Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool
- Reply: Guido van Rooij : "Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool"
- In reply to: Guido van Rooij : "Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool"
Date: Wed, 17 Aug 2022 15:19:42 UTC
On Wed, Aug 17, 2022 at 7:35 AM Guido van Rooij <guido@gvr.org> wrote:
>
> On 16 Aug 2022, at 19:09, Warner Losh <imp@bsdimp.com> wrote:
>
> On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij <guido@gvr.org> wrote:
>
>> On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
>> > On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <guido@gvr.org> wrote:
>> >
>> > Currently I have a system with ZFS on GELI. I use the ability in
>> > the EFI loader to enter the GELI password.
>> > Is it possible somehow to use a serial console to enter the
>> > password?
>> > My system does have a COM1 port but it isn't recognised at the
>> > early boot stage. There I only see:
>> >   Consoles: EFI console
>> >   GELI Passphrase for disk0p4:
>> > (Note: this is early in the boot process so there is no access to
>> > boot.config (or any other file in the ZFS pool) as it still on
>> > encrypted storage at that time).
>> >
>> > The boot loader.efi will read ESP:/efi/freebsd/loader.env for
>> > environment variables. You can use that to set the COM1 port since
>> > it appears your EFI system doesn't do console redirection.
>> > If you want it to only prompt COM1 for the password, but everything
>> > else is on the efi console, that's a lot harder.
>>
>> Hi Warner,
>>
>> Thanks, but somehow I still cannot get it to work properly.
>> Content of /efi/freebsd/loader.env:
>> boot_multicons="YES"
>> console="efi comconsole"
>>
>> The boot prompt still only shows "Consoles: EFI console".
>>
>
> Yes. That's printed before we process the ESP file and switch to the new
> console...
>
>
>> When I boot I get the GELI passphrase prompt at the EFI console only. But
>> when the kernel starts to run I do get output to the serial console,
>> starting with:
>> ---<<BOOT>>---
>> Copyright (c) 1992-2021 The FreeBSD Project.
>>
>> So it seems the loader.env file is read correctly (it didn't output
>> anything to the serial console before I created efi/freebsd/loader.env).
>> But looking at the source I see in efi/loader/main.c:read_loader_env():
>>         if (fn) {
>>                 printf(" Reading loader env vars from %s\n", fn);
>>                 parse_loader_efi_config(boot_img->DeviceHandle, fn);
>>         }
>> I never saw the printf appearing. I do not understand this.
>>
>
> It should have appeared on the video console of the EFI console (assuming
> no serial redirect is going on in that BIOS).
>
>
> It surely did not.
>
> I'd have to delve more deeply into the prompts for the GELI password than
> I have time to do this morning. What if you type the password blind into
> the serial port?
>
>
> Tried that but nothing happened. When I enter the passphrase after typing
> it in via the serial port, it worked immediately so we can conclude that
> no single keystroke got through.
>
OK. I'll have to delve a little more deeply then...
Warner
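Added example, not code from this thread or from FreeBSD's own tooling: a small POSIX sh script that writes the two-line ESP:/efi/freebsd/loader.env Guido posted to an already-mounted ESP and then sanity-checks the result (file present at the path loader.efi reads, console list includes comconsole, boot_multicons set as in the thread). The ESP mount point /boot/efi and the GPT label /dev/gpt/efiboot0 in the usage comment are assumptions; the early "Consoles: EFI console" line will still be printed, as Warner explains, because it appears before loader.env is processed, and this script does nothing about the GELI prompt itself, which the thread leaves unresolved.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): write and sanity-check
# ESP:/efi/freebsd/loader.env so that loader.efi also uses the serial console.
# Assumptions: the ESP is already mounted (e.g. mount -t msdosfs
# /dev/gpt/efiboot0 /boot/efi on FreeBSD; your ESP label may differ) and
# the loader.env format is one name="value" per line, as in the thread.
set -eu

# write_loader_env <esp-mountpoint> <console-list>
# Creates <esp>/efi/freebsd/loader.env with the two variables from the
# thread and prints the path it wrote.
write_loader_env() {
    esp=$1
    consoles=$2
    mkdir -p "$esp/efi/freebsd"
    {
        printf 'boot_multicons="YES"\n'
        printf 'console="%s"\n' "$consoles"
    } > "$esp/efi/freebsd/loader.env"
    printf '%s\n' "$esp/efi/freebsd/loader.env"
}

# loader_env_value <file> <name>
# Prints the (unquoted) value of the last name=... line, or nothing.
loader_env_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# check_loader_env <file>
# Returns 0 when the file asks for the serial console the way the thread's
# configuration does; otherwise prints a reason to stderr and returns non-zero.
check_loader_env() {
    f=$1
    [ -f "$f" ] || { echo "missing $f (loader.efi reads ESP:/efi/freebsd/loader.env)" >&2; return 1; }
    cons=$(loader_env_value "$f" console)
    multi=$(loader_env_value "$f" boot_multicons)
    case " $cons " in
        *" comconsole "*) ;;
        *) echo "console=\"$cons\" does not list comconsole" >&2; return 2 ;;
    esac
    if [ "$multi" != "YES" ]; then
        echo "boot_multicons is \"$multi\", the thread's config sets it to YES" >&2
        return 3
    fi
    return 0
}

# Usage (assumed mount point): sh loader-env.sh --write /boot/efi
case "${1:-}" in
    --write)
        f=$(write_loader_env "${2:-/boot/efi}" "efi comconsole")
        check_loader_env "$f" && echo "ok: $f"
        ;;
esac
```

Run it with `--write` and the ESP mount point; unmount the ESP afterwards. The check only confirms that the file is where loader.efi looks and says what the thread's working kernel-output redirect said; it cannot tell you whether the GELI passphrase prompt will accept serial input.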