* Patch to support GELI passphrase passthrough
@ 2014-10-22 17:12 Kris Moore
2014-10-22 17:47 ` Andrei Borzenkov
0 siblings, 1 reply; 6+ messages in thread
From: Kris Moore @ 2014-10-22 17:12 UTC (permalink / raw)
To: grub-devel
Hey, just a small patch to submit today. If you'd rather I send this to
the bug tracker then I can do that also.
This patch allows exporting the FreeBSD GELI passphrase to the kernel
environment, which we will be doing in PC-BSD to avoid prompting for the
passphrase a second time at bootup.
Let me know if you have any suggestions or need any changes. I'm
currently hacking on support for EFI framebuffer settings to be passed
to FreeBSD kernel as well, will send patches once I get things working
there.
--
Kris Moore
PC-BSD Software
iXsystems
[-- Attachment #2: patch-grub-core_disk_geli.c --]
[-- Type: text/x-csrc; name="patch-grub-core_disk_geli.c", Size: 536 bytes --]
--- grub-core/disk/geli.c.orig 2014-05-15 14:00:10.000000000 -0400
+++ grub-core/disk/geli.c 2014-09-26 10:18:53.325111693 -0400
@@ -430,6 +430,9 @@
if (!grub_password_get (passphrase, MAX_PASSPHRASE))
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
+ /* Set the GELI passphrase to GRUB env, for passing to FreeBSD kernel */
+ grub_env_set ("gelipassphrase", passphrase);
+
/* Calculate the PBKDF2 of the user supplied passphrase. */
if (grub_le_to_cpu32 (header.niter) != 0)
{
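Review bot: the added grub_env_set ("gelipassphrase", passphrase) call runs directly after grub_password_get and before the PBKDF2 step below it, so whatever was typed is exported even if it later fails to unlock the disk; move the call to the point where the key has been verified. The return value of grub_env_set is ignored, so a failed export passes silently, and the fixed name "gelipassphrase" means a second GELI disk would overwrite the first value. Because this leaves a plaintext secret in the GRUB environment, the comment should also say which grub.cfg step is expected to consume and unset it.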
* Re: Patch to support GELI passphrase passthrough
2014-10-22 17:12 Patch to support GELI passphrase passthrough Kris Moore
@ 2014-10-22 17:47 ` Andrei Borzenkov
2014-10-22 17:50 ` Kris Moore
0 siblings, 1 reply; 6+ messages in thread
From: Andrei Borzenkov @ 2014-10-22 17:47 UTC (permalink / raw)
To: Kris Moore; +Cc: grub-devel
On Wed, 22 Oct 2014 13:12:32 -0400
Kris Moore <kris@pcbsd.org> wrote:
>
>
> Hey, just a small patch to submit today. If you rather I send this to
> the bug tracker then I can do that also.
>
> This patch allows exporting the FreeBSD GELI passphrase to the kernel
> environment, which we will be doing in PC-BSD to avoid prompting for the
> passphrase a second time at bootup.
>
> if (!grub_password_get (passphrase, MAX_PASSPHRASE))
> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
>
> + /* Set the GELI passphrase to GRUB env, for passing to FreeBSD kernel */
> + grub_env_set ("gelipassphrase", passphrase);
> +
If I read BSD loader correctly, this should be kFreeBSD.gelipassphrase.
Is geli freebsd-specific?
> /* Calculate the PBKDF2 of the user supplied passphrase. */
> if (grub_le_to_cpu32 (header.niter) != 0)
> {
It sounds more logical to export it after it has been verified?
I tried to find out about this "gelipassphrase" kernel variable but did
not find anything. Is it already used anywhere?
> Let me know if you have any suggestions or need any changes. I'm
> currently hacking on support for EFI framebuffer settings to be passed
> to FreeBSD kernel as well, will send patches once I get things working
> there.
>
* Re: Patch to support GELI passphrase passthrough
2014-10-22 17:47 ` Andrei Borzenkov
@ 2014-10-22 17:50 ` Kris Moore
2014-10-27 14:56 ` Kris Moore
0 siblings, 1 reply; 6+ messages in thread
From: Kris Moore @ 2014-10-22 17:50 UTC (permalink / raw)
To: grub-devel
On 10/22/2014 13:47, Andrei Borzenkov wrote:
> On Wed, 22 Oct 2014 13:12:32 -0400
> Kris Moore <kris@pcbsd.org> wrote:
>
>>
>> Hey, just a small patch to submit today. If you rather I send this to
>> the bug tracker then I can do that also.
>>
>> This patch allows exporting the FreeBSD GELI passphrase to the kernel
>> environment, which we will be doing in PC-BSD to avoid prompting for the
>> passphrase a second time at bootup.
>>
>> if (!grub_password_get (passphrase, MAX_PASSPHRASE))
>> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
>>
>> + /* Set the GELI passphrase to GRUB env, for passing to FreeBSD kernel */
>> + grub_env_set ("gelipassphrase", passphrase);
>> +
> If I read BSD loader correctly, this should be kFreeBSD.gelipassphrase.
> Is geli freebsd-specific?
>
>> /* Calculate the PBKDF2 of the user supplied passphrase. */
>> if (grub_le_to_cpu32 (header.niter) != 0)
>> {
> It sounds more logical to export it after it has been verified?
>
> I tried to find out about this "gelipassphrase" kernel variable but did
> not find anything. Is it already used anywhere?
>
>> Let me know if you have any suggestions or need any changes. I'm
>> currently hacking on support for EFI framebuffer settings to be passed
>> to FreeBSD kernel as well, will send patches once I get things working
>> there.
>>
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
Well, this patch just makes the variable available to grub.cfg file,
then we do some stuff there like this:
set kFreeBSD.kern.geom.eli.passphrase=<passphrase>
The patch for support in FreeBSD should be in HEAD soon, but here it is
if you want to take a look:
https://github.com/pcbsd/freebsd/commit/79f4efcf6a7d4268781adc227d76ed9f7f0b685d
--
Kris Moore
PC-BSD Software
iXsystems
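
The grub.cfg step described in the message above, written out as an added example (not PC-BSD's or GRUB's own configuration). It assumes the patched geli.c has already set `gelipassphrase` when the disk was unlocked; the menu entry title, the `(crypto0)` device and the kernel path are placeholders.

```grub
# Constructed menu entry; title, device and path are placeholders.
menuentry "FreeBSD (GELI root, passphrase passthrough)" {
    # Only opt in on entries whose kernel knows how to consume the variable;
    # entries for older kernels should leave it out entirely.
    if [ -n "$gelipassphrase" ]; then
        # Variables with the kFreeBSD. prefix are handed to the kernel environment.
        set kFreeBSD.kern.geom.eli.passphrase="$gelipassphrase"
        # Drop the GRUB-side copy so it is not left readable from the
        # GRUB shell or other menu entries if this boot attempt fails.
        unset gelipassphrase
    fi
    kfreebsd (crypto0)/boot/kernel/kernel
}
```

Quoting the expansion keeps a passphrase containing spaces intact as a single value.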
* Re: Patch to support GELI passphrase passthrough
2014-10-22 17:50 ` Kris Moore
@ 2014-10-27 14:56 ` Kris Moore
2014-11-28 19:36 ` Vladimir 'φ-coder/phcoder' Serbinenko
0 siblings, 1 reply; 6+ messages in thread
From: Kris Moore @ 2014-10-27 14:56 UTC (permalink / raw)
To: grub-devel
On 10/22/2014 13:50, Kris Moore wrote:
> On 10/22/2014 13:47, Andrei Borzenkov wrote:
>> On Wed, 22 Oct 2014 13:12:32 -0400
>> Kris Moore <kris@pcbsd.org> wrote:
>>
>>> Hey, just a small patch to submit today. If you rather I send this to
>>> the bug tracker then I can do that also.
>>>
>>> This patch allows exporting the FreeBSD GELI passphrase to the kernel
>>> environment, which we will be doing in PC-BSD to avoid prompting for the
>>> passphrase a second time at bootup.
>>>
>>> if (!grub_password_get (passphrase, MAX_PASSPHRASE))
>>> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
>>>
>>> + /* Set the GELI passphrase to GRUB env, for passing to FreeBSD kernel */
>>> + grub_env_set ("gelipassphrase", passphrase);
>>> +
>> If I read BSD loader correctly, this should be kFreeBSD.gelipassphrase.
>> Is geli freebsd-specific?
>>
>>> /* Calculate the PBKDF2 of the user supplied passphrase. */
>>> if (grub_le_to_cpu32 (header.niter) != 0)
>>> {
>> It sounds more logical to export it after it has been verified?
>>
>> I tried to find out about this "gelipassphrase" kernel variable but did
>> not find anything. Is it already used anywhere?
>>
>>> Let me know if you have any suggestions or need any changes. I'm
>>> currently hacking on support for EFI framebuffer settings to be passed
>>> to FreeBSD kernel as well, will send patches once I get things working
>>> there.
>>>
> Well, this patch just makes the variable available to grub.cfg file,
> then we do some stuff there like this:
>
> set kFreeBSD.kern.geom.eli.passphrase=<passphrase>
>
> The patch for support in FreeBSD should be in HEAD soon, but here it is
> if you want to take a look:
>
> https://github.com/pcbsd/freebsd/commit/79f4efcf6a7d4268781adc227d76ed9f7f0b685d
>
Any further thoughts on this patch? The FreeBSD integration hit HEAD a
few days back.
https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
The reason I don't export the variable directly is so that when GRUB is
used to boot older versions of FreeBSD we don't set that variable, where
it isn't cleared from kernel memory. I would rather users enable it in
their grub.cfg manually, just so they know what it is doing.
--
Kris Moore
PC-BSD Software
iXsystems
* Re: Patch to support GELI passphrase passthrough
2014-10-27 14:56 ` Kris Moore
@ 2014-11-28 19:36 ` Vladimir 'φ-coder/phcoder' Serbinenko
2014-12-08 22:20 ` Kris Moore
0 siblings, 1 reply; 6+ messages in thread
From: Vladimir 'φ-coder/phcoder' Serbinenko @ 2014-11-28 19:36 UTC (permalink / raw)
To: The development of GNU GRUB
On 27.10.2014 16:56, Kris Moore wrote:
> On 10/22/2014 13:50, Kris Moore wrote:
>> On 10/22/2014 13:47, Andrei Borzenkov wrote:
>>> On Wed, 22 Oct 2014 13:12:32 -0400
>>> Kris Moore <kris@pcbsd.org> wrote:
>>>
>>>> Hey, just a small patch to submit today. If you rather I send this to
>>>> the bug tracker then I can do that also.
>>>>
>>>> This patch allows exporting the FreeBSD GELI passphrase to the kernel
>>>> environment, which we will be doing in PC-BSD to avoid prompting for the
>>>> passphrase a second time at bootup.
>>>>
>>>> if (!grub_password_get (passphrase, MAX_PASSPHRASE))
>>>> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
>>>>
>>>> + /* Set the GELI passphrase to GRUB env, for passing to FreeBSD kernel */
>>>> + grub_env_set ("gelipassphrase", passphrase);
>>>> +
>>> If I read BSD loader correctly, this should be kFreeBSD.gelipassphrase.
>>> Is geli freebsd-specific?
>>>
>>>> /* Calculate the PBKDF2 of the user supplied passphrase. */
>>>> if (grub_le_to_cpu32 (header.niter) != 0)
>>>> {
>>> It sounds more logical to export it after it has been verified?
>>>
>>> I tried to find out about this "gelipassphrase" kernel variable but did
>>> not find anything. Is it already used anywhere?
>>>
>>>> Let me know if you have any suggestions or need any changes. I'm
>>>> currently hacking on support for EFI framebuffer settings to be passed
>>>> to FreeBSD kernel as well, will send patches once I get things working
>>>> there.
>>>>
>> Well, this patch just makes the variable available to grub.cfg file,
>> then we do some stuff there like this:
>>
>> set kFreeBSD.kern.geom.eli.passphrase=<passphrase>
>>
>> The patch for support in FreeBSD should be in HEAD soon, but here it is
>> if you want to take a look:
>>
>> https://github.com/pcbsd/freebsd/commit/79f4efcf6a7d4268781adc227d76ed9f7f0b685d
>>
>
> Any further thoughts on this patch? The FreeBSD integration hit HEAD a
> few days back.
>
> https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
>
> The reason I don't export the variable directly is so that when GRUB is
> used to boot older versions of FreeBSD we don't set that variable, where
> it isn't cleared from kernel memory. I would rather users enable it in
> their grub.cfg manually, just so they know what it is doing.
>
How do you propose to handle the case of multiple geli disks? Perhaps it
makes more sense to add a command line flag to cryptomount to save
passphrase? Or to have the name of variable derived from UUID and/or
disk name (both can coexist)
>
>
>
* Re: Patch to support GELI passphrase passthrough
2014-11-28 19:36 ` Vladimir 'φ-coder/phcoder' Serbinenko
@ 2014-12-08 22:20 ` Kris Moore
0 siblings, 0 replies; 6+ messages in thread
From: Kris Moore @ 2014-12-08 22:20 UTC (permalink / raw)
To: grub-devel
On 11/28/2014 14:36, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> On 27.10.2014 16:56, Kris Moore wrote:
>> On 10/22/2014 13:50, Kris Moore wrote:
>>> On 10/22/2014 13:47, Andrei Borzenkov wrote:
>>>> On Wed, 22 Oct 2014 13:12:32 -0400
>>>> Kris Moore <kris@pcbsd.org> wrote:
>>>>
>>>>> Hey, just a small patch to submit today. If you rather I send this to
>>>>> the bug tracker then I can do that also.
>>>>>
>>>>> This patch allows exporting the FreeBSD GELI passphrase to the kernel
>>>>> environment, which we will be doing in PC-BSD to avoid prompting for the
>>>>> passphrase a second time at bootup.
>>>>>
>>>>> if (!grub_password_get (passphrase, MAX_PASSPHRASE))
>>>>> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
>>>>>
>>>>> + /* Set the GELI passphrase to GRUB env, for passing to FreeBSD kernel */
>>>>> + grub_env_set ("gelipassphrase", passphrase);
>>>>> +
>>>> If I read BSD loader correctly, this should be kFreeBSD.gelipassphrase.
>>>> Is geli freebsd-specific?
>>>>
>>>>> /* Calculate the PBKDF2 of the user supplied passphrase. */
>>>>> if (grub_le_to_cpu32 (header.niter) != 0)
>>>>> {
>>>> It sounds more logical to export it after it has been verified?
>>>>
>>>> I tried to find out about this "gelipassphrase" kernel variable but did
>>>> not find anything. Is it already used anywhere?
>>>>
>>>>> Let me know if you have any suggestions or need any changes. I'm
>>>>> currently hacking on support for EFI framebuffer settings to be passed
>>>>> to FreeBSD kernel as well, will send patches once I get things working
>>>>> there.
>>>>>
>>> Well, this patch just makes the variable available to grub.cfg file,
>>> then we do some stuff there like this:
>>>
>>> set kFreeBSD.kern.geom.eli.passphrase=<passphrase>
>>>
>>> The patch for support in FreeBSD should be in HEAD soon, but here it is
>>> if you want to take a look:
>>>
>>> https://github.com/pcbsd/freebsd/commit/79f4efcf6a7d4268781adc227d76ed9f7f0b685d
>>>
>> Any further thoughts on this patch? The FreeBSD integration hit HEAD a
>> few days back.
>>
>> https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
>>
>> The reason I don't export the variable directly is so that when GRUB is
>> used to boot older versions of FreeBSD we don't set that variable, where
>> it isn't cleared from kernel memory. I would rather users enable it in
>> their grub.cfg manually, just so they know what it is doing.
>>
> How do you propose to handle the case of multiple geli disks? Perhaps it
> makes more sense to add a command line flag to cryptomount to save
> passphrase? Or to have the name of variable derived from UUID and/or
> disk name (both can coexist)
>
At the moment the FreeBSD system doesn't have a way to pass through
multiple keys for different disks. It will just try the single key
provided and prompt for others if that doesn't match.
If they change this in the future, then I would probably amend the grub
patches to export multiple variables from the UUIDs.
--
Kris Moore
PC-BSD Software
iXsystems