Page MenuHomeFreeBSD
Differential D12644

geli attach multiple providers (no kernel changes)
ClosedPublic
Actions

Authored by woodsb02 on Oct 12 2017, 3:01 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Nov 20, 8:06 PM
Unknown Object (File)
Fri, Nov 15, 8:54 AM
Unknown Object (File)
Tue, Nov 5, 7:50 PM
Unknown Object (File)
Tue, Nov 5, 7:50 PM
Unknown Object (File)
Tue, Nov 5, 7:50 PM
Unknown Object (File)
Tue, Nov 5, 7:46 PM
Unknown Object (File)
Sun, Nov 3, 2:59 PM
Unknown Object (File)
Sun, Nov 3, 2:59 PM
View All Files
Subscribers
bcr
imp

Details

Reviewers
allanjude
cperciva
pjd
mav
oshogbo
sobomax
bcr
Group Reviewers
manpages
Commits
rS335673: geli attach multiple providers
Summary
Note: This diff is implementation option 2 of 2
Unlike D9396, this implementation does not modify the kernel. This is achieved by creating a new child geom request for each provider being attached, and passing each request to the kernel one by one.

Allow attaching of multiple geli providers at once if they use same
passphrase and keyfiles.

This is helpful when the providers being attached are not used for boot,
and therefore the existing code to first try the cached password when
tasting the providers during boot does not apply.

Multiple providers with the same passphrase and keyfiles can be attached
at the same time during system start-up by adding the following to
rc.conf:

geli_groups="storage backup"
geli_storage_flags="-k /etc/geli/storage.keys"
geli_storage_devices="ada0 ada1"
geli_backup_flags="-j /etc/geli/backup.passfile -k /etc/geli/backup.keys"
geli_backup_devices="ada2 ada3"
Test Plan

Tested using md(4) memory disks to confirm multiple providers can be attached if they use the same passphrase and keyfiles, but each provider fails to attach if the passphrase / keyfile combination fails to decrypt its master key.

mdconfig -s 1m -u 0
mdconfig -s 1m -u 1
mdconfig -s 1m -u 2
mdconfig -s 1m -u 3
geli init md0   # set password to "test"
geli init md1   # set password to "test"
geli init md2   # set password to "test123"
geli init md3   # set password to "test"
geli attach -v md0 md1  # enter password "test"
geli status
geli detach md0 md1

geli attach -v md0 md1 md2 md3  # enter password "test"
geli status
geli detach md0 md1 md3

mdconfig -s 1m -u 4
mdconfig -s 1m -u 5
mdconfig -s 1m -u 6
dd if=/dev/random of=/tmp/test.key bs=64 count=1
echo te > /tmp/pass1.txt
echo st > /tmp/pass2.txt
geli init -s 4096 -K /tmp/test.key -J /tmp/pass1.txt -J /tmp/pass2.txt md4
geli init -s 4096 -K /tmp/test.key md5  # set password "test123"
geli init -s 4096 -K /tmp/test.key -J /tmp/pass1.txt -J /tmp/pass2.txt md6
geli attach -k /tmp/test.key -j /tmp/pass1.txt -j /tmp/pass2.txt -v md4 md5 md6
geli status
geli detach md4 md6

mdconfig -d -u 0
mdconfig -d -u 1
mdconfig -d -u 2
mdconfig -d -u 3
mdconfig -d -u 4
mdconfig -d -u 5
mdconfig -d -u 6
rm /tmp/test.key /tmp/pass1.txt /tmp/pass2.txt

Expected output:

Attached to md0.
Attached to md1.
Done.
      Name  Status  Components
   md0.eli  ACTIVE  md0
   md1.eli  ACTIVE  md1

Attached to md0.
Attached to md1.
geli: Wrong key for md2.
Attached to md3.
geli: At least one provider failed to attach.
      Name  Status  Components
   md0.eli  ACTIVE  md0
   md1.eli  ACTIVE  md1
   md3.eli  ACTIVE  md3

Attached to md4.
geli: Wrong key for md5.
Attached to md6.
geli: At least one provider failed to attach.
      Name  Status  Components
   md4.eli  ACTIVE  md4
   md6.eli  ACTIVE  md6

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 12676
Build 12947: arc lint + arc unit

Event Timeline

woodsb02 created this revision.Oct 12 2017, 3:01 PM
Herald added a reviewer: manpages. · View Herald TranscriptOct 12 2017, 3:01 PM
Herald added a subscriber: imp. · View Herald Transcript
woodsb02 edited the summary of this revision. (Show Details)Oct 12 2017, 3:02 PM
woodsb02 edited the test plan for this revision. (Show Details)
woodsb02 edited the summary of this revision. (Show Details)Oct 12 2017, 3:09 PM
woodsb02 mentioned this in D9396: geli attach multiple providers (with kernel changes).Oct 12 2017, 3:13 PM
woodsb02 edited the summary of this revision. (Show Details)Oct 13 2017, 12:06 AM
woodsb02 edited the test plan for this revision. (Show Details)Oct 16 2017, 2:54 PM
woodsb02 edited the test plan for this revision. (Show Details)Oct 16 2017, 3:00 PM
woodsb02 updated this revision to Diff 34029.Oct 16 2017, 3:02 PM

Fix geli attach using keyfile(s) or passfile(s).
This code is now fully functional.

woodsb02 added a reviewer: oshogbo.Nov 11 2017, 12:58 AM
oshogbo added a comment.Nov 11 2017, 8:29 AM

A little out of topic:
@woodsb02 you mentioned that geli detach behaves different - it's accepting multiple devices.
What do you think about making them behave the same - and re implemented geli detach for multiple providers in the userland?
This will make happy both sides - those who want to have kernel as simple you can and those that want to have consistent API.

I will came back here for code review but just had such idea, for now.

woodsb02 added a reviewer: sobomax.Nov 12 2017, 12:31 AM
woodsb02 updated this revision to Diff 35136.Nov 12 2017, 4:10 AM

Implement comment from delphij:

  • If device group in rc script is empty, use continue instead of break to carry on with the next device group instead of skipping all devices groups.

Implement comments from sobomax:

  • Use strlen instead of strcmp to check for empty cached_passphrase
  • Use strlcpy instead of memcpy for strings
  • Consistently use curly braces to surround variable names in rc script
Harbormaster completed remote builds in B12676: Diff 35136.Nov 12 2017, 4:10 AM
woodsb02 updated this revision to Diff 35158.Nov 12 2017, 5:33 PM

Implement comment from jilles:

  • Revert previous change from $(geli_make_list) and ${geli_make_list}
Harbormaster completed remote builds in B12691: Diff 35158.Nov 12 2017, 5:33 PM
woodsb02 updated this revision to Diff 44466.Jun 26 2018, 2:00 PM

Update diff to implement comments from wblock, delphij, sobomax in D9396

Also rebase diff on r334554.

Harbormaster completed remote builds in B17627: Diff 44466.Jun 26 2018, 2:00 PM
woodsb02 updated this revision to Diff 44467.Jun 26 2018, 2:59 PM

Rebase on r335667

Harbormaster completed remote builds in B17628: Diff 44467.Jun 26 2018, 2:59 PM
sobomax accepted this revision.Jun 26 2018, 3:38 PM

Looks fine to me. Just two small code nits.

lib/geom/eli/geom_eli.c
522 ↗(On Diff #44467)

Add {} around the "true" block to avoid ambiguity.

if (nfiles == -1) {
524 ↗(On Diff #44467)
} else if (nfiles == 0) {
This revision is now accepted and ready to land.Jun 26 2018, 3:38 PM
bcr accepted this revision.Jun 26 2018, 4:32 PM
bcr added a subscriber: bcr.

OK from manpages. Don't forget to bump the .Dd at the beginning of the man page with the date of the commit.
Thanks!

Closed by commit rS335673: geli attach multiple providers (authored by woodsb02). · Explain WhyJun 26 2018, 6:07 PM
This revision was automatically updated to reflect the committed changes.
woodsb02 marked 2 inline comments as done.

Revision Contents
Changeset List

PathSize
etc/
defaults/
7 lines
rc.d/
38 lines
sbin/
geom/
class/
eli/
93 lines
118 lines
share/
man/
man5/
13 lines

Diff 35136

View Options

etc/defaults/rc.conf

Loading...
View Options

etc/rc.d/geli

Loading...
View Options

sbin/geom/class/eli/geli.8

Loading...
View Options

sbin/geom/class/eli/geom_eli.c

Loading...
View Options

share/man/man5/rc.conf.5

Loading...