On Sat, Nov 15, 2014 at 07:04:38PM -0600, CyberLeo Kitsana wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193624
>
> I've reworked the patch to apply to 10.1-RELEASE, and am now using it
> successfully.
>
> The proper fix for this issue is most likely a new metadata version to
> set the md_iterations per-keyslot instead of per-container, but I didn't
> want to introduce incompatibility without input from the current GELI
> maintainers; this patch works with the layout as-is.
>
> If a GELI container has a keyfile in one slot and a passphrase in the
> other (to implement automatic boot-time unlock with offline key escrow,
> for example), the boot-time unlock code will get confused and assume the
> key and passphrase are to be combined, resulting in a container that
> cannot be unlocked during boot when its keyfile is preloaded. The
> included patch attempts to unlock using only the keyfile first.

Hi,

thanks for the patch, but I'd prefer to fix it properly, i.e. allow for each key slot to have its dedicated iterations counter. Do you think this is something you could work on?

-- 
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://mobter.com
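
The unlock ordering discussed in this thread, as an added Python model that is not part of the original messages and is not GELI code. The key derivation, the slot check value, the fallback to keyfile plus passphrase, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value
ITERATIONS = 1000           # one counter for the whole container (per-container layout)

def user_key(keyfile=None, passphrase=None):
    """Derive a user key from whichever components are supplied (simplified stand-in)."""
    mac = hmac.new(b"model-key", digestmod=hashlib.sha512)
    if keyfile is not None:
        mac.update(keyfile)
    if passphrase is not None:
        mac.update(hashlib.pbkdf2_hmac("sha512", passphrase, SALT, ITERATIONS))
    return mac.digest()

def slot_tag(ukey):
    """What a key slot stores in this model: a check value for one user key."""
    return hmac.new(ukey, b"slot-check", hashlib.sha512).digest()

def try_unlock(slots, ukey):
    """Return the index of the slot this user key opens, or None."""
    tag = slot_tag(ukey)
    for index, stored in enumerate(slots):
        if hmac.compare_digest(stored, tag):
            return index
    return None

def boot_unlock_combined(slots, keyfile, passphrase):
    """Reported behaviour: the preloaded keyfile is always combined with the passphrase."""
    return try_unlock(slots, user_key(keyfile, passphrase))

def boot_unlock_keyfile_first(slots, keyfile, ask_passphrase):
    """Order the patch describes: keyfile alone first; the fallback is this model's assumption."""
    slot = try_unlock(slots, user_key(keyfile))
    if slot is not None:
        return slot
    return try_unlock(slots, user_key(keyfile, ask_passphrase()))

# Constructed container: slot 0 holds a keyfile-only key, slot 1 a passphrase-only key.
KEYFILE = b"\x01" * 64
PASSPHRASE = b"escrow passphrase"
SLOTS = [slot_tag(user_key(keyfile=KEYFILE)),
         slot_tag(user_key(passphrase=PASSPHRASE))]

if __name__ == "__main__":
    print("combined:", boot_unlock_combined(SLOTS, KEYFILE, PASSPHRASE))
    print("keyfile first:", boot_unlock_keyfile_first(SLOTS, KEYFILE, lambda: PASSPHRASE))
```

In this model the combined attempt matches neither slot, while the keyfile-first attempt opens slot 0 without prompting.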
