Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool

From: Warner Losh <imp_at_bsdimp.com>
Date: Tue, 16 Aug 2022 17:08:51 UTC
On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij <guido@gvr.org> wrote:

> On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
> >    On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <guido@gvr.org>
> >    wrote:
> >
> >      Currently I have a system with ZFS on GELI. I use the ability in
> >      the EFI loader to enter the GELI password.
> >      Is it possible somehow to use a serial console to enter the
> >      password?
> >      My system does have a COM1 port but it isn't recognised at the early
> >      boot stage. There I only see:
> >          Consoles: EFI console
> >          GELI Passphrase for disk0p4:
> >      (Note: this is early in the boot process so there is no access to
> >      boot.config (or any other file in the ZFS pool) as it is still on
> >      encrypted storage at that time).
> >
> >    The boot loader.efi will read ESP:/efi/freebsd/loader.env for
> >    environment
> >    variables. You can use that to set the COM1 port since it appears your
> >    EFI system doesn't do console redirection.
> >    If you want it to only prompt COM1 for the password, but everything
> >    else is
> >    on the efi console, that's a lot harder.
>
> Hi Warner,
>
> Thanks, but somehow I still cannot get it to work properly.
> Content of /efi/freebsd/loader.env:
> boot_multicons="YES"
> console="efi comconsole"
>
> The boot prompt still only shows "Consoles: EFI console".
>

Yes. That's printed before we process the ESP file and switch to the new
console...


> When I boot I get the GELI passphrase prompt at the EFI console only. But
> when the kernel starts
> to run I do get output to the serial console, starting with:
> ---<<BOOT>>---
> Copyright (c) 1992-2021 The FreeBSD Project.
>
> So it seems the loader.env file is read correctly (it didn't output
> anything to the serial
> console before I created efi/freebsd/loader.env). But looking at the
> source I see in
> efi/loader/main.c:read_loader_env():
>         if (fn) {
>                 printf("    Reading loader env vars from %s\n", fn);
>                 parse_loader_efi_config(boot_img->DeviceHandle, fn);
>         }
> I never saw the printf appearing. I do not understand this.
>

It should have appeared on the video console of the EFI console (assuming
no serial
redirect is going on in that BIOS).

I'd have to delve more deeply into the prompts for the GELI password than I
have
time to do this morning. What if you type the password blind into the
serial port?

Warner