Commit Graph

52 Commits

Author SHA1 Message Date
Mariusz Zaborski
5fff09660e geli: split the initalization of HMAC
GELI allows to read a user key from a standard input.
However if user initialize multiple providers at once, the standard
input will be empty for the second and next providers.
This caused GELI to encrypt a master key with an empty key file.

This commits initialize the HMAC with the key file, and then reuse the
finalized structure to generate different encryption keys for different
providers.

Reported by:	Nathan Dorfman
Tested by:	philip
Security:	FreeBSD-SA-23:01.geli
Security:	CVE-2023-0751
2023-02-08 10:01:58 -08:00
Emmanuel Vadot
0bf688786f pkgbase: Put geom utilities in their own package
For most users it's not needed to boot and they are also
available in the FreeBSD-rescue package in case an update
break and FreeBSD-geom package isn't updated correctly.

Differential Revision:	https://reviews.freebsd.org/D36224
2022-10-26 19:46:28 +02:00
Benedict Reuschling
d63104d253 Add information on how to load gmirror on boot to auto activate mirrors
PR:			234997
Reported by:		Michiel van Baak <michiel@vanbaak.eu>
Event:			Aberdeen Hackathon 2022
Differential Revision:	https://reviews.freebsd.org/D20577
2022-10-05 16:44:31 +00:00
Jens Schweikhardt
cf13e67730 Fix dead reference to boot0(8) to point to boot0cfg(8). 2022-09-16 19:08:22 +02:00
Mateusz Piotrowski
a848315f68 gmirror.8: Remove references rc.early
The manual page of gmirror describes how gmirror providers can be used
for kernel dumps. Unfortunately, the instruction references
/etc/rc.early, which is no longer a part of rc(8).

Remove references to rc.early and suggest creating an rc(8) service
script instead.

Future work: In the Problem Report on Bugzilla, Lawrence Chen suggested
adding example rc(8) scripts to the gmirror. However, those examples
need to be tested before they become official reference examples in the
base. Also, those scripts should probably land directly to /etc/rc.d,
/usr/share/examples/rc.d, or /usr/share/examples/gmirror instead of the
gmirror manual page.

PR:		178818
Reported by:	Lawrence Chen <beastie@tardisi.com>
Fixes:		dd2b024a33 Removal of early.sh
MFC after:	1 week
2022-07-21 22:02:44 +02:00
Mark Johnston
081b4452a7 geli: Add a chicken switch for unmapped I/O
We have a report of a panic in GELI that appears to go away when
unmapped I/O is disabled.  Add a tunable to make such investigations
easier in the future.  No functional change intended.

PR:		262894
Reviewed by:	asomers
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34944
2022-04-18 17:55:24 -04:00
Mateusz Piotrowski
fd06117525 *: Do not use the no-op -r flag for bsdlabel(8)
The -r flag is ignored by the FreeBSD implementation of bsdlabel(8)
(also called disklabel(8) in the past). Remove its use from examples
and tests in the tree.

This commit does not touch historical documentation under share/doc/smm
and files under contrib/netbsd-tests.

Reviewed by:	imp
MFC after:	2 weeks
Approved by:	imp (src)
Fixes:		57dfbec57b More axe-work:
Differential Revision:	https://reviews.freebsd.org/D34585
2022-03-17 17:28:07 +01:00
Alexander Motin
7f16b501e2 GEOM: Introduce partial confxml API
Traditionally the GEOM's primary channel of information from kernel to
user-space was confxml, fetched by libgeom through kern.geom.confxml
sysctl.  It is convenient and informative, representing full state of
GEOM in a single XML document.  But problems start to arise on systems
with hundreds of disks, where the full confxml size reaches many
megabytes, taking significant time to first write it and then parse.

This patch introduces alternative solution, allowing to fetch much
smaller XML document, subset of the full confxml, limited to 64KB and
representing only one specified geom and optionally its parents.  It
uses existing GEOM control interface, extended with new "getxml" verb.
In case of any error, such as the buffer overflow, it just transparently
falls back to traditional full confxml.  This patch uses the new API in
user-space GEOM tools where it is possible.

Reviewed by:	imp
MFC after:	2 month
Sponsored by:	iXsystems, Inc.
Differential Revision:	https://reviews.freebsd.org/D34529
2022-03-12 11:55:52 -05:00
Hans Petter Selasky
419822b372 libgeom(3): Use calloc instead of malloc and bzero.
Pull Request:	https://github.com/freebsd/freebsd-src/pull/546
MFC after:	1 week
Sponsored by:	NVIDIA Networking
2022-03-11 10:38:16 +01:00
Alexander Motin
5c20bfc787 gpart: Avoid geom_gettree() call in "bootcode -b".
geom_gettree() may be pretty expensive on large systems, and it is
not needed if only -b flag specified, that is processed by kernel.

MFC after:	1 month
2022-03-08 14:01:04 -05:00
Alexander Motin
2117cdd4b4 GEOM: Introduce gctl_add_param() API.
Make gctl_add_param() API public, allowing more precise control over
parameter flags.  Previously it was impossible to properly declare
write-only ASCII parameters, used for result reporting, they were
declared as read-write binary instead, that was not nice.

MFC after:	1 month
2022-03-07 11:12:25 -05:00
Kirk McKusick
c7996ddf80 Create a new GEOM utility, gunion(8).
The gunion(8) utility is used to track changes to a read-only disk on
a writable disk. Logically, a writable disk is placed over a read-only
disk. Write requests are intercepted and stored on the writable
disk. Read requests are first checked to see if they have been
written on the top (writable disk) and if found are returned. If
they have not been written on the top disk, then they are read from
the lower disk.

The gunion(8) utility can be especially useful if you have a large
disk with a corrupted filesystem that you are unsure of how to
repair. You can use gunion(8) to place another disk over the corrupted
disk and then attempt to repair the filesystem. If the repair fails,
you can revert all the changes in the upper disk and be back to the
unchanged state of the lower disk thus allowing you to try another
approach to repairing it. If the repair is successful you can commit
all the writes recorded on the top disk to the lower disk.

Another use of the gunion(8) utility is to try out upgrades to your
system. Place the upper disk over the disk holding your filesystem
that is to be upgraded and then run the upgrade on it. If it works,
commit it; if it fails, revert the upgrade.

Further details can be found in the gunion(8) manual page.

Reviewed by: Chuck Silvers, kib (earlier version)
tested by:   Peter Holm
Differential Revision: https://reviews.freebsd.org/D32697
2022-02-28 16:36:08 -08:00
Ed Maste
9c296a2105 geom: Add HiFive boot partitions
As documented in the HiFive Unmatched Software Reference Manual.

Reviewed by:	imp, mhorne
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34010
2022-01-26 10:54:45 -05:00
Ed Maste
3524dead81 gpart.8: minor tidying
Reported by:	igor(1)
2022-01-26 10:54:45 -05:00
Eugene Grosbein
ba94a95402 gpart(8): add minimal reference to glabel(8) to manual page
MFC after:	1 week
2022-01-10 22:07:23 +07:00
Mateusz Piotrowski
58d60030ff gmultipath.8: Fix a typo
It's Word Wide Port Name, not World Word Port Name.

MFC after:	3 days
2021-12-10 14:33:34 +01:00
Alexander Motin
c7cf100aaf geli(8): Do not report error on resize to the same size.
Just validate the old metadata and exit.  Originally the check was
added to not thash the only copy of metadata, but we can achieve the
same just by skipping the writing/trashing.  The metadata validation
should protect user from wrongly specifying new size instead of old.

MFC after:	1 month
Sponsored by:	iXsystems, Inc.
2021-08-18 17:11:03 -04:00
Noah Bergbauer
d575e81fbc gconcat: Implement new online append feature
Implement the "gconcat append" command which can be used
to append a disk to the end of an existing gconcat device
without unmounting.

If the gconcat device is using the "automatic" method, i.e.,
stores metadata on the devices, new metadata is written
to all existing components, as well as to the newly added one.

Pull Request:	https://github.com/freebsd/freebsd-src/pull/472
Reviewed by:	imp@
2021-06-14 11:42:03 -06:00
Andreas Bjornestad
25352f9fda Minor grammar nit
PR:		docs/253975
2021-03-03 16:20:29 +00:00
Edward Tomasz Napierala
bce7ee9d41 Drop "All rights reserved" from all my stuff. This includes
Foundation copyrights, approved by emaste@.  It does not include
files which carry other people's copyrights; if you're one
of those people, feel free to make similar change.

Reviewed by:	emaste, imp, gbe (manpages)
Differential Revision:	https://reviews.freebsd.org/D26980
2020-10-28 13:46:11 +00:00
Mateusz Piotrowski
6709a5167f Fix formatting of SYNOPSIS
There was an unnecessary newline being added before Nm.

MFC after:	3 days
2020-10-15 14:17:45 +00:00
Conrad Meyer
cb1480f8d4 gpart(8): Recognize apple-zfs and solaris-reserved partition ids
Introduce G_PART_ALIAS_SOLARIS_RESERVED, GPT_ENT_TYPE_SOLARIS_RESERVED et al.,
to make gpart show output more convenient on systems with illumos/openindiana
disks visible.

Submitted by:	Juraj Lutter <otis AT sk.FreeBSD.org>
Reviewed by:	bcr(manpages), delphij, myself
Differential Revision:	https://reviews.freebsd.org/D26012
2020-08-17 17:07:05 +00:00
Gordon Bergling
9af25ea3bb geli(8): Add missing commands in the EXAMPLES section
- Add a missing 'geli attach' command
- Fix the passphrase prompt for a 'geli attach' command

Reported by:	Fabian Keil <freebsd-listen at fabiankeil dot de>
Reviewed by:	bcr (mentor)
Approved by:	bcr (mentor)
Differential Revision:	https://reviews.freebsd.org/D25761
2020-07-22 13:00:56 +00:00
Gordon Bergling
fcc9702f05 geli(8): Add an example on how to use geli(8) with a file as encrypted storage
Reviewed by:	bcr (mentor)
Approved by:	bcr (mentor)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D25741
2020-07-20 13:24:50 +00:00
Baptiste Daroussin
5b990a9463 Revert r362466
Such change should not have happen without prior discussion and review.

With hat:	transitioning core
2020-06-22 07:46:24 +00:00
Hans Petter Selasky
7747001b12 Improve wording to be more precise and clear.
No functional change intended.

s/Master Boot/Main Boot/ (also called MBR)

MFC after:	1 week
Sponsored by:	Mellanox Technologies
2020-06-21 13:34:08 +00:00
John Baldwin
e2b9919398 Remove support for geli(4) algorithms deprecated in r348206.
This removes support for reading and writing volumes using the
following algorithms:

- Triple DES
- Blowfish
- MD5 HMAC integrity

In addition, this commit adds an explicit whitelist of supported
algorithms to give a better error message when an invalid or
unsupported algorithm is used by an existing volume.

Reviewed by:	cem
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D24343
2020-04-15 00:14:50 +00:00
Mateusz Piotrowski
9168ef5be3 Document geli(8) loader variables conventions
The geli(8) manual page has an example for preloading keyfiles during boot.
There is no detail though on how the lookup of these variables actually
works.

Let's document that the name of a device does not have to be a part
of the variable.

PR:		243261
Submitted by:	johannes@jo-t.de
Approved by:	bcr (mentor)
MFC after:	3 weeks
Differential Revision:	https://reviews.freebsd.org/D24114
2020-03-19 09:23:26 +00:00
David Malone
9945b2dfef Add some missing articles.
Use .Nm to format the utility name.
Get the name of the GEOM class right.

MFC after:	2 weeks
2020-01-28 15:34:00 +00:00
Alexander Motin
86c06ff886 Remove GEOM_SCHED class and gsched tool.
This code was not actively maintained since it was introduced 10 years ago.
It lacks support for many later GEOM features, such as direct dispatch,
unmapped I/O, stripesize/stripeoffset, resize, etc.  Plus it is the only
remaining use of GEOM nstart/nend request counters, used there to implement
live insertion/removal, questionable by itself.  Plus, as number of people
commented, GEOM is not the best place for I/O scheduler, since it has
limited information about layers both above and below it, required for
efficient scheduling.  Plus with the modern shift to SSDs there is just no
more significant need for this kind of scheduling.

Approved by:	imp, phk, luigi
Relnotes:	yes
2019-12-29 21:16:03 +00:00
Mariusz Zaborski
645532a448 gnop: change the "count until fail" option
Change the "count_until_fail" option of gnop, now it enables the failing
rating instead of setting them to 100%.

The original patch introduced the new flag, which sets the fail/rate to 100%
after N requests. In some cases, we don't want to have 100% of failure
probabilities. We want to start failing at some point.
For example, on the early stage, we may like to allow some read/writes requests
before having some requests delayed - when we try to mount the partition,
or when we are trying to import the pool.
Another case may be to check how scrub in ZFS will behave on different stages.

This allows us to cover more cases.
The previous behavior still may be configured.

Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D22632
2019-12-29 15:47:37 +00:00
Mariusz Zaborski
80e63e0a90 gnop: allow to change the name of created device
Thanks to this option we can create more then one gnop provider from
single provider. This may be useful for temporary labeling some data
on the disk.

Reviewed by:	markj, allanjude, bcr
Differential Revision:	https://reviews.freebsd.org/D22304
2019-12-29 15:40:02 +00:00
Conrad Meyer
f3ea8d846a gpart(8): ms-basic-data is used for exFAT on GPT
Be explicit about it; the first mention of exFAT is for the MBR type 'ntfs',
and the reader must work back from there to the GPT type and infer that a
reference to MBR ntfs type means ms-basic-data is canonical for exFAT.

(It'd also be great if gpart had convenient aliases that did the right
thing for the partition scheme, such as 'ntfs' => ms-basic-data on GPT
schemes or 'exfat' => 'ntfs' in MBR schemes.  The tool is also bad about
providing user-meaningful reasons for EINVAL failures.)
2019-12-24 01:47:08 +00:00
Edward Tomasz Napierala
2006d590d6 Add kern.geom.part.separator tunable. This makes it possible
to specify an optional separator to insert before partition name;
eg if it's set to "c/", you'll get "ada0c/s1" instead of "ada0s1".
(It cannot be set to just “/“, since ada0 is a device node, not
a directory.)

Reviewed by:	imp
MFC after:	2 weeks
Sponsored by:	Klara Inc.
Differential Revision:	https://reviews.freebsd.org/D22193
2019-12-13 09:28:44 +00:00
Mark Johnston
ccd7667c1b Fix grammar in gpart.8.
PR:		241973
MFC after:	3 days
2019-11-18 19:05:52 +00:00
Alan Somers
ca64a75eda geli: raise WARNS to 6
MFC after:	2 weeks
Sponsored by:	Axcient
2019-11-01 02:48:43 +00:00
Chuck Silvers
090a3ea3c2 Add a "count_until_fail" option to gnop, which says to start failing
I/O requests after the given number have been allowed though.

Approved by:    imp (mentor)
Reviewed by:    rpokala kib 0mp mckusick
Sponsored by:   Netflix
Differential Revision:  https://reviews.freebsd.org/D21593
2019-09-13 23:03:56 +00:00
Mariusz Zaborski
a0ddf79987 gnop: Fix initial value for the wdelayprob
Reported by:	Chuck Silvers <chuq@chuq.com>
2019-09-10 20:27:44 +00:00
Kyle Evans
ef03f57dd2 Allow more nesting of GEOM partitioning schemes
GEOM is supposed to be topology-agnostic, but the GPT and BSD partition code
has arbitrary restrictions on nesting that are annoying in cases such as
running VMs on raw partitions (since the VM's partitioning scheme is not
visible to the host).

This patch adds sysctls to disable the restrictions except in the case of
BSD label (and similar) partitions with offset 0 (where we need to avoid
recursively recognizing the label).

Submitted by:	Andrew Gierth
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D21350
2019-09-03 20:57:20 +00:00
Mariusz Zaborski
4f80c85519 gnop: Introduce requests delay.
This allows to simulated disk that is responding slowly to the IO requests.

Reviewed by:	markj, bcr, pjd (previous version)
Differential Revision:	https://reviews.freebsd.org/D21052
2019-07-31 17:47:12 +00:00
Li-Wen Hsu
2b32abd2b1 Correct the argument passed to g_eli_algo2str()
MFC with:	r348206
Sponsored by:	The FreeBSD Foundation
2019-05-24 06:49:47 +00:00
John Baldwin
5c420aae3b Add deprecation warnings for weaker algorithms to geli(4).
- Triple DES has been formally deprecated in Kerberos (RFC 8429)
  and is soon to be deprecated in IPsec (RFC 8221).
- Blowfish is deprecated.  FreeBSD doesn't support its successor
  (Twofish).
- MD5 is generally considered a weak digest that has known attacks.

geli refuses to create new volumes using these algorithms via 'geli
init'.  It also warns when attaching to existing volumes or creating
temporary volumes via 'geli onetime' .  The plan is to fully remove
support for these algorithms in FreeBSD 13.

Note that none of these algorithms have ever been the default
algorithm used by geli(8).  Users would have had to explicitly select
these algorithms when creating volumes in the past.

Reviewed by:	cem, delphij
MFC after:	3 days
Relnotes:	yes
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D20344
2019-05-23 22:31:55 +00:00
Pawel Jakub Dawidek
2f07cdf871 Implement automatic online expansion of GELI providers - if the underlying
provider grows, GELI will expand automatically and will move the metadata
to the new location of the last sector.

This functionality is turned on by default. It can be turned off with the
-R flag, but it is not recommended - if the underlying provider grows and
automatic expansion is turned off, it won't be possible to attach this
provider again, as the metadata is no longer located in the last sector.

If the automatic expansion is turned off and the underlying provider grows,
GELI will only log a message with the previous size of the provider, so
recovery can be easier.

Obtained from:	Fudo Security
2019-04-03 23:57:37 +00:00
Pawel Jakub Dawidek
b4f850c006 - Add missing -T (notrim) option to the label subcommand.
- Add missing -T option in the onetime subcommand comment.

Obtained from:	Fudo Security
2019-04-03 23:50:52 +00:00
Dag-Erling Smørgrav
cdd2df880d Add a “skip_dsn” option to g_part's bootcode verb to prevent g_part_mbr
from setting the volume serial number.  This unbreaks older boot blocks
that don't support serial numbers, and allows boot0cfg to set the serial
number itself if requested by the user.

Submitted by:	lev@, yuripv@
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D17386
2018-11-27 14:58:19 +00:00
Ben Woods
e45068e3c9 geli init with multiple providers - fix init and fix -B "none"
Apply some fixes post rS336659, which allowed multiple provders to be
initialized in a single command.
- Fix issue where second and subsequent providers would fail init.
  This was due to the metadata struct being zeroed after the first
  provider init was completed, despite containing common data required
  for subsequent providers.
- Fix issue where -B "none" would still result in the metadata being
  backed-up if multiple providers had been specified. This was due to
  the backupfile of "none" being incorrectly made unique for each
  provider by appending "-<prov>".

Approved by:	asomers
Approved by:	re (gjb)
Differential Revision:	https://reviews.freebsd.org/D17096
2018-09-10 14:50:34 +00:00
Ben Woods
368455ec95 geli init: Allow initialization of multiple geli providers at once if
they use same passphrase and keyfiles.

Unique salt will be randomly generated for each provider to ensure the
Master Key for each is unique.

This change follows on from r335673 and r336602, which allowed multiple
providers to be attached in a single command.

Reviewed by:	asomers
Approved by:	sobomax
Differential Revision:	https://reviews.freebsd.org/D16115
2018-07-23 23:04:43 +00:00
Ben Woods
4b8e4d53fa geli attach: Fix exit codes and errors not being printed after r335673
Now that multiple providers can be attached at once, exit codes and
error messages must be handled correctly if there are failures in on
any of the providers.

Reported by:	asomers (Kyua test failures via continuous integration)
Reviewed by:	asomers
Approved by:	allanjude
Differential Revision:	https://reviews.freebsd.org/D16386
2018-07-22 13:40:52 +00:00
Warner Losh
fe5e6b2c56 Remove three stray instances of zfsloader. 2018-07-20 05:26:14 +00:00
Ben Woods
217df2da08 geli attach multiple providers
Allow attaching of multiple geli providers at once if they use same
passphrase and keyfiles.

This is helpful when the providers being attached are not used for boot,
and therefore the existing code to first try the cached password when
tasting the providers during boot does not apply.

Multiple providers with the same passphrase and keyfiles can be attached
at the same time during system start-up by adding the following to
rc.conf:
  geli_groups="storage backup"
  geli_storage_flags="-k /etc/geli/storage.keys"
  geli_storage_devices="ada0 ada1"
  geli_backup_flags="-j /etc/geli/backup.passfile -k /etc/geli/backup.keys"
  geli_backup_devices="ada2 ada3"

Reviewed by:	wblock, delphij, jilles
Approved by:	sobomax (src), bcr (doc)
Differential Revision:	https://reviews.freebsd.org/D12644
2018-06-26 18:07:16 +00:00