From: Guido van Rooij <guido@gvr.org>
To: Warner Losh <imp@bsdimp.com>
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool
Date: Wed, 17 Aug 2022 15:35:36 +0200
Message-Id: <1BFD8C02-370F-4E59-BC89-EEF970B44934@gvr.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
> On 16 Aug 2022, at 19:09, Warner Losh wrote:
>
>> On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij wrote:
>> On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
>> > On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <guido@gvr.org>
>> > wrote:
>> >
>> >     Currently I have a system with ZFS on GELI. I use the ability in
>> >     the EFI loader to enter the GELI password.
>> >     Is it possible somehow to use a serial console to enter the
>> >     password?
>> >     My system does have a COM1 port but it isn't recognised at the early
>> >     boot stage. There I only see:
>> >         Consoles: EFI console
>> >         GELI Passphrase for disk0p4:
>> >     (Note: this is early in the boot process so there is no access to
>> >     boot.config (or any other file in the ZFS pool) as it is still on
>> >     encrypted storage at that time).
>> >
>> >   The boot loader.efi will read ESP:/efi/freebsd/loader.env for
>> >   environment variables. You can use that to set the COM1 port since
>> >   it appears your EFI system doesn't do console redirection.
>> >   If you want it to only prompt COM1 for the password, but everything
>> >   else is on the efi console, that's a lot harder.
>>
>> Hi Warner,
>>
>> Thanks, but somehow I still cannot get it to work properly.
>> Content of /efi/freebsd/loader.env:
>>
>>     boot_multicons="YES"
>>     console="efi comconsole"
>>
>> The boot prompt still only shows "Consoles: EFI console".
>
> Yes. That's printed before we process the ESP file and switch to the new console...
>
>> When I boot I get the GELI passphrase prompt at the EFI console only. But when
>> the kernel starts to run I do get output to the serial console, starting with:
>>
>>     ---<<BOOT>>---
>>     Copyright (c) 1992-2021 The FreeBSD Project.
>>
>> So it seems the loader.env file is read correctly (it didn't output anything
>> to the serial console before I created efi/freebsd/loader.env). But looking
>> at the source I see in efi/loader/main.c:read_loader_env():
>>
>>         if (fn) {
>>                 printf("    Reading loader env vars from %s\n", fn);
>>                 parse_loader_efi_config(boot_img->DeviceHandle, fn);
>>         }
>>
>> I never saw the printf appearing. I do not understand this.
>
> It should have appeared on the video console of the EFI console (assuming
> no serial redirect is going on in that BIOS).

It surely did not.

> I'd have to delve more deeply into the prompts for the GELI password than
> I have time to do this morning. What if you type the password blind into
> the serial port?

Tried that but nothing happened. When I enter the passphrase after typing it
in via the serial port, it worked immediately, so we can conclude that no
single keystroke got through.

-Guido