Re: Order of geli "passphrase prompt" on boot

2014-11-04 Thread Miguel Clara
On Tue, Nov 4, 2014 at 5:10 PM, Allan Jude wrote:

> On 11/04/2014 11:17, Kris Moore wrote:
> > On 11/04/2014 10:24, Kurt Jaeger wrote:
> >> Hi!
> >>
> >>> If you don't need any USB devices to boot, you can delay their
> >>> detection by loading the modules through /etc/rc.d/kld instead
> >>> of the loader:
> >>>
> >>> fk@r500 ~ $grep kld /etc/rc.conf
> >>> kld_list="usb.ko usb_quirk.ko ehci.ko umass.ko"
> >> Does this really help with the GENERIC kernel ?
> >>
> >> If I add this to /etc/rc.conf and do
> >>
> >> /etc/rc.d/kld start
> >>
> >> this spews a load of errors.
> >>
> >
> > Colin added this to HEAD recently:
> >
> > https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
> >
> > This will allow setting the passphrase at the boot-loader, so it doesn't
> > get prompted for again during boot. I think there was some work by
> > dteske@ to add this to the FreeBSD boot menus, but maybe you can use it
> > manually for now.
> >
> > We are using it in PC-BSD to supply the passphrase directly from GRUB,
> > so we only get prompted a single time.
> >
> > (Before somebody asks why we use grub)
> > We are using grub to do full-disk encryption, without an unencrypted
> > /boot, among other things :)
> >
> >
>
> Yes, as Kris mentioned, the solution is being worked on here at MeetBSD
> by dteske@ (with some advice from jmg@) at the request of cperciva@,
> using the functionality Colin added to head for Kris to be able to do
> this for PCBSD.
>
> Hopefully this problem will be solved soon.
>
>
Seems interesting, but if I got it right, for now the boot loader still
doesn't have a way to pass this, right?

Could I, for example, drop to the prompt and set "g_eli_boot_passcache"? And ofc
in the future it would be ideal to do it from/during the boot menu.
However, it should only do it if "root" is encrypted, right (not just
if geli is loaded, 'cause it might not be used for root... say a user just
encrypts the /home dir, in that case having this on boot is not needed).
But if there's a way to tell the root device is encrypted at boot time,
then it would be the perfect solution indeed!

Pity it's only usable with grub for now, but still nice to see it's being
worked on!

Thanks
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"


Re: Order of geli "passphrase prompt" on boot

2014-11-04 Thread Allan Jude
On 11/04/2014 11:17, Kris Moore wrote:
> On 11/04/2014 10:24, Kurt Jaeger wrote:
>> Hi!
>>
>>> If you don't need any USB devices to boot, you can delay their
>>> detection by loading the modules through /etc/rc.d/kld instead
>>> of the loader:
>>>
>>> fk@r500 ~ $grep kld /etc/rc.conf
>>> kld_list="usb.ko usb_quirk.ko ehci.ko umass.ko"
>> Does this really help with the GENERIC kernel ?
>>
>> If I add this to /etc/rc.conf and do
>>
>> /etc/rc.d/kld start
>>
>> this spews a load of errors.
>>
> 
> Colin added this to HEAD recently:
> 
> https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293
> 
> This will allow setting the passphrase at the boot-loader, so it doesn't
> get prompted for again during boot. I think there was some work by
> dteske@ to add this to the FreeBSD boot menus, but maybe you can use it
> manually for now.
> 
> We are using it in PC-BSD to supply the passphrase directly from GRUB,
> so we only get prompted a single time.
> 
> (Before somebody asks why we use grub)
> We are using grub to do full-disk encryption, without an unencrypted
> /boot, among other things :)
> 
> 

Yes, as Kris mentioned, the solution is being worked on here at MeetBSD
by dteske@ (with some advice from jmg@) at the request of cperciva@,
using the functionality Colin added to head for Kris to be able to do
this for PCBSD.

Hopefully this problem will be solved soon.

-- 
Allan Jude


Re: Order of geli "passphrase prompt" on boot

2014-11-04 Thread Fabian Keil
Kurt Jaeger wrote:

> > If you don't need any USB devices to boot, you can delay their
> > detection by loading the modules through /etc/rc.d/kld instead
> > of the loader:
> > 
> > fk@r500 ~ $grep kld /etc/rc.conf
> > kld_list="usb.ko usb_quirk.ko ehci.ko umass.ko"
> 
> Does this really help with the GENERIC kernel ?

I didn't say it did. You need a kernel that doesn't already
contain the USB modules in /boot/kernel/kernel, this excludes
GENERIC kernels.

Fabian




Re: Order of geli "passphrase prompt" on boot

2014-11-04 Thread Kris Moore
On 11/04/2014 10:24, Kurt Jaeger wrote:
> Hi!
>
>> If you don't need any USB devices to boot, you can delay their
>> detection by loading the modules through /etc/rc.d/kld instead
>> of the loader:
>>
>> fk@r500 ~ $grep kld /etc/rc.conf
>> kld_list="usb.ko usb_quirk.ko ehci.ko umass.ko"
> Does this really help with the GENERIC kernel ?
>
> If I add this to /etc/rc.conf and do
>
> /etc/rc.d/kld start
>
> this spews a load of errors.
>

Colin added this to HEAD recently:

https://github.com/freebsd/freebsd/commit/bdb0ac02b9fd8f331fa70c8a4c29495b7ee43293

This will allow setting the passphrase at the boot-loader, so it doesn't
get prompted for again during boot. I think there was some work by
dteske@ to add this to the FreeBSD boot menus, but maybe you can use it
manually for now.

We are using it in PC-BSD to supply the passphrase directly from GRUB,
so we only get prompted a single time.

(Before somebody asks why we use grub)
We are using grub to do full-disk encryption, without an unencrypted
/boot, among other things :)


-- 
Kris Moore
PC-BSD Software
iXsystems



Re: Order of geli "passphrase prompt" on boot

2014-11-04 Thread Kurt Jaeger
Hi!

> If you don't need any USB devices to boot, you can delay their
> detection by loading the modules through /etc/rc.d/kld instead
> of the loader:
> 
> fk@r500 ~ $grep kld /etc/rc.conf
> kld_list="usb.ko usb_quirk.ko ehci.ko umass.ko"

Does this really help with the GENERIC kernel ?

If I add this to /etc/rc.conf and do

/etc/rc.d/kld start

this spews a load of errors.

-- 
p...@opsec.eu  +49 171 3101372  6 years to go !


Re: Order of geli "passphrase prompt" on boot

2014-11-04 Thread Fabian Keil
Miguel Clara wrote:

> Sorry to bring this one back but I see no changes have been made to this in
> current.
> 
> The issue is that USB devices are detected after the geli prompt and so the
> "geli passphrase" prompt becomes hidden, and the simple solution would be
> to change the order in which the prompt shows, as in wait a few secs for the
> USB devices to be detected.

If you don't need any USB devices to boot, you can delay their
detection by loading the modules through /etc/rc.d/kld instead
of the loader:

fk@r500 ~ $grep kld /etc/rc.conf
kld_list="usb.ko usb_quirk.ko ehci.ko umass.ko"

Fabian
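
Added example (not part of Fabian's message or of FreeBSD itself): a shell version of the move he describes, taking the USB module lines out of a loader.conf and producing the matching kld_list line for rc.conf while leaving the geli line with the loader. The sample loader.conf and the function names are constructed for illustration; as the thread notes, this only delays detection on kernels that do not already contain the USB modules.

```shell
#!/bin/sh
# Constructed sample loader.conf (not taken from the thread).
sample_loader_conf() {
cat <<'EOF'
geom_eli_load="YES"
zfs_load="YES"
usb_load="YES"
ehci_load="YES"
umass_load="YES"
#usb_quirk_load="YES"
EOF
}

# Modules named in the thread's kld_list, without the .ko suffix.
USB_MODULES="usb usb_quirk ehci umass"

# Read loader.conf on stdin; print a kld_list line naming every USB
# module that the loader currently loads (commented-out lines ignored).
kld_list_from_loader() {
    list=""
    while IFS= read -r line; do
        for m in $USB_MODULES; do
            case "$line" in
                "${m}_load=\"YES\""*) list="${list:+$list }${m}.ko" ;;
            esac
        done
    done
    printf 'kld_list="%s"\n' "$list"
}

# Read loader.conf on stdin; print it without the active USB module
# lines. geom_eli/zfs stay, so the root provider is still handled early.
loader_without_usb() {
    while IFS= read -r line; do
        keep=1
        for m in $USB_MODULES; do
            case "$line" in "${m}_load="*) keep=0 ;; esac
        done
        [ "$keep" -eq 1 ] && printf '%s\n' "$line"
    done
    return 0
}

# Show the rc.conf line that would replace the loader entries.
sample_loader_conf | kld_list_from_loader
```
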




Re: Order of geli "passphrase prompt" on boot

2014-11-04 Thread Kurt Jaeger
Hi!

> The issue is that USB devices are detected after the geli prompt and so the
> "geli passphrase" prompt becomes hidden, and the simple solution would be
> to change the order in which the prompt shows, as in wait a few secs for the
> USB devices to be detected.

I've seen the same issue on 10.x, and a solution for this would be
useful, yes.

-- 
p...@opsec.eu  +49 171 3101372  6 years to go !


Re: Order of geli "passphrase prompt" on boot

2014-11-04 Thread Miguel Clara
Sorry to bring this one back but I see no changes have been made to this in
current.

The issue is that USB devices are detected after the geli prompt and so the
"geli passphrase" prompt becomes hidden, and the simple solution would be
to change the order in which the prompt shows, as in wait a few secs for the
USB devices to be detected.

Also the FreeBSD installer includes the zfs+geli install options, which
encrypts root, so any user can do it now, yet when they boot they won't
even see the passphrase prompt, which to me is really not inviting when we
want to bring over the Linux folks!

Some Linux distros even allow you to type the passphrase for the device in
a neat prompt (black background, Mint logo, etc.) but I don't think we need
to go that far, that's probably something PC-BSD folks can do though (if
they don't already).

I understand, though, that what sometimes seems simple from a user's perspective
is really not for devs, so my question is: Is this a hard change to
implement, and by change I just mean change the order or wait a few secs
for usb device detection, or somehow stop this detection of the devices to
"spam" the screen until a passphrase is entered!?

Thanks


Melhores Cumprimentos // Best Regards
---
*Miguel Clara*
*IT - Sys Admin & Developer*
*E-mail:*miguelmcl...@gmail.com
 www.linkedin.com/in/miguelmclara/

On Thu, Aug 28, 2014 at 5:01 PM, dweimer wrote:

> On 08/28/2014 10:20 am, Francesco Toscan wrote:
>
>> On Wed, Aug 27, 2014 at 12:42:31PM +0100, Miguel Clara wrote:
>>
>>> Hi,
>>>
>>
>> Hi,
>>
>>>
>>> Does any one know if there's a way to change the order of the passphrase
>>> prompt when the disk is encrypted?
>>>
>>> The way it is now, devices get detected after this prompt (USB devices it
>>> seems), which makes the prompt kind of hidden and complicates things for
>>> less experienced users!
>>>
>>
>> I experienced this issue running 9.0.
>> 10-RELEASE seems fine (as in works for me...) but I didn't investigate.
>>
>> If your root partition is not encrypted, you can try to mount encrypted
>> volumes later, adding the relevant bits into /etc/rc.local or a rc.d
>> script. Just remove the BOOT flag from your volumes with
>>
>> geli configure -B provider
>>
>
> I can confirm the issue on my laptop (Dell Latitude E6520) with
> 10.0-RELEASE-p7 using an encrypted boot on zfs, and booting from usb thumb
> drive.  It doesn't do it if I have no other USB devices plugged in in
> addition to the USB thumb drive.  However if it's in the port replicator,
> with external mouse/keyboard I get a lot of device discovery prompts
> following the prompt for the password.  It's only a nuisance for me, though
> when I built it off the port replicator then took it into the office and
> booted it the first time I thought I broke it and hard reset it.  The next
> boot I was watching closely and saw the prompt go by.
>
> --
> Thanks,
> Dean E. Weimer
> http://www.dweimer.net/
>