D2105.diff
Index: head/sys/boot/forth/check-password.4th
===================================================================
--- head/sys/boot/forth/check-password.4th
+++ head/sys/boot/forth/check-password.4th
@@ -146,6 +146,15 @@
2drop read-reset
else drop then
+ \ Prompt for GEOM ELI (geli(8)) passphrase if enabled
+ s" geom_eli_passphrase_prompt" getenv dup -1 <> if
+ s" YES" compare-insensitive 0= if
+ s" GELI Passphrase: " read ( prompt -- )
+ readval readlen @ s" kern.geom.eli.passphrase" setenv
+ read-reset
+ then
+ else drop then
+
\ Exit if a password was not set
s" password" getenv -1 = if exit else drop then
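Review bot: the passphrase typed at the `s" GELI Passphrase: " read` prompt is stored in plain text as the loader environment variable kern.geom.eli.passphrase (the `setenv` on the `readval readlen @` line) and is handed to the kernel that way; the only cleanup in this revision is the kern_unsetenv in init_main.c after vfs_mountroot(), so the value stays readable from the environment until then. Worth stating in the manual page, and since `read-reset` runs only on the YES branch here, please confirm the input buffer is cleared on every path, as the bootlock check above does with `2drop read-reset`.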
Index: head/sys/boot/forth/check-password.4th.8
===================================================================
--- head/sys/boot/forth/check-password.4th.8
+++ head/sys/boot/forth/check-password.4th.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2011-2012 Devin Teske
+.\" Copyright (c) 2011-2015 Devin Teske
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd December 10, 2012
+.Dd March 20, 2015
.Dt CHECK-PASSWORD.4TH 8
.Os
.Sh NAME
@@ -33,8 +33,12 @@
.Sh DESCRIPTION
The file that goes by the name of
.Nm
-is a set of commands designed to either prevent booting or prevent modification
-of boot options without an appropriately configured password.
+is a set of commands designed to do one or more of the following:
+.Pp
+.Dl o Prevent booting without password
+.Dl o Prevent modification of boot options without password
+.Dl o Provide a password to mount geli(8) encrypted root disk(s)
+.Pp
The commands of
.Nm
by themselves are not enough for most uses.
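Review bot: the three bullet items are written as `.Dl o ...` display lines, but mdoc has a list macro for exactly this; `.Bl -bullet -compact` with one `.It` per item and a closing `.El` renders correctly in every output format, and `geli(8)` in the third item should be `.Xr geli 8` as it is elsewhere in this file.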
@@ -58,14 +62,23 @@
.Pp
.Bl -tag -width disable-module_module -compact -offset indent
.It Ic check-password
-Dual-purpose function that can either protect the interactive boot menu or
-prevent boot without password (separately).
+Multi-purpose function that can protect the interactive boot menu,
+prevent boot without password, or prompt for geli(8) passphrase
+.Pq depending on Xr loader.conf 5 settings .
.Pp
First checks
.Va bootlock_password
and if-set, the user cannot continue until the correct password is entered.
.Pp
-Next checks
+Next, checks
+.Va geom_eli_passphrase_prompt
+and if set to
+.Li YES
+.Pq case-insensitive
+prompts the user to enter their GELI password for later mounting of the root
+device(s) during boot.
+.Pp
+Last, checks
.Va password
and if-set, tries to
.Ic autoboot
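Review bot: terminology is inconsistent within this hunk: the function summary says "prompt for geli(8) passphrase" while the `.Va geom_eli_passphrase_prompt` paragraph says "GELI password"; the prompt string and the variable name both say passphrase, so use that throughout. Also `geli(8)` in the summary should be `.Xr geli 8`, and "Next, checks" now carries a comma that "Last, checks" has and the unchanged "First checks" does not; pick one form.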
@@ -81,6 +94,11 @@
Sets the bootlock password (up to 16 characters long) that is required by
.Ic check-password
to be entered before the system is allowed to boot.
+.It Va geom_eli_passphrase_prompt
+Selects whether loader(8) will prompt for GELI credentials, handing-off to the
+kernel for later mounting of
+.Xr geli 8
+encrypted root device(s).
.It Va password
Sets the password (up to 16 characters long) that is required by
.Ic check-password
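Review bot: the `.It Va geom_eli_passphrase_prompt` entry states neither the accepted values nor the default; the loader.conf hunk shows the default as "NO" and the check-password.4th hunk compares the value to YES case-insensitively, so say "Set to YES (case-insensitive) to ..." and that the default is NO. Also `loader(8)` should be `.Xr loader 8` and "handing-off" should be "handing off".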
@@ -122,6 +140,16 @@
.Bd -literal -offset indent -compact
bootlock_password="boot"
.Ed
+.Pp
+Add the following to
+.Xr loader.conf 5
+to generate a prompt at boot to collect GELI credentials for mounting
+.Xr geli 8
+encrypted root device(s):
+.Pp
+.Bd -literal -offset indent -compact
+geom_eli_passphrase_prompt="YES"
+.Ed
.Sh SEE ALSO
.Xr loader.conf 5 ,
.Xr loader 8 ,
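Review bot: the example sets only geom_eli_passphrase_prompt="YES", whereas the zfsboot hunk in this same diff writes it next to geom_eli_load="YES"; if the prompt is useless without the geli module loaded, the example should show both lines so readers do not end up with a prompt whose value is discarded.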
Index: head/sys/boot/forth/loader.conf
===================================================================
--- head/sys/boot/forth/loader.conf
+++ head/sys/boot/forth/loader.conf
@@ -62,6 +62,7 @@
# "NO" to disable autobooting
#password="" # Prevent changes to boot options
#bootlock_password="" # Prevent booting (see check-password.4th(8))
+#geom_eli_passphrase_prompt="NO" # Prompt for geli(8) passphrase to mount root
#beastie_disable="NO" # Turn the beastie boot menu on and off
#kernels="kernel kernel.old" # Kernels to display in the boot menu
#loader_logo="orbbw" # Desired logo: orbbw, orb, fbsdbw, beastiebw, beastie, none
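Review bot: the new comment could point at the manual page the way the bootlock_password line above does, e.g. `#geom_eli_passphrase_prompt="NO" # Prompt for geli(8) passphrase to mount root (see check-password.4th(8))`, since that is where the variable is documented; keep the column alignment of the neighbouring lines.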
Index: head/sys/kern/init_main.c
===================================================================
--- head/sys/kern/init_main.c
+++ head/sys/kern/init_main.c
@@ -710,6 +710,9 @@
vfs_mountroot();
+ /* Wipe GELI passphrase from the environment. */
+ kern_unsetenv("kern.geom.eli.passphrase");
+
/*
* Need just enough stack to hold the faked-up "execve()" arguments.
*/
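Review bot: kern_unsetenv("kern.geom.eli.passphrase") runs only after vfs_mountroot() returns, which is the right point for the consumer, but two things the hunk does not show need confirming: that kern_unsetenv zeroes the value before freeing it rather than just unlinking the entry, and that the copy in the static environment handed over by the loader is scrubbed as well; otherwise the passphrase remains in kernel memory for the lifetime of the system. A short comment stating which copies are wiped would help future readers.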
Index: head/usr.sbin/bsdinstall/scripts/zfsboot
===================================================================
--- head/usr.sbin/bsdinstall/scripts/zfsboot
+++ head/usr.sbin/bsdinstall/scripts/zfsboot
@@ -1346,6 +1346,9 @@
$BSDINSTALL_TMPBOOT/loader.conf.aesni || return $FAILURE
f_eval_catch $funcname echo "$ECHO_APPEND" 'geom_eli_load=\"YES\"' \
$BSDINSTALL_TMPBOOT/loader.conf.geli || return $FAILURE
+ f_eval_catch $funcname echo "$ECHO_APPEND" \
+ 'geom_eli_passphrase_prompt=\"YES\"' \
+ $BSDINSTALL_TMPBOOT/loader.conf.geli || return $FAILURE
for disk in $disks; do
f_eval_catch $funcname printf "$PRINTF_CONF" \
geli_%s_keyfile0_load "$disk$targetpart YES" \
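Review bot: the installer now enables the prompt unconditionally for every geli-backed install, yet this diff changes nothing under sys/geom/eli, so please confirm that the kernel-side consumer of kern.geom.eli.passphrase already exists in head; if it does not, freshly installed systems will prompt for a passphrase that nothing uses. Naming the revision that added the consumer in the summary would settle it.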
D2105: Add "GELI Passphrase:" prompt to boot loader.