Populate the GELI passphrase cache with the kern.geom.eli.passphrase

variable (if any) provided in the boot environment. Unset it from the kernel environment after doing this, so that the passphrase is no longer present in kernel memory once we enter userland. This will make it possible to provide a GELI passphrase via the boot loader; FreeBSD's loader does not yet do this, but GRUB (and PCBSD) will have support for this soon. Tested by: kmoore
2014-10-22 23:41:15 +00:00 · 2014-10-22 23:41:15 +00:00 · 66427784c1
commit 66427784c1
parent d4fef7d342
1 changed files with 19 additions and 0 deletions
--- a/sys/geom/eli/g_eli.c
+++ b/sys/geom/eli/g_eli.c
@ -93,6 +93,25 @@ SYSCTL_UINT(_kern_geom_eli, OID_AUTO, boot_passcache, CTLFLAG_RD,
    &g_eli_boot_passcache, 0,
    "Passphrases are cached during boot process for possible reuse");
 static void
+fetch_loader_passphrase(void * dummy)
+{
+	char * env_passphrase;
+
+	KASSERT(dynamic_kenv, ("need dynamic kenv"));
+
+	if ((env_passphrase = kern_getenv("kern.geom.eli.passphrase")) != NULL) {
+		/* Extract passphrase from the environment. */
+		strlcpy(cached_passphrase, env_passphrase,
+		    sizeof(cached_passphrase));
+		freeenv(env_passphrase);
+
+		/* Wipe the passphrase from the environment. */
+		kern_unsetenv("kern.geom.eli.passphrase");
+	}
+}
+SYSINIT(geli_fetch_loader_passphrase, SI_SUB_KMEM + 1, SI_ORDER_ANY,
+    fetch_loader_passphrase, NULL);
+static void
 zero_boot_passcache(void * dummy)
 {