
Add "GELI Passphrase:" prompt to boot loader.
ClosedPublic

Authored by dteske on Mar 21 2015, 4:13 AM.
Details

Summary

Add "GELI Passphrase:" prompt to boot loader.

A new loader.conf(5) option of geom_eli_passphrase_prompt="YES" will now
allow you to enter your geli(8) root-mount credentials prior to invoking
the kernel.

See check-password.4th(8) for details.

Test Plan

Drop a HEAD copy of check-password.4th into /boot and then apply the patch
(only the patch to /boot/check-password.4th is required; no other changes are
required, but you do have to have a HEAD copy of check-password.4th to
apply the patch).

NB: The rest of your /boot files can be up to 2 years old but no older.
NB: The test won't work unless your kernel has the following change

https://svnweb.freebsd.org/base?view=revision&revision=273489

Now, put into /boot/loader.conf:

geom_eli_passphrase_prompt="YES"

and reboot.

You should be prompted for a GELI passphrase before the menu (if enabled),
just after loading loader.conf(5).

NB: It doesn't matter if you're using GELI or not. However, if you are using
GELI and a sufficiently new release (one that has SVN r273489) and you entered
the proper passphrase to mount your GELI-encrypted root device(s), you should
notice that the boot process did not stop (you went from loader all the way to login).

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

dteske retitled this revision from to Add "GELI Passphrase:" prompt to boot loader..
dteske updated this object.
dteske edited the test plan for this revision. (Show Details)
dteske added reviewers: cperciva, allanjude, scottl.
dteske added a subscriber: jkh.

Filter out unrelated changes.

Add entry to loader.conf(5) defaults

dteske edited the test plan for this revision. (Show Details)
dteske edited the test plan for this revision. (Show Details)
Inline comment on sys/boot/forth/check-password.4th, line 139 (On Diff #4357):

How do you keep from disclosing the root password to anybody that can run kenv?

In D2105#14, @imp wrote:

How do you keep from disclosing the root password to anybody that can run kenv?

We tested with using GRUB to make sure the kenv password string memory was wiped. The way we confirmed was the following.

Set up a VM with full-disk encryption and a searchable plaintext password, "abcd1234" for example.
Do the boot / decrypt using GRUB passphrase passthrough.
Run the "memdump" utility, streaming memory across the network to the VM host system.
Then run strings and grep on the memory file, looking for that particular string in memory.

It took a few fixes, but the fixes Colin did to GELI did end up working, wiping the string from memory and from the kenv variable.

You'll need to do the same booting from the 4th loader though, make sure that it doesn't make other copies of the string which get left in memory.

dteske edited edge metadata.
dteske updated this object.
dteske updated this object.
dteske updated this object.
eadler added a reviewer: dteske.
eadler added a subscriber: eadler.

stealing this

dteske edited reviewers, added: eadler; removed: dteske.

taking back -- thanks to Eitan for finding the glitch (template issue)

dteske updated this object.

Add code to call new `read-reset' for expunging cell data post-compare.

There is one remaining issue being discussed here:
https://lists.freebsd.org/pipermail/freebsd-current/2015-April/055345.html

Issue: If geom_eli.ko is not loaded, the code that performs the reset of kenv(1) kern.geom.eli.passphrase is not invoked (leaking the contents to userland). Need to move the reset code out of sys/geom/eli/g_eli.c and into a standard part of the kernel so it can't be disabled/by-passed.

Add patch to sys/kern/init_main.c: unset passphrase variable
in start_init() immediately after calling vfs_mountroot().

This prevents leaking variable contents to userland in the
event geom_eli.ko is not loaded (currently responsible for
preventing leakage).

In D2105#32, @dteske wrote:

There is one remaining issue being discussed here:
https://lists.freebsd.org/pipermail/freebsd-current/2015-April/055345.html

Issue: If geom_eli.ko is not loaded, the code that performs the reset of kenv(1) kern.geom.eli.passphrase is not invoked (leaking the contents to userland). Need to move the reset code out of sys/geom/eli/g_eli.c and into a standard part of the kernel so it can't be disabled/by-passed.

It was suggested that we do the reset right after successful mountroot.
I've added a patch to sys/kern/init_main.c (in start_init()). Suggestions welcome.
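The following is an added, constructed user-space model (not the kernel's or the loader's code) of the two concerns raised above: the strings/grep-style scan used to confirm the passphrase is really gone from memory, and why the kernel-side reset of kern.geom.eli.passphrase must overwrite the value rather than merely drop the variable name. The flat "name=value" buffer, the sample passphrase "abcd1234" and the two unset variants are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel environment: a flat buffer of
 * NUL-terminated "name=value" strings, roughly what kenv(1) walks. */
#define ENV_SIZE 256
static char kenv_buf[ENV_SIZE];

/* Constructed sample passphrase, chosen to be easy to search for. */
static const char *passphrase = "abcd1234";

static void kenv_init(void) {
    memset(kenv_buf, 0, sizeof kenv_buf);
    snprintf(kenv_buf, sizeof kenv_buf,
             "kern.geom.eli.passphrase=%s", passphrase);
}

/* Mirror of the memdump + strings | grep check: is the plaintext
 * passphrase still anywhere in the region, listed by kenv or not? */
static int memory_contains(const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= ENV_SIZE; i++)
        if (memcmp(kenv_buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Naive unset: hide the entry by truncating its name, leaving the value
 * bytes in place. This is the leak the review is worried about. */
static void kenv_unset_naive(void) {
    kenv_buf[0] = '\0';
}

/* Wiping unset: overwrite the whole entry before dropping it. Writing
 * through a volatile pointer keeps the compiler from eliding the stores. */
static void kenv_unset_wipe(void) {
    volatile char *p = kenv_buf;
    size_t len = strnlen(kenv_buf, ENV_SIZE);
    for (size_t i = 0; i < len; i++)
        p[i] = 0;
}

/* Run one scenario: populate, unset, then scan. 1 means the passphrase leaked. */
static int leaks_after(void (*unset)(void)) {
    kenv_init();
    unset();
    return memory_contains(passphrase);
}

int main(void) {
    printf("naive unset leaks: %d\n", leaks_after(kenv_unset_naive));
    printf("wiping unset leaks: %d\n", leaks_after(kenv_unset_wipe));
    return 0;
}
```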

Fix comment: s/geli(4)/geli(8)/
NB: Don't want to confuse anyone by pointing to a non-existent manual

dteske updated this revision to Diff 4858.

Closed by commit rS281616 (authored by @dteske).