Add "GELI Passphrase:" prompt to boot loader.
A new loader.conf(5) option of geom_eli_passphrase_prompt="YES" will now allow you to enter your geli(8) root-mount credentials prior to invoking the kernel. See check-password.4th(8) for details. Differential Revision: https://reviews.freebsd.org/D2105 Reviewed by: imp, kmoore Discussed on: -current MFC after: 3 days X-MFC-to: stable/10 Relnotes: yes
This commit is contained in:
Devin Teske
parent
008bd7c6f6
commit
43d4f8c4c6
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=281616
@ -146,6 +146,15 @@ only forth definitions also password-processing
|
||||
2drop read-reset
|
||||
else drop then
|
||||
|
||||
\ Prompt for GEOM ELI (geli(8)) passphrase if enabled
|
||||
s" geom_eli_passphrase_prompt" getenv dup -1 <> if
|
||||
s" YES" compare-insensitive 0= if
|
||||
s" GELI Passphrase: " read ( prompt -- )
|
||||
readval readlen @ s" kern.geom.eli.passphrase" setenv
|
||||
read-reset
|
||||
then
|
||||
else drop then
|
||||
|
||||
\ Exit if a password was not set
|
||||
s" password" getenv -1 = if exit else drop then
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
.\" Copyright (c) 2011-2012 Devin Teske
|
||||
.\" Copyright (c) 2011-2015 Devin Teske
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
@ -24,7 +24,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd December 10, 2012
|
||||
.Dd March 20, 2015
|
||||
.Dt CHECK-PASSWORD.4TH 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -33,8 +33,12 @@
|
||||
.Sh DESCRIPTION
|
||||
The file that goes by the name of
|
||||
.Nm
|
||||
is a set of commands designed to either prevent booting or prevent modification
|
||||
of boot options without an appropriately configured password.
|
||||
is a set of commands designed to do one or more of the following:
|
||||
.Pp
|
||||
.Dl o Prevent booting without password
|
||||
.Dl o Prevent modification of boot options without password
|
||||
.Dl o Provide a password to mount geli(8) encrypted root disk(s)
|
||||
.Pp
|
||||
The commands of
|
||||
.Nm
|
||||
by themselves are not enough for most uses.
|
||||
@ -58,14 +62,23 @@ The commands provided by it are:
|
||||
.Pp
|
||||
.Bl -tag -width disable-module_module -compact -offset indent
|
||||
.It Ic check-password
|
||||
Dual-purpose function that can either protect the interactive boot menu or
|
||||
prevent boot without password (separately).
|
||||
Multi-purpose function that can protect the interactive boot menu,
|
||||
prevent boot without password, or prompt for geli(8) passphrase
|
||||
.Pq depending on Xr loader.conf 5 settings .
|
||||
.Pp
|
||||
First checks
|
||||
.Va bootlock_password
|
||||
and if-set, the user cannot continue until the correct password is entered.
|
||||
.Pp
|
||||
Next checks
|
||||
Next, checks
|
||||
.Va geom_eli_passphrase_prompt
|
||||
and if set to
|
||||
.Li YES
|
||||
.Pq case-insensitive
|
||||
prompts the user to enter their GELI password for later mounting of the root
|
||||
device(s) during boot.
|
||||
.Pp
|
||||
Last, checks
|
||||
.Va password
|
||||
and if-set, tries to
|
||||
.Ic autoboot
|
||||
@ -81,6 +94,11 @@ The environment variables that effect its behavior are:
|
||||
Sets the bootlock password (up to 16 characters long) that is required by
|
||||
.Ic check-password
|
||||
to be entered before the system is allowed to boot.
|
||||
.It Va geom_eli_passphrase_prompt
|
||||
Selects whether loader(8) will prompt for GELI credentials, handing-off to the
|
||||
kernel for later mounting of
|
||||
.Xr geli 8
|
||||
encrypted root device(s).
|
||||
.It Va password
|
||||
Sets the password (up to 16 characters long) that is required by
|
||||
.Ic check-password
|
||||
@ -122,6 +140,16 @@ to prevent booting without password:
|
||||
.Bd -literal -offset indent -compact
|
||||
bootlock_password="boot"
|
||||
.Ed
|
||||
.Pp
|
||||
Add the following to
|
||||
.Xr loader.conf 5
|
||||
to generate a prompt at boot to collect GELI credentials for mounting
|
||||
.Xr geli 8
|
||||
encrypted root device(s):
|
||||
.Pp
|
||||
.Bd -literal -offset indent -compact
|
||||
geom_eli_passphrase_prompt="YES"
|
||||
.Ed
|
||||
.Sh SEE ALSO
|
||||
.Xr loader.conf 5 ,
|
||||
.Xr loader 8 ,
|
||||
|
||||
@ -62,6 +62,7 @@ entropy_cache_type="/boot/entropy"
|
||||
# "NO" to disable autobooting
|
||||
#password="" # Prevent changes to boot options
|
||||
#bootlock_password="" # Prevent booting (see check-password.4th(8))
|
||||
#geom_eli_passphrase_prompt="NO" # Prompt for geli(8) passphrase to mount root
|
||||
#beastie_disable="NO" # Turn the beastie boot menu on and off
|
||||
#kernels="kernel kernel.old" # Kernels to display in the boot menu
|
||||
#loader_logo="orbbw" # Desired logo: orbbw, orb, fbsdbw, beastiebw, beastie, none
|
||||
|
||||
@ -710,6 +710,9 @@ start_init(void *dummy)
|
||||
|
||||
vfs_mountroot();
|
||||
|
||||
/* Wipe GELI passphrase from the environment. */
|
||||
kern_unsetenv("kern.geom.eli.passphrase");
|
||||
|
||||
/*
|
||||
* Need just enough stack to hold the faked-up "execve()" arguments.
|
||||
*/
|
||||
|
||||
@ -1346,6 +1346,9 @@ zfs_create_boot()
|
||||
$BSDINSTALL_TMPBOOT/loader.conf.aesni || return $FAILURE
|
||||
f_eval_catch $funcname echo "$ECHO_APPEND" 'geom_eli_load=\"YES\"' \
|
||||
$BSDINSTALL_TMPBOOT/loader.conf.geli || return $FAILURE
|
||||
f_eval_catch $funcname echo "$ECHO_APPEND" \
|
||||
'geom_eli_passphrase_prompt=\"YES\"' \
|
||||
$BSDINSTALL_TMPBOOT/loader.conf.geli || return $FAILURE
|
||||
for disk in $disks; do
|
||||
f_eval_catch $funcname printf "$PRINTF_CONF" \
|
||||
geli_%s_keyfile0_load "$disk$targetpart YES" \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user