[patch] GELI Boot-time unlock failure

CyberLeo Kitsana cyberleo at cyberleo.net
Mon Nov 17 23:25:38 UTC 2014


On 11/16/2014 11:29 PM, Pawel Jakub Dawidek wrote:
> On Sat, Nov 15, 2014 at 07:04:38PM -0600, CyberLeo Kitsana wrote:
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193624
>>
>> I've reworked the patch to apply to 10.1-RELEASE, and am now using it
>> successfully.
>>
>> The proper fix for this issue is most likely a new metadata version to
>> set the md_iterations per-keyslot instead of per-container, but I didn't
>> want to introduce incompatibility without input from the current GELI
>> maintainers; this patch works with the layout as-is.
>>
>> If a GELI container has a keyfile in one slot and a passphrase in the
>> other (to implement automatic boot-time unlock with offline key escrow,
>> for example), the boot-time unlock code will get confused and assume the
>> key and passphrase are to be combined, resulting in a container that
>> cannot be unlocked during boot when its keyfile is preloaded. The
>> included patch attempts to unlock using only the keyfile first.
> 
> Hi,
> 
> thanks for the patch, but I'd prefer to fix it properly, i.e. allow for
> each key slot to have its dedicated iterations counter. Do you think
> this is something you could work on?

I think so. I'll see what I can do.

It might take a bit, though, as, for that, I must familiarize myself
with the userland portions as well.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo at CyberLeo.Net>

Furry Peace! - http://www.fur.com/peace/
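The failure mode described in the quoted report (a keyfile in one slot, a passphrase in the other, and boot-time code that always combines the two) can be modelled in a few dozen lines. The following is an added, constructed toy model, not GELI's on-disk format or any code from the bug report or FreeBSD: the key-derivation scheme (HMAC-SHA512 over the material present, PBKDF2 with one container-wide iteration count standing in for md_iterations), the XOR-style master-key wrapping, and the HMAC tag used to recognise a successful slot are all assumptions made for illustration. It contrasts the "always combine" unlock order with the keyfile-first order the report's patch describes.

```python
"""Toy model of two-slot key escrow with a container-wide iteration count.

Constructed for illustration; not GELI's real format or algorithm. The
master key is wrapped under a "user key" derived from a keyfile and/or
passphrase, the passphrase is stretched with PBKDF2 using one iteration
count shared by all slots, and a slot is accepted when an HMAC tag over
the unwrapped master key verifies.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values; a real container would use random material.
MASTER_KEY = bytes(range(32))
KEYFILE = b"escrowed-keyfile-bytes-0123456789"
PASSPHRASE = b"correct horse battery staple"
ITERATIONS = 1000           # stands in for the per-container md_iterations
SALT = b"constructed-salt"


@dataclass
class KeySlot:
    wrapped: bytes   # master key XORed with a keystream from the user key
    tag: bytes       # HMAC over the plaintext master key, keyed by the user key


@dataclass
class Container:
    iterations: int
    slots: List[KeySlot]


def derive_user_key(keyfile: Optional[bytes], passphrase: Optional[bytes],
                    iterations: int) -> bytes:
    """Combine whatever material is present into one 32-byte user key.
    Keyfile alone, passphrase alone, and both together each yield a
    different key, which is why the unlock order matters."""
    h = hmac.new(b"user-key", digestmod=hashlib.sha512)
    if keyfile is not None:
        h.update(b"keyfile:" + keyfile)
    if passphrase is not None:
        stretched = hashlib.pbkdf2_hmac("sha512", passphrase, SALT, iterations)
        h.update(b"passphrase:" + stretched)
    return h.digest()[:32]


def _keystream(user_key: bytes, length: int) -> bytes:
    return hashlib.sha512(user_key + b"wrap").digest()[:length]


def wrap_master_key(master_key: bytes, user_key: bytes) -> KeySlot:
    stream = _keystream(user_key, len(master_key))
    wrapped = bytes(a ^ b for a, b in zip(master_key, stream))
    tag = hmac.new(user_key, master_key, hashlib.sha256).digest()
    return KeySlot(wrapped, tag)


def try_slot(slot: KeySlot, user_key: bytes) -> Optional[bytes]:
    """Unwrap with the given user key; return the master key only if the tag verifies."""
    stream = _keystream(user_key, len(slot.wrapped))
    candidate = bytes(a ^ b for a, b in zip(slot.wrapped, stream))
    expected = hmac.new(user_key, candidate, hashlib.sha256).digest()
    return candidate if hmac.compare_digest(expected, slot.tag) else None


def try_container(container: Container, keyfile: Optional[bytes],
                  passphrase: Optional[bytes]) -> Optional[bytes]:
    user_key = derive_user_key(keyfile, passphrase, container.iterations)
    for slot in container.slots:
        mk = try_slot(slot, user_key)
        if mk is not None:
            return mk
    return None


def make_escrow_container() -> Container:
    """Slot 0 holds the keyfile alone, slot 1 the passphrase alone."""
    return Container(ITERATIONS, [
        wrap_master_key(MASTER_KEY, derive_user_key(KEYFILE, None, ITERATIONS)),
        wrap_master_key(MASTER_KEY, derive_user_key(None, PASSPHRASE, ITERATIONS)),
    ])


def unlock_combined(container: Container, keyfile: Optional[bytes],
                    passphrase: Optional[bytes]) -> Optional[bytes]:
    """The behaviour the report describes: a preloaded keyfile and the
    passphrase are always combined into a single user key, so neither
    single-material slot can ever match."""
    return try_container(container, keyfile, passphrase)


def unlock_keyfile_first(container: Container, keyfile: Optional[bytes],
                         passphrase: Optional[bytes]) -> Optional[bytes]:
    """Order from the patch description: keyfile alone first, then keyfile
    plus passphrase, then passphrase alone."""
    attempts = []
    if keyfile is not None:
        attempts.append((keyfile, None))
        if passphrase is not None:
            attempts.append((keyfile, passphrase))
    if passphrase is not None:
        attempts.append((None, passphrase))
    for kf, pp in attempts:
        mk = try_container(container, kf, pp)
        if mk is not None:
            return mk
    return None


if __name__ == "__main__":
    c = make_escrow_container()
    print("combined unlock:", unlock_combined(c, KEYFILE, PASSPHRASE))
    print("keyfile-first unlock ok:", unlock_keyfile_first(c, KEYFILE, PASSPHRASE) == MASTER_KEY)
```

Running the script shows `unlock_combined` returning `None` for the escrow layout whatever passphrase is supplied, while `unlock_keyfile_first` recovers the master key from the keyfile slot without ever touching the passphrase. The model also makes the maintainer's point visible: because `ITERATIONS` is a property of the container rather than of the slot, a slot cannot record "no stretching, keyfile only" on its own, which is what a per-slot iterations counter would allow.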

