From: Kris Moore
To: grub-devel@gnu.org
Subject: Re: Patch to support GELI passphrase passthrough
Date: Mon, 08 Dec 2014 17:20:08 -0500
Message-ID: <54862418.8090908@pcbsd.org>
In-Reply-To: <5478CEA3.4060108@gmail.com>
References: <5447E580.1010409@pcbsd.org> <20141022214724.19df0c1f@opensuse.site> <5447EE4F.5010002@pcbsd.org> <544E5D16.2070306@pcbsd.org> <5478CEA3.4060108@gmail.com>

On 11/28/2014 14:36, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
> On 27.10.2014 16:56, Kris Moore wrote:
>> On 10/22/2014 13:50, Kris Moore wrote:
>>> On 10/22/2014 13:47, Andrei Borzenkov wrote:
>>>> On Wed, 22 Oct 2014 13:12:32 -0400
>>>> Kris Moore wrote:
>>>>
>>>>> Hey, just a small patch to submit today. If you rather I send this to
>>>>> the bug tracker then I can do that also.
>>>>>
>>>>> This patch allows exporting the FreeBSD GELI passphrase to the kernel
>>>>> environment, which we will be doing in PC-BSD to avoid prompting for the
>>>>> passphrase a second time at bootup.
>>>>>
>>>>>  if (!grub_password_get (passphrase, MAX_PASSPHRASE))
>>>>>  return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
>>>>> 
>>>>> + /* Set the GELI passphrase to GRUB env, for passing to FreeBSD kernel */
>>>>> + grub_env_set ("gelipassphrase", passphrase);
>>>>> +
>>>> If I read BSD loader correctly, this should be kFreeBSD.gelipassphrase.
>>>> Is geli freebsd-specific?
>>>>
>>>>>  /* Calculate the PBKDF2 of the user supplied passphrase. */
>>>>>  if (grub_le_to_cpu32 (header.niter) != 0)
>>>>>  {
>>>> It sounds more logical to export it after it has been verified?
>>>>
>>>> I tried to find out about this "gelipassphrase" kernel variable but did
>>>> not find anything. Is it already used anywhere?
>>>>
>>>>> Let me know if you have any suggestions or need any changes. I'm
>>>>> currently hacking on support for EFI framebuffer settings to be passed
>>>>> to FreeBSD kernel as well, will send patches once I get things working
>>>>> there.
>>>>>
>>>> _______________________________________________
>>>> Grub-devel mailing list
>>>> Grub-devel@gnu.org
>>>> https://lists.gnu.org/mailman/listinfo/grub-devel
>>> Well, this patch just makes the variable available to grub.cfg file,
>>> then we do some stuff there like this:
>>>
>>> set kFreeBSD.kern.geom.eli.passphrase=
>>>
>>> The patch for support in FreeBSD should be in HEAD soon, but here it is
>>> if you want to take a look:
>>>
>>> https://github.com/pcbsd/freebsd/commit/79f4efcf6a7d4268781adc227d76ed9f7f0b685d
>>>
>> Any further thoughts on this patch? The FreeBSD integration hit HEAD a
>> few days back.
>>
>> https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
>>
>> The reason I don't export the variable directly is so that when GRUB is
>> used to boot older versions of FreeBSD we don't set that variable, where
>> it isn't cleared from kernel memory. I would rather users enable it in
>> their grub.cfg manually, just so they know what it is doing.
>>
> How do you propose to handle the case of multiple geli disks? Perhaps it
> makes more sense to add a command line flag to cryptomount to save
> passphrase? Or to have the name of variable derived from UUID and/or
> disk name (both can coexist)
>
At the moment the FreeBSD system doesn't have a way to pass through
multiple keys for different disks. It will just try the single key
provided and prompt for others if that doesn't match. If they change
this in the future, then I would probably amend the grub patches to
export multiple variables from the UUID's.

-- 
Kris Moore
PC-BSD Software
iXsystems
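Review bot: in the quoted hunk, `grub_env_set ("gelipassphrase", passphrase);` runs right after `grub_password_get` and before the PBKDF2 block that checks the passphrase against `header.niter`, so an unverified (possibly mistyped) passphrase is copied into the GRUB environment unconditionally, for every cryptomount of a GELI volume, whether or not the grub.cfg ever forwards it. Move the export below the point where the key has been verified, and gate it behind an explicit option (the cryptomount flag Vladimir proposes would do), so that the plaintext only exists in the environment when the user asked for it; note also that grub_env_set keeps its own copy of the string, which outlives any zeroing of the local `passphrase` buffer, so the patch should state where that copy is cleared. The comment on the `+` line says "for passing to FreeBSD kernel", but the hunk itself only sets a GRUB variable; the pass-through happens in grub.cfg via `set kFreeBSD.kern.geom.eli.passphrase=`, so the comment should say that, and the variable name should follow the `kFreeBSD.` convention Andrei points out if it is meant to be FreeBSD-specific.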