Page MenuHomeFreeBSD

Implement the ability for GELIBoot to write encrypted data zfsbootcfg(8) depends on being able to write a valid block of zeros with the correct ZFS checksum to the PAD2 area of the first ZFS vdev label When the disk is encrypted with GELI...
ClosedPublic

Authored by allanjude on Apr 2 2017, 5:58 PM.

Details

Summary

..., zfsboot was writing unencrypted data to the correct location, but when it was read back on the next boot, the data was decrypted, resulting in gibberish and a warning about PAD2 not being read correctly.

This change implements GELI encrypt in the recent vdev_write() function if the partition is identified as being GELI encrypted

Diff Detail

Event Timeline

The geli conditionalization looks good to me.

sys/boot/i386/libi386/biosdisk.c
936–938

style(9): superfluous braces?

940–942

style(9): superfluous braces?

967–969

style(9): superfluous braces?

This revision is now accepted and ready to land.Apr 2 2017, 6:51 PM

Overall seems pretty nice, i think.

sys/boot/i386/libi386/biosdisk.c
881–882

I think we really should have better construct instead of 0/1:D enum for example for nice verbose constants;) same for other occurrences of geli_io() call.

allanjude edited edge metadata.

Use an enum for encrypt/decrypt switch

This revision now requires review to proceed.Apr 8 2017, 1:35 AM

I did not replicate the same comments for all the instances;)

sys/boot/geli/geliboot.h
47

There seems to be space-tab issue after define, compared to previous line (#46)?

sys/boot/geli/geliboot_crypto.c
52

Since we are now encrypting and decrypting, maybe the message should use something like "crypto keys" now?

63

now the comment seems to be not needed any more.

This revision is now accepted and ready to land.Jul 14 2020, 1:33 PM

Improved version committed as rS363090: loader: implement GELI writes.