[patch] GELI Boot-time unlock failure

Pawel Jakub Dawidek pjd at FreeBSD.org
Mon Nov 17 05:29:06 UTC 2014


On Sat, Nov 15, 2014 at 07:04:38PM -0600, CyberLeo Kitsana wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193624
> 
> I've reworked the patch to apply to 10.1-RELEASE, and am now using it
> successfully.
> 
> The proper fix for this issue is most likely a new metadata version to
> set the md_iterations per-keyslot instead of per-container, but I didn't
> want to introduce incompatibility without input from the current GELI
> maintainers; this patch works with the layout as-is.
> 
> If a GELI container has a keyfile in one slot and a passphrase in the
> other (to implement automatic boot-time unlock with offline key escrow,
> for example), the boot-time unlock code will get confused and assume the
> key and passphrase are to be combined, resulting in a container that
> cannot be unlocked during boot when its keyfile is preloaded. The
> included patch attempts to unlock using only the keyfile first.

Hi,

thanks for the patch, but I'd prefer to fix it properly, i.e. allow for
each key slot to have its dedicated iterations counter. Do you think
this is something you could work on?

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
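
The failure mode described in the quoted report, modelled as an added
example. This is not code from the thread, from the patch attached to the
bug, or from FreeBSD's sys/geom/eli: it reproduces only the decision
structure the report describes (one md_iterations field per container, -1
meaning "no passphrase", and boot code that either tries the preloaded
keyfile alone or combines keyfile + passphrase), with a deliberately
simplified key derivation and master-key wrap in place of GELI's real KDF,
cipher and on-disk layout. The geli(8) command lines in the comments are
approximate, and boot_unlock_per_slot goes beyond the text to sketch the
per-slot iteration count pjd asks for (a hypothetical layout, not existing
metadata).

```python
"""Model of GELI's boot-time key-slot unlock decision (added example; not
code from the report, the bug's patch or sys/geom/eli).  The real KDF,
cipher and metadata layout are replaced by toy constructions; only the
md_iterations decision structure from the report is modelled."""
import hashlib
import hmac
import os

NO_PASSPHRASE = -1   # md_iterations value GELI writes for a passphrase-less key


def derive_user_key(keyfile, passphrase, salt, iterations):
    """Chain the components: keyfile bytes, then the passphrase (PBKDF2-
    stretched when iterations > 0).  Simplified stand-in for the HMAC chain
    the kernel builds while tasting a provider."""
    h = hmac.new(b"geli-model-user-key", digestmod=hashlib.sha512)
    if keyfile is not None:
        h.update(keyfile)
    if passphrase is not None:
        if iterations > 0:
            h.update(hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, 64))
        else:
            h.update(passphrase)         # iterations == 0: unstretched passphrase
    return h.digest()


def wrap_master_key(ukey, mkey):
    """Toy key wrap: XOR with a SHA-512 keystream plus a 16-byte HMAC tag, so
    a wrong user key is rejected instead of yielding garbage."""
    ks = hashlib.sha512(b"ks" + ukey).digest()
    ct = bytes(a ^ b for a, b in zip(mkey, ks))
    return ct + hmac.new(ukey, mkey, hashlib.sha512).digest()[:16]


def unwrap_master_key(ukey, blob):
    ct, tag = blob[:64], blob[64:]
    ks = hashlib.sha512(b"ks" + ukey).digest()
    mkey = bytes(a ^ b for a, b in zip(ct, ks))
    want = hmac.new(ukey, mkey, hashlib.sha512).digest()[:16]
    return mkey if hmac.compare_digest(want, tag) else None


class Container:
    def __init__(self):
        self.master_key = os.urandom(64)
        self.salt = os.urandom(64)
        self.iterations = NO_PASSPHRASE  # per-container field, shared by all slots
        self.slot_iterations = {}        # what a per-slot field would have recorded
        self.slots = {}

    def set_key(self, slot, keyfile=None, passphrase=None, iterations=NO_PASSPHRASE):
        iters = iterations if passphrase is not None else NO_PASSPHRASE
        if passphrase is not None:
            self.iterations = iters      # clobbers the count for *every* slot
        self.slot_iterations[slot] = iters
        ukey = derive_user_key(keyfile, passphrase, self.salt, iters)
        self.slots[slot] = wrap_master_key(ukey, self.master_key)

    def try_slots(self, ukey):
        for blob in self.slots.values():
            mkey = unwrap_master_key(ukey, blob)
            if mkey is not None:
                return mkey
        return None


def boot_unlock_current(c, keyfile, prompt_passphrase=None):
    """Unpatched order: md_iterations alone decides whether a passphrase is
    needed, so a keyfile-only slot is never tried once any slot uses one."""
    if c.iterations == NO_PASSPHRASE:
        return c.try_slots(derive_user_key(keyfile, None, c.salt, NO_PASSPHRASE))
    if prompt_passphrase is None:
        return None                      # unattended boot: nobody to answer
    return c.try_slots(derive_user_key(keyfile, prompt_passphrase, c.salt, c.iterations))


def boot_unlock_patched(c, keyfile, prompt_passphrase=None):
    """Order the report's patch proposes: keyfile alone first, then fall back
    to the keyfile + passphrase combination."""
    mkey = c.try_slots(derive_user_key(keyfile, None, c.salt, NO_PASSPHRASE))
    if mkey is not None or prompt_passphrase is None:
        return mkey
    return c.try_slots(derive_user_key(keyfile, prompt_passphrase, c.salt, c.iterations))


def boot_unlock_per_slot(c, keyfile, prompt_passphrase=None):
    """Sketch of the direction pjd asks for: an iteration count per slot lets
    the boot code see which slots are keyfile-only (hypothetical layout)."""
    for slot, iters in sorted(c.slot_iterations.items()):
        if iters == NO_PASSPHRASE:
            ukey = derive_user_key(keyfile, None, c.salt, NO_PASSPHRASE)
        elif prompt_passphrase is not None:
            ukey = derive_user_key(keyfile, prompt_passphrase, c.salt, iters)
        else:
            continue
        mkey = unwrap_master_key(ukey, c.slots[slot])
        if mkey is not None:
            return mkey
    return None


def manual_attach(c, passphrase):
    """Offline recovery with the escrowed passphrase and no keyfile."""
    return c.try_slots(derive_user_key(None, passphrase, c.salt, c.iterations))


def escrow_scenario():
    """The report's layout: keyfile in slot 0, passphrase in slot 1 (roughly
    'geli init -P -K keyfile' followed by 'geli setkey -n 1 -p -k keyfile')."""
    c = Container()
    keyfile = os.urandom(64)
    c.set_key(0, keyfile=keyfile)
    c.set_key(1, passphrase=b"escrowed recovery phrase", iterations=2000)
    return c, keyfile
```

Running escrow_scenario() and calling the three boot functions with the
keyfile and no passphrase shows the point of the report: the unpatched
order returns nothing (and still returns nothing when a passphrase is
supplied, because no slot was made from the combination), while the
keyfile-first order and the per-slot sketch both recover the master key
through slot 0; manual_attach with the escrowed passphrase recovers it
through slot 1.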

