On 27.10.2014 16:56, Kris Moore wrote:
> On 10/22/2014 13:50, Kris Moore wrote:
>> On 10/22/2014 13:47, Andrei Borzenkov wrote:
>>> On Wed, 22 Oct 2014 13:12:32 -0400
>>> Kris Moore <k...@pcbsd.org> wrote:
>>>
>>>> Hey, just a small patch to submit today. If you rather I send this to
>>>> the bug tracker then I can do that also.
>>>>
>>>> This patch allows exporting the FreeBSD GELI passphrase to the kernel
>>>> environment, which we will be doing in PC-BSD to avoid prompting for the
>>>> passphrase a second time at bootup.
>>>>
>>>> if (!grub_password_get (passphrase, MAX_PASSPHRASE))
>>>> return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
>>>>
>>>> + /* Set the GELI passphrase to GRUB env, for passing to FreeBSD kernel */
>>>> + grub_env_set ("gelipassphrase", passphrase);
>>>> +
>>> If I read BSD loader correctly, this should be kFreeBSD.gelipassphrase.
>>> Is geli freebsd-specific?
>>>
>>>> /* Calculate the PBKDF2 of the user supplied passphrase. */
>>>> if (grub_le_to_cpu32 (header.niter) != 0)
>>>> {
>>> It sounds more logical to export it after it has been verified?
>>>
>>> I tried to find out about this "gelipassphrase" kernel variable but did
>>> not find anything. Is it already used anywhere?
>>>
>>>> Let me know if you have any suggestions or need any changes. I'm
>>>> currently hacking on support for EFI framebuffer settings to be passed
>>>> to FreeBSD kernel as well, will send patches once I get things working
>>>> there.
>>>>
>>> _______________________________________________
>>> Grub-devel mailing list
>>> Grub-devel@gnu.org
>>> https://lists.gnu.org/mailman/listinfo/grub-devel
>> Well, this patch just makes the variable available to grub.cfg file,
>> then we do some stuff there like this:
>>
>> set kFreeBSD.kern.geom.eli.passphrase=<passphrase>
>>
>> The patch for support in FreeBSD should be in HEAD soon, but here it is
>> if you want to take a look:
>>
>> https://github.com/pcbsd/freebsd/commit/79f4efcf6a7d4268781adc227d76ed9f7f0b685d
>>
>
> Any further thoughts on this patch? The FreeBSD integration hit HEAD a
> few days back.
>
> https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
>
> The reason I don't export the variable directly is so that when GRUB is
> used to boot older versions of FreeBSD we don't set that variable, where
> it isn't cleared from kernel memory. I would rather users enable it in
> their grub.cfg manually, just so they know what it is doing.
>

How do you propose to handle the case of multiple geli disks? Perhaps it
makes more sense to add a command line flag to cryptomount to save
passphrase? Or to have the name of variable derived from UUID and/or
disk name (both can coexist)
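
Review bot: The added grub_env_set ("gelipassphrase", passphrase) call sits directly after grub_password_get and before the PBKDF2 step, so a mistyped passphrase is exported just like a correct one; move the export to the point where the derived key has been verified against the GELI header. The value is also stored in plaintext under one fixed variable name, so unlocking a second GELI disk overwrites the first, and nothing in the visible lines clears it once it has been handed on. Consider making the export opt-in (for example a cryptomount flag), deriving the variable name per disk, and documenting that grub.cfg should unset the variable after copying it into the kFreeBSD environment.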