[patch] GELI Boot-time unlock failure
CyberLeo Kitsana
cyberleo at cyberleo.net
Sun Nov 16 01:12:55 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193624
I've reworked the patch to apply to 10.1-RELEASE, and am now using it
successfully.
The proper fix for this issue is most likely a new metadata version to
set the md_iterations per-keyslot instead of per-container, but I didn't
want to introduce incompatibility without input from the current GELI
maintainers; this patch works with the layout as-is.
If a GELI container has a keyfile in one slot and a passphrase in the
other (to implement automatic boot-time unlock with offline key escrow,
for example), the boot-time unlock code will get confused and assume the
key and passphrase are to be combined, resulting in a container that
cannot be unlocked during boot when its keyfile is preloaded. The
included patch attempts to unlock using only the keyfile first.
Thanks!
--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo at CyberLeo.Net>
Furry Peace! - http://www.fur.com/peace/
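The failure mode described in this mail (a keyfile-only slot next to a passphrase slot, with one per-container iteration count, so the boot loader assumes keyfile and passphrase must be combined) can be reproduced in a small model. The following is an added illustration, not the patch from the bug report and not GELI's real metadata format or key-derivation code: slot keys, the master-key wrap (an XOR plus a short HMAC tag) and the sample keyfile, passphrase and salt are all constructed here for the demonstration.

```python
import hashlib
import hmac

# Constructed sample values; a real container uses random secrets and a random salt.
MASTER_KEY = bytes(range(32))
KEYFILE = b"constructed keyfile bytes for slot 0"
PASSPHRASE = b"constructed passphrase for slot 1"
SALT = b"constructed-salt"
ITERATIONS = 2048  # one value for the whole container, as in the current GELI layout


def derive_slot_key(salt, keyfile=None, passphrase=None, iterations=0):
    """Toy user-key derivation: mix in the keyfile and/or a stretched passphrase.
    A slot derived from the keyfile alone differs from one derived from the
    keyfile plus an empty passphrase, which is exactly what trips the loader."""
    h = hmac.new(salt, digestmod=hashlib.sha256)
    if keyfile is not None:
        h.update(b"keyfile:" + keyfile)
    if passphrase is not None:
        stretched = hashlib.pbkdf2_hmac("sha256", passphrase, salt, max(iterations, 1))
        h.update(b"passphrase:" + stretched)
    return h.digest()


def wrap_master_key(master, slot_key):
    """Toy wrap: XOR the master key with the slot key and keep a short MAC
    so an unlock attempt can tell a wrong key from a right one."""
    enc = bytes(a ^ b for a, b in zip(master, slot_key))
    tag = hmac.new(slot_key, master, hashlib.sha256).digest()[:8]
    return enc, tag


def unwrap_master_key(enc, tag, slot_key):
    master = bytes(a ^ b for a, b in zip(enc, slot_key))
    expected = hmac.new(slot_key, master, hashlib.sha256).digest()[:8]
    return master if hmac.compare_digest(expected, tag) else None


def make_container(master=MASTER_KEY, keyfile=KEYFILE, passphrase=PASSPHRASE,
                   salt=SALT, iterations=ITERATIONS):
    """Slot 0 is protected by the keyfile only, slot 1 by the passphrase only."""
    slot0 = wrap_master_key(master, derive_slot_key(salt, keyfile=keyfile))
    slot1 = wrap_master_key(master, derive_slot_key(salt, passphrase=passphrase,
                                                    iterations=iterations))
    return {"salt": salt, "iterations": iterations, "slots": [slot0, slot1]}


def try_unlock(container, keyfile=None, passphrase=None):
    """Derive one candidate key from the supplied credentials and test every slot."""
    key = derive_slot_key(container["salt"], keyfile, passphrase, container["iterations"])
    for enc, tag in container["slots"]:
        master = unwrap_master_key(enc, tag, key)
        if master is not None:
            return master
    return None


def boot_unlock_combined(container, keyfile, passphrase=b""):
    """Models the unpatched behaviour from the mail: with a preloaded keyfile and a
    non-zero per-container iteration count, the loader combines keyfile and
    passphrase, which matches neither slot."""
    return try_unlock(container, keyfile=keyfile, passphrase=passphrase)


def boot_unlock_keyfile_first(container, keyfile, passphrase=b""):
    """Models the patched order: try the preloaded keyfile alone first, and only
    then fall back to the combined keyfile-plus-passphrase attempt."""
    master = try_unlock(container, keyfile=keyfile)
    if master is None:
        master = try_unlock(container, keyfile=keyfile, passphrase=passphrase)
    return master


if __name__ == "__main__":
    c = make_container()
    print("combined-only loader:", boot_unlock_combined(c, KEYFILE) is not None)
    print("keyfile-first loader:", boot_unlock_keyfile_first(c, KEYFILE) is not None)
```

Run stand-alone, the combined-only attempt fails while the keyfile-first order recovers the master key from slot 0; the passphrase slot still unlocks interactively through `try_unlock(c, passphrase=PASSPHRASE)`. The model also shows why the mail calls a per-keyslot iteration count the proper fix: with iterations recorded per slot, the loader could tell from the metadata which slot expects a passphrase instead of guessing an attempt order.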