Hi -current, I have a pending enhancement to the boot loader that Colin P. and I have been working on together.
URL: https://reviews.freebsd.org/D2105 <https://reviews.freebsd.org/D2105> The nature of the patch is to cause the boot loader to prompt for the GELI passphrase and then pass that on (through a kenv(1) variable) to Colin’s code in geom_eli.ko where it will be: (a) picked up for-use as the initial passphrase attempt(s) (b) zeroed after being picked-up so “kenv kern.geom.eli.passphrase” returns nothing NB: Actually, “kenv kern.geom.eli.passphrase” generates the error “kenv: unable to get kern.geom.eli.passphrase” The problem that I (we) need help in solving is: If the geom_eli.ko module doesn’t get loaded, then the variable (kern.geom.eli.passphrase) is not zeroed. While I do think that this is of minimal concern (not loading the GELI module means you won’t be able to get past the mountroot prompt in the case where GELI is required to boot), I discussed with Colin and I think we are in consensus that the resetting of the variable should perhaps be moved to another section of the kernel to prevent leakage of this sensitive information being passed through kenv(1) variable(s). Issue for me is, I’m not sure where the best place to move this to. Here’s the code that needs to be moved (Lines 108-109 of g_eli.c): https://svnweb.freebsd.org/base?view=revision&revision=273489 <https://svnweb.freebsd.org/base?view=revision&revision=273489> 108 <https://svnweb.freebsd.org/base/head/sys/geom/eli/g_eli.c?annotate=273489&pathrev=273489#l108> /* Wipe the passphrase from the environment. */ 109 <https://svnweb.freebsd.org/base/head/sys/geom/eli/g_eli.c?annotate=273489&pathrev=273489#l109> kern_unsetenv("kern.geom.eli.passphrase"); Need to move that preferably to some place in the kernel that is NOT optional in the compilation process. Suggestions? — Cheers, Devin _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"