Date: Wed, 17 Aug 2022 15:35:36 +0200
From: Guido van Rooij <guido@gvr.org>
To: Warner Losh <imp@bsdimp.com>
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool
Message-ID: <1BFD8C02-370F-4E59-BC89-EEF970B44934@gvr.org>
In-Reply-To: <CANCZdfoMjg2GmUjZAeQ_phZnn4tKSKEOcPq6-h==s==idzmjBg@mail.gmail.com>
References: <CANCZdfoMjg2GmUjZAeQ_phZnn4tKSKEOcPq6-h==s==idzmjBg@mail.gmail.com>
> On 16 Aug 2022, at 19:09, Warner Losh <imp@bsdimp.com> wrote:
>
>> On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij <guido@gvr.org> wrote:
>> On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
>> > On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <guido@gvr.org>
>> > wrote:
>> >
>> > Currently I have a system with ZFS on GELI. I use the ability in
>> > the EFI loader to enter the GELI password.
>> > Is it possible somehow to use a serial console to enter the
>> > password?
>> > My system does have a COM1 port but it isn't recognised at the early
>> > boot stage. There I only see:
>> >     Consoles: EFI console
>> >     GELI Passphrase for disk0p4:
>> > (Note: this is early in the boot process so there is no access to
>> > boot.config (or any other file in the ZFS pool) as it is still on
>> > encrypted storage at that time).
>> >
>> > The boot loader.efi will read ESP:/efi/freebsd/loader.env for
>> > environment
>> > variables. You can use that to set the COM1 port since it appears your
>> > EFI system doesn't do console redirection.
>> > If you want it to only prompt COM1 for the password, but everything
>> > else is
>> > on the efi console, that's a lot harder.
>>
>> Hi Warner,
>>
>> Thanks, but somehow I still cannot get it to work properly.
>> Content of /efi/freebsd/loader.env:
>> boot_multicons="YES"
>> console="efi comconsole"
>>
>> The boot prompt still only shows "Consoles: EFI console".
>
> Yes. That's printed before we process the ESP file and switch to the new console...
>
>> When I boot I get the GELI passphrase prompt at the EFI console only. But when the kernel starts
>> to run I do get output to the serial console, starting with:
>> ---<<BOOT>>---
>> Copyright (c) 1992-2021 The FreeBSD Project.
>>
>> So it seems the loader.env file is read correctly (it didn't output anything to the serial
>> console before I created efi/freebsd/loader.env). But looking at the source I see in
>> efi/loader/main.c:read_loader_env():
>>         if (fn) {
>>                 printf("    Reading loader env vars from %s\n", fn);
>>                 parse_loader_efi_config(boot_img->DeviceHandle, fn);
>>         }
>> I never saw the printf appearing. I do not understand this.
>
> It should have appeared on the video console of the EFI console (assuming no serial
> redirect is going on in that BIOS).

It surely did not.

> I'd have to delve more deeply into the prompts for the GELI password than I have
> time to do this morning. What if you type the password blind into the serial port?

Tried that but nothing happened. When I enter the passphrase after typing it in via
the serial port, it worked immediately, so we can conclude that no single keystroke
got through.

-Guido
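Added illustration, not code from the thread or from the FreeBSD loader: a small C parser for the name="value" lines that the posted ESP:/efi/freebsd/loader.env uses, with the sample file constructed here, plus a helper that splits the `console` value into its individual console names. The real loader.efi parses that file in parse_loader_efi_config() (stand/efi/loader/main.c, the call site quoted above); the function names, the '#' comment syntax, the fixed-size variable table and the last-definition-wins rule below are this example's own assumptions, not statements about that parser.

```c
/* Added example, not the FreeBSD loader's own code: a parser for the
 * name="value" lines of ESP:/efi/freebsd/loader.env as posted in the thread.
 * Assumed rules (mine, not the loader's): '#' starts a comment, blank lines
 * are skipped, a double-quoted value may contain spaces, and a repeated name
 * overrides the earlier value. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VARS 32
#define MAX_LEN  128

static struct { char name[MAX_LEN]; char value[MAX_LEN]; } vars[MAX_VARS];
static int nvars;

/* Constructed sample: the thread's two lines plus a comment and an unquoted value. */
const char *sample_env =
    "# serial console settings for loader.efi\n"
    "boot_multicons=\"YES\"\n"
    "console=\"efi comconsole\"\n"
    "comconsole_speed=115200\n";

static char *trim(char *s)
{
    char *end;

    while (isspace((unsigned char)*s)) s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Parse one line in place: 0 on success, -1 if malformed or no room. */
static int parse_line(char *line)
{
    char *eq, *name, *val;
    size_t n;

    line = trim(line);
    if (*line == '\0' || *line == '#')
        return 0;                           /* blank line or comment */
    if ((eq = strchr(line, '=')) == NULL || eq == line)
        return -1;                          /* no '=' or empty name */
    *eq = '\0';
    name = trim(line);
    val = trim(eq + 1);
    n = strlen(val);
    if (n >= 2 && val[0] == '"' && val[n - 1] == '"') {
        val[n - 1] = '\0';                  /* strip surrounding quotes */
        val++;
    }
    if (nvars >= MAX_VARS || strlen(name) >= MAX_LEN || strlen(val) >= MAX_LEN)
        return -1;                          /* would overflow the fixed slots */
    strcpy(vars[nvars].name, name);
    strcpy(vars[nvars].value, val);
    nvars++;
    return 0;
}

/* Parse a whole loader.env buffer; returns the number of rejected lines. */
int loader_env_parse(const char *buf)
{
    char *copy = malloc(strlen(buf) + 1), *line;
    int bad = 0;

    nvars = 0;
    if (copy == NULL)
        return -1;
    strcpy(copy, buf);
    for (line = strtok(copy, "\n"); line != NULL; line = strtok(NULL, "\n"))
        bad += parse_line(line) != 0;
    free(copy);
    return bad;
}

/* Look up a variable; the last definition wins.  NULL if unset. */
const char *loader_env_get(const char *name)
{
    for (int i = nvars - 1; i >= 0; i--)
        if (strcmp(vars[i].name, name) == 0)
            return vars[i].value;
    return NULL;
}

/* Split the space-separated "console" value into names[]; returns the count.
 * names[] point into a static buffer that the next call overwrites. */
int loader_env_consoles(const char *names[], int max)
{
    static char buf[MAX_LEN];
    const char *v = loader_env_get("console");
    char *tok;
    int n = 0;

    if (v == NULL)
        return 0;
    strcpy(buf, v);
    for (tok = strtok(buf, " \t"); tok != NULL && n < max; tok = strtok(NULL, " \t"))
        names[n++] = tok;
    return n;
}
```

Call loader_env_parse(sample_env) and then loader_env_get("console") or loader_env_consoles() from a main() of your own; on the sample above the parser rejects nothing and the console split yields "efi" and "comconsole". Note that parsing the file is only half of what the thread is about: as Warner says above, the "Consoles:" line is printed before loader.env is processed, and the thread leaves open why the GELI prompt never accepted input from the serial port.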
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1BFD8C02-370F-4E59-BC89-EEF970B44934>