Date: Fri, 29 Nov 2024 20:10:24 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 283043] gptboot fails to read the encrypted rootfs if geli authentication (geli -a) is used
Message-ID: <bug-283043-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283043

            Bug ID: 283043
           Summary: gptboot fails to read the encrypted rootfs if geli
                    authentication (geli -a) is used
           Product: Base System
           Version: 14.1-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: nospam@mgedv.net

abstract:
When using geli init [-b] -g -a <HMAC>, gptboot cannot access the encrypted
rootfs properly. IMHO this can be a code or documentation error.

freebsd version:
FreeBSD-14.1-STABLE-amd64-20240926-4f4860c9b07c-268821-disc1.iso (1401502)

debugging env was vmware esxi 8.0u3, Releasebuild-24022510, pvscsi adapter

failing boot output:
GELI Passphrase for disk0p2: ***
Calculating GELI Decryption Key for disk0p2: 3124135 iterations...
gptboot: No /boot/loader on 0:ad(0p2)
gptboot: No /boot/kernel/kernel on 0:ad(0p2)

FreeBSD/x86 boot
Default: 0:ad(0p2)/boot/kernel/kernel
boot:

reproduce (live system based install):
gpart create -s gpt da0
gpart add -t freebsd-boot -l geli01_boot -s 512K da0
gpart add -t freebsd-ufs -a 1m -l geli01_root -s 40G da0
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 da0

==> WORKS:
geli init -v -b -g -B "/tmp/geli01_root.meta" -d -e 'AES-XTS' -l 256 -s 4096 "/dev/gpt/geli01_root"

==> FAILS:
geli init -v -b -g -a 'HMAC/SHA256' -B "/tmp/geli01_root.meta" -d -e 'AES-XTS' -l 256 -s 4096 "/dev/gpt/geli01_root"

geli attach -v /dev/gpt/geli01_root
newfs -j -L root -O 2 -o time -U -i 32768 -b 65536 -f 8192 -c 262144 -m 8 /dev/gpt/geli01_root.eli
mount /dev/gpt/geli01_root.eli /mnt
tar xfC /usr/freebsd-dist/base.txz /mnt
tar xfC /usr/freebsd-dist/kernel.txz /mnt
echo "/dev/da0p2.eli / ufs rw,noatime 1 1" >/mnt/etc/fstab
echo "geom_eli_load=\"YES\"" >/mnt/boot/loader.conf
echo "cryptodev_load=\"YES\"" >>/mnt/boot/loader.conf
umount /mnt
geli detach /dev/gpt/geli01_root

There's an old bug going into a similar direction, which might be related:
bug #161013

-- 
You are receiving this mail because:
You are the assignee for the bug.
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-283043-227>
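The report turns on one difference between the two `geli init` invocations: whether the provider was initialised with data authentication (`-a HMAC/SHA256`). Before depending on gptboot for a GELI root, an administrator will want to confirm which configuration an existing provider actually has. The script below is an added example, not code from the bug report or from FreeBSD; it inspects the text that `geli dump` prints for a provider and reports the authentication algorithm and the relevant metadata flags. The two metadata samples are constructed to resemble `geli dump` output (field names follow geli(8), but the exact layout is an assumption), and the flag bit values are assumed from `sys/geom/eli/g_eli.h` (G_ELI_FLAG_BOOT 0x2, G_ELI_FLAG_AUTH 0x10, G_ELI_FLAG_GELIBOOT 0x100). On a real system, replace the sample with `geli dump /dev/gpt/geli01_root`.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a GELI provider's
# metadata as authenticated or not, so the failing configuration from the
# report can be recognised before the machine is rebooted.

# Constructed sample resembling `geli dump` output for the FAILS case
# (-b -g -a HMAC/SHA256). flags 0x112 = BOOT|AUTH|GELIBOOT (assumed bits).
SAMPLE_AUTH='Metadata on /dev/gpt/geli01_root:
     magic: GEOM::ELI
   version: 7
     flags: 0x112
     ealgo: AES-XTS
    keylen: 256
     aalgo: HMAC/SHA256
  provsize: 42949672960
sectorsize: 4096
      keys: 0x01
iterations: 3124135'

# Constructed sample resembling the WORKS case (-b -g, no -a).
# flags 0x102 = BOOT|GELIBOOT (assumed bits); no aalgo line.
SAMPLE_NOAUTH='Metadata on /dev/gpt/geli01_root:
     magic: GEOM::ELI
   version: 7
     flags: 0x102
     ealgo: AES-XTS
    keylen: 256
  provsize: 42949672960
sectorsize: 4096
      keys: 0x01
iterations: 3124135'

# Flag bit values assumed from sys/geom/eli/g_eli.h.
FLAG_BOOT=2        # G_ELI_FLAG_BOOT      0x002
FLAG_AUTH=16       # G_ELI_FLAG_AUTH      0x010
FLAG_GELIBOOT=256  # G_ELI_FLAG_GELIBOOT  0x100

# geli_field METADATA NAME: print the value of the "NAME:" line, if any.
geli_field() {
    printf '%s\n' "$1" | awk -v want="$2:" '$1 == want { print $2; exit }'
}

# geli_auth_algo METADATA: print the authentication algorithm or "none".
geli_auth_algo() {
    algo=$(geli_field "$1" aalgo)
    printf '%s\n' "${algo:-none}"
}

# geli_flags_decimal METADATA: print the flags word as a decimal integer
# (printf %d accepts the 0x prefix in POSIX sh and bash).
geli_flags_decimal() {
    printf '%d\n' "$(geli_field "$1" flags)"
}

# geli_flag_set METADATA MASK: succeed when MASK is set in the flags word.
geli_flag_set() {
    flags=$(geli_flags_decimal "$1")
    [ $(( flags & $2 )) -ne 0 ]
}

# geli_classify METADATA: one-line summary, e.g.
#   "auth=HMAC/SHA256 boot=yes geliboot=yes" for the FAILS provider.
geli_classify() {
    algo=$(geli_auth_algo "$1")
    boot=no; geliboot=no
    geli_flag_set "$1" "$FLAG_BOOT" && boot=yes
    geli_flag_set "$1" "$FLAG_GELIBOOT" && geliboot=yes
    printf 'auth=%s boot=%s geliboot=%s\n' "$algo" "$boot" "$geliboot"
}

# geli_is_authenticated METADATA: succeed when either the aalgo line or the
# AUTH flag says the provider was initialised with -a.
geli_is_authenticated() {
    [ "$(geli_auth_algo "$1")" != none ] || geli_flag_set "$1" "$FLAG_AUTH"
}

# Usage against the constructed samples; on a live system pipe in
# `geli dump /dev/gpt/geli01_root` instead.
geli_classify "$SAMPLE_AUTH"
geli_classify "$SAMPLE_NOAUTH"
```

A provider that `geli_is_authenticated` accepts is in the configuration the report describes as failing under gptboot; one it rejects matches the working invocation. The check reads both the `aalgo` line and the flags word so that a dump where one of the two is missing still yields an answer.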
