> On Apr 6, 2015, at 10:24 AM, Eric van Gyzen <e...@vangyzen.net> wrote:
> On 04/06/2015 12:58, Devin Teske wrote:
>> Hi -current,
>> I have a pending enhancement to the boot loader that Colin P. and I
>> have been working on together.
>> URL: https://reviews.freebsd.org/D2105 <https://reviews.freebsd.org/D2105>
>> The nature of the patch is to cause the boot loader to prompt for the
>> GELI passphrase and then pass that on (through a kenv(1) variable)
>> to Colin’s code in geom_eli.ko where it will be:
>> (a) picked up for-use as the initial passphrase attempt(s)
>> (b) zeroed after being picked-up so “kenv kern.geom.eli.passphrase”
>> returns nothing
>> NB: Actually, “kenv kern.geom.eli.passphrase” generates the error
>> “kenv: unable to get kern.geom.eli.passphrase”
>> The problem that I (we) need help in solving is:
>> If the geom_eli.ko module doesn’t get loaded, then the variable
>> (kern.geom.eli.passphrase) is not zeroed.
>> While I do think that this is of minimal concern (not loading the GELI
>> module means you won’t be able to get past the mountroot prompt in
>> the case where GELI is required to boot), I discussed with Colin and
>> I think we are in consensus that the resetting of the variable should
>> perhaps be moved to another section of the kernel to prevent leakage
>> of this sensitive information being passed through kenv(1) variable(s).
>> Issue for me is, I’m not sure where the best place to move this to.
>> Here’s the code that needs to be moved (Lines 108-109 of g_eli.c):
>> https://svnweb.freebsd.org/base?view=revision&revision=273489 
>> <https://svnweb.freebsd.org/base?view=revision&revision=273489>
>> 108 
>> <https://svnweb.freebsd.org/base/head/sys/geom/eli/g_eli.c?annotate=273489&pathrev=273489#l108>
>>                            /* Wipe the passphrase from the environment. */
>> 109 
>> <https://svnweb.freebsd.org/base/head/sys/geom/eli/g_eli.c?annotate=273489&pathrev=273489#l109>
>>                            kern_unsetenv("kern.geom.eli.passphrase");
>> Need to move that preferably to some place in the kernel that is NOT
>> optional in the compilation process. Suggestions?
> How about putting it right after a successful mount of the root file system? 
> (I've never used GELI, so this could be as "right out" as five.)

I think that’s an excellent idea.

/me rummages through source

I’m thinking that the best place might be where we deal with the registered
event handler for mountroot.

One place that I crawled upon that looks particularly sexy is in start_init()
of sys/kern/init_main.c:

 * Start the initial user process; try exec’ing each pathname in init_path.
 * The program is invoked with one argument containing the boot flags.
static void
start_init(void *dummy)
        vm_offset_t addr;
        struct execve_args args;
        int options, error;
        char *var, *path, *next, *s;
        char *ucp, **uap, *arg0, *arg1;
        struct thread *td;
        struct proc *p;



        td = furthered;
        p = td->td_proc;


        ### RFC for code placement ###
        /* XXX Put reset of kern.geom.eli.passphrase here XXX */

         * Need just enough stack to hold the faked-up “execve()” arguments.
        // snip rest //

Or can you think of a better place?
freebsd-current@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to