Unlocking GELI at boot
CyberLeo Kitsana
cyberleo at cyberleo.net
Sun Apr 27 09:55:47 UTC 2014
Hi!

I'm trying to set up a GELI-encrypted root using a keyfile to unlock
during boot, but I'm running into an issue with the boot-time unlock
when an eli container has a keyfile in keyslot 0 and an escrow
passphrase in keyslot 1.

I labeled a disk with ELI metadata in 10.0-RELEASE and configured it
with the boot flag and a keyfile. When I added the keyfile to
loader.conf, everything worked as expected.

Next, I added a passphrase to the second keyslot of the encrypted root
container. When I did this, I discovered that it was now impossible to
unlock the container during boot as long as the keyfile was preloaded.

A dip through the relevant kernel code suggests that if ANY slot has
ever contained a passphrase (and thus md_iterations is not -1), it will
always prompt for a passphrase and combine it with the preloaded
keyfiles, resulting in a failure to unlock in this circumstance.

I've hacked in a few bits of logic to the g_eli driver[1] to cause it to
attempt an unlock using only the keyfiles on the first try, and only
upon failure does it ask for a passphrase; this seems to correct the
behaviour, but I'm wondering if this is really the best way to attack
the issue.

Thoughts?

[1] http://pb.cyberleo.net/m54aca09a
--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo at CyberLeo.Net>
Furry Peace! - http://www.fur.com/peace/
Attachment: g_eli.c-try_keyfiles_first.patch (text/x-patch, 1533 bytes)
URL: <http://lists.freebsd.org/pipermail/freebsd-geom/attachments/20140427/72d30413/attachment.bin>
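As an added example (not part of the original post or of the attached patch), the following script reproduces the keyslot layout the post describes on FreeBSD 10.0: a keyfile-only key in slot 0 with the boot flag, an escrow passphrase in slot 1, and the loader.conf entries that preload the keyfile. The provider name ada0p3, the keyfile path /boot/encryption.key and the cipher settings are assumptions; the loader.conf variable names are those documented in geli(8).

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes FreeBSD 10.0 with an
# unencrypted /boot; the geli commands only run when invoked as: sh this.sh apply
set -eu

DEV="${DEV:-ada0p3}"                         # assumed provider for the root fs
KEYFILE="${KEYFILE:-/boot/encryption.key}"   # assumed keyfile location

# Emit the loader.conf lines that make loader(8) preload the keyfile so g_eli
# can try it at boot. Variable names follow geli(8); only provider/path vary.
render_loader_conf() {
    dev="$1"; keyfile="$2"
    printf 'geom_eli_load="YES"\n'
    printf 'geli_%s_keyfile0_load="YES"\n' "$dev"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$dev" "$dev"
    printf 'geli_%s_keyfile0_name="%s"\n' "$dev" "$keyfile"
}

# Slot 0: keyfile only, no passphrase (-P), boot flag set (-b).
# Slot 1: passphrase only, added while unlocking with the slot-0 keyfile
#         (-p: no current passphrase, -k: current keyfile; setkey prompts for
#         the new passphrase because -P is not given).
# This is the layout the post reports as un-unlockable at boot with the stock
# 10.0 driver: once slot 1 carries a passphrase, md_iterations is no longer -1.
apply() {
    dd if=/dev/random of="$KEYFILE" bs=64 count=1
    chmod 0600 "$KEYFILE"
    geli init -b -e AES-XTS -l 256 -s 4096 -P -K "$KEYFILE" "/dev/$DEV"
    geli setkey -n 1 -p -k "$KEYFILE" "/dev/$DEV"
    render_loader_conf "$DEV" "$KEYFILE" >> /boot/loader.conf
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```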