Index: sbin/geom/class/eli/geli.8 =================================================================== --- sbin/geom/class/eli/geli.8 +++ sbin/geom/class/eli/geli.8 @@ -51,7 +51,7 @@ .Pp .Nm .Cm init -.Op Fl bPTv +.Op Fl bgPTv .Op Fl a Ar aalgo .Op Fl B Ar backupfile .Op Fl e Ar ealgo @@ -88,7 +88,7 @@ .Ar prov .Nm .Cm configure -.Op Fl bBtT +.Op Fl bBgGtT .Ar prov ... .Nm .Cm setkey @@ -293,6 +293,11 @@ .Nm AES-XTS . .Nm NULL is unencrypted. +.It Fl g +Enable booting from this encrypted root filesystem. +The boot loader prompts for the passphrase and loads +.Xr loader 8 +from the encrypted partition. .It Fl i Ar iterations Number of iterations to use with PKCS#5v2 when processing User Key passphrase component. @@ -485,6 +490,13 @@ subcommand. .It Fl B Remove the BOOT flag from the given providers. +.It Fl g +Enable booting from this encrypted root filesystem. +The boot loader prompts for the passphrase and loads +.Xr loader 8 +from the encrypted partition. +.It Fl G +Deactivate booting from this encrypted root partition. .It Fl t Enable TRIM/UNMAP passthru. For more information, see the description of the Index: sbin/geom/class/eli/geom_eli.c =================================================================== --- sbin/geom/class/eli/geom_eli.c +++ sbin/geom/class/eli/geom_eli.c @@ -82,13 +82,13 @@ /* * Available commands: * - * init [-bhPv] [-a aalgo] [-B backupfile] [-e ealgo] [-i iterations] [-l keylen] [-J newpassfile] [-K newkeyfile] [-V version] prov + * init [-bgPTv] [-a aalgo] [-B backupfile] [-e ealgo] [-i iterations] [-l keylen] [-J newpassfile] [-K newkeyfile] [-s sectorsize] [-V version] prov * label - alias for 'init' * attach [-dprv] [-j passfile] [-k keyfile] prov * detach [-fl] prov ... * stop - alias for 'detach' * onetime [-d] [-a aalgo] [-e ealgo] [-l keylen] prov - * configure [-bB] prov ... + * configure [-bBgGtT] prov ... * setkey [-pPv] [-n keyno] [-j passfile] [-J newpassfile] [-k keyfile] [-K newkeyfile] prov * delkey [-afv] [-n keyno] prov * suspend [-v] -a | prov ... @@ -108,6 +108,7 @@ { 'b', "boot", NULL, G_TYPE_BOOL }, { 'B', "backupfile", "", G_TYPE_STRING }, { 'e', "ealgo", "", G_TYPE_STRING }, + { 'g', "geliboot", NULL, G_TYPE_BOOL }, { 'i', "iterations", "-1", G_TYPE_NUMBER }, { 'J', "newpassfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'K', "newkeyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, @@ -118,7 +119,7 @@ { 'V', "mdversion", "-1", G_TYPE_NUMBER }, G_OPT_SENTINEL }, - "[-bPTv] [-a aalgo] [-B backupfile] [-e ealgo] [-i iterations] [-l keylen] [-J newpassfile] [-K newkeyfile] [-s sectorsize] [-V version] prov" + "[-bgPTv] [-a aalgo] [-B backupfile] [-e ealgo] [-i iterations] [-l keylen] [-J newpassfile] [-K newkeyfile] [-s sectorsize] [-V version] prov" }, { "label", G_FLAG_VERBOSE, eli_main, { @@ -126,6 +127,7 @@ { 'b', "boot", NULL, G_TYPE_BOOL }, { 'B', "backupfile", "", G_TYPE_STRING }, { 'e', "ealgo", "", G_TYPE_STRING }, + { 'g', "geliboot", NULL, G_TYPE_BOOL }, { 'i', "iterations", "-1", G_TYPE_NUMBER }, { 'J', "newpassfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, { 'K', "newkeyfile", G_VAL_OPTIONAL, G_TYPE_STRING | G_TYPE_MULTI }, @@ -180,11 +182,13 @@ { { 'b', "boot", NULL, G_TYPE_BOOL }, { 'B', "noboot", NULL, G_TYPE_BOOL }, + { 'g', "geliboot", NULL, G_TYPE_BOOL }, + { 'G', "nogeliboot", NULL, G_TYPE_BOOL }, { 't', "trim", NULL, G_TYPE_BOOL }, { 'T', "notrim", NULL, G_TYPE_BOOL }, G_OPT_SENTINEL }, - "[-bBtT] prov ..." + "[-bBgGtT] prov ..." }, { "setkey", G_FLAG_VERBOSE, eli_main, { @@ -702,6 +706,8 @@ md.md_flags = 0; if (gctl_get_int(req, "boot")) md.md_flags |= G_ELI_FLAG_BOOT; + if (gctl_get_int(req, "geliboot")) + md.md_flags |= G_ELI_FLAG_GELIBOOT; if (gctl_get_int(req, "notrim")) md.md_flags |= G_ELI_FLAG_NODELETE; md.md_ealgo = CRYPTO_ALGORITHM_MIN - 1; @@ -906,7 +912,7 @@ static void eli_configure_detached(struct gctl_req *req, const char *prov, int boot, - int trim) + int geliboot, int trim) { struct g_eli_metadata md; bool changed = 0; @@ -928,6 +934,20 @@ changed = 1; } + if (geliboot == 1 && (md.md_flags & G_ELI_FLAG_GELIBOOT)) { + if (verbose) + printf("GELIBOOT flag already configured for %s.\n", prov); + } else if (geliboot == 0 && !(md.md_flags & G_ELI_FLAG_GELIBOOT)) { + if (verbose) + printf("GELIBOOT flag not configured for %s.\n", prov); + } else if (geliboot >= 0) { + if (geliboot) + md.md_flags |= G_ELI_FLAG_GELIBOOT; + else + md.md_flags &= ~G_ELI_FLAG_GELIBOOT; + changed = 1; + } + if (trim == 0 && (md.md_flags & G_ELI_FLAG_NODELETE)) { if (verbose) printf("TRIM disable flag already configured for %s.\n", prov); @@ -951,8 +971,8 @@ eli_configure(struct gctl_req *req) { const char *prov; - bool boot, noboot, trim, notrim; - int doboot, dotrim; + bool boot, noboot, geliboot, nogeliboot, trim, notrim; + int doboot, dogeliboot, dotrim; int i, nargs; nargs = gctl_get_int(req, "nargs"); @@ -963,6 +983,8 @@ boot = gctl_get_int(req, "boot"); noboot = gctl_get_int(req, "noboot"); + geliboot = gctl_get_int(req, "geliboot"); + nogeliboot = gctl_get_int(req, "nogeliboot"); trim = gctl_get_int(req, "trim"); notrim = gctl_get_int(req, "notrim"); @@ -976,6 +998,16 @@ else if (noboot) doboot = 0; + dogeliboot = -1; + if (geliboot && nogeliboot) { + gctl_error(req, "Options -g and -G are mutually exclusive."); + return; + } + if (geliboot) + dogeliboot = 1; + else if (nogeliboot) + dogeliboot = 0; + dotrim = -1; if (trim && notrim) { gctl_error(req, "Options -t and -T are mutually exclusive."); @@ -986,7 +1018,7 @@ else if (notrim) dotrim = 0; - if (doboot == -1 && dotrim == -1) { + if (doboot == -1 && dogeliboot == -1 && dotrim == -1) { gctl_error(req, "No option given."); return; } @@ -997,7 +1029,7 @@ for (i = 0; i < nargs; i++) { prov = gctl_get_ascii(req, "arg%d", i); if (!eli_is_attached(prov)) - eli_configure_detached(req, prov, doboot, dotrim); + eli_configure_detached(req, prov, doboot, dogeliboot, dotrim); } } Index: sys/geom/eli/g_eli.h =================================================================== --- sys/geom/eli/g_eli.h +++ sys/geom/eli/g_eli.h @@ -97,6 +97,8 @@ #define G_ELI_FLAG_RO 0x00000020 /* Don't pass through BIO_DELETE requests. */ #define G_ELI_FLAG_NODELETE 0x00000040 +/* This GELI supports GELIBoot */ +#define G_ELI_FLAG_GELIBOOT 0x00000080 /* RUNTIME FLAGS. */ /* Provider was open for writing. */ #define G_ELI_FLAG_WOPEN 0x00010000 Index: sys/geom/eli/g_eli.c =================================================================== --- sys/geom/eli/g_eli.c +++ sys/geom/eli/g_eli.c @@ -1181,6 +1181,7 @@ ADD_FLAG(G_ELI_FLAG_DESTROY, "DESTROY"); ADD_FLAG(G_ELI_FLAG_RO, "READ-ONLY"); ADD_FLAG(G_ELI_FLAG_NODELETE, "NODELETE"); + ADD_FLAG(G_ELI_FLAG_GELIBOOT, "GELIBOOT"); #undef ADD_FLAG } sbuf_printf(sb, "\n"); Index: sys/geom/eli/g_eli_ctl.c =================================================================== --- sys/geom/eli/g_eli_ctl.c +++ sys/geom/eli/g_eli_ctl.c @@ -376,7 +376,7 @@ char param[16]; const char *prov; u_char *sector; - int *nargs, *boot, *noboot, *trim, *notrim; + int *nargs, *boot, *noboot, *trim, *notrim, *geliboot, *nogeliboot; int zero, error, changed; u_int i; @@ -421,6 +421,19 @@ if (*trim || *notrim) changed = 1; + geliboot = gctl_get_paraml(req, "geliboot", sizeof(*geliboot)); + if (geliboot == NULL) + geliboot = &zero; + nogeliboot = gctl_get_paraml(req, "nogeliboot", sizeof(*nogeliboot)); + if (nogeliboot == NULL) + nogeliboot = &zero; + if (*geliboot && *nogeliboot) { + gctl_error(req, "Options -g and -G are mutually exclusive."); + return; + } + if (*geliboot || *nogeliboot) + changed = 1; + if (!changed) { gctl_error(req, "No option given."); return; @@ -469,6 +482,16 @@ continue; } + if (*geliboot && (sc->sc_flags & G_ELI_FLAG_GELIBOOT)) { + G_ELI_DEBUG(1, "GELIBOOT flag already configured for %s.", + prov); + continue; + } else if (*nogeliboot && !(sc->sc_flags & G_ELI_FLAG_GELIBOOT)) { + G_ELI_DEBUG(1, "GELIBOOT flag not configured for %s.", + prov); + continue; + } + if (!(sc->sc_flags & G_ELI_FLAG_ONETIME)) { /* * ONETIME providers don't write metadata to @@ -504,6 +527,14 @@ sc->sc_flags &= ~G_ELI_FLAG_NODELETE; } + if (*geliboot) { + md.md_flags |= G_ELI_FLAG_GELIBOOT; + sc->sc_flags |= G_ELI_FLAG_GELIBOOT; + } else if (*nogeliboot) { + md.md_flags &= ~G_ELI_FLAG_GELIBOOT; + sc->sc_flags &= ~G_ELI_FLAG_GELIBOOT; + } + if (sc->sc_flags & G_ELI_FLAG_ONETIME) { /* There's no metadata on disk so we are done here. */ continue;