Page MenuHomeFreeBSD

zfskeys: if location is prompt then prompt during boot
Needs RevisionPublic

Authored by ambrisko on Aug 8 2022, 6:42 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Nov 12, 3:22 PM
Unknown Object (File)
Mon, Nov 11, 2:47 PM
Unknown Object (File)
Sun, Nov 10, 3:12 PM
Unknown Object (File)
Sun, Nov 10, 8:27 AM
Unknown Object (File)
Sun, Nov 10, 7:55 AM
Unknown Object (File)
Sun, Nov 10, 7:40 AM
Unknown Object (File)
Sun, Nov 10, 7:04 AM
Unknown Object (File)
Apr 6 2024, 10:44 PM

Details

Reviewers
allanjude
0mp
jhb
Summary

Sometimes, prompting for the key is needed. If the ZFS key is to be
entered during boot, then prompt and accept the key during boot.

Test Plan

Tested with a ZFS encryption using a file for key and another test to prompt for key.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 46790
Build 43679: arc lint + arc unit

Event Timeline

ambrisko added a reviewer: allanjude.

Do docs need to be updated?
Otherwise, I like it.

libexec/rc/rc.d/zfskeys
51

kl == prompt, so why obfuscate by expanding it here?

0mp requested changes to this revision.Sep 16 2022, 12:14 PM
In D36081#823478, @imp wrote:

Do docs need to be updated?

The rc.conf manual page does not document any of that at the moment. We probably should reference zfs-load-key(8) somewhere at least. This is not part of this revision though I'd say.

Otherwise, I like it.

I'm not sure if I don't understand the purpose of the /dev/tty redirects. Could you explain a bit the reason behind that construct?

Otherwise, seems OK as well

libexec/rc/rc.d/zfskeys
51

What's the reason for < /dev/tty > /dev/tty 2>/dev/tty?

This revision now requires changes to proceed.Sep 16 2022, 12:14 PM
libexec/rc/rc.d/zfskeys
51

Combining both questions.

I don't understand the "kl == prompt" question, if the key was set to prompt then we need to read the key from console. If is in not prompt mode then read the key from a file like the original code did. So when the ZFS key is set in prompt mode then it needs to read from /dev/tty etc. or it dies:

ZFS filesystem version: 5
ZFS storage pool version: features support (5000)
Key prompt for hdd_zfs_data_1/encrypted.
Key load error: encryption failure
 Key failed to load for hdd_zfs_data_1/encrypted.
    ....
Mounting /etc/fstab filesystems failed, startup aborted
ERROR: ABORTING BOOT (sending SIGTERM to parent)!

with /dev/tty:

ZFS filesystem version: 5
ZFS storage pool version: features support (5000)
Key prompt for hdd_zfs_data_1/encrypted.
Enter passphrase for 'hdd_zfs_data_1/encrypted':
<ZFS password entered>
Key loaded for hdd_zfs_data_1/encrypted.
Starting file system checks:
  ....
FreeBSD/amd64 (p15s) (ttyu0)

login:

/dev/tty makes it read and write to the console so the key can be entered.