeared on the video console of the EFI console (assuming no serial redirect is going on in that BIOS). I'd have to delve more deeply into the prompts for the GELI password than I have time to do this morning. What if you type the password blind into the serial port? Warner --00000000000011715a05e65ece16 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote">= <div dir=3D"ltr" class=3D"gmail_attr">On Tue, Aug 16, 2022 at 3:44 AM Guido= van Rooij <<a href=3D"mailto:guido@gvr.org">guido@gvr.org</a>> wrote= :<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.= 8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, Aug 15= , 2022 at 02:20:32PM -0600, Warner Losh wrote:<br> >=C2=A0 =C2=A0 On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <[1]<a= href=3D"mailto:guido@gvr.org" target=3D"_blank">guido@gvr.org</a>><br> >=C2=A0 =C2=A0 wrote:<br> > <br> >=C2=A0 =C2=A0 =C2=A0 Currently I have a system with ZFS on GELI. I use = the ability in<br> >=C2=A0 =C2=A0 =C2=A0 the EFI loader to enter the GELI password.<br> >=C2=A0 =C2=A0 =C2=A0 Is it possible somehow to use a serial console to = enter the<br> >=C2=A0 =C2=A0 =C2=A0 password?<br> >=C2=A0 =C2=A0 =C2=A0 My system does have a COM1 port but it isn't r= ecognised at the early<br> >=C2=A0 =C2=A0 =C2=A0 bot stage. There I only see:<br> >=C2=A0 =C2=A0 =C2=A0 =C3=82=C2=A0 =C3=82=C2=A0 Consoles: EFI console<br= > >=C2=A0 =C2=A0 =C2=A0 =C3=82=C2=A0 =C3=82=C2=A0 GELI Passphrase for disk= 0p4:<br> >=C2=A0 =C2=A0 =C2=A0 (Note: this is early in the boot process so there = is no access to<br> >=C2=A0 =C2=A0 =C2=A0 boot.config (or any other file in the ZFS pool) as= it still on<br> >=C2=A0 =C2=A0 =C2=A0 encrypted storage at that time).<br> > <br> >=C2=A0 =C2=A0 The boot loader.efi will read ESP:/efi/freebsd/loader.env= for<br> >=C2=A0 =C2=A0 environment<br> >=C2=A0 =C2=A0 variables. You can use that to set the COM1 port since it= appears your<br> >=C2=A0 =C2=A0 EFI system doesn't do console redirection.<br> >=C2=A0 =C2=A0 If you want it to only prompt COM1 for the password, but = everything<br> >=C2=A0 =C2=A0 else is<br> >=C2=A0 =C2=A0 on the efi console, that's a lot harder.<br> <br> Hi Warner,<br> <br> Thanks, but somehow I still cannot get it to work properly.<br> Content of /efi/freebsd/loader.env:<br> boot_multicons=3D"YES"<br> console=3D"efi comconsole"<br> <br> The boot prompt still only shows "Consoles: EFI console".<br></bl= ockquote><div><br></div><div>Yes. That's printed before we process the = ESP file and switch to the new console...</div><div>=C2=A0</div><blockquote= class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px so= lid rgb(204,204,204);padding-left:1ex"> When I boot I get the GELI passphrase prompt at the EFI console only. But w= hen the kernel starts<br> to run I do get output to the serial console, staring with:<br> ---<<BOOT>>---<br> Copyright (c) 1992-2021 The FreeBSD Project.<br> <br> So it seems the loader.env file is read correctly (it didn't output any= thing to the serial<br> console before I created efi/freebsd/loader.env). But looking at the source= I see in <br> efi/loader/main.c:read_loader_env():<br> =C2=A0 =C2=A0 =C2=A0 =C2=A0 if (fn) {<br> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 printf("=C2=A0= =C2=A0 Reading loader env vars from %s\n", fn);<br> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 parse_loader_efi_co= nfig(boot_img->DeviceHandle, fn);<br> =C2=A0 =C2=A0 =C2=A0 =C2=A0 }<br> I never saw the printf appearing. I do not understand this.<br></blockquote= ><div><br></div><div>It should have appeared on the video console of the EF= I console (assuming no serial</div><div>redirect is going on in that BIOS).= </div><div><br></div><div>I'd have to delve more deeply into the prompt= s for the GELI password than I have</div><div>time to do this morning. What= if you type the password blind into the serial port?</div><div><br></div><= div>Warner</div></div></div> --00000000000011715a05e65ece16--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANCZdfoMjg2GmUjZAeQ_phZnn4tKSKEOcPq6-h==s==idzmjBg>