Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.
Submitted by: Jan Schaumann <jschauma@stevens.edu>
Pull Request: https://github.com/freebsd/freebsd/pull/96
pwgets() is based on ngets() from libstand, which includes a feature
that is not wanted in a very of the function designed for password
handling.
Pressing control+r echos out the entered string
This commit removes that feature from pwgets()
PR: 217298
Reported by: ehaupt
Reviewed by: kristof, tsoome, ehaupt
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D9782
The PBKDF2 in sys/geom/eli/pkcs5v2.c is around half the speed it could be
GELI's PBKDF2 uses a simple benchmark to determine a number of iterations
that will takes approximately 2 seconds. The security provided is actually
half what is expected, because an attacker could use the optimized
algorithm to brute force the key in half the expected time.
With this change, all newly generated GELI keys will be approximately 2x
as strong. Previously generated keys will talk half as long to calculate,
resulting in faster mounting of encrypted volumes. Users may choose to
rekey, to generate a new key with the larger default number of iterations
using the geli(8) setkey command.
Security of existing data is not compromised, as ~1 second per brute force
attempt is still a very high threshold.
PR: 202365
Original Research: https://jbp.io/2015/08/11/pbkdf2-performance-matters/
Submitted by: Joe Pixton <jpixton@gmail.com> (Original Version), jmg (Later Version)
Reviewed by: ed, pjd, delphij
Approved by: secteam, pjd (maintainer)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D8236
Usually there is some slack after the last partition due to 4k alignment
In the 10.3 EC2 images, there was not. EC2 seems to hang if you try to
read past the end of the disk in the loader, resulting in an unbootable
instance after upgrading to 11.0
PR: 213196
Reported by: Peter Ankerstal <peter@pean.org>
Tested by: cperciva
Reviewed by: tsoome
MFC after: 3 days
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D8144
Add support for 4k sector GELI encrypted partitions to the bootloader
This is the default created by the installer
Because the IV is different for each sector, and the XTS tweak carries forward you can not decrypt a partial sector if the starting offset is not 0
Make boot2 and the loader read in 4k aligned chunks
Reviewed by: ed, oshogbo
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D5820
