From: Vladimir 'φ-coder/phcoder' Serbinenko
Date: Fri, 28 Nov 2014 21:36:03 +0200
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: Patch to support GELI passphrase passthrough
Message-ID: <5478CEA3.4060108@gmail.com>
In-Reply-To: <544E5D16.2070306@pcbsd.org>
References: <5447E580.1010409@pcbsd.org> <20141022214724.19df0c1f@opensuse.site> <5447EE4F.5010002@pcbsd.org> <544E5D16.2070306@pcbsd.org>

On 27.10.2014 16:56, Kris Moore wrote:
> On 10/22/2014 13:50, Kris Moore wrote:
>> On 10/22/2014 13:47, Andrei Borzenkov wrote:
>>> On Wed, 22 Oct 2014 13:12:32 -0400
>>> Kris Moore writes:
>>>
>>>> Hey, just a small patch to submit today. If you'd rather I send this to
>>>> the bug tracker then I can do that also.
>>>>
>>>> This patch allows exporting the FreeBSD GELI passphrase to the kernel
>>>> environment, which we will be doing in PC-BSD to avoid prompting for the
>>>> passphrase a second time at bootup.
>>>>
>>>> if (!grub_password_get (passphrase, MAX_PASSPHRASE))
>>>> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
>>>>
>>>> + /* Set the GELI passphrase to GRUB env, for passing to FreeBSD kernel */
>>>> + grub_env_set ("gelipassphrase", passphrase);
>>>> +
>>> If I read BSD loader correctly, this should be kFreeBSD.gelipassphrase.
>>> Is geli freebsd-specific?
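Review bot: `grub_env_set ("gelipassphrase", passphrase)` is placed directly after `grub_password_get` and before the PBKDF2 derivation that follows in this hunk, so a mistyped passphrase is exported to the GRUB environment as well, and nothing on the failure path removes it again; move the export to after the passphrase has been verified and unset the variable when verification fails. The name is also fixed, so unlocking a second GELI volume silently overwrites the value stored for the first, and the export happens on every cryptomount even though the stated intent is for grub.cfg to opt in per boot entry; an explicit cryptomount option, or a variable name derived from the volume UUID, would address both points.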
>>>
>>>> /* Calculate the PBKDF2 of the user supplied passphrase. */
>>>> if (grub_le_to_cpu32 (header.niter) != 0)
>>>> {
>>> It sounds more logical to export it after it has been verified?
>>>
>>> I tried to find out about this "gelipassphrase" kernel variable but did
>>> not find anything. Is it already used anywhere?
>>>
>>>> Let me know if you have any suggestions or need any changes. I'm
>>>> currently hacking on support for EFI framebuffer settings to be passed
>>>> to the FreeBSD kernel as well, will send patches once I get things working
>>>> there.
>>>>
>> Well, this patch just makes the variable available to the grub.cfg file,
>> then we do some stuff there like this:
>>
>> set kFreeBSD.kern.geom.eli.passphrase=
>>
>> The patch for support in FreeBSD should be in HEAD soon, but here it is
>> if you want to take a look:
>>
>> https://github.com/pcbsd/freebsd/commit/79f4efcf6a7d4268781adc227d76ed9f7f0b685d
>>
>
> Any further thoughts on this patch? The FreeBSD integration hit HEAD a
> few days back.
>
> https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
>
> The reason I don't export the variable directly is so that when GRUB is
> used to boot older versions of FreeBSD we don't set that variable, where
> it isn't cleared from kernel memory. I would rather users enable it in
> their grub.cfg manually, just so they know what it is doing.
>

How do you propose to handle the case of multiple geli disks? Perhaps it
makes more sense to add a command line flag to cryptomount to save the
passphrase?
Or to have the name of the variable derived from the UUID and/or disk name
(both can coexist).
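As an added illustration of the opt-in grub.cfg usage Kris describes above (this fragment is not from the thread, the GRUB patch or the PC-BSD tree): with the patched cryptomount, the passphrase is left in the GRUB variable gelipassphrase, and each menu entry decides whether to hand it to the kernel environment through the kFreeBSD. prefix that GRUB forwards to a FreeBSD kernel. The volume UUID, kernel path, root device and module name are placeholders.

```grub
# Added example grub.cfg fragment; assumes the patched cryptomount that
# stores the passphrase in "gelipassphrase" and a kernel with the
# kern.geom.eli.passphrase support from the FreeBSD commit linked above.
# UUID, kernel path, root device and module name are placeholders.

menuentry "FreeBSD (GELI passphrase forwarded to the kernel)" {
    insmod geli
    insmod bsd
    # Prompts for the passphrase and, with the patch, also sets $gelipassphrase.
    cryptomount -u 00000000-0000-0000-0000-000000000000
    # The unlocked volume is exposed as (crypto0); load the kernel from it.
    set root=(crypto0)
    if [ -n "$gelipassphrase" ]; then
        # Variables prefixed kFreeBSD. are passed into the FreeBSD kernel
        # environment, where g_eli reads kern.geom.eli.passphrase.
        set kFreeBSD.kern.geom.eli.passphrase="$gelipassphrase"
        # Do not keep a second copy of the secret in the GRUB environment.
        unset gelipassphrase
    fi
    set kFreeBSD.vfs.root.mountfrom=ufs:/dev/ada0p2.eli
    kfreebsd /boot/kernel/kernel
    kfreebsd_module_elf /boot/kernel/geom_eli.ko
}

menuentry "FreeBSD (older kernel, passphrase not forwarded)" {
    insmod geli
    insmod bsd
    cryptomount -u 00000000-0000-0000-0000-000000000000
    set root=(crypto0)
    # An older kernel does not scrub the variable from memory, so do not
    # forward it: drop GRUB's copy and let the kernel prompt a second time.
    unset gelipassphrase
    set kFreeBSD.vfs.root.mountfrom=ufs:/dev/ada0p2.eli
    kfreebsd /boot/kernel/kernel
    kfreebsd_module_elf /boot/kernel/geom_eli.ko
}
```

Two caveats that the opt-in does not remove: until an entry unsets it, gelipassphrase is an ordinary GRUB variable and shows up in the output of a bare `set` at the GRUB prompt, so anyone with console access after cryptomount can read it; and because the name is fixed, a second cryptomount for another GELI volume overwrites the first value, which is the multiple-disk problem raised in this reply.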