From owner-freebsd-hackers@freebsd.org Sun Sep 6 01:16:13 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D806A9CBB22 for ; Sun, 6 Sep 2015 01:16:13 +0000 (UTC) (envelope-from starkbeats@gmail.com) Received: from mail-la0-x230.google.com (mail-la0-x230.google.com [IPv6:2a00:1450:4010:c03::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5F8BE8A3 for ; Sun, 6 Sep 2015 01:16:13 +0000 (UTC) (envelope-from starkbeats@gmail.com) Received: by lanb10 with SMTP id b10so32972537lan.3 for ; Sat, 05 Sep 2015 18:16:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:date:message-id :to:mime-version; bh=LqojoF8hTn7Emb9HSewhmwUfBvItrpHf+14L461SftM=; b=DEaDk5DSXE5WjGvSGatIJCIF0o2WS1P7y+GQ8zVFZcwI3EKduuqRyqdRy40H8NkFqN SiSMid88L3Gb+3/oEqSowfm/HsjNB/jc6Lk8U4TJlovWUiOnPa7S+ogFn3yVOoaqywLe ouesvuftm/xqcneUqQTrpW4pWbraXKSIfBaOQCq9aDIH0eYJWoWDFICzEJEQL5rCyi3e k3sTlLCq3AqigExwf7cq/TSOK0DTatKNJr6xRE5niCGyIvVJvv973LlpycOcgdadfIVw QeepkwoJm/TNG7lRXFHRm0UQ94WSmnTSAtVJcftYD+Zt88+Qi45Iz0Jea1qnZ/skYqUV rAQg== X-Received: by 10.152.20.228 with SMTP id q4mr10372717lae.74.1441502171205; Sat, 05 Sep 2015 18:16:11 -0700 (PDT) Received: from [192.168.0.2] (c83-251-248-85.bredband.comhem.se. [83.251.248.85]) by smtp.gmail.com with ESMTPSA id v6sm227742lby.49.2015.09.05.18.16.10 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 05 Sep 2015 18:16:10 -0700 (PDT) From: Fredrik Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Subject: modfind returns error on kernel module name Date: Sun, 6 Sep 2015 03:18:30 +0200 Message-Id: <6A80D610-39DC-4DAC-A4F5-1D03C8DCF572@gmail.com> To: FreeBSD Hackers Mime-Version: 1.0 (Apple Message framework v1085) X-Mailer: Apple Mail (2.1085) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Sep 2015 01:16:13 -0000 Hello I'm experimenting with a syscall KLD and are trying to find a loaded = module by name reference, but the modfind function always fails with = ENOENT. If I skip the modfind step and hard code in the value (which I = print when the module is loaded) it works as expected.=20 I use the exact name I use for my function and when I register the = function with the SYSCALL_MODULE macro. Any ideas what may be going on = here? From owner-freebsd-hackers@freebsd.org Sun Sep 6 05:27:20 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8DCE09CB3D6 for ; Sun, 6 Sep 2015 05:27:20 +0000 (UTC) (envelope-from noname.esst@yahoo.com) Received: from nm9-vm6.bullet.mail.ne1.yahoo.com (nm9-vm6.bullet.mail.ne1.yahoo.com [98.138.91.102]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5BF8F9B2 for ; Sun, 6 Sep 2015 05:27:20 +0000 (UTC) (envelope-from noname.esst@yahoo.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1441517105; bh=vcp5PDeg2omp2GQ1UhcynMoMt4CgWGDjzhPM6KX66rg=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=Ik/G/AkNtKN9tavKebKIyLAQmP89czSpIfCBKJxz9Cuq/efKtFMHYWBJnnAWwldCLjX4vtM0JRkycQJtXPHBw9VzsM23IPV6jlJyTFqXBqnU1nY3GHX/skzgZ0WgsztaXcYuc7eovhh+ejoc+AH5obj1Y9fzEVSbvPBrJ26xrreLtExnjqD1dhRX/ICMIxSuKXFqlALjXX9eKBHWqk5k8UrO2xdJPiQE0MFawl2h3X9da/pWJiUbbiXkM0fRNg9uHpYi6WsB/95RvqN0bgYQc0FrDruZEVn2lgI9EuQGw2AVCiuwOpg/btMedk6ubGRrPamQEZNe1qLuwtQPHNdJ4w== Received: from [98.138.101.131] by nm9.bullet.mail.ne1.yahoo.com with NNFMP; 06 Sep 2015 05:25:05 -0000 Received: from [98.138.89.166] by tm19.bullet.mail.ne1.yahoo.com with NNFMP; 06 Sep 2015 05:25:05 -0000 Received: from [127.0.0.1] by omp1022.mail.ne1.yahoo.com with NNFMP; 06 Sep 2015 05:25:05 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 590712.91044.bm@omp1022.mail.ne1.yahoo.com X-YMail-OSG: WlAsdkAVM1kAI1d1lvWUIK3G0qtev5IifDaYK85qxT_UMhygL1QFrIEbYutLKl2 r0f8F.aqZ3wca4O2r.onn3ufcnywc2HDjQykXlMr0FuplJ8511WZHTN0cVyOlZfm5KZAQE.Zgp6r GE1hnLoSkvRl2RP89JqEb2m2j5fDRAyZBzyAbE1cXfoCRSbWh8p8Mr1UnU8WvS97sViFtvPGoLvv jE5q1Q3Dm1O55aP.TbUT_B9zBaJQit7LXBn.6U4C3XCCJ.Q7dmB4uFAQp11lLgoAg7_HZ6IJm_95 kICp4B4nNXD13pUppmh4rWiYcQy8q2MkojFCZe5qz0LsMZV2Lub8swLCaL560Qcef7xnFGz14eLT gqQ350.uzmDGCxPYzXuudfiBxEXhyzpMBxjVfo4LzThWZIOdqWmITSv8rvq8KbqtbP9dSaiIxp9U qIEihUibc_ieXX64MxS865.LteeXndXVnjNZYXwM96jH9Ta_Yz5ej3fJYe4iuWM5S88LlTL3XVRe BHHlfrHrBm2Ji4fCyaQ-- Received: by 98.138.105.227; Sun, 06 Sep 2015 05:24:58 +0000 Date: Sun, 6 Sep 2015 05:24:55 +0000 (UTC) From: Nomad Esst Reply-To: Nomad Esst To: Adrian Chadd Cc: Freebsd Hackers List Message-ID: <2036397629.2295424.1441517095478.JavaMail.yahoo@mail.yahoo.com> In-Reply-To: References: Subject: Re: em. igb performance test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Sep 2015 05:27:20 -0000 Thanks for your reply. How can I solve this problem? e.g. speed up the link negotiation, buffer the packets while link negotiation is being done ? Any ideas? Regards. On Saturday, September 5, 2015 8:01 PM, Adrian Chadd wrote: Hi, It's likely a combination of STP and how long it takes to do link negotiation. Packets transmitted during link negotiation will be lost. -adrian On 5 September 2015 at 08:03, Slawa Olhovchenkov wrote: > On Sat, Sep 05, 2015 at 02:45:28PM +0000, Nomad Esst via freebsd-hackers wrote: > >> Hi allDuring some performance tests, we found out some weird problems. We use a shell script that do the following : >> do from 1 to 10Shutdown em/igb interfacesleep 3Bring em/igb interface uptcpreplay -i em0 -l ospf_hello.pcap sleep3end >> By running this shell on one side we expect 10 ospf hello packets to get arrived at the other side, but tcpdump (on the other side) shows 4, sometimes 8 and etc ... (not all 10 packets are arrived at the other side).We test this scenario with a Cisco router, and all packets are received at the Cisco side. What causes this packet loss in FreeBSD (maybe in em or igb drivers)?I know that this scenario may not have any use in the real world, but I'm curious, why Cisco don't have such behavior.Thanks in advance. > > uping interface not momentaly. > packets sending to down interface will be lost. > try to wait `status: active` before run tcpreplay. > Also, check STP off on interconnect switch you port. > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" From owner-freebsd-hackers@freebsd.org Sun Sep 6 06:48:27 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AB9F69CB2DE for ; Sun, 6 Sep 2015 06:48:27 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 668E8BB9 for ; Sun, 6 Sep 2015 06:48:27 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from slw by zxy.spb.ru with local (Exim 4.84 (FreeBSD)) (envelope-from ) id 1ZYTkS-000ByV-RS; Sun, 06 Sep 2015 09:48:20 +0300 Date: Sun, 6 Sep 2015 09:48:20 +0300 From: Slawa Olhovchenkov To: Nomad Esst Cc: Adrian Chadd , Freebsd Hackers List Subject: Re: em. igb performance test Message-ID: <20150906064820.GH21849@zxy.spb.ru> References: <2036397629.2295424.1441517095478.JavaMail.yahoo@mail.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2036397629.2295424.1441517095478.JavaMail.yahoo@mail.yahoo.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Sep 2015 06:48:27 -0000 On Sun, Sep 06, 2015 at 05:24:55AM +0000, Nomad Esst via freebsd-hackers wrote: > Thanks for your reply. How can I solve this problem? e.g. speed up the link negotiation, buffer the packets while link negotiation is being done ? Any ideas? > Regards. try this for wait carrier: until ifconfig em0 | grep -q 'status: active' do echo waiting carrier... sleep 1 done > > > On Saturday, September 5, 2015 8:01 PM, Adrian Chadd wrote: > > > > Hi, > > It's likely a combination of STP and how long it takes to do link > negotiation. Packets transmitted during link negotiation will be lost. > > > > -adrian > > > On 5 September 2015 at 08:03, Slawa Olhovchenkov wrote: > > On Sat, Sep 05, 2015 at 02:45:28PM +0000, Nomad Esst via freebsd-hackers wrote: > > > >> Hi allDuring some performance tests, we found out some weird problems. We use a shell script that do the following : > >> do from 1 to 10Shutdown em/igb interfacesleep 3Bring em/igb interface uptcpreplay -i em0 -l ospf_hello.pcap sleep3end > >> By running this shell on one side we expect 10 ospf hello packets to get arrived at the other side, but tcpdump (on the other side) shows 4, sometimes 8 and etc ... (not all 10 packets are arrived at the other side).We test this scenario with a Cisco router, and all packets are received at the Cisco side. What causes this packet loss in FreeBSD (maybe in em or igb drivers)?I know that this scenario may not have any use in the real world, but I'm curious, why Cisco don't have such behavior.Thanks in advance. > > > > uping interface not momentaly. > > packets sending to down interface will be lost. > > try to wait `status: active` before run tcpreplay. > > Also, check STP off on interconnect switch you port. > > _______________________________________________ > > freebsd-hackers@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" > > > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" From owner-freebsd-hackers@freebsd.org Sun Sep 6 08:13:51 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A5CDF9CB059 for ; Sun, 6 Sep 2015 08:13:51 +0000 (UTC) (envelope-from Don.whY@gmx.com) Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mout.gmx.net", Issuer "TeleSec ServerPass DE-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 3692DC78 for ; Sun, 6 Sep 2015 08:13:51 +0000 (UTC) (envelope-from Don.whY@gmx.com) Received: from [192.168.1.115] ([67.212.197.98]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0MLunc-1ZbmrY3TeG-007o6B for ; Sun, 06 Sep 2015 10:13:49 +0200 Message-ID: <55EBF5C1.2050906@gmx.com> Date: Sun, 06 Sep 2015 01:13:53 -0700 From: Don whY User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 MIME-Version: 1.0 To: FreeBSD-Hackers Mailing List Subject: Mount NetBSD partition/slice Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K0:IgVQQCgLNdNo+bbWV6mqB8v94z4TKkzxL/Ms78vUHRH9ESeHOl/ o2DXQn2crcuxqKIBWAjgFJEIFkbfFgwQw3cRZ/CYrGTDGkegMmrdWxoEuB+6chVP4vv2KXI xinugCiofywXSz43/YUREpvEiXH7xnFtka7OJ+oEZwPhd2NrMVOL0HPqMNC5+4iZZwBYKhl ZuYhSv2yKjNklHI2IrBOg== X-UI-Out-Filterresults: notjunk:1;V01:K0:/fbB2eefNQw=:89rfD8k8HEHLM7/RkMtv99 vkz6SzzYfdy/O+Lo7hZSgHPjxpGa64dmlEjiOz/u6gp0O0EqxuKs7bSulrqpa2OkR/mjSJe/S l9TnCfbe6xA+aNz3Jwz2+8xEOuVPK8fcJWAEMOIWjOtOGHptNGsITdxMmJDvlaLOx9Lv8ivLK 9Kxj1Q/2FXwbE1CE1EiR7oCEMWNrE/Yz9ZaGoRrsadAdqGal0SRWLuJVOZ0p62j8cTEn2vRc4 sEPYuKzrjOnsiJkMwFxvIdVqGRDihn0yVjucCwi4MivnJTyFossVlPejuNl9YFsBVLmT2DqYE +qp19uLyfAP9OTXguvnfQmyvtLOc2nNU1AguGFCJB53+M7xnBx2yCHXIrwY268Z6TIe3AVy4r T69g73LCYAbPv96AZrbmgspQW7VSsxl6CA1kX/P/ivbi6WRny4lBM1V3fB5p1TpsWJ50RdU1N 54ccIhqzPJOPZQG1MOd0HnoO1T0PE8VWm7Q7LPumuw1qPJfeoNV8+3GqF3hStwoGTlLWo9luZ z1mCBuuazO7GdnqGkMhNzfs4JKcNfko/oIS7iQ7+foQS/gFwW4TYaps5HVEw774lHm7zfVOjI Bj9geCjiPtAmGzdUHUBzyZjji6Va2qRh71PM6lzG9wiEBTBd5mAsRK3ViVyUG0Z5nskaXLNiZ Hemt8USMdLphD79IOFcpmCg1TFzA+yhanI4tlTiAv3DJ4V5PFc492f9tzu8o7oJKZ5ERjIPkh +44HmZRjT4vuWtuwEIPHcDUj1701Wrk9cqwIpw== X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Sep 2015 08:13:51 -0000 Hi, I've pulled the media from my NetBSD systems (6.x?) before moving to FreeBSD (9.2). The goal was to set up FreeBSD-based appliances and maintain them from FreeBSD *systems*. However, I've been having a tough time getting FreeBSD to play nice with the NetBSD media. A bit of research indicates that there is no support for these incompatible volume formats. So, I can either rebuild one of more NetBSD systems and pull all the data across a network connection. This could be tedious as there are 10-12 slices of significant size on each volume. (I had hoped to just install the drives in the FreeBSD boxen and cp(1) the contents of the volume at bus speeds.) Or, just rebuild the NetBSD systems and make NetBSD-based appliances (i.e., abandon FreeBSD). [I'm not an OS zealot; I'm just looking for something that *works* with the least amount of wasted effort/time] Have I missed some "trick" to coax NetBSD into *reading* these volumes? Thanks! --don From owner-freebsd-hackers@freebsd.org Sun Sep 6 08:15:13 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3CBA69CB18A for ; Sun, 6 Sep 2015 08:15:13 +0000 (UTC) (envelope-from Don.whY@gmx.com) Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mout.gmx.net", Issuer "TeleSec ServerPass DE-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C1347D92 for ; Sun, 6 Sep 2015 08:15:12 +0000 (UTC) (envelope-from Don.whY@gmx.com) Received: from [192.168.1.115] ([67.212.197.98]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0LfjlS-1YryIE3yKA-00pM52 for ; Sun, 06 Sep 2015 10:15:05 +0200 Message-ID: <55EBF60D.8090403@gmx.com> Date: Sun, 06 Sep 2015 01:15:09 -0700 From: Don whY User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 MIME-Version: 1.0 To: freebsd-hackers@freebsd.org Subject: Re: Mount NetBSD partition/slice References: <55EBF5C1.2050906@gmx.com> In-Reply-To: <55EBF5C1.2050906@gmx.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K0:1ZYY4Ny/eNbaP49AXym+0Erb6cUx+9F+3BVACL6klaMjSLiGQTu jfQpDsJq1AJoP8cEr6T0A3uXj9jWvw51CeZgdHCz/iQbOIQva2fejAS0FjrYiUl6io0iWaU PvchPlTwJ1FXx1vQ5+8i/kHoRImaEc6wrVux8f/qQbZ90uiBqTj2oKJEFjIxVo2K1FyX62Y iJfnSR0GJTZT1yuObfrhA== X-UI-Out-Filterresults: notjunk:1;V01:K0:2W/AEY/THlY=:AB6nbFy5c/WN2QKB9Bps7L SCy5CnR2CWaWbxO3dWSfVfw0Pmw1VQJlRnti//pFXzT4IZV6Pwf0ucJ77uIX3ByxEI+nm2fEe wA+SSQ1Q8sS7TPVHCppKUllhpBvavQ6HOli/Sa3lllgv6+KMQflO7qYWEe5eVgK0at3oZt1Jb UVkLsOys3KyQStk6qf+6TuO/Ig/c2arjS5dXr+ezMvvXhJVV44q7EzltmJcDQYXK2wwl64/B+ tqTGM65f3WlFAyoJZHugkN0nkl77sMAHI2ROXkhV8s2nsECSbitS8b2cWHiNFOAev/eT8QAJ3 43gtOLWLcfBPnPnAt0pBoIuQ9vHbXboL2Un59/WKzrBeDpGhUdreVZSh9MhyG8t2J+0W91jvi zQcYvJfOiwtSRbXh4Csywe+u4lLePAkt33WPT1Fb8AIzsZBKvSqVm+fLoQ7e5uBcneg9PXPBO k83lyEjcDjrSDicq0Zj5Y4y0f3j9vUwg4MJQ3MQ/bVqWF2aE/UrAHPd7P8NrVq4vRPqgK8GiO WUeuWLqfBLZut8TRV2F7Bnbj31noPHYyZHvVnhiFnZ35ux3ug8z6Gl7CQlQkuZhGRiQKpvTQR F1qol/Gfopp3vsM0lQBNJHywYHk7vIlDIpaVAPKhu6WpZ2hve3RtPw/TTBjuNbBnlr/xwAxW6 6qZGBms4cF7kBnE1dLPmw9DQcK8tyrZOb5UmGUHoQSQY3XeLs3C7Jkk+LYyAQU6rWXMeLnr1n 7VJ4r1EU8mfv1MjrmN3OMwhfzV7q3yzUzXs9xA== X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Sep 2015 08:15:13 -0000 On 9/6/2015 1:13 AM, Don whY wrote: > Have I missed some "trick" to coax NetBSD into *reading* these > volumes? Grrr... s/NetBSD/FreeBSD/ From owner-freebsd-hackers@freebsd.org Sun Sep 6 08:41:09 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 763B29CBED3 for ; Sun, 6 Sep 2015 08:41:09 +0000 (UTC) (envelope-from noname.esst@yahoo.com) Received: from nm26-vm5.bullet.mail.ne1.yahoo.com (nm26-vm5.bullet.mail.ne1.yahoo.com [98.138.91.248]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 41E1617F8 for ; Sun, 6 Sep 2015 08:41:08 +0000 (UTC) (envelope-from noname.esst@yahoo.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1441528861; bh=RYXkm+0p4SUGM9jetY4OWRw2LT3K3F+iCGrtak6k1Vw=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=Y6FQ0qzaJNpeuI/BWtW43JX/T684zlLJB40ciPm5QKCcsdNuXzX2QqmVvTGLnwVDAmTgrutqwx4o5if0I1OsDgSF5XGneLrZwtBkDfHy780k+MlqlOTIkSHKqbAnx6MpFqC7ZBvgeCn2BajyDz0sygP8TNJypRIc8HfkeQ71SHrwc708LeDO3E3XaXz70SefWQiB04XK7gRTTzkVFfMMTxSKv0v14qoz6Vwpk4Gl0VcpLQKtjC7dndVKu6F9sgMoD5ggXmUTrxE9psix1058FNstjAMDfVyiTFJcKmuQOcDAd3T4Sk4qapT36AojVoPzvDdai2NEzBjD4LOwHrstTw== Received: from [98.138.101.131] by nm26.bullet.mail.ne1.yahoo.com with NNFMP; 06 Sep 2015 08:41:01 -0000 Received: from [98.138.88.238] by tm19.bullet.mail.ne1.yahoo.com with NNFMP; 06 Sep 2015 08:41:01 -0000 Received: from [127.0.0.1] by omp1038.mail.ne1.yahoo.com with NNFMP; 06 Sep 2015 08:41:01 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 869525.3994.bm@omp1038.mail.ne1.yahoo.com X-YMail-OSG: Q2PofGUVM1nrPXm3dTA1.cOe8_4WlcUEfqTLZahNliStf.0zPryUZEA0aqG_y8F hZTAlxUD8CBHWvCndyrGurUOZAEK06YSOLvLSp9G2Q.2ANTVLND6am9hVXS1X8pNAet2yesH1xtT 2l8e0oys0Id4vIO8qxHR.t0vm5Ne8H7VFAtDCvq3IwVbEnXgniNXNGvLn_FlK_gT6J8kKyLSUnPu jFOPzQQ77X2DrRdVkC9oGbBshlZ3SVsMtW5BlJ7IHRoB89nDzcxtOsob9yQ.vm191_LWyiM91p1B g0WJIZ2MDTRlzqm1Ym65nbH1HlcZFiwndShAgNeacE2kbhHwWVwf_6fCmIBs02o50igeDNqwA9ig pn64YnEyD7N6D4Dp_DEb..BI2.3X1TcFs3qiw9TtHbjtwJs8osY2lybYByHjLWKJHbiwmCo6ns3i pFHCiKOL5K8cpsIkbdtoxqg2lmQYQK0eJYaSrdwgXDbqRZuaWfQdcabNhnTyYsgAbB8bGdme9Paz xYzqZwe7n8UnKSgFE1g-- Received: by 98.138.101.167; Sun, 06 Sep 2015 08:41:01 +0000 Date: Sun, 6 Sep 2015 08:40:57 +0000 (UTC) From: Nomad Esst Reply-To: Nomad Esst To: Adrian Chadd Cc: Freebsd Hackers List Message-ID: <210203157.2313294.1441528857993.JavaMail.yahoo@mail.yahoo.com> In-Reply-To: References: Subject: Re: em. igb performance test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Sep 2015 08:41:09 -0000 Thank you allWe've recently found out that if we change the media type to 10BaseT all ten packets are arrived. And if we change the number of packets to 2 in tcpreplay like tcpreplay -i gbeth0 -l 2 ospf_hello.pcap at least 1 packet is arrived at the time (while the media type is 10BaseT and auto negotiation is disabled). but sometimes the second packet is missed. Adrian, you said that someone is working on adding a buffer to queue the packets until the interface come up. How can I contact with him/her? Regards. On Sunday, September 6, 2015 1:00 PM, Adrian Chadd wrote: Hi, I can imagine someone hacking up driver support for buffering up to 'n' packets until the link comes up, or timing them out if the link doesn't come up in time. Thing is, bringing an interface up doesn't guarantee it'll be up and live by the time the next command is run. The cleanest way to get some clean behaviour here is to wait until the link shows active before running the next command. hth, -adrian On 5 September 2015 at 22:24, Nomad Esst wrote: > Thanks for your reply. How can I solve this problem? e.g. speed up the link > negotiation, buffer the packets while link negotiation is being done ? Any > ideas? > > Regards. > > > > On Saturday, September 5, 2015 8:01 PM, Adrian Chadd > wrote: > > > > Hi, > > It's likely a combination of STP and how long it takes to do link > negotiation. Packets transmitted during link negotiation will be lost. > > > > -adrian > > > On 5 September 2015 at 08:03, Slawa Olhovchenkov wrote: >> On Sat, Sep 05, 2015 at 02:45:28PM +0000, Nomad Esst via freebsd-hackers >> wrote: >> >>> Hi allDuring some performance tests, we found out some weird problems. We >>> use a shell script that do the following : >>> do from 1 to 10Shutdown em/igb interfacesleep 3Bring em/igb interface >>> uptcpreplay -i em0 -l ospf_hello.pcap sleep3end >>> By running this shell on one side we expect 10 ospf hello packets to get >>> arrived at the other side, but tcpdump (on the other side) shows 4, >>> sometimes 8 and etc ... (not all 10 packets are arrived at the other >>> side).We test this scenario with a Cisco router, and all packets are >>> received at the Cisco side. What causes this packet loss in FreeBSD (maybe >>> in em or igb drivers)?I know that this scenario may not have any use in the >>> real world, but I'm curious, why Cisco don't have such behavior.Thanks in >>> advance. >> >> uping interface not momentaly. >> packets sending to down interface will be lost. >> try to wait `status: active` before run tcpreplay. >> Also, check STP off on interconnect switch you port. >> _______________________________________________ >> freebsd-hackers@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" > > From owner-freebsd-hackers@freebsd.org Sun Sep 6 08:54:08 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 121849CB5A9 for ; Sun, 6 Sep 2015 08:54:08 +0000 (UTC) (envelope-from freebsd-hackers@dino.sk) Received: from mailhost.netlabit.sk (mailhost.netlabit.sk [84.245.65.72]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8A8571CD8 for ; Sun, 6 Sep 2015 08:54:06 +0000 (UTC) (envelope-from freebsd-hackers@dino.sk) Received: from zeta.dino.sk (fw1.dino.sk [84.245.95.252]) (AUTH: LOGIN milan) by mailhost.netlabit.sk with ESMTPA; Sun, 06 Sep 2015 10:48:53 +0200 id 0041C53F.55EBFDF5.00009503 Date: Sun, 6 Sep 2015 10:48:52 +0200 From: Milan Obuch To: freebsd-hackers@freebsd.org Subject: Re: Mount NetBSD partition/slice Message-ID: <20150906104852.3c4a6254@zeta.dino.sk> In-Reply-To: <55EBF5C1.2050906@gmx.com> References: <55EBF5C1.2050906@gmx.com> X-Mailer: Claws Mail 3.12.0 (GTK+ 2.24.28; i386-portbld-freebsd10.1) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Sep 2015 08:54:08 -0000 On Sun, 06 Sep 2015 01:13:53 -0700 Don whY wrote: > Hi, > > I've pulled the media from my NetBSD systems (6.x?) before moving to > FreeBSD (9.2). The goal was to set up FreeBSD-based appliances and > maintain them from FreeBSD *systems*. > > However, I've been having a tough time getting FreeBSD to play nice > with the NetBSD media. A bit of research indicates that there is > no support for these incompatible volume formats. > > So, I can either rebuild one of more NetBSD systems and pull all > the data across a network connection. This could be tedious as > there are 10-12 slices of significant size on each volume. (I had > hoped to just install the drives in the FreeBSD boxen and cp(1) the > contents of the volume at bus speeds.) > > Or, just rebuild the NetBSD systems and make NetBSD-based appliances > (i.e., abandon FreeBSD). > > [I'm not an OS zealot; I'm just looking for something that *works* > with the least amount of wasted effort/time] > > Have I missed some "trick" to coax NetBSD into *reading* these > volumes? > > Thanks! > --don > What does 'gpart show' under FreeBSD say? I did not test NetBSD for a long time, but maybe there is some solution for you... Milan From owner-freebsd-hackers@freebsd.org Sun Sep 6 12:15:21 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4C9E39CC3F6 for ; Sun, 6 Sep 2015 12:15:21 +0000 (UTC) (envelope-from wblock@wonkity.com) Received: from wonkity.com (wonkity.com [67.158.26.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "wonkity.com", Issuer "wonkity.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id EB04A1CDB for ; Sun, 6 Sep 2015 12:15:20 +0000 (UTC) (envelope-from wblock@wonkity.com) Received: from wonkity.com (localhost [127.0.0.1]) by wonkity.com (8.15.2/8.15.2) with ESMTPS id t86CFIdR024242 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 6 Sep 2015 06:15:18 -0600 (MDT) (envelope-from wblock@wonkity.com) Received: from localhost (wblock@localhost) by wonkity.com (8.15.2/8.15.2/Submit) with ESMTP id t86CFIah024239; Sun, 6 Sep 2015 06:15:18 -0600 (MDT) (envelope-from wblock@wonkity.com) Date: Sun, 6 Sep 2015 06:15:18 -0600 (MDT) From: Warren Block To: Don whY cc: FreeBSD-Hackers Mailing List Subject: Re: Mount NetBSD partition/slice In-Reply-To: <55EBF5C1.2050906@gmx.com> Message-ID: References: <55EBF5C1.2050906@gmx.com> User-Agent: Alpine 2.20 (BSF 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (wonkity.com [127.0.0.1]); Sun, 06 Sep 2015 06:15:18 -0600 (MDT) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Sep 2015 12:15:21 -0000 On Sun, 6 Sep 2015, Don whY wrote: > Hi, > > I've pulled the media from my NetBSD systems (6.x?) before moving to > FreeBSD (9.2). The goal was to set up FreeBSD-based appliances and > maintain them from FreeBSD *systems*. > > However, I've been having a tough time getting FreeBSD to play nice > with the NetBSD media. A bit of research indicates that there is > no support for these incompatible volume formats. It's not clear whether you mean filesystems or a partitioning system or maybe some kind of RAID-type "volume". > So, I can either rebuild one of more NetBSD systems and pull all > the data across a network connection. This could be tedious as > there are 10-12 slices of significant size on each volume. (I had > hoped to just install the drives in the FreeBSD boxen and cp(1) the > contents of the volume at bus speeds.) > > Or, just rebuild the NetBSD systems and make NetBSD-based appliances > (i.e., abandon FreeBSD). > > [I'm not an OS zealot; I'm just looking for something that *works* > with the least amount of wasted effort/time] > > Have I missed some "trick" to coax NetBSD into *reading* these > volumes? It depends on the answer to the question above. If FreeBSD can read the NetBSD version of UFS but there is some header/partitioning data in the way, there is an example of skipping over that in mdconfig(8). If NetBSD can read and write FreeBSD UFS, then add another drive with FreeBSD UFS to the NetBSD system and copy it there. If it is something only NetBSD can read, a NetBSD VM on a FreeBSD host could deal with it. scp/rsync/cpdup could be used. That will go through the VM-to-host network. In theory, that would be faster than a physical network. In practice, it might not be any faster. From owner-freebsd-hackers@freebsd.org Sun Sep 6 15:58:01 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 28B789CB270 for ; Sun, 6 Sep 2015 15:58:01 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id DAA72915 for ; Sun, 6 Sep 2015 15:58:00 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from jre-mbp.elischer.org (ppp121-45-243-143.lns20.per4.internode.on.net [121.45.243.143]) (authenticated bits=0) by vps1.elischer.org (8.15.2/8.15.2) with ESMTPSA id t86FvnWl021567 (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Sun, 6 Sep 2015 08:57:52 -0700 (PDT) (envelope-from julian@freebsd.org) Subject: Re: Mount NetBSD partition/slice To: Don whY , FreeBSD-Hackers Mailing List References: <55EBF5C1.2050906@gmx.com> From: Julian Elischer Message-ID: <55EC6277.1040002@freebsd.org> Date: Sun, 6 Sep 2015 23:57:43 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 In-Reply-To: <55EBF5C1.2050906@gmx.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Sep 2015 15:58:01 -0000 On 9/6/15 4:13 PM, Don whY wrote: > Hi, > > I've pulled the media from my NetBSD systems (6.x?) before moving to > FreeBSD (9.2). The goal was to set up FreeBSD-based appliances and > maintain them from FreeBSD *systems*. > > However, I've been having a tough time getting FreeBSD to play nice > with the NetBSD media. A bit of research indicates that there is > no support for these incompatible volume formats. > > So, I can either rebuild one of more NetBSD systems and pull all > the data across a network connection. This could be tedious as > there are 10-12 slices of significant size on each volume. (I had > hoped to just install the drives in the FreeBSD boxen and cp(1) the > contents of the volume at bus speeds.) > > Or, just rebuild the NetBSD systems and make NetBSD-based appliances > (i.e., abandon FreeBSD). > > [I'm not an OS zealot; I'm just looking for something that *works* > with the least amount of wasted effort/time] > > Have I missed some "trick" to coax NetBSD into *reading* these > volumes? > > Thanks! > --don > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to > "freebsd-hackers-unsubscribe@freebsd.org" I had the same problem when moving from Mach2.5 to 386BSD in 1992.. answer.. after making a physical copy (always make a physical copy), I noted down the start and end locations for the partitions I wanted, and created new 386BSD disklabels on the drive, overwriting the Mach VTOCs . I set the partitions in the new disklabel to match the locations of the old ones. then I just mounted them as the partitioning scheme doesn't touch the contents of the partitions, just defines them. NetBSD have more 'slices' than we had, so you may have to copy out the first 8 and then do it again and do the second 8. use fdisk and disklabel. IF there is some small amount of space at the end of the device, and you can do without the first partition, (copy it off first) you maybe able to use a gpt partition table and get them all (except I remmeber that a gpt partitoning block set, uses more space than may be available at the front of a NetBSD drive before the frst important information. It also uses some space at the end, but you'll have to google it to find out how much in each case. From owner-freebsd-hackers@freebsd.org Sun Sep 6 16:14:20 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5F96F9CBBA3 for ; Sun, 6 Sep 2015 16:14:20 +0000 (UTC) (envelope-from dieterbsd@gmail.com) Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 30E6210F9 for ; Sun, 6 Sep 2015 16:14:20 +0000 (UTC) (envelope-from dieterbsd@gmail.com) Received: by igbni9 with SMTP id ni9so43799891igb.0 for ; Sun, 06 Sep 2015 09:14:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=T79mkKEGfeLZr6sQe3HDkniLAt8Z7QyDz0U6rHJ9vPA=; b=jK745k9cIikaOCetJW85VysRpMo7BMBjUk/VJrT49OxljJ7SQ1AkqITBvtzu1O33M1 r5zIw4jyPPwgQmy/tWMgoP/y/EC8Kkvtcw08LEofNJm84WOvtmBUmY6bMdu579olZEGZ W0nfFdt7/D4m4NEABYGpdCWKG2DMApTPtK+VYofwKcI65W/kJaF5zj7OY+pZmaqfXAxJ hgkBX293uUpveS0fbdIMbkhqqT4akzJFIxMMxBHgsGtcVxy+WvHQR7qdeXdXXlLh2yl3 kd2C4jrn7H6DnY8OPKVyELb+dCyqp3V74hXqpdi1xgWSTv7hKjXZLlcAtnFioYTqJCZq 5/pQ== MIME-Version: 1.0 X-Received: by 10.50.111.83 with SMTP id ig19mr22283393igb.82.1441556059210; Sun, 06 Sep 2015 09:14:19 -0700 (PDT) Received: by 10.64.2.132 with HTTP; Sun, 6 Sep 2015 09:14:19 -0700 (PDT) Date: Sun, 6 Sep 2015 09:14:19 -0700 Message-ID: Subject: Re: Mount NetBSD partition/slice From: Dieter BSD To: freebsd-hackers@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Sep 2015 16:14:20 -0000 Don whY: > A bit of research indicates that there is > no support for these incompatible volume formats. What, exactly, do you mean by "volume formats"? What type of media? Some USB-to-[PS]ATA bridges have bugs (or just plain brain damage) and sector(s) are missing. This can prevent the OS from finding the partitioning info. This can be worked around by hacking the kernel, but probably doesn't qualify as the "least amount of wasted effort/time" you are seeking. What type of partitioning? BSD disklabel? MBR? GPT? ... What filesystem? I have vanilla sata disks with a NetBSD mbr, and NetBSD 4.0 and 5.0.1 partitions ("slices" if you prefer), FFS with softdep. FreeBSD/amd64 6.x, 7.x and 8.x mount and read these partitions fine. NetBSD 6.0 and newer would not have softdep. FreeBSD 10.1 is broken. NetBSD partitions on gpt disks also mount and read fine under FreeBSD. From owner-freebsd-hackers@freebsd.org Mon Sep 7 05:51:49 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 321719CBF4E for ; Mon, 7 Sep 2015 05:51:49 +0000 (UTC) (envelope-from noname.esst@yahoo.com) Received: from nm25-vm0.bullet.mail.ne1.yahoo.com (nm25-vm0.bullet.mail.ne1.yahoo.com [98.138.91.73]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id F30631BB8 for ; Mon, 7 Sep 2015 05:51:48 +0000 (UTC) (envelope-from noname.esst@yahoo.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1441604956; bh=cX6xIiPTYHrOQK4PbYYojbP/t2XxKQFtw+/xjBqMYAU=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=HuKWS+1qKH/dEFVC4uFQpd7gwBhRT0NC8Ma+veBV1cZM0GqcDK/jSR8dhoowDN82TtnHaOg7dMjze9u9NKRWDC/DVry4gotOqNh4BnykCQKy/Q69FQzzcIzM4N9/Y8Cw7blqdCM3Fp4wX3mrOm+DR87gx+nv16eedPve//qRpH5Txg0WRaPIZmeoyXMG0YB/BFghwLmo/QeTCulC+4CsJpne0NMFCDEJk8+QH3czU5Qy617M/KgBZWGFWsJoamW16uatd4MnnodylKE+QkdtUnUjKMhts00t258dFA7RcLO3t/1/xB6Dj2J1e67dzIiFLAH1RzJBUtkx4v2G+bX06A== Received: from [98.138.101.130] by nm25.bullet.mail.ne1.yahoo.com with NNFMP; 07 Sep 2015 05:49:16 -0000 Received: from [98.138.87.10] by tm18.bullet.mail.ne1.yahoo.com with NNFMP; 07 Sep 2015 05:49:16 -0000 Received: from [127.0.0.1] by omp1010.mail.ne1.yahoo.com with NNFMP; 07 Sep 2015 05:49:16 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 76964.30357.bm@omp1010.mail.ne1.yahoo.com X-YMail-OSG: XcUpE_gVM1lqyOv1ue9dk.I2LDXTHYeP1st6_9Z7QD1jva21Y5XazTNIO1oIvq6 Q8XpivviM25W6fTD37KA6Bn7teBWe6Bx7ZIgXewMdOzqZtBElVgYzypeJfa9Bb.pzvP8kYowfegB Vw4FWp8y7MJfLir07.hcE1APaRtp8QK1LxiRa.g8zoOQMVX6InonP0n0YrmXzLxS.pwN5SO_22bv soJUPwfgexEteuXhp8LkcroXBCUx.VZQpwLmsL81DLXNEp5lV_orimVp8Vwl1CkPpPMXUMdpEFmj HRLV2dGfu.DkyJ4PZBbUe8rVn7oBvmuNBpEPAsz5cVURhfZEetpMS.p7dkM0q.O09r3ZIZYx4sue 10CwtdHszy6zr.NVIjrDdfFwg1LAu6lb05k5rB2xj0FsjfffFlFkA.Q9uLSm45C7ztNiY0.cMsGp 6beNgf_7k_qaxZWuDQ1wAgjl0IdUi7v9zEu0c9gvXREENc7z3dnQiSEf4YYiBSoYkuCPs0HoixRG ip6mhEY8cwgQrFaFFZQ-- Received: by 98.138.105.219; Mon, 07 Sep 2015 05:49:15 +0000 Date: Mon, 7 Sep 2015 05:49:14 +0000 (UTC) From: Nomad Esst Reply-To: Nomad Esst To: Adrian Chadd Cc: Freebsd Hackers List Message-ID: <116728681.2558040.1441604954963.JavaMail.yahoo@mail.yahoo.com> In-Reply-To: References: Subject: Re: em. igb performance test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Sep 2015 05:51:49 -0000 Thank you Adrian.=C2=A0Do you have any ideas on how to add a buffer until t= he link is up? Regards.=20 On Sunday, September 6, 2015 7:08 PM, Adrian Chadd wrote: =20 =20 No, I meant you'd likely have to do that in order to get the functionality you desire! -a On 6 September 2015 at 01:40, Nomad Esst wrote: > Thank you all > We've recently found out that if we change the media type to 10BaseT all = ten > packets are arrived. And if we change the number of packets to 2 in > tcpreplay like > > tcpreplay -i gbeth0 -l 2 ospf_hello.pcap > > at least 1 packet is arrived at the time (while the media type is 10BaseT > and auto negotiation is disabled). but sometimes the second packet is > missed. > > Adrian, you said that someone is working on adding a buffer to queue the > packets until the interface come up. How can I contact with him/her? > > Regards. > > > > On Sunday, September 6, 2015 1:00 PM, Adrian Chadd > wrote: > > > > Hi, > > I can imagine someone hacking up driver support for buffering up to > 'n' packets until the link comes up, or timing them out if the link > doesn't come up in time. Thing is, bringing an interface up doesn't > guarantee it'll be up and live by the time the next command is run. > The cleanest way to get some clean behaviour here is to wait until the > link shows active before running the next command. > > hth, > > > -adrian > > > On 5 September 2015 at 22:24, Nomad Esst wrote: >> Thanks for your reply. How can I solve this problem? e.g. speed up the >> link >> negotiation, buffer the packets while link negotiation is being done ? A= ny >> ideas? >> >> Regards. >> >> >> >> On Saturday, September 5, 2015 8:01 PM, Adrian Chadd >> wrote: >> >> >> >> Hi, >> >> It's likely a combination of STP and how long it takes to do link >> negotiation. Packets transmitted during link negotiation will be lost. >> >> >> >> -adrian >> >> >> On 5 September 2015 at 08:03, Slawa Olhovchenkov wrote: >>> On Sat, Sep 05, 2015 at 02:45:28PM +0000, Nomad Esst via freebsd-hacker= s >>> wrote: >>> >>>> Hi allDuring some performance tests, we found out some weird problems. >>>> We >>>> use a shell script that do the following : >>>> do from 1 to 10Shutdown em/igb interfacesleep 3Bring em/igb interface >>>> uptcpreplay -i em0 -l ospf_hello.pcap sleep3end >>>> By running this shell on one side we expect 10 ospf hello packets to g= et >>>> arrived at the other side, but tcpdump (on the other side) shows 4, >>>> sometimes 8 and etc ... (not all 10 packets are arrived at the other >>>> side).We test this scenario with a Cisco router, and all packets are >>>> received at the Cisco side. What causes this packet loss in FreeBSD >>>> (maybe >>>> in em or igb drivers)?I know that this scenario may not have any use i= n >>>> the >>>> real world, but I'm curious, why Cisco don't have such behavior.Thanks >>>> in >>>> advance. >>> >>> uping interface not momentaly. >>> packets sending to down interface will be lost. >>> try to wait `status: active` before run tcpreplay. >>> Also, check STP off on interconnect switch you port. >>> _______________________________________________ >>> freebsd-hackers@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >>> To unsubscribe, send any mail to >>> "freebsd-hackers-unsubscribe@freebsd.org" >> >> > > =20 From owner-freebsd-hackers@freebsd.org Mon Sep 7 10:45:03 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7C4E99C8F94 for ; Mon, 7 Sep 2015 10:45:03 +0000 (UTC) (envelope-from lars@e-new.0x20.net) Received: from mail.0x20.net (mail.0x20.net [IPv6:2001:aa8:fffb:1::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.0x20.net", Issuer "mail.0x20.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 1683E1BD6; Mon, 7 Sep 2015 10:45:02 +0000 (UTC) (envelope-from lars@e-new.0x20.net) Received: from e-new.0x20.net (mail.0x20.net [IPv6:2001:aa8:fffb:1::3]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.0x20.net (Postfix) with ESMTPS id 842F26DF91B; Mon, 7 Sep 2015 12:44:59 +0200 (CEST) Received: from e-new.0x20.net (localhost [127.0.0.1]) by e-new.0x20.net (8.14.7/8.14.7) with ESMTP id t87AixWe092589; Mon, 7 Sep 2015 12:44:59 +0200 (CEST) (envelope-from lars@e-new.0x20.net) Received: (from lars@localhost) by e-new.0x20.net (8.14.7/8.14.7/Submit) id t87Aiwx3091508; Mon, 7 Sep 2015 12:44:58 +0200 (CEST) (envelope-from lars) Date: Mon, 7 Sep 2015 12:44:58 +0200 From: Lars Engels To: Pavel Timofeev Cc: Stefan Esser , freebsd-hackers@freebsd.org Subject: Re: How to control and setup service? Message-ID: <20150907104458.GL16003@e-new.0x20.net> References: <55DF261C.80009@freebsd.org> <20150827200534.GH16003@e-new.0x20.net> <55E086D3.1040700@freebsd.org> <55E1803E.7080706@freebsd.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="kkRamCq5m5VQq0L6" Content-Disposition: inline In-Reply-To: X-Editor: VIM - Vi IMproved 7.4 X-Operation-System: FreeBSD 8.4-RELEASE-p23 User-Agent: Mutt/1.5.23 (2014-03-12) X-Mailman-Approved-At: Mon, 07 Sep 2015 11:29:33 +0000 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Sep 2015 10:45:03 -0000 --kkRamCq5m5VQq0L6 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Aug 31, 2015 at 10:57:27AM +0300, Pavel Timofeev wrote: > 2015-08-29 12:49 GMT+03:00 Stefan Esser : > > Am 28.08.2015 um 18:51 schrieb Pavel Timofeev: > >> Sorry for top posting! It's pretty hard to write email walking under > >> heavy rain and umbrella. > >> So, I talked about special key, not default behaviour. > >> Let me give you an example. > >> You got a server (or ten) which was/were somehow configured before you. > >> You want to reconfigure it/them. You don't care how and where it's > >> already configured, you just want to set particular rcvars and be sure > >> that no other rcvars are set. > >> > >> Before you came it was: > >> mysql_enable=3D"YES/NO" # no matter > >> mysql_datadir=3D"/mycozystorage/db/mysql" > >> mysql_defaults_extra_file=3D"/mycozystorage/mysql/my.cnf" > >> mysql_plugin_dir=3D"/somewhere/lib/mysql/plugin" > >> mysql_log_error=3D"/mycozystorage/db/mysql/hostname.err" > >> > >> then you run something like (look at -k key) > >> # service -k mysql-server enable set datadir "/mysqldb" log_error > >> "/mysqllogs/hostname.err" > >> it becomes > >> mysql_enable=3D"YES" > >> mysql_datadir=3D"/mysqldb" > >> mysql_log_error=3D"/mysqllogs/hostname.err" > >> > >> I. e. sets what requested and deletes rcvars which was not requested. > > > > I think that the removal of the previous config state should not come > > as the side-effect of some "set" command. > > > > I'd rather introduce a now verb for this purpose, which has the effect > > of clearing all previous settings for a service, instead of overloading > > the "set" operation. >=20 > BTW, it's already suggested here https://reviews.freebsd.org/D451 > it's rcdelete. Not sure if it's good name. >=20 Back from holidays... It would be nice if we could find a consensus what should be done with my patch in D451. The code itself works fine for me, but what's still unclear is what config files should be touched by it: 1 /etc/rc.conf 2 /etc/rc.conf.local 3 /etc/rc.conf.d/$servicename I could add some flags to service(8), e.g. -l to edit rc.conf.local, -d for /etc/rc.conf.d. But please don't let the review rot any longer. :) --kkRamCq5m5VQq0L6 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQF8BAEBCgBmBQJV7WqqXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4RjQwMDE3RTRERjUzMTI1N0FGRTUxNDlF NTRDQjM3RDNBMDg5RDZEAAoJEOVMs306CJ1t5hsH/3HBSlGFYgxcO6R9jC06Etoq /RVkrA87XyKNQTstH0UVkEZl5Pvc8CI6veYRvEmuVwI18FmF9UW6H7wUOEQTKoJN b/EzB3w3QCG5hNp1jv22SG0gpDiIpFTV7TxtUDbEjdUWa5YbzE3u96xlJ2ZsxPAl Ls5Sx/zphW+pe/L5E66gkETn0g5aJmeB6GJYWkE0uuWo9dZIcbAz+p3qzwwLsuC1 zJQHASsGMxd0xItWzg+47sd4TkQbQTud9U3ZbOdY1TMvvkjWShMz4vCQ/yH5aQPL WkpO5qZlUdb+xPlhcigqm/0C9cwiKgSZ5dM3pmJwJUMC2Z3bycO4VyCzhmbBhlA= =5JJL -----END PGP SIGNATURE----- --kkRamCq5m5VQq0L6-- From owner-freebsd-hackers@freebsd.org Mon Sep 7 14:59:38 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 416799CC47A for ; Mon, 7 Sep 2015 14:59:38 +0000 (UTC) (envelope-from timp87@gmail.com) Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C59531E4F; Mon, 7 Sep 2015 14:59:37 +0000 (UTC) (envelope-from timp87@gmail.com) Received: by wiclk2 with SMTP id lk2so91605140wic.0; Mon, 07 Sep 2015 07:59:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ueQqSw4VyS9nk2cHXH2MYF0TFgV56NPUvkcx++uMZFY=; b=CPE/J/yhkgxCYpi692cSjdZBpwsnZJ1cz7afaSoWnBQREBGQNvHdJjPRqkKULv3pOJ s9Z8N/tBZFZdwgqkPiYBD1agzo/xmQEP5Pqkv+AQB2sg+GGuwEWl7H2aosxSfqlac32e jFs3EylZvtD3PIVv+WR9WDcqovqbh7db8ADwf13gqT8X/xaEe3a00mWV7BKqqMnE/Up/ PW6FrIcblFHKWcOok4VjriEl/qHgknnIxYR5ya7yEddiUH9TOZt+vZYz+WQablfZlVPN e+gGte1TAp75ri0LT1jopBqipof/1TJm1WofzhDhGwMbBVC0r2m5YruVb2LT1S85Nodn nHEg== MIME-Version: 1.0 X-Received: by 10.180.85.194 with SMTP id j2mr34953686wiz.11.1441637975291; Mon, 07 Sep 2015 07:59:35 -0700 (PDT) Received: by 10.28.9.195 with HTTP; Mon, 7 Sep 2015 07:59:35 -0700 (PDT) In-Reply-To: <20150907104458.GL16003@e-new.0x20.net> References: <55DF261C.80009@freebsd.org> <20150827200534.GH16003@e-new.0x20.net> <55E086D3.1040700@freebsd.org> <55E1803E.7080706@freebsd.org> <20150907104458.GL16003@e-new.0x20.net> Date: Mon, 7 Sep 2015 17:59:35 +0300 Message-ID: Subject: Re: How to control and setup service? From: Pavel Timofeev To: Lars Engels Cc: Stefan Esser , freebsd-hackers@freebsd.org Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Sep 2015 14:59:38 -0000 2015-09-07 13:44 GMT+03:00 Lars Engels : > On Mon, Aug 31, 2015 at 10:57:27AM +0300, Pavel Timofeev wrote: >> 2015-08-29 12:49 GMT+03:00 Stefan Esser : >> > Am 28.08.2015 um 18:51 schrieb Pavel Timofeev: >> >> Sorry for top posting! It's pretty hard to write email walking under >> >> heavy rain and umbrella. >> >> So, I talked about special key, not default behaviour. >> >> Let me give you an example. >> >> You got a server (or ten) which was/were somehow configured before you. >> >> You want to reconfigure it/them. You don't care how and where it's >> >> already configured, you just want to set particular rcvars and be sure >> >> that no other rcvars are set. >> >> >> >> Before you came it was: >> >> mysql_enable="YES/NO" # no matter >> >> mysql_datadir="/mycozystorage/db/mysql" >> >> mysql_defaults_extra_file="/mycozystorage/mysql/my.cnf" >> >> mysql_plugin_dir="/somewhere/lib/mysql/plugin" >> >> mysql_log_error="/mycozystorage/db/mysql/hostname.err" >> >> >> >> then you run something like (look at -k key) >> >> # service -k mysql-server enable set datadir "/mysqldb" log_error >> >> "/mysqllogs/hostname.err" >> >> it becomes >> >> mysql_enable="YES" >> >> mysql_datadir="/mysqldb" >> >> mysql_log_error="/mysqllogs/hostname.err" >> >> >> >> I. e. sets what requested and deletes rcvars which was not requested. >> > >> > I think that the removal of the previous config state should not come >> > as the side-effect of some "set" command. >> > >> > I'd rather introduce a now verb for this purpose, which has the effect >> > of clearing all previous settings for a service, instead of overloading >> > the "set" operation. >> >> BTW, it's already suggested here https://reviews.freebsd.org/D451 >> it's rcdelete. Not sure if it's good name. >> > > Back from holidays... > > It would be nice if we could find a consensus what should be done with > my patch in D451. The code itself works fine for me, but what's still > unclear is what config files should be touched by it: > > 1 /etc/rc.conf > 2 /etc/rc.conf.local > 3 /etc/rc.conf.d/$servicename > > I could add some flags to service(8), e.g. -l to edit rc.conf.local, -d > for /etc/rc.conf.d. I like an approach when /etc/rc.conf is a default place, and another default place is controlled through such flags. > > But please don't let the review rot any longer. :) Well, I'd reread this mail chain from the beginning. If you don't mind I could make a list of items/ideas, which can be discussed/approved/dropped then. > From owner-freebsd-hackers@freebsd.org Mon Sep 7 16:36:47 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E6FCE9CCCC7 for ; Mon, 7 Sep 2015 16:36:46 +0000 (UTC) (envelope-from allanjude@freebsd.org) Received: from mx1.scaleengine.net (mx1.scaleengine.net [209.51.186.6]) by mx1.freebsd.org (Postfix) with ESMTP id A90DE1F10 for ; Mon, 7 Sep 2015 16:36:46 +0000 (UTC) (envelope-from allanjude@freebsd.org) Received: from [10.1.1.2] (unknown [10.1.1.2]) (Authenticated sender: allanjude.freebsd@scaleengine.com) by mx1.scaleengine.net (Postfix) with ESMTPSA id 1CF439A8F for ; Mon, 7 Sep 2015 16:36:46 +0000 (UTC) Subject: Re: How to control and setup service? To: freebsd-hackers@freebsd.org References: <55DF261C.80009@freebsd.org> <20150827200534.GH16003@e-new.0x20.net> <55E086D3.1040700@freebsd.org> <55E1803E.7080706@freebsd.org> <20150907104458.GL16003@e-new.0x20.net> From: Allan Jude Message-ID: <55EDBD63.6060600@freebsd.org> Date: Mon, 7 Sep 2015 12:37:55 -0400 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 In-Reply-To: <20150907104458.GL16003@e-new.0x20.net> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="es2nT6xvD5npPhVCgtkNRI8dC255Whi65" X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Sep 2015 16:36:47 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --es2nT6xvD5npPhVCgtkNRI8dC255Whi65 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 2015-09-07 06:44, Lars Engels wrote: > On Mon, Aug 31, 2015 at 10:57:27AM +0300, Pavel Timofeev wrote: >> 2015-08-29 12:49 GMT+03:00 Stefan Esser : >>> Am 28.08.2015 um 18:51 schrieb Pavel Timofeev: >>>> Sorry for top posting! It's pretty hard to write email walking under= >>>> heavy rain and umbrella. >>>> So, I talked about special key, not default behaviour. >>>> Let me give you an example. >>>> You got a server (or ten) which was/were somehow configured before y= ou. >>>> You want to reconfigure it/them. You don't care how and where it's >>>> already configured, you just want to set particular rcvars and be su= re >>>> that no other rcvars are set. >>>> >>>> Before you came it was: >>>> mysql_enable=3D"YES/NO" # no matter >>>> mysql_datadir=3D"/mycozystorage/db/mysql" >>>> mysql_defaults_extra_file=3D"/mycozystorage/mysql/my.cnf" >>>> mysql_plugin_dir=3D"/somewhere/lib/mysql/plugin" >>>> mysql_log_error=3D"/mycozystorage/db/mysql/hostname.err" >>>> >>>> then you run something like (look at -k key) >>>> # service -k mysql-server enable set datadir "/mysqldb" log_error >>>> "/mysqllogs/hostname.err" >>>> it becomes >>>> mysql_enable=3D"YES" >>>> mysql_datadir=3D"/mysqldb" >>>> mysql_log_error=3D"/mysqllogs/hostname.err" >>>> >>>> I. e. sets what requested and deletes rcvars which was not requested= =2E >>> >>> I think that the removal of the previous config state should not come= >>> as the side-effect of some "set" command. >>> >>> I'd rather introduce a now verb for this purpose, which has the effec= t >>> of clearing all previous settings for a service, instead of overloadi= ng >>> the "set" operation. >> >> BTW, it's already suggested here https://reviews.freebsd.org/D451 >> it's rcdelete. Not sure if it's good name. >> >=20 > Back from holidays... >=20 > It would be nice if we could find a consensus what should be done with > my patch in D451. The code itself works fine for me, but what's still > unclear is what config files should be touched by it: >=20 > 1 /etc/rc.conf > 2 /etc/rc.conf.local > 3 /etc/rc.conf.d/$servicename >=20 > I could add some flags to service(8), e.g. -l to edit rc.conf.local, -d= > for /etc/rc.conf.d. >=20 > But please don't let the review rot any longer. :) >=20 >=20 I plan to have a discussion about your review and the right solutions at the vBSDCon dev summit this friday. Don't worry, your review is not rotti= ng. --=20 Allan Jude --es2nT6xvD5npPhVCgtkNRI8dC255Whi65 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (MingW32) iQIcBAEBAgAGBQJV7b1jAAoJEBmVNT4SmAt+N0EP/Rh5zXa5BDTDeEmThWYogJmq NyfWco3Y3RGVgVcrP+QFHNdpIEyJfqWTTgqx5UYVm2xPQ9f6bx/Ovab8Oh2L7h1l QnGA7L+6ifAdBb2AdWxCBGGRZ8qVXruYHeNCnSq9P1eUbJgVoDWy6xQvqmChogL8 xwtB2ww2YRbuF279abunaPzCMnm+QZYvWh2+tTyYRf3gUnDtsfrhTxCO3hhnVb3o DYSxILDBedF1PMxMkPGepfrDqKaNzMiRhxbQicycnTrRIJlq972Xgci4WHpN/MMx IGinVQpiRXCYe37KwIcZeYdX8q0dhu5SGhPZ1CBW5TmMWB+jSZgdUjTJRibPRu/y yWUyD1vnWFmlzkt1szCbN7L/cs7SKYaW9UyLmCQFFwwzvrDRaLORy2YevPd+BVaQ cTl1zyl9+TCndDfqAJxwJGM+XMTrqNbsSvNCdPUZCYQdgCSwgxUccYWA0z6SZVhK +cz2HiMBlX9/UUibDY+YYclM+1K/6X06iDYR6FU4Rk0pNUT6hvww/jVo4LLbC4kU q0l54at6xEwiO9tvCGqDtVPTvO5pVXw1Pl+L2gyf3yliB3wkcbT2cRhTXhgdP4B1 45Yi89nNXOlzOHbd4TzJxhWQKfP7scb4d94jW9dx8aeChWedsIbxzsrkFBFamf39 W1YbWxEP4iVOVigOX9en =7Rwd -----END PGP SIGNATURE----- --es2nT6xvD5npPhVCgtkNRI8dC255Whi65-- From owner-freebsd-hackers@freebsd.org Tue Sep 8 17:22:21 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6DB459CC80A for ; Tue, 8 Sep 2015 17:22:21 +0000 (UTC) (envelope-from analysiser@gmail.com) Received: from mail-pa0-x236.google.com (mail-pa0-x236.google.com [IPv6:2607:f8b0:400e:c03::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 42DAC1A79 for ; Tue, 8 Sep 2015 17:22:21 +0000 (UTC) (envelope-from analysiser@gmail.com) Received: by padhk3 with SMTP id hk3so44449097pad.3 for ; Tue, 08 Sep 2015 10:22:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:message-id:date :to:mime-version; bh=eAZp34xfBEGwi7dv0dKBADCwXOkbYlqbdPBAQaYyPXY=; b=04BRN3nUd9s1Te9lizfVU9dOZcMTGUV1UU6UMGnO669UlrVf1qdkGCZIVStnzC7VfN Nve1eKavz5li/MshSRczmWx0mGYH6pzGk3rW6nq8plf7ztfpe1Z+MJJPZJYgfnSKPqat aOWuguOlL4UwJ84jF3dURNMy/CRsZdm9WmHFto9dzYinvMpj3fHr2tBZtpQrvys5b93E OMY3TActEaVT+ALnf/r1OHzGs2uRzqNLej4rzM4NL4M8OfVTrEdB/LNIxbX7PXcy3MCK l+amZvbaa8HTCK7HhVbzmgaE8xgQzyBhY+5E3tPzYtFrdSIal/9SO3gBB9iAq5XUEdAu /s0A== X-Received: by 10.68.191.232 with SMTP id hb8mr60404607pbc.122.1441732940785; Tue, 08 Sep 2015 10:22:20 -0700 (PDT) Received: from a45e60cc77bb.amazon.com (54-240-196-185.amazon.com. [54.240.196.185]) by smtp.gmail.com with ESMTPSA id qr5sm4093576pbb.26.2015.09.08.10.22.19 for (version=TLSv1/SSLv3 cipher=OTHER); Tue, 08 Sep 2015 10:22:19 -0700 (PDT) From: Analysiser Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Subject: Passphraseless Disk Encryption Options? Message-Id: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> Date: Tue, 8 Sep 2015 10:22:21 -0700 To: freebsd-hackers@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) X-Mailer: Apple Mail (2.2104) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 17:22:21 -0000 Hi, I=E2=80=99m trying to perform a whole disk encryption for my boot drive = to protect its data at rest. However I would like to have a mac OS X-ish = full disk encryption that does not explicitly ask for a passphrase and = would boot as normal without manual input of passphrase. I tried to do = it with geli(8) but it seems there is no way I can avoid the manual = interaction. Really curious if there is a way to achieve it? Thanks! Xiao= From owner-freebsd-hackers@freebsd.org Tue Sep 8 17:42:46 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 78150A003F7 for ; Tue, 8 Sep 2015 17:42:46 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 26B481608 for ; Tue, 8 Sep 2015 17:42:46 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: by wicfx3 with SMTP id fx3so128970159wic.1 for ; Tue, 08 Sep 2015 10:42:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; bh=Y6FpjWLwQMyEjPzbRaaV91wjkQhyFwinKmEsYTEoTPo=; b=sgK5Bk0WgiRlZmBVGx5fYAg1oskUwn5R8mK8EerEYCYPcTvLwQcaL5k5noH77s/xLh VXAjCBb22oknVfnYDCVyc02/7J0XspCmoXC3CwLZD1yZJ97MgDRO1dFPSwRFcTU1Thxw fUZBK1JtOJJ7MlU4UhfbNqlt9RXtSTVT/xGxvL8vZP6CRn38A/gTQtuxPlTf15foQVS6 wIpkQzy6efy+ctQwC9AUtJm81Pq2cl2gAygQIjfVyMli/y1fIcWp6VgW6D7fH5fBBlH5 F8V6FFoMOpI9OGBVA2km3UXlYgAX/yZ1/p0GKkJbscZeddG/Z0/GHUwYOYtWegXtyiD6 Unwg== X-Received: by 10.194.7.197 with SMTP id l5mr52667273wja.153.1441734164484; Tue, 08 Sep 2015 10:42:44 -0700 (PDT) Received: from gumby.homeunix.com ([90.195.198.255]) by smtp.gmail.com with ESMTPSA id l9sm6915318wiy.10.2015.09.08.10.42.42 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 08 Sep 2015 10:42:43 -0700 (PDT) Date: Tue, 8 Sep 2015 18:42:40 +0100 From: RW To: freebsd-hackers@freebsd.org Subject: Re: Passphraseless Disk Encryption Options? Message-ID: <20150908184240.0c368300@gumby.homeunix.com> In-Reply-To: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> X-Mailer: Claws Mail 3.12.0 (GTK+ 2.24.28; amd64-portbld-freebsd10.0) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 17:42:46 -0000 On Tue, 8 Sep 2015 10:22:21 -0700 Analysiser wrote: > Hi, >=20 > I?m trying to perform a whole disk encryption for my boot drive to > protect its data at rest. However I would like to have a mac OS X-ish > full disk encryption that does not explicitly ask for a passphrase > and would boot as normal without manual input of passphrase. I tried > to do it with geli(8) but it seems there is no way I can avoid the > manual interaction. Really curious if there is a way to achieve it? What exactly do you want to do? Without some form of manual interaction disk encryption is pointless. From owner-freebsd-hackers@freebsd.org Tue Sep 8 17:44:42 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 11CE5A0051B for ; Tue, 8 Sep 2015 17:44:42 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D20E11849 for ; Tue, 8 Sep 2015 17:44:41 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: by iofb144 with SMTP id b144so127664662iof.1 for ; Tue, 08 Sep 2015 10:44:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=lHbHtzUUoYqHd73v89rO4xRdUNk1Uo9AQBkQIx5E934=; b=X0tnuQLCFIo6+haHUMsaiAIs9vjwxckQ9QpTFWjPsahEbLgq5n/VIe7u8Mv888c0bC bnEy75biHVgj5thYOhdMBBEAdLz2kf3ppmDfAxGwdxHjjltQVF7odQbRoOSudEZwAFBA 9xVdqLpIDd6WehPpdz1wDhZ8kynW9eoxLD3TA9jvvnxzhcNH/Qce6ScCCn4wySp1dZ7q afPho6p8FCk1TvF0TXg2RwQmH5gktS0YfU8CU7LXksAxh1rDANg2yHoK9AFrRPQiSz7r U9H+uijDhMRn0W9o4xp4fKDASxNxxoZBBnQ8WOtNwGJcWXUdUnzCCAqvm+TT0Iwmkgvq rc4A== X-Received: by 10.107.34.85 with SMTP id i82mr47813367ioi.129.1441734281095; Tue, 08 Sep 2015 10:44:41 -0700 (PDT) MIME-Version: 1.0 Sender: mozolevsky@gmail.com Received: by 10.79.92.198 with HTTP; Tue, 8 Sep 2015 10:44:01 -0700 (PDT) In-Reply-To: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> From: Igor Mozolevsky Date: Tue, 8 Sep 2015 18:44:01 +0100 X-Google-Sender-Auth: HKfG9JnSOEmaIa6S_HubsZNMZUM Message-ID: Subject: Re: Passphraseless Disk Encryption Options? To: Analysiser Cc: Hackers freeBSD Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 17:44:42 -0000 On 8 September 2015 at 18:22, Analysiser wrote: I=E2=80=99m trying to perform a whole disk encryption for my boot drive to = protect > its data at rest. However I would like to have a mac OS X-ish full disk > encryption that does not explicitly ask for a passphrase and would boot a= s > normal without manual input of passphrase. I tried to do it with geli(8) > but it seems there is no way I can avoid the manual interaction. Really > curious if there is a way to achieve it? Thanks! > Do you mean like DVD "encryption'? If you are able to decrypt the contents of the disk without something that only the person in front for the computer either has or knows then *anyone* would be able to decrypt it. What is the actual problem you're trying to solve? Remember that encryption is just a tool and not a solution- you need a good security protocol that will protect your data, and by the sound of it the protocol you propose (self-decrypting drive) is just broken. --=20 Igor M. From owner-freebsd-hackers@freebsd.org Tue Sep 8 17:57:26 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 89673A00C4B for ; Tue, 8 Sep 2015 17:57:26 +0000 (UTC) (envelope-from prvs=686a33556=xaol@amazon.com) Received: from smtp-fw-4101.amazon.com (smtp-fw-4101.amazon.com [72.21.198.25]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "amazon-smtp.amazon.com", Issuer "Symantec Class 3 Secure Server CA - G4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 15B251721 for ; Tue, 8 Sep 2015 17:57:25 +0000 (UTC) (envelope-from prvs=686a33556=xaol@amazon.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1441735046; x=1473271046; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=kAvUOV2PRD47IPSCcO/wOD4ADufjZXeYtdoxEeZK20I=; b=voAroQs9MxIml83UFIFz6/JPb2D4Wrai74611ZEyQynjPjEks2W40q6w DAgjURn1XPLm+tMYWp9N9WGZ7q5wgJxdkqnwUOQN1VLOAp1mT4u7PCtHH xZjhTTtBdMschkgHvHDcYdeLsEd4/Rv0RP4X1cDMtkTj4dlFQ2JriKhb3 U=; X-IronPort-AV: E=Sophos;i="5.17,491,1437436800"; d="scan'208";a="340886316" Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-7005.iad7.amazon.com) ([10.43.8.2]) by smtp-border-fw-out-4101.iad4.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Sep 2015 17:57:18 +0000 Received: from ex10-hub-7002.ant.amazon.com (iad1-ws-svc-lb91-vlan2.amazon.com [10.0.103.146]) by email-inbound-relay-7005.iad7.amazon.com (8.14.7/8.14.7) with ESMTP id t88Hv3WG008014 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 8 Sep 2015 17:57:18 GMT Received: from EX13D10UWB004.ant.amazon.com (10.43.161.121) by ex10-hub-7002.ant.amazon.com (10.43.110.153) with Microsoft SMTP Server (TLS) id 14.3.181.6; Tue, 8 Sep 2015 10:57:04 -0700 Received: from EX13D10UWB004.ant.amazon.com (10.43.161.121) by EX13D10UWB004.ant.amazon.com (10.43.161.121) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 8 Sep 2015 17:57:03 +0000 Received: from EX13D10UWB004.ant.amazon.com ([10.43.161.121]) by EX13D10UWB004.ant.amazon.com ([10.43.161.121]) with mapi id 15.00.1076.000; Tue, 8 Sep 2015 17:57:03 +0000 From: "Li, Xiao" To: RW , "freebsd-hackers@freebsd.org" Subject: Re: Passphraseless Disk Encryption Options? Thread-Topic: Passphraseless Disk Encryption Options? Thread-Index: AQHQ6lr6Ydzyitj3H0mec7eivE1jBJ4y5s0A//+OrgA= Date: Tue, 8 Sep 2015 17:57:03 +0000 Message-ID: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <20150908184240.0c368300@gumby.homeunix.com> In-Reply-To: <20150908184240.0c368300@gumby.homeunix.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.43.160.246] Content-Type: text/plain; charset="iso-8859-1" Content-ID: <92B1E254B7AB084F83F10E290B89665C@ant.amazon.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Precedence: Bulk X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 17:57:26 -0000 Thanks for the reply! My problem is: I trust the booted system since the boot process is protected by trusted gpt boot, and a randomly generated login password. My machine only allows remote ssh access. I=B9m trying to protect the machine if the it is lost or intercepted and the attacker is trying to gain access to the files and data on the boot disk of it by attaching the boot disk to another system. I found a thread here and I have the same questions with the OP:http://serverfault.com/questions/412857/freebsd-encryption-concept-autom atic-boot-without-password-or-key-when-mounted?newreg=3D8066eff445b44f8f85b= 2a 7092f92b29f But since I=B9m using TPM I=B9m wondering if I could store the key or passphrase in TPM to achieve the automatic boot without manual interaction. Thanks again! Xiao On 9/8/15, 10:42 AM, "owner-freebsd-hackers@freebsd.org on behalf of freebsd-hackers@freebsd.org" wrote: >On Tue, 8 Sep 2015 10:22:21 -0700 >Analysiser wrote: > >> Hi, >>=20 >> I?m trying to perform a whole disk encryption for my boot drive to >> protect its data at rest. However I would like to have a mac OS X-ish >> full disk encryption that does not explicitly ask for a passphrase >> and would boot as normal without manual input of passphrase. I tried >> to do it with geli(8) but it seems there is no way I can avoid the >> manual interaction. Really curious if there is a way to achieve it? > >What exactly do you want to do? Without some form of manual interaction >disk encryption is pointless. >_______________________________________________ >freebsd-hackers@freebsd.org mailing list >https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" From owner-freebsd-hackers@freebsd.org Tue Sep 8 18:14:46 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1FC149CC610 for ; Tue, 8 Sep 2015 18:14:46 +0000 (UTC) (envelope-from prvs=686a33556=xaol@amazon.com) Received: from smtp-fw-4101.amazon.com (smtp-fw-4101.amazon.com [72.21.198.25]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "amazon-smtp.amazon.com", Issuer "Symantec Class 3 Secure Server CA - G4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id B21ED12D5 for ; Tue, 8 Sep 2015 18:14:45 +0000 (UTC) (envelope-from prvs=686a33556=xaol@amazon.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1441736085; x=1473272085; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=H3ePO+LI72W0MT1ZSBYZtS006yzdR35ftJI/onJZb6A=; b=S//MVfDPMFmpsdftYtjL8fx5pPtf532qahqQbpzQRzSCaFTgZRlSfJIx t2Bsw1OUn3yBhEij6pr/lC7F9wHmZSIu8za1hr2gd+4l1zU2XMcd6bMws 0V5WmrZMgdEHKvdDyK0zbWADG4Jt1uYE60AG+RkOMYlHvsLqdfQ1Vvz+l Q=; X-IronPort-AV: E=Sophos;i="5.17,491,1437436800"; d="scan'208";a="340900718" Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-62006.pdx2.amazon.com) ([10.43.8.2]) by smtp-border-fw-out-4101.iad4.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Sep 2015 18:14:43 +0000 Received: from ex10-hub-7001.ant.amazon.com (pdx1-ws-svc-lb16-vlan2.amazon.com [10.239.138.210]) by email-inbound-relay-62006.pdx2.amazon.com (8.14.7/8.14.7) with ESMTP id t88IEOKV010319 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 8 Sep 2015 18:14:42 GMT Received: from EX13D10UWB001.ant.amazon.com (10.43.161.111) by ex10-hub-7001.ant.amazon.com (10.43.103.49) with Microsoft SMTP Server (TLS) id 14.3.181.6; Tue, 8 Sep 2015 11:14:31 -0700 Received: from EX13D10UWB004.ant.amazon.com (10.43.161.121) by EX13D10UWB001.ant.amazon.com (10.43.161.111) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 8 Sep 2015 18:15:11 +0000 Received: from EX13D10UWB004.ant.amazon.com ([10.43.161.121]) by EX13D10UWB004.ant.amazon.com ([10.43.161.121]) with mapi id 15.00.1076.000; Tue, 8 Sep 2015 18:14:28 +0000 From: "Li, Xiao" To: Igor Mozolevsky , Analysiser CC: Hackers freeBSD Subject: Re: Passphraseless Disk Encryption Options? Thread-Topic: Passphraseless Disk Encryption Options? Thread-Index: AQHQ6lr6Ydzyitj3H0mec7eivE1jBJ4y5y6A//+TKIA= Date: Tue, 8 Sep 2015 18:14:28 +0000 Message-ID: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.43.162.217] Content-Type: text/plain; charset="Windows-1252" Content-ID: <32855FAB13F0B3499E0CE7D8F1E1A495@ant.amazon.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Precedence: Bulk X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 18:14:46 -0000 Hi Igor, Thanks for the suggestion! I=B9m trying to achieve that the data could only be accessed in a trusted booted system and cannot be decrypted when the startup disk is a cold storage device. Something like FileVault on Mac OS X (https://support.apple.com/en-us/HT204837). I admit the protocol is broken. Like in geli, there have to be an unencrypted /boot partition to load kernel, and the rest of the OS is on an encrypted large storage partition. I=B9m thinking if I could make it passwordless then the passphrase or the key have to be stored on the unencrypted partition which would definitely break the security protocol, therefore I=B9m wondering if the passphrase or the key could be protected i= n the non volatile memory of some firmwares like TPM and could be retrieved only in known system status=8A Thanks again! Xiao On 9/8/15, 10:44 AM, "owner-freebsd-hackers@freebsd.org on behalf of Igor Mozolevsky" wrote: >On 8 September 2015 at 18:22, Analysiser wrote: > >I=B9m trying to perform a whole disk encryption for my boot drive to prote= ct >> its data at rest. However I would like to have a mac OS X-ish full disk >> encryption that does not explicitly ask for a passphrase and would boot >>as >> normal without manual input of passphrase. I tried to do it with geli(8) >> but it seems there is no way I can avoid the manual interaction. Really >> curious if there is a way to achieve it? Thanks! >> > > >Do you mean like DVD "encryption'? If you are able to decrypt the contents >of the disk without something that only the person in front for the >computer either has or knows then *anyone* would be able to decrypt it. > >What is the actual problem you're trying to solve? Remember that >encryption >is just a tool and not a solution- you need a good security protocol that >will protect your data, and by the sound of it the protocol you propose >(self-decrypting drive) is just broken. > > >--=20 >Igor M. >_______________________________________________ >freebsd-hackers@freebsd.org mailing list >https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" From owner-freebsd-hackers@freebsd.org Tue Sep 8 18:27:44 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CA3FA9CCCD4 for ; Tue, 8 Sep 2015 18:27:44 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 94C7B1900 for ; Tue, 8 Sep 2015 18:27:44 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: by ioii196 with SMTP id i196so128625206ioi.3 for ; Tue, 08 Sep 2015 11:27:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=4waFVJCii2oojkzcXf4MdAHxjMSLhk6Ipm4aoc/a23c=; b=AFBgcB/Fz/YxMeCPw6YX3FBm6sbDrOzpPkg0Z5W4+vkTZCx12CJzqJ78OvMn4uuz/2 o2SMpwFTNc6IzAh7wdBoW3hf4SIJYdIhqV71Pb0bKaBEhrOAghojYa1Oq315wQfWcuh5 /ZRJCevkW9w0UrBWmnZSlfgusL9il8nGZbvI1U6/DjdsjyZrX/6WA4RTSnLupFYjOLzn kPNHPP4HxnJFr8ys8baITm0d8iQFW6CD7iZ5RiZvzluMZtR8g6ASv9vjuzrt/0aaa7dX 5okT3AWW5C7ckIvM6kfbYWRoCA421tflgdG1pQOpuAUg3k7leYAVMmJMNSAUP62plGSj 3smg== X-Received: by 10.107.16.80 with SMTP id y77mr40651625ioi.183.1441736863765; Tue, 08 Sep 2015 11:27:43 -0700 (PDT) MIME-Version: 1.0 Sender: mozolevsky@gmail.com Received: by 10.79.92.198 with HTTP; Tue, 8 Sep 2015 11:27:04 -0700 (PDT) In-Reply-To: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> From: Igor Mozolevsky Date: Tue, 8 Sep 2015 19:27:04 +0100 X-Google-Sender-Auth: 2KJnaluC4-xHGHjA0KUhWqYmef8 Message-ID: Subject: Re: Passphraseless Disk Encryption Options? To: "Li, Xiao" Cc: Analysiser , Hackers freeBSD Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 18:27:45 -0000 On 8 September 2015 at 19:14, Li, Xiao wrote: > Hi Igor, > > Thanks for the suggestion! I=C2=B9m trying to achieve that the data could= only > be accessed in a trusted booted system and cannot be decrypted when the > startup disk is a cold storage device. Something like FileVault on Mac OS > X (https://support.apple.com/en-us/HT204837). Please read Apple's blurb- your logging in unlocks the FileVault; if you forget your login password (and you haven't set up password recovery) you data is just a source of entropy. I suspect what they did was that their uefi loader logs you in and decrypts the drive. --=20 Igor M. From owner-freebsd-hackers@freebsd.org Tue Sep 8 18:28:03 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A8E5A9CCD0A for ; Tue, 8 Sep 2015 18:28:03 +0000 (UTC) (envelope-from prvs=686a33556=xaol@amazon.com) Received: from smtp-fw-33001.amazon.com (smtp-fw-33001.amazon.com [207.171.189.228]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "amazon-smtp.amazon.com", Issuer "Symantec Class 3 Secure Server CA - G4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7A83719DB for ; Tue, 8 Sep 2015 18:28:03 +0000 (UTC) (envelope-from prvs=686a33556=xaol@amazon.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1441736883; x=1473272883; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=/Ex2/Zqn4rCCpk2llb5V6UqhrmYKmYOnmVsBt6dbgs4=; b=kKvYdyuH/j1DnLwqaweprFpf/QBpxYhDBeniyVdbCY0cQI4GgZIn7tST IbtzC624fHTGMYgLb7uvAwoh8xH2JCBpDBPKdW6NEfIrY/COcuMi/s4mr QGVYH00jVPop16llxkmtC9buAitkt6Ir36EBxU9nte46Sd3zTELTLDfCo E=; X-IronPort-AV: E=Sophos;i="5.17,491,1437436800"; d="scan'208";a="311888907" Received: from sea3-co-svc-lb3-vlan3.amazon.com (HELO email-inbound-relay-7003.iad7.amazon.com) ([172.18.12.86]) by smtp-border-fw-out-33001.sea14.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Sep 2015 18:28:01 +0000 Received: from ex10-hub-7001.ant.amazon.com (iad1-ws-svc-lb91-vlan3.amazon.com [10.0.103.150]) by email-inbound-relay-7003.iad7.amazon.com (8.14.7/8.14.7) with ESMTP id t88IRYFF027165 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 8 Sep 2015 18:28:00 GMT Received: from EX13D10UWB001.ant.amazon.com (10.43.161.111) by ex10-hub-7001.ant.amazon.com (10.43.103.49) with Microsoft SMTP Server (TLS) id 14.3.181.6; Tue, 8 Sep 2015 11:27:40 -0700 Received: from EX13D10UWB004.ant.amazon.com (10.43.161.121) by EX13D10UWB001.ant.amazon.com (10.43.161.111) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 8 Sep 2015 18:28:23 +0000 Received: from EX13D10UWB004.ant.amazon.com ([10.43.161.121]) by EX13D10UWB004.ant.amazon.com ([10.43.161.121]) with mapi id 15.00.1076.000; Tue, 8 Sep 2015 18:27:39 +0000 From: "Li, Xiao" To: "Li, Xiao" , Igor Mozolevsky , Analysiser CC: Hackers freeBSD Subject: Re: Passphraseless Disk Encryption Options? Thread-Topic: Passphraseless Disk Encryption Options? Thread-Index: AQHQ6lr6Ydzyitj3H0mec7eivE1jBJ4y5y6A//+TKICAAAOvAA== Date: Tue, 8 Sep 2015 18:27:39 +0000 Message-ID: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.43.162.217] Content-Type: text/plain; charset="utf-8" Content-ID: <078F4CABE97EAF40A095B8843114B1CE@ant.amazon.com> Content-Transfer-Encoding: base64 MIME-Version: 1.0 Precedence: Bulk X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 18:28:03 -0000 VG8gY2xhcmlmeSBtb3JlLCBJ4oCZbSB0cnlpbmcgdG8gcHJvdGVjdCBhIGhlYWRsZXNzIGRldmlj ZSB0aGF0IGhhcyBGcmVlQlNEDQppbnN0YWxsZWQgb24gaXQuIFRoZXJlIGlzIG5vIHVzYi92aWRl byBpbnB1dCwgb25seSBOSUMgYW5kIHBvd2VyIGFyZQ0KZXhwb3NlZC4gQW5kIEnigJltIHRyeWlu ZyB0byBwcm90ZWN0IGl0cyBib290YWJsZSBkcml2ZS4NCg0KT24gOS84LzE1LCAxMToxNCBBTSwg Im93bmVyLWZyZWVic2QtaGFja2Vyc0BmcmVlYnNkLm9yZyBvbiBiZWhhbGYgb2YNCkhhY2tlcnMg ZnJlZUJTRCIgPG93bmVyLWZyZWVic2QtaGFja2Vyc0BmcmVlYnNkLm9yZyBvbiBiZWhhbGYgb2YN CmZyZWVic2QtaGFja2Vyc0BmcmVlYnNkLm9yZz4gd3JvdGU6DQoNCj5IaSBJZ29yLA0KPg0KPlRo YW5rcyBmb3IgdGhlIHN1Z2dlc3Rpb24hIEnCuW0gdHJ5aW5nIHRvIGFjaGlldmUgdGhhdCB0aGUg ZGF0YSBjb3VsZCBvbmx5DQo+YmUgYWNjZXNzZWQgaW4gYSB0cnVzdGVkIGJvb3RlZCBzeXN0ZW0g YW5kIGNhbm5vdCBiZSBkZWNyeXB0ZWQgd2hlbiB0aGUNCj5zdGFydHVwIGRpc2sgaXMgYSBjb2xk IHN0b3JhZ2UgZGV2aWNlLiBTb21ldGhpbmcgbGlrZSBGaWxlVmF1bHQgb24gTWFjIE9TDQo+WCAo aHR0cHM6Ly9zdXBwb3J0LmFwcGxlLmNvbS9lbi11cy9IVDIwNDgzNykuDQo+DQo+SSBhZG1pdCB0 aGUgcHJvdG9jb2wgaXMgYnJva2VuLiBMaWtlIGluIGdlbGksIHRoZXJlIGhhdmUgdG8gYmUgYW4N Cj51bmVuY3J5cHRlZCAvYm9vdCBwYXJ0aXRpb24gdG8gbG9hZCBrZXJuZWwsIGFuZCB0aGUgcmVz dCBvZiB0aGUgT1MgaXMgb24NCj5hbiBlbmNyeXB0ZWQgbGFyZ2Ugc3RvcmFnZSBwYXJ0aXRpb24u IEnCuW0gdGhpbmtpbmcgaWYgSSBjb3VsZCBtYWtlIGl0DQo+cGFzc3dvcmRsZXNzIHRoZW4gdGhl IHBhc3NwaHJhc2Ugb3IgdGhlIGtleSBoYXZlIHRvIGJlIHN0b3JlZCBvbiB0aGUNCj51bmVuY3J5 cHRlZCBwYXJ0aXRpb24gd2hpY2ggd291bGQgZGVmaW5pdGVseSBicmVhayB0aGUgc2VjdXJpdHkg cHJvdG9jb2wsDQo+dGhlcmVmb3JlIEnCuW0gd29uZGVyaW5nIGlmIHRoZSBwYXNzcGhyYXNlIG9y IHRoZSBrZXkgY291bGQgYmUgcHJvdGVjdGVkIGluDQo+dGhlIG5vbiB2b2xhdGlsZSBtZW1vcnkg b2Ygc29tZSBmaXJtd2FyZXMgbGlrZSBUUE0gYW5kIGNvdWxkIGJlIHJldHJpZXZlZA0KPm9ubHkg aW4ga25vd24gc3lzdGVtIHN0YXR1c8WgDQo+DQo+VGhhbmtzIGFnYWluIQ0KPlhpYW8NCj4NCj5P biA5LzgvMTUsIDEwOjQ0IEFNLCAib3duZXItZnJlZWJzZC1oYWNrZXJzQGZyZWVic2Qub3JnIG9u IGJlaGFsZiBvZiBJZ29yDQo+TW96b2xldnNreSIgPG93bmVyLWZyZWVic2QtaGFja2Vyc0BmcmVl YnNkLm9yZyBvbiBiZWhhbGYgb2YNCj5pZ29yQGh5YnJpZC1sYWIuY28udWs+IHdyb3RlOg0KPg0K Pj5PbiA4IFNlcHRlbWJlciAyMDE1IGF0IDE4OjIyLCBBbmFseXNpc2VyIDxhbmFseXNpc2VyQGdt YWlsLmNvbT4gd3JvdGU6DQo+Pg0KPj5JwrltIHRyeWluZyB0byBwZXJmb3JtIGEgd2hvbGUgZGlz ayBlbmNyeXB0aW9uIGZvciBteSBib290IGRyaXZlIHRvDQo+PnByb3RlY3QNCj4+PiBpdHMgZGF0 YSBhdCByZXN0LiBIb3dldmVyIEkgd291bGQgbGlrZSB0byBoYXZlIGEgbWFjIE9TIFgtaXNoIGZ1 bGwgZGlzaw0KPj4+IGVuY3J5cHRpb24gdGhhdCBkb2VzIG5vdCBleHBsaWNpdGx5IGFzayBmb3Ig YSBwYXNzcGhyYXNlIGFuZCB3b3VsZCBib290DQo+Pj5hcw0KPj4+IG5vcm1hbCB3aXRob3V0IG1h bnVhbCBpbnB1dCBvZiBwYXNzcGhyYXNlLiBJIHRyaWVkIHRvIGRvIGl0IHdpdGgNCj4+PmdlbGko OCkNCj4+PiBidXQgaXQgc2VlbXMgdGhlcmUgaXMgbm8gd2F5IEkgY2FuIGF2b2lkIHRoZSBtYW51 YWwgaW50ZXJhY3Rpb24uIFJlYWxseQ0KPj4+IGN1cmlvdXMgaWYgdGhlcmUgaXMgYSB3YXkgdG8g YWNoaWV2ZSBpdD8gVGhhbmtzIQ0KPj4+DQo+Pg0KPj4NCj4+RG8geW91IG1lYW4gbGlrZSBEVkQg ImVuY3J5cHRpb24nPyBJZiB5b3UgYXJlIGFibGUgdG8gZGVjcnlwdCB0aGUNCj4+Y29udGVudHMN Cj4+b2YgdGhlIGRpc2sgd2l0aG91dCBzb21ldGhpbmcgdGhhdCBvbmx5IHRoZSBwZXJzb24gaW4g ZnJvbnQgZm9yIHRoZQ0KPj5jb21wdXRlciBlaXRoZXIgaGFzIG9yIGtub3dzIHRoZW4gKmFueW9u ZSogd291bGQgYmUgYWJsZSB0byBkZWNyeXB0IGl0Lg0KPj4NCj4+V2hhdCBpcyB0aGUgYWN0dWFs IHByb2JsZW0geW91J3JlIHRyeWluZyB0byBzb2x2ZT8gUmVtZW1iZXIgdGhhdA0KPj5lbmNyeXB0 aW9uDQo+PmlzIGp1c3QgYSB0b29sIGFuZCBub3QgYSBzb2x1dGlvbi0geW91IG5lZWQgYSBnb29k IHNlY3VyaXR5IHByb3RvY29sIHRoYXQNCj4+d2lsbCBwcm90ZWN0IHlvdXIgZGF0YSwgYW5kIGJ5 IHRoZSBzb3VuZCBvZiBpdCB0aGUgcHJvdG9jb2wgeW91IHByb3Bvc2UNCj4+KHNlbGYtZGVjcnlw dGluZyBkcml2ZSkgaXMganVzdCBicm9rZW4uDQo+Pg0KPj4NCj4+LS0gDQo+Pklnb3IgTS4NCj4+ X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj4+ZnJlZWJz ZC1oYWNrZXJzQGZyZWVic2Qub3JnIG1haWxpbmcgbGlzdA0KPj5odHRwczovL2xpc3RzLmZyZWVi c2Qub3JnL21haWxtYW4vbGlzdGluZm8vZnJlZWJzZC1oYWNrZXJzDQo+PlRvIHVuc3Vic2NyaWJl LCBzZW5kIGFueSBtYWlsIHRvDQo+PiJmcmVlYnNkLWhhY2tlcnMtdW5zdWJzY3JpYmVAZnJlZWJz ZC5vcmciDQo+DQo+X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X18NCj5mcmVlYnNkLWhhY2tlcnNAZnJlZWJzZC5vcmcgbWFpbGluZyBsaXN0DQo+aHR0cHM6Ly9s aXN0cy5mcmVlYnNkLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2ZyZWVic2QtaGFja2Vycw0KPlRvIHVu c3Vic2NyaWJlLCBzZW5kIGFueSBtYWlsIHRvICJmcmVlYnNkLWhhY2tlcnMtdW5zdWJzY3JpYmVA ZnJlZWJzZC5vcmciDQoNCg== From owner-freebsd-hackers@freebsd.org Tue Sep 8 18:36:00 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A9783A00275 for ; Tue, 8 Sep 2015 18:36:00 +0000 (UTC) (envelope-from prvs=686a33556=xaol@amazon.com) Received: from smtp-fw-4101.amazon.com (smtp-fw-4101.amazon.com [72.21.198.25]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "amazon-smtp.amazon.com", Issuer "Symantec Class 3 Secure Server CA - G4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 31F7C1094 for ; Tue, 8 Sep 2015 18:35:59 +0000 (UTC) (envelope-from prvs=686a33556=xaol@amazon.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1441737360; x=1473273360; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=vfOjZeRnIbqUb6qQiGiaq5TtIzSCQ5IEnhqNnckzXmc=; b=ZrXTEYTkPzrxNes7HBbM0OyW4OFIidSNVSSuAmeMVDnE1QONIYtYtQ7j dckWH9YRahhbcDa2eDcpEBz3j2ycxyWusVJSQJwzgARJINYoOCR51S/iK XBIX6iQTE7WYsjriHrgg9cCMVUTOPVRyf9p5nG9skLYIGxuGAOJ0uxhvd g=; X-IronPort-AV: E=Sophos;i="5.17,491,1437436800"; d="scan'208";a="340917136" Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-60002.pdx1.amazon.com) ([10.43.8.2]) by smtp-border-fw-out-4101.iad4.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Sep 2015 18:35:57 +0000 Received: from ex10-hub-7001.ant.amazon.com (pdx1-ws-svc-lb16-vlan2.amazon.com [10.239.138.210]) by email-inbound-relay-60002.pdx1.amazon.com (8.14.7/8.14.7) with ESMTP id t88IZr4L026559 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 8 Sep 2015 18:35:56 GMT Received: from EX13D10UWB001.ant.amazon.com (10.43.161.111) by ex10-hub-7001.ant.amazon.com (10.43.103.49) with Microsoft SMTP Server (TLS) id 14.3.181.6; Tue, 8 Sep 2015 11:35:30 -0700 Received: from EX13D10UWB004.ant.amazon.com (10.43.161.121) by EX13D10UWB001.ant.amazon.com (10.43.161.111) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 8 Sep 2015 18:36:12 +0000 Received: from EX13D10UWB004.ant.amazon.com ([10.43.161.121]) by EX13D10UWB004.ant.amazon.com ([10.43.161.121]) with mapi id 15.00.1076.000; Tue, 8 Sep 2015 18:35:29 +0000 From: "Li, Xiao" To: Igor Mozolevsky CC: Hackers freeBSD , Analysiser Subject: Re: Passphraseless Disk Encryption Options? Thread-Topic: Passphraseless Disk Encryption Options? Thread-Index: AQHQ6lr6Ydzyitj3H0mec7eivE1jBJ4y5y6A//+TKICAAHjfAP//jP+A Date: Tue, 8 Sep 2015 18:35:29 +0000 Message-ID: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.43.160.246] Content-Type: text/plain; charset="iso-8859-1" Content-ID: <475D46661608DD449127BD78166C28E1@ant.amazon.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 18:36:00 -0000 Agreed, that=B9s why I=B9m stuck in here: it seems like something either unachievable or haven=B9t been done before. I mentioned Apple=B9s method is only because it is something similar in that both requires a full disk encryption on startup disk. But Apple=B9s way is like to decrypt the disk o= n login; I=B9m trying to decrypt the disk during prelogin after the boot. On 9/8/15, 11:27 AM, "owner-freebsd-hackers@freebsd.org on behalf of Igor Mozolevsky" wrote: > From owner-freebsd-hackers@freebsd.org Tue Sep 8 18:51:56 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A894FA00CB5 for ; Tue, 8 Sep 2015 18:51:56 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 720DD135B for ; Tue, 8 Sep 2015 18:51:56 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: by igbkq10 with SMTP id kq10so86446674igb.0 for ; Tue, 08 Sep 2015 11:51:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=MH7SHWkI3S6/GKy+hXDD2McrKJpenzgXfY0Q/VUbDMs=; b=zPmSCyzt+lRqrO6wiAIBo5DLvxF415USbv7RpiG9rC8TpSJK613BgiJHr5XGB6kR4U 2WicJzioQAjn11SnDVwEriWzjQUZnvRfnEXjGvdDo3gIRFMxqMnFbPMJlCxfSsiekguT AxMUVFkT3wjAKI0QnJKrVK3VJCDevhswO6tFtcIQRS21Dvch4HMQ3wShwFuVO2KKXJwn qtNfOlDt16hiVhJHFg1eW9ydRYtPTMFbghJExj5w1f9M3w8arlEaCgDzsQ3L6Rs+5LyD a4wKqFohY6zlgyl0QBm0PQHy5tJDzZ60mwg3Lu/xrflPWYZi/dLtMD1g28eAukbQFov3 hWTg== X-Received: by 10.50.78.6 with SMTP id x6mr4629677igw.27.1441738315895; Tue, 08 Sep 2015 11:51:55 -0700 (PDT) MIME-Version: 1.0 Sender: mozolevsky@gmail.com Received: by 10.79.92.198 with HTTP; Tue, 8 Sep 2015 11:51:16 -0700 (PDT) In-Reply-To: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> From: Igor Mozolevsky Date: Tue, 8 Sep 2015 19:51:16 +0100 X-Google-Sender-Auth: 1FNnImWIDakjyxq5KkuxX9HhLCg Message-ID: Subject: Re: Passphraseless Disk Encryption Options? To: "Li, Xiao" Cc: Hackers freeBSD , Analysiser Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 18:51:56 -0000 On 8 September 2015 at 19:35, Li, Xiao wrote: > Agreed, that=C2=B9s why I=C2=B9m stuck in here: it seems like something e= ither > unachievable or haven=C2=B9t been done before. I mentioned Apple=C2=B9s m= ethod is > only because it is something similar in that both requires a full disk > encryption on startup disk. But Apple=C2=B9s way is like to decrypt the d= isk on > login; I=C2=B9m trying to decrypt the disk during prelogin after the boot= . > I think you're missing the point- I suspect Apple's login *is* the decrypt process- OS X needs something from the user to give access to the data; without the user typing in their password, the data on the disk (as I said) is just a source of entropy. --=20 Igor M. From owner-freebsd-hackers@freebsd.org Tue Sep 8 19:22:06 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2D8139CCE04 for ; Tue, 8 Sep 2015 19:22:06 +0000 (UTC) (envelope-from bmvince1@asu.edu) Received: from mail-ig0-f176.google.com (mail-ig0-f176.google.com [209.85.213.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 00A95198F for ; Tue, 8 Sep 2015 19:22:05 +0000 (UTC) (envelope-from bmvince1@asu.edu) Received: by igcpb10 with SMTP id pb10so87122002igc.1 for ; Tue, 08 Sep 2015 12:21:59 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=l/X+1nkgmkvxpayP/M9vo60O3llKivsK+z7FwlRhP34=; b=Yhf4s+A99ZqjBVClMSk4EzV1Tyk7T/i0XgBThIuhLl0uZyhjci0sb3owySXeiPXLdG qN13d0aghdyyyYJiEn+fDA62CkqkxhDqykPcmDYY6aGygFyz0IotlFfWklvVFLOkv8d0 AHl8bk6oCofzav3NNCYFD2T6zW4ObBxxEqiei1ff0MtETxNP5+kyCis+o3YLY78/pRm6 fN+LifzHzSXHdhLaGXTsHcs7EcbzF9OuknfbquSm2iEMYt9lhg/O34NutZku8whewmxy GkZLGrBqQemRQJ77Pv6QXLwU8Z9HlveXJ5jdIXGSbjD/MIuvdInEUFXYWsR5Wg2YXKXW H2Qg== X-Gm-Message-State: ALoCoQlvxHf+XrHIBJQa3JqjqulYSA7hZZHM4Ci4VHtYTZnwbkVxIKKuVuP7uL9FW17SK8K1tUSZ MIME-Version: 1.0 X-Received: by 10.50.56.113 with SMTP id z17mr36495427igp.4.1441740119637; Tue, 08 Sep 2015 12:21:59 -0700 (PDT) Received: by 10.36.71.18 with HTTP; Tue, 8 Sep 2015 12:21:59 -0700 (PDT) In-Reply-To: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> Date: Tue, 8 Sep 2015 12:21:59 -0700 Message-ID: Subject: Re: Passphraseless Disk Encryption Options? From: Brandon Vincent To: Igor Mozolevsky Cc: "Li, Xiao" , Hackers freeBSD , Analysiser Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 19:22:06 -0000 On Tue, Sep 8, 2015 at 11:51 AM, Igor Mozolevsky wrote: > I think you're missing the point- I suspect Apple's login *is* the decrypt > process- OS X needs something from the user to give access to the data; > without the user typing in their password, the data on the disk (as I said) > is just a source of entropy. Analysiser, Backing up what Igor has stated, the underlying principles behind FileVault 2 is no different than those employed by commercially available FDE software and open source solutions such as LUKS on GNU/Linux. When FileVault 2 is enabled on OS X, the system loads additional EFI code from the unencrypted recovery partition during startup and then references a file (on the unencrypted recovery partition) which has the volume master key encrypted with a intermediary key (essentially each user's password). When you enable FileVault 2 for the first time, you have to enter the system password for each user who you want to have the ability to decrypt the hard drive on startup. After this point, if a user on the system decides to update their password, OS X seamlessly updates the intermediary key required to decrypt the key-encryption-key for the volume. Essentially, the engineers at Apple have elegantly streamlined the process to minimize user frustration and interruption. Most open source FDE is not quite polished similarly. Brandon Vincent From owner-freebsd-hackers@freebsd.org Tue Sep 8 20:15:22 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7E7159CCC48 for ; Tue, 8 Sep 2015 20:15:22 +0000 (UTC) (envelope-from perryh@pluto.rain.com) Received: from agora.rdrop.com (agora.rdrop.com [IPv6:2607:f678:1010::34]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 616011B68 for ; Tue, 8 Sep 2015 20:15:22 +0000 (UTC) (envelope-from perryh@pluto.rain.com) Received: from agora.rdrop.com (66@localhost [127.0.0.1]) by agora.rdrop.com (8.13.1/8.12.7) with ESMTP id t88KF8aP033761 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 8 Sep 2015 13:15:08 -0700 (PDT) (envelope-from perryh@pluto.rain.com) Received: (from uucp@localhost) by agora.rdrop.com (8.13.1/8.14.2/Submit) with UUCP id t88KF8Fb033760; Tue, 8 Sep 2015 13:15:08 -0700 (PDT) (envelope-from perryh@pluto.rain.com) Received: from fbsd81 by pluto.rain.com (4.1/SMI-4.1-pluto-M2060407) id AA12697; Tue, 8 Sep 15 13:03:00 PDT Date: Tue, 08 Sep 2015 13:02:55 -0700 From: perryh@pluto.rain.com (Perry Hutchison) To: xaol@amazon.com Cc: freebsd-hackers@freebsd.org, igor@hybrid-lab.co.uk, analysiser@gmail.com Subject: Re: Passphraseless Disk Encryption Options? Message-Id: <55ef3eef.qeb+Jh3sjv8B9NgH%perryh@pluto.rain.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> In-Reply-To: User-Agent: nail 11.25 7/29/05 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 20:15:22 -0000 Xiao Li wrote: > I'm trying to protect a headless device that has FreeBSD installed > on it. There is no usb/video input, only NIC and power are exposed. > And I'm trying to protect its bootable drive. I think this is fundamentally impossible* to do, with any real security. It is like stashing a key to your house somewhere in the barn: you think no one else knows where that key is, but anyone who figures out what you've done can get in. In Apple's scheme, at least the house key is in a lockbox -- the login password is the key to the lockbox -- but even there the hard drive encryption is ultimately only as strong as the login password. * Granted, statements like this carry some risk of ending up in the same category as "There is no reason for anyone to have a home computer" (Gordon Bell), or "No one should ever need more than 640K of main memory" (Bill Gates). From owner-freebsd-hackers@freebsd.org Tue Sep 8 20:22:43 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E6EBCA000F8 for ; Tue, 8 Sep 2015 20:22:43 +0000 (UTC) (envelope-from analysiser@gmail.com) Received: from mail-pa0-x22c.google.com (mail-pa0-x22c.google.com [IPv6:2607:f8b0:400e:c03::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C15E61020 for ; Tue, 8 Sep 2015 20:22:43 +0000 (UTC) (envelope-from analysiser@gmail.com) Received: by padhk3 with SMTP id hk3so48321674pad.3 for ; Tue, 08 Sep 2015 13:22:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=uRl+LnEOtUIkkOgp745BRlIFKvIIAAyj7JUcCz7LN1E=; b=Sy+tYZP6jelEasOxrIXf8gTbQCgEol0klP78LSEGWSGOjYrsuNtdVAVTBWhmKBf4Op UycHcjW8VCJcJ/RLbx8BoEgXPOtdjxO9ooAQD3yQzshUXhyY4toyTA6axZaluuPMmblu wCCFgoKkoHymteT2fh3wL7Fb+JkXvul3Oy1bZjMyyYSLGda2Zvrqz1kqQ9tdzriF9hsQ 95MRu3bEDlEleyWCXaE96GJP8C4ugRscwHUMoqYKDE6N47dH808Lwy4MIUrGe6whA7aD xzOBcO3wgG728guWJLH4ugJh5WhiYphgaBbVBlRRne7trBMnYJHhPqU4wMH+4FFC+vYy l6fw== X-Received: by 10.66.233.164 with SMTP id tx4mr51954557pac.21.1441743763104; Tue, 08 Sep 2015 13:22:43 -0700 (PDT) Received: from a45e60cc77bb.amazon.com (54-240-196-186.amazon.com. [54.240.196.186]) by smtp.gmail.com with ESMTPSA id tk1sm4437156pac.0.2015.09.08.13.22.42 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 08 Sep 2015 13:22:42 -0700 (PDT) Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) Subject: Re: Passphraseless Disk Encryption Options? From: Analysiser In-Reply-To: <201509081352.25700.richard@hodges.org> Date: Tue, 8 Sep 2015 13:22:41 -0700 Cc: freebsd-hackers@freebsd.org, Igor Mozolevsky Message-Id: <98EEAA48-2C2C-4CBC-BBAF-F57D5F74464A@gmail.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <201509081352.25700.richard@hodges.org> To: Richard Hodges X-Mailer: Apple Mail (2.2104) Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 20:22:44 -0000 To Brandon and Igor,=20 Thanks for your pointing out about the facts of FileValut and yes I = understood your point in indicating the login IS the decryption process. = That is merely an appearance I think that *looks* something I would like = to have. I cannot have a login as the decryption process so it has to be = done somewhere before login. To Nik, Thanks for the suggestion at it looks very feasible. I=92m thinking it = might needs a strong algorithm to calculate the passphrase with some = rotating secret. I think I could test this way first. To Richard, Thank you for the suggestion. I believe that we have a secure boot = protected by the TPM. I think I could trust the motherboard and if = someone steals the TPM module the system would absolutely fail to boot. = I have some programs that relies on TPM attestation too that could = report the system status to a remote attester. However, since the = programs are not checking everything in OS I=92m hoping to perform a = startup disk encryption to further prevent unwanted alterations on the = files or executables in OS that might perform attacks. The device is = headless in that it has no exposed optical disks, usb ports, video = outputs=85 I like the idea of self-destruct USB stick idea but I cannot = have it :D Thanks again! Xiao=20 =20 > On Sep 8, 2015, at 12:52 PM, Richard Hodges = wrote: >=20 > On Tuesday 08 September 2015,"Li, Xiao via freebsd-hackers" = =20 > wrote: >> Agreed, that=B9s why I=B9m stuck in here: it seems like something = either >> unachievable or haven=B9t been done before.=20 >=20 > The decryption key has to come from somewhere. Usually someone types = it in, but they key=20 > could be on removable media, like a USB memory stick, a CD ROM, = floppy, etc. >=20 > I think you hinted at secure boot. Do you trust the security of the = motherboard? But if=20 > someone steals your hard drives, can't they also steal your other = hardware? >=20 > It might be interesting to think about an external key, such as in a = USB stick, that could=20 > be set to self-destruct (eg, overvoltage) coupled with a tamper = sensor. >=20 > If you could describe your threat model in more detail, and tell = exactly what parts are=20 > trusted, someone might have a helpful idea. >=20 > -Richard From owner-freebsd-hackers@freebsd.org Tue Sep 8 20:32:40 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 23ED5A00630 for ; Tue, 8 Sep 2015 20:32:40 +0000 (UTC) (envelope-from amesbury@oitsec.umn.edu) Received: from mail.oitsec.umn.edu (mail.oitsec.umn.edu [128.101.238.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.oitsec.umn.edu", Issuer "InCommon RSA Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 001901887 for ; Tue, 8 Sep 2015 20:32:39 +0000 (UTC) (envelope-from amesbury@oitsec.umn.edu) Received: from mail.oitsec.umn.edu (localhost [127.0.0.1]) by mail.oitsec.umn.edu (Postfix) with ESMTP id CB7BA5C822; Tue, 8 Sep 2015 15:32:30 -0500 (CDT) X-Virus-Scanned: amavisd-new at oitsec.umn.edu Received: from mail.oitsec.umn.edu ([127.0.0.1]) by mail.oitsec.umn.edu (mail.oitsec.umn.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvDZwSlBJx4N; Tue, 8 Sep 2015 15:32:30 -0500 (CDT) Received: from optimator.oitsec.umn.edu (optimator.oitsec.umn.edu [134.84.23.1]) (Authenticated sender: amesbury) by mail.oitsec.umn.edu (Postfix) with ESMTPSA id 0EA185C821; Tue, 8 Sep 2015 15:32:29 -0500 (CDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\)) Subject: Re: Passphraseless Disk Encryption Options? From: Alan Amesbury In-Reply-To: <55ef3eef.qeb+Jh3sjv8B9NgH%perryh@pluto.rain.com> Date: Tue, 8 Sep 2015 15:32:28 -0500 Content-Transfer-Encoding: quoted-printable Message-Id: <4B1D3515-2C6F-48C2-9773-7E4E9C686135@oitsec.umn.edu> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <55ef3eef.qeb+Jh3sjv8B9NgH%perryh@pluto.rain.com> To: freebsd-hackers@freebsd.org, xaol@amazon.com X-Mailer: Apple Mail (2.2102) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 20:32:40 -0000 On Sep 8, 2015, at 15:02 , Perry Hutchison = wrote: > I think this is fundamentally impossible* to do, with any real > security. It is like stashing a key to your house somewhere in > the barn: you think no one else knows where that key is, but > anyone who figures out what you've done can get in. >=20 > In Apple's scheme, at least the house key is in a lockbox -- the > login password is the key to the lockbox -- but even there the > hard drive encryption is ultimately only as strong as the login > password. [snip] I think there's a difference between Apple's FileVault and FileVault 2. = I recall the former booting completely to a login prompt, i.e., the OS = was running and everything but home directories were accessible once the = boot process was completed. Logging in caused home directories to = become available, probably through using the user's password to decrypt = a copy of the disk encryption key (as has already been described). I = thought there was also a recovery partition. I could very well be wrong = about this, though; it's been some time since I saw FileVault. FileVault 2 appears to encrypt the entire drive, including the OS. = Booting the system to its normal state is not possible without user = interaction; you have to enter your password to allow the boot process = to decrypt the key that's used to decrypt the rest of the filesystem = containing the normal operating environment. It looks like there's no = recovery partition, either, at least under Yosemite (v10.10.x), even = though there appears to be one on disk; it doesn't show up as a boot = option when the option key is pressed at boot. The only options given = are to boot from the drive normally (which prompts for a password), or = boot from the network. I agree that it seems unlikely to be able to have a system boot without = user interaction unless the key is stored in plaintext somewhere that = the boot process can retrieve it... which means it's likely accessible = to other things, too. --=20 Alan Amesbury University Information Security http://umn.edu/lookup/amesbury From owner-freebsd-hackers@freebsd.org Tue Sep 8 19:52:33 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0A7F4A00EF2 for ; Tue, 8 Sep 2015 19:52:33 +0000 (UTC) (envelope-from hodges.org@gmail.com) Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C6F8E1C95 for ; Tue, 8 Sep 2015 19:52:32 +0000 (UTC) (envelope-from hodges.org@gmail.com) Received: by igcrk20 with SMTP id rk20so83387325igc.1 for ; Tue, 08 Sep 2015 12:52:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=2zcbMRAdzhWczwZaXCCdViRp0wwBQ/MPh0rdFCtdzLY=; b=e1AEBAQvf1aDZlLpsi0ImliN2IPZDIL6a4AHOgLolJyRy2WncZyzkKLRXtnywQ4re/ aS1VmmStkJBXU97lN3i5YhU86/nST20qm7yMp5IscUYt2SM/fBxpiwh3EdZVBmZVShPt efOAyjFmE3wt1b76gDz0JCiKnkYgLTZpSAacerXSDCGNkuI8jUeBb05HIVAkeNQ8CneA keUe82seSAjWvtShjCVDiNlKxfLYUIf/ylWUhXnRfLb22AYOC0AsVIQBgst94JaH0Mtv y+sTgb3C7zjrF3bsIri7tHRcfCg8zCZyUKKBfKLzcW+Bn3VimA1CvpUy/zj2X3QJg7v3 R9Hw== X-Received: by 10.50.50.198 with SMTP id e6mr44444098igo.13.1441741952101; Tue, 08 Sep 2015 12:52:32 -0700 (PDT) Received: from lark.hodges.org (mobile-166-187-231-224.mycingular.net. [166.187.231.224]) by smtp.gmail.com with ESMTPSA id n14sm2917261ioi.15.2015.09.08.12.52.30 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 08 Sep 2015 12:52:30 -0700 (PDT) Sender: Richard Hodges From: Richard Hodges To: freebsd-hackers@freebsd.org, "Li, Xiao" Subject: Re: Passphraseless Disk Encryption Options? Date: Tue, 8 Sep 2015 13:52:24 -0600 User-Agent: KMail/1.13.5 (FreeBSD/8.1-RELEASE; KDE/4.4.5; amd64; ; ) Cc: Igor Mozolevsky , Analysiser References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> In-Reply-To: MIME-Version: 1.0 Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Message-Id: <201509081352.25700.richard@hodges.org> X-Mailman-Approved-At: Tue, 08 Sep 2015 20:39:49 +0000 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 19:52:33 -0000 On Tuesday 08 September 2015,"Li, Xiao via freebsd-hackers" =20 wrote: > Agreed, that=B9s why I=B9m stuck in here: it seems like something either > unachievable or haven=B9t been done before.=20 The decryption key has to come from somewhere. Usually someone types it in,= but they key=20 could be on removable media, like a USB memory stick, a CD ROM, floppy, etc. I think you hinted at secure boot. Do you trust the security of the motherb= oard? But if=20 someone steals your hard drives, can't they also steal your other hardware? It might be interesting to think about an external key, such as in a USB st= ick, that could=20 be set to self-destruct (eg, overvoltage) coupled with a tamper sensor. If you could describe your threat model in more detail, and tell exactly wh= at parts are=20 trusted, someone might have a helpful idea. =2DRichard From owner-freebsd-hackers@freebsd.org Tue Sep 8 20:50:48 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 62427A00FA1 for ; Tue, 8 Sep 2015 20:50:48 +0000 (UTC) (envelope-from beckman@angryox.com) Received: from nog.angryox.com (nog.angryox.com [70.164.19.87]) by mx1.freebsd.org (Postfix) with ESMTP id 1760A142B for ; Tue, 8 Sep 2015 20:50:47 +0000 (UTC) (envelope-from beckman@angryox.com) Received: from nog.angryox.com (localhost [127.0.0.1]) by nog.angryox.com (Postfix) with ESMTP id 3F9052C48DF; Tue, 8 Sep 2015 20:39:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=angryox.com; h=date:from :to:cc:subject:in-reply-to:message-id:references:mime-version :content-type; s=powerfulgood; bh=rDqvQPJi5ckePy3dYD0Yrg64KhM=; b= QQtJgUZLRIbmX4CuA7Dv03RHMr86OmxO4Dt2Y8fVbkAjpoDMTw5TcPxySzaTaueO eYIW4JoTtjKoc62P3zHh53vXF0w/4SeWeI5D7dB7jTEoUgtTu8+Xwq3+gCoxVp0m l5PcHy0qac3OXp2PjhWDaAtnWJmSfgPxQ/58oFYFFAg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=angryox.com; h=date:from:to :cc:subject:in-reply-to:message-id:references:mime-version :content-type; q=dns; s=powerfulgood; b=vWnTJUZY6eA9Ah/P95JqbZ/+ GgaD1UkccnA/zGY6A7hXPL3MjLu5f7+2wg8iXhWx6rRXRxtrNLwJtnaseROe39ZT 2Rczn4lV/iqfGrcLCxZTpx8IjtlZ0vsggJB7Cg0VKpprnw6ODIKaUX/0AMLcYU9w PGnDJry5VWkUlEYO50o= Received: by nog.angryox.com (Postfix, from userid 1001) id EDF3A2C48DC; Tue, 8 Sep 2015 20:39:55 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by nog.angryox.com (Postfix) with ESMTP id EBA062C48D4; Tue, 8 Sep 2015 16:39:55 -0400 (EDT) Date: Tue, 8 Sep 2015 16:39:55 -0400 From: Peter Beckman To: "Li, Xiao" cc: Igor Mozolevsky , Analysiser , Hackers freeBSD Subject: Re: Passphraseless Disk Encryption Options? In-Reply-To: Message-ID: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 20:50:48 -0000 On Tue, 8 Sep 2015, Li, Xiao via freebsd-hackers wrote: > To clarify more, I=E2=80=99m trying to protect a headless device that h= as FreeBSD > installed on it. There is no usb/video input, only NIC and power are > exposed. And I=E2=80=99m trying to protect its bootable drive. Seems to me that you would need one of the following: a) An unencrypted boot system that started up networking and an SSH daemon. Then you connect via SSH, "enter the encryption pass phra= se" and then the system shuts down the bootstrapped system and boots = the real OS. b) A USB key, or some other hardware, installed in the physical syst= em that the booting OS can access to magically auto-decrypt the OS a= s it boots. If they steal the drive but not the hardware, the drive is safe. If they steal it all, you're hosed. c) A network device which the OS knows to pass a public-key signed request to in order to receive back a private-key signed response= that, when decrypted, contains the decryption passphrase. An HSM might work here What most people are saying is that FileVault requires you to enter a password to decrypt your account. You don't want to/can't do this. And = if you store the decryption key on the server, as others have said, you ha= ve no security. Like leaving your house key under the front door mat. Maybe what you need is instead of disk-level encryption is account-leve= l encryption if you are more worried about the security of the data store= d in non-root accounts. Beckman -------------------------------------------------------------------------= -- Peter Beckman Internet G= uy beckman@angryox.com http://www.angryox.co= m/ -------------------------------------------------------------------------= -- From owner-freebsd-hackers@freebsd.org Tue Sep 8 20:56:16 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6F2FC9CC421 for ; Tue, 8 Sep 2015 20:56:16 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from anubis.delphij.net (anubis.delphij.net [64.62.153.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 53EAA1B1A for ; Tue, 8 Sep 2015 20:56:15 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from zeta.ixsystems.com (unknown [12.229.62.2]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id 9A063F6B4; Tue, 8 Sep 2015 13:56:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1441745769; x=1441760169; bh=6SUQcE2KDgO9XMcbznTcXhoSt+/XnzabbK5FkIS9Qm4=; h=Reply-To:Subject:References:To:Cc:From:Date:In-Reply-To; b=EV6h+mbo2upiMBR2kWVOU8kcblnWmG1YcBsDON0JrvG+WJrCjFPJe8lkL0CuMUaUy c5ARcghqGvS8p7YjAT6o81GYW2WQ/Fb2eg+fYLMvA7NYXAeWIdveI92pWIjSWKDBQv llbuRuThp0uzgQjILK9s4NhOExbnlQZ4Xl/eh4rs= Reply-To: d@delphij.net Subject: Re: Passphraseless Disk Encryption Options? References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> To: "Li, Xiao" , Igor Mozolevsky Cc: Hackers freeBSD , Analysiser From: Xin Li X-Enigmail-Draft-Status: N1110 Organization: The FreeBSD Project Message-ID: <55EF4B65.8030905@delphij.net> Date: Tue, 8 Sep 2015 13:56:05 -0700 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="ss8fIUN2t1HGMDxiBCvajjrHdblIL9nmL" X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 20:56:16 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --ss8fIUN2t1HGMDxiBCvajjrHdblIL9nmL Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 09/08/15 11:35, Li, Xiao via freebsd-hackers wrote: > Agreed, that=B9s why I=B9m stuck in here: it seems like something eithe= r > unachievable or haven=B9t been done before. I mentioned Apple=B9s metho= d is > only because it is something similar in that both requires a full disk > encryption on startup disk. But Apple=B9s way is like to decrypt the di= sk on > login; I=B9m trying to decrypt the disk during prelogin after the boot.= If the goal is to use the same key that can unlock the whole disk before the user logs in and keep all data safe, then it's unachievable. You could, however, split the system data into two parts, one is the firmware-alike portion, for instance boot partition, the root filesystem that holds all system executable and the kernel, etc., and the other is the user data portion, where user home directory, temporary files, swap are located. Then, encrypt the user portion with a separate key protected by the user's login. Note that it's quite tricky to get the remote keying right, and it's not always possible if you can't keep the local console and system data safe. A few years ago I have implemented something experimental, that allowed me to unlock my laptop remotely that have a passphrase protected GELI volume with it: https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.= html You would be able to log in as root via SSH from remote, because the script sets up network, and starts a SSH daemon, so a remote login and entering GELI passphrase would unlock the provider; or alternatively if someone is at the laptop side, they can press enter to stop the loop and enter the passphrase directly from console. As we can see, this setup is not 100% safe and rely on the fact that the laptop has to be in a trustworthy place. For instance, an attacker may do this to completely defeat my experimental environment: - Turn off the power and copy the whole hard drive. - Because binaries are not encrypted nor signed (*), replace GELI binary that does this: 1. Ask for passphrase 2. Attempt to unlock the provider, if success, send the passphrase to the attacker and restore the old GELI binary. - The attacker in their place unlock my data on their copy once passphrase is received. So, while it's probably (practically) good enough to prevent data loss for average theft (someone steal the laptop and sell it to someone who is interested in the business data) and obviously better than not encrypting at all, it does not protect the data if it's a deliberate and targeted attack. (*) It would be possible to prevent this by establishing a full trust chain from the firmware to everything that gets run in the OS. At this time, FreeBSD do not verify executables/kernels/shared libraries before mapping them as executable, and there is no way to safely verify the system being uncompromised if you are paranoid enough. Verification is a low hanging fruit though, because the in-kernel cryptographic infrastructures are already there. Cheers, --=20 Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die --ss8fIUN2t1HGMDxiBCvajjrHdblIL9nmL Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.1.7 (FreeBSD) iQIcBAEBCgAGBQJV70toAAoJEJW2GBstM+nsJNgP/2oskJgFQ9G5kx4yCPdEAPiq NfRjuZkUfa+s1lpgMaZQepIaw1rOWyg4NDkADRH2qpzzmKsgOWPGl9GvTiD9OTYY mgUT6rK4AjjkixCDjiNzP5fOCcxw/3pKrah9apEuKEpWJUn/J/r7StTrSAQVXhmx Z9gAUd4bHNZMVsYJO2+3eK7M/HsTDRX8PXMh7u2xu54HR8yj8xONmOT+fl3spkmG JNhWfMgf3heBQu1+JxMShdN+aAe4CvWvxmnIZjXroiemDCiavIzcHnI+VsLwQw5d fZRTjvVwylPoEJilufpxBAypU5nErhN7ddOk+fLGC+kNY32UGntvLWgsL0zKos1R n80Z2XRgPEPXkO1RjDPHo3Me+dIRh1WfPKdsYkQGECnLxKkmU5iS9I8oV6xtwmx/ gEh6PkNR8Ap/iXFFqLAbdHKNi3eXZUIOrfzK4DK8QodCmTo5eiUC7u0I16Cvl7HV 4/4YwPcj0Pwjd/A10FuHypgLNDgb64ZS7P7FDqXi9xEhIO39iUbyZmQHgZAjVxEA eOyuK68bqrndZOnXxltIVLyDu1uPyufNaUmEweDbms+gfRoo+ftzLLxsQkZLemdg Bblsf5ClDJomO1VbRqhK2Qch1keD9MtHkCG63+iSQje9dYiPlmb2bLUj628XZ3fj ln9NATtpabuMX102mCUT =E2W3 -----END PGP SIGNATURE----- --ss8fIUN2t1HGMDxiBCvajjrHdblIL9nmL-- From owner-freebsd-hackers@freebsd.org Tue Sep 8 21:50:13 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 147CB9CD178 for ; Tue, 8 Sep 2015 21:50:13 +0000 (UTC) (envelope-from analysiser@gmail.com) Received: from mail-pa0-x22a.google.com (mail-pa0-x22a.google.com [IPv6:2607:f8b0:400e:c03::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D7D3C1D31 for ; Tue, 8 Sep 2015 21:50:12 +0000 (UTC) (envelope-from analysiser@gmail.com) Received: by pacfv12 with SMTP id fv12so138165365pac.2 for ; Tue, 08 Sep 2015 14:50:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=a2TYn14d4Z6f51wyjisCRGbaR8Am6X/ukDjqc2nM+BM=; b=patOAQJVPfdtopsrSwFfWRHGxG7AtYHfhC+w8b5n2jiroTZeP/ZQ/1pVevYlFpNW1v 2AKtYjiLDRfGKDLbU3ciPDlawVXMou60B4Nug8I8OhOEvw0IIkNHhTU80RFiU5FM/GtQ LpgYB2FjBp+TfgS6Kx7iD2FFGeh9QcKGgrrnL0bamCGYV266NBcI3MqMsvffa+rjCjbn Z18tdfHfkqrpuLBJBTkylYgnLx1qrYfgr+WbJVtuIilw+zvkeOCHtbX2PChtjlw7lgeM /W7sPmAybq0Vylmx5Z7YPmNuvFeGklPZS42jIwAWbF1Ls/+2/tH/HTL9Bno7a7yO2Ir4 UC3Q== X-Received: by 10.68.136.234 with SMTP id qd10mr63374198pbb.162.1441749012220; Tue, 08 Sep 2015 14:50:12 -0700 (PDT) Received: from a45e60cc77bb.amazon.com (54-240-196-185.amazon.com. [54.240.196.185]) by smtp.gmail.com with ESMTPSA id kr1sm4524630pbc.93.2015.09.08.14.50.11 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 08 Sep 2015 14:50:11 -0700 (PDT) Content-Type: text/plain; charset=windows-1252 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) Subject: Re: Passphraseless Disk Encryption Options? From: Analysiser In-Reply-To: <55EF4B65.8030905@delphij.net> Date: Tue, 8 Sep 2015 14:50:10 -0700 Cc: Igor Mozolevsky , Hackers freeBSD Content-Transfer-Encoding: quoted-printable Message-Id: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <55EF4B65.8030905@delphij.net> To: d@delphij.net X-Mailer: Apple Mail (2.2104) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 21:50:13 -0000 Hi all, Thank you so much for all the insights here! I think I is my bad not to = clarify the situation very well but still I found a lot of things I = could try from the replies. In my case I could not do remote passphrase = and and USB boot and/or USB hold key/passphrase since the device might = not always have internet access and no ports (internally or externally = are exposed).=20 I think your suggestions in separating the root filesystem and user = space applications and data and perform encryption only on user portion = is a more reasonable practice given the time scale on the project I=92m = working on. Thanks again! I still have some more detailed questions I=92m seeking for an answer = related to the full startup disk encryption: Background is I=92m using geli that creates an encrypted partition that = holds the whole OS and an unencrypted partition that has the symlink to = /boot, which would boot first and ask for passphrase, my questions are: 1. is it possible to provide a plain text passphrase on the = unencrypted partition and feed it to GELI for decrypting the full disk = at all? =09 2. If 1 is possible, is it possible to seal that passphrase in = TPM (as the locked box that holds the key for the house) and only = provide the passphrase only when secure booted and system in a known = status? =09 3. If 2 is possible, is it possible for an attacker to recover = the passphrase during the process when TPM gives it out?=20 Hopefully if the answer is 110 then I think I would keep on = experimenting on the full startup disk encryption, or else I would try = to encrypt only part of the OS instead=85 Thank you all so much! Xiao > On Sep 8, 2015, at 1:56 PM, Xin Li wrote: >=20 > On 09/08/15 11:35, Li, Xiao via freebsd-hackers wrote: >> Agreed, that=B9s why I=B9m stuck in here: it seems like something = either >> unachievable or haven=B9t been done before. I mentioned Apple=B9s = method is >> only because it is something similar in that both requires a full = disk >> encryption on startup disk. But Apple=B9s way is like to decrypt the = disk on >> login; I=B9m trying to decrypt the disk during prelogin after the = boot. >=20 > If the goal is to use the same key that can unlock the whole disk = before > the user logs in and keep all data safe, then it's unachievable. >=20 > You could, however, split the system data into two parts, one is the > firmware-alike portion, for instance boot partition, the root = filesystem > that holds all system executable and the kernel, etc., and the other = is > the user data portion, where user home directory, temporary files, = swap > are located. Then, encrypt the user portion with a separate key > protected by the user's login. >=20 > Note that it's quite tricky to get the remote keying right, and it's = not > always possible if you can't keep the local console and system data > safe. A few years ago I have implemented something experimental, that > allowed me to unlock my laptop remotely that have a passphrase = protected > GELI volume with it: >=20 > = https://lists.freebsd.org/pipermail/freebsd-security/2012-August/006547.ht= ml >=20 > You would be able to log in as root via SSH from remote, because the > script sets up network, and starts a SSH daemon, so a remote login and > entering GELI passphrase would unlock the provider; or alternatively = if > someone is at the laptop side, they can press enter to stop the loop = and > enter the passphrase directly from console. >=20 > As we can see, this setup is not 100% safe and rely on the fact that = the > laptop has to be in a trustworthy place. For instance, an attacker = may > do this to completely defeat my experimental environment: >=20 > - Turn off the power and copy the whole hard drive. > - Because binaries are not encrypted nor signed (*), replace GELI > binary that does this: > 1. Ask for passphrase > 2. Attempt to unlock the provider, if success, send the passphrase > to the attacker and restore the old GELI binary. > - The attacker in their place unlock my data on their copy once > passphrase is received. >=20 > So, while it's probably (practically) good enough to prevent data loss > for average theft (someone steal the laptop and sell it to someone who > is interested in the business data) and obviously better than not > encrypting at all, it does not protect the data if it's a deliberate = and > targeted attack. >=20 > (*) It would be possible to prevent this by establishing a full trust > chain from the firmware to everything that gets run in the OS. At = this > time, FreeBSD do not verify executables/kernels/shared libraries = before > mapping them as executable, and there is no way to safely verify the > system being uncompromised if you are paranoid enough. Verification = is > a low hanging fruit though, because the in-kernel cryptographic > infrastructures are already there. >=20 > Cheers, > --=20 > Xin LI https://www.delphij.net/ > FreeBSD - The Power to Serve! Live free or die >=20 From owner-freebsd-hackers@freebsd.org Tue Sep 8 22:10:16 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F3D369CDAAD for ; Tue, 8 Sep 2015 22:10:15 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BB04F17B3 for ; Tue, 8 Sep 2015 22:10:15 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: by ioiz6 with SMTP id z6so1264684ioi.2 for ; Tue, 08 Sep 2015 15:10:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=6jFjYSFJ8ZKC2yN11G4NcuaYXHW/SbnKW3w+vKr3jEY=; b=SU8ag3jqtpdhacRetTRFqbundph0Q5CTJ3tNPpfbqWJojybzk/uWy224l2hAI3zbA4 j7AS2HXub0ALMckxB0zVSOgBdKIzXta625T8bWTZZ+c1aSVGloyc4H30ILOktRvH4A5D bdEuzJGtqHboSwOcpwlXhoSwjxPph3WLdEQePjPSeLtOLcp13e1YCbvJoodlLXlBTMgA U9PMYgqoxJPtIrn+0dS7hTrSbtvKI7uRUTTj+NJ2pYnPdO7dy4ChEqXcoBDIvLqSg7zR x1Pjgb4koWcdhnJSpiQa87PgurnT4bFPZu7qVi+ZCX4KWLonH7fUG8jrWc9aZgmZygqn LvHA== X-Received: by 10.107.16.80 with SMTP id y77mr42267059ioi.183.1441750215066; Tue, 08 Sep 2015 15:10:15 -0700 (PDT) MIME-Version: 1.0 Sender: mozolevsky@gmail.com Received: by 10.79.92.198 with HTTP; Tue, 8 Sep 2015 15:09:35 -0700 (PDT) In-Reply-To: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <55EF4B65.8030905@delphij.net> From: Igor Mozolevsky Date: Tue, 8 Sep 2015 23:09:35 +0100 X-Google-Sender-Auth: DiYLXlBEraPBdBaC1Xz7PLIOxrY Message-ID: Subject: Re: Passphraseless Disk Encryption Options? To: Analysiser Cc: Xin LI , Hackers freeBSD Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 22:10:16 -0000 On 8 September 2015 at 22:50, Analysiser wrote: > Hi all, > > Thank you so much for all the insights here! I think I is my bad not to > clarify the situation very well but still I found a lot of things I could > try from the replies. In my case I could not do remote passphrase and and > USB boot and/or USB hold key/passphrase since the device might not always > have internet access and no ports (internally or externally are exposed). > > I think your suggestions in separating the root filesystem and user space > applications and data and perform encryption only on user portion is a mo= re > reasonable practice given the time scale on the project I=E2=80=99m worki= ng on. > Thanks again! > > I still have some more detailed questions I=E2=80=99m seeking for an answ= er > related to the full startup disk encryption: I think you're worrying about the problem from the wrong end- what is it that you're attempting to protect, I'm still unsure of that?.. --=20 Igor M. From owner-freebsd-hackers@freebsd.org Tue Sep 8 22:23:02 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 63E1EA00132 for ; Tue, 8 Sep 2015 22:23:02 +0000 (UTC) (envelope-from analysiser@gmail.com) Received: from mail-pa0-x22e.google.com (mail-pa0-x22e.google.com [IPv6:2607:f8b0:400e:c03::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 30ABC12F9 for ; Tue, 8 Sep 2015 22:23:02 +0000 (UTC) (envelope-from analysiser@gmail.com) Received: by padhk3 with SMTP id hk3so50831930pad.3 for ; Tue, 08 Sep 2015 15:23:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=yXy2w4UVUPyqEiYn3GgYWFlMEcwjgpPh0Ku6UTmFDGY=; b=pmviE51ii3N+CQJrW6/a1i2qyJuLrPeTm/GhnZF9n30beMV6bVL+4WYBKKbGHESuMl b6KC/BMjj0VVlbiERAFZEijWo8QDZNKG/P3c1Q3hROKfMm/kmrsnjMuS2GblJwmgBcap KEnV8MvpK04lICBbiZqh44tnTUAuAGIMVblZwQ901t27s/0DXCgb0ZdlWjqudjXXBo45 B43YKwAihLEvSH2XorNX4fH14Aq7GrfJVDE5prlCDhsuCl1THQhAUMYW/po/4jYr8asF WuwU2dtkX3Wgwu+rJTjzy8OBqKAimdJSCEF+IkWkjwOggLfm5fuTtjkE7wCBVyzadWS3 LGGA== X-Received: by 10.68.184.197 with SMTP id ew5mr63254774pbc.145.1441750981391; Tue, 08 Sep 2015 15:23:01 -0700 (PDT) Received: from a45e60cc77bb.amazon.com (54-240-196-186.amazon.com. [54.240.196.186]) by smtp.gmail.com with ESMTPSA id ft14sm4616131pdb.13.2015.09.08.15.23.00 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 08 Sep 2015 15:23:00 -0700 (PDT) Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) Subject: Re: Passphraseless Disk Encryption Options? From: Analysiser In-Reply-To: Date: Tue, 8 Sep 2015 15:22:59 -0700 Cc: Xin LI , Hackers freeBSD Message-Id: <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <55EF4B65.8030905@delphij.net> To: Igor Mozolevsky X-Mailer: Apple Mail (2.2104) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 22:23:02 -0000 Hi Igor, I=E2=80=99m trying to protect my startup disk=E2=80=99s data from being = tampered with by someone who has physically access to the disk. He might = put it on some other machine, add some malicious code or check the logs = stored in /var, and then put it back my machine, when the machine is = stayed in some public untrusted environment. When I regain the machine = from a public untrusted environment and boot the disk, some malicious = code might running and try to contaminate my own network or other = machines, or monitor my activities with the machine.=20 I hope I explained clearer this time :) Xiao > On Sep 8, 2015, at 3:09 PM, Igor Mozolevsky = wrote: >=20 >=20 >=20 > On 8 September 2015 at 22:50, Analysiser > wrote: > Hi all, >=20 > Thank you so much for all the insights here! I think I is my bad not = to clarify the situation very well but still I found a lot of things I = could try from the replies. In my case I could not do remote passphrase = and and USB boot and/or USB hold key/passphrase since the device might = not always have internet access and no ports (internally or externally = are exposed). >=20 > I think your suggestions in separating the root filesystem and user = space applications and data and perform encryption only on user portion = is a more reasonable practice given the time scale on the project I=E2=80=99= m working on. Thanks again! >=20 > I still have some more detailed questions I=E2=80=99m seeking for an = answer related to the full startup disk encryption: >=20 >=20 > >=20 > I think you're worrying about the problem from the wrong end- what is = it that you're attempting to protect, I'm still unsure of that?.. >=20 >=20 > --=20 > Igor M.=20 From owner-freebsd-hackers@freebsd.org Tue Sep 8 22:30:21 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 44FE6A00528 for ; Tue, 8 Sep 2015 22:30:21 +0000 (UTC) (envelope-from beckman@angryox.com) Received: from nog.angryox.com (nog.angryox.com [70.164.19.87]) by mx1.freebsd.org (Postfix) with ESMTP id EA5D01971 for ; Tue, 8 Sep 2015 22:30:20 +0000 (UTC) (envelope-from beckman@angryox.com) Received: from nog.angryox.com (localhost [127.0.0.1]) by nog.angryox.com (Postfix) with ESMTP id 4A0332C48D4; Tue, 8 Sep 2015 22:30:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=angryox.com; h=date:from :to:cc:subject:in-reply-to:message-id:references:mime-version :content-type; s=powerfulgood; bh=55Fvp4esAW5af/PL3dBherLh0KU=; b= xA+yagJfyoanE/g+xm8h6bUBcsTQWb9Jcb+XIEJoXdsSandQe8fQLtdsdlcc+Umo tU2aSMeW1g5+l9tQnCRc/jzOul6jcZlg77xhAI1uUIqhNOZTgWYXjMdB4Z+Bo9bv Eh6xY7OCPg4lSlPk8hok9HtTsRVbiUh+++pvWHXx6VM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=angryox.com; h=date:from:to :cc:subject:in-reply-to:message-id:references:mime-version :content-type; q=dns; s=powerfulgood; b=rlIN/ZNudP6Qg6exOZvySkWf j6e7EBNBeHRnDoZgLG1mTq4U+J3wT2jya8FzroTmdbltYk8fX1LZbpBYWdx5Qg+Y InIuQhnGyFNQf6A4TlLsNF4dlSOf1kqLZdbHNYYwWEQ6KECmlhpouFU5tQMJJryh ytBx+OfCHxTdW1b1LDM= Received: by nog.angryox.com (Postfix, from userid 1001) id 411342C48CC; Tue, 8 Sep 2015 22:30:19 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by nog.angryox.com (Postfix) with ESMTP id 38EA22C48C3; Tue, 8 Sep 2015 18:30:19 -0400 (EDT) Date: Tue, 8 Sep 2015 18:30:19 -0400 From: Peter Beckman To: Analysiser cc: Igor Mozolevsky , Hackers freeBSD , Xin LI Subject: Re: Passphraseless Disk Encryption Options? In-Reply-To: <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com> Message-ID: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <55EF4B65.8030905@delphij.net> <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 22:30:21 -0000 If logs were stored in /var and that was an encrypted volume, no problem. If you are worried about malicious code, fingerprint your known volume of non-changing files e.g. exclude logs, then compare the files on disk with your fingerprint. If they don't match, something has changed. Easier to know that something has changed than to encrypt to prevent change. On Tue, 8 Sep 2015, Analysiser wrote: > Hi Igor, > > I=E2=80=99m trying to protect my startup disk=E2=80=99s data from being= tampered with by someone who has physically access to the disk. He might= put it on some other machine, add some malicious code or check the logs = stored in /var, and then put it back my machine, when the machine is stay= ed in some public untrusted environment. When I regain the machine from a= public untrusted environment and boot the disk, some malicious code migh= t running and try to contaminate my own network or other machines, or mon= itor my activities with the machine.=20 > > I hope I explained clearer this time :) > > Xiao > > >> On Sep 8, 2015, at 3:09 PM, Igor Mozolevsky wr= ote: >>=20 >>=20 >>=20 >> On 8 September 2015 at 22:50, Analysiser > wrote: >> Hi all, >>=20 >> Thank you so much for all the insights here! I think I is my bad not t= o clarify the situation very well but still I found a lot of things I cou= ld try from the replies. In my case I could not do remote passphrase and = and USB boot and/or USB hold key/passphrase since the device might not al= ways have internet access and no ports (internally or externally are expo= sed). >>=20 >> I think your suggestions in separating the root filesystem and user sp= ace applications and data and perform encryption only on user portion is = a more reasonable practice given the time scale on the project I=E2=80=99= m working on. Thanks again! >>=20 >> I still have some more detailed questions I=E2=80=99m seeking for an a= nswer related to the full startup disk encryption: >>=20 >>=20 >> >>=20 >> I think you're worrying about the problem from the wrong end- what is = it that you're attempting to protect, I'm still unsure of that?.. >>=20 >>=20 >> --=20 >> Igor M.=20 > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.o= rg" -------------------------------------------------------------------------= -- Peter Beckman Internet G= uy beckman@angryox.com http://www.angryox.co= m/ -------------------------------------------------------------------------= -- From owner-freebsd-hackers@freebsd.org Tue Sep 8 22:43:48 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A07FEA00B5E for ; Tue, 8 Sep 2015 22:43:48 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 672191028 for ; Tue, 8 Sep 2015 22:43:48 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: by iofh134 with SMTP id h134so2137344iof.0 for ; Tue, 08 Sep 2015 15:43:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=/GwKghYBE5gcdblLDEnkyAbzXs6dphCHlbX3oVInFCk=; b=0Bg62H/gN159cf8LjuDloOnJ2LKtdrFfcC+/gMtLuQAJBaLSkVo8kX8R3RrQNoaaQV GLSKvUw2GoqBQx/r21upPdGEojvZEXMe1338HW9SZzuIIcvz+TRpkc5w55zqZ6wxFoJa TRHE1Xktb6PFPb2ripXVMDeLYjXQOveNUolVJ3FN6s5+MDAjjCD08pmqVNqdOpOrqblS UEu3wu0Kuox8xt8pwcD1RheN7pEf/di2sxRvJ3uHyAvQ7/dK2irX4+rhjpjkUcxWKH3l 9vKk1XNw8zXGICkBp03o7zQUIBqflgttIdG/K1lq19LNnVE2YbtGh9U/1csxOsojBcUn GgXA== X-Received: by 10.107.154.13 with SMTP id c13mr43627253ioe.104.1441752227756; Tue, 08 Sep 2015 15:43:47 -0700 (PDT) MIME-Version: 1.0 Sender: mozolevsky@gmail.com Received: by 10.79.92.198 with HTTP; Tue, 8 Sep 2015 15:43:08 -0700 (PDT) In-Reply-To: <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <55EF4B65.8030905@delphij.net> <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com> From: Igor Mozolevsky Date: Tue, 8 Sep 2015 23:43:08 +0100 X-Google-Sender-Auth: dEqM0Jn6_xtFqBVaxyvj_3YQeoo Message-ID: Subject: Re: Passphraseless Disk Encryption Options? To: Analysiser Cc: Xin LI , Hackers freeBSD Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 22:43:48 -0000 On 8 September 2015 at 23:22, Analysiser wrote: > Hi Igor, > > I=E2=80=99m trying to protect my startup disk=E2=80=99s data from being t= ampered with by > someone who has physically access to the disk. He might put it on some > other machine, add some malicious code or check the logs stored in /var, > and then put it back my machine, when the machine is stayed in some publi= c > untrusted environment. When I regain the machine from a public untrusted > environment and boot the disk, some malicious code might running and try = to > contaminate my own network or other machines, or monitor my activities wi= th > the machine. > Ok, so how does FDE stop anyone from either replacing the disk all together, or wiping the disk that you put in and putting their code on it? --=20 Igor M. From owner-freebsd-hackers@freebsd.org Tue Sep 8 23:18:48 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4110A9CCE4C for ; Tue, 8 Sep 2015 23:18:48 +0000 (UTC) (envelope-from analysiser@gmail.com) Received: from mail-pa0-x235.google.com (mail-pa0-x235.google.com [IPv6:2607:f8b0:400e:c03::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 0ED4C1634 for ; Tue, 8 Sep 2015 23:18:48 +0000 (UTC) (envelope-from analysiser@gmail.com) Received: by pacex6 with SMTP id ex6so136945497pac.0 for ; Tue, 08 Sep 2015 16:18:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7k7A48YuMBA61+V1brw3HRgdtMD1XBEf+SHYP1S7V5Y=; b=BLcTrhK3cQ4Bfh4P8LOd6V31RCRtIJ55ubg6IHbAH7W3qf6+2jr2D8um6e/QcNhTsO nf7lRJeeu32XaoynENgKx+ZZ6BCnvWcmrSiXx/7HkvoSUYXHDDYByxsy9UgCd7hwOSnN QZ9M6pZy44OA5Auv2GABS/degDt3Id0i9iX0JesF3N2wRGRmD90dYHZ/sA7/yIf3zRcI qtNk669Yp7KRa/Y8Ku5YnO+QIijH0kOzkTaNy/T+Qj4P9kjkIFtC8m9nQTTZtLqYP5pe wJyA7hJJb2Q9XSsJkbMVh5iCnFcXfx1i0oUJFncOS8OAcbAUY16iM59B8+586qVBO1A5 HFHA== X-Received: by 10.68.65.43 with SMTP id u11mr10663095pbs.167.1441754327527; Tue, 08 Sep 2015 16:18:47 -0700 (PDT) Received: from a45e60cc77bb.amazon.com (54-240-196-185.amazon.com. [54.240.196.185]) by smtp.gmail.com with ESMTPSA id u6sm4674182pds.69.2015.09.08.16.18.46 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 08 Sep 2015 16:18:46 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\)) Subject: Re: Passphraseless Disk Encryption Options? From: Analysiser In-Reply-To: Date: Tue, 8 Sep 2015 16:18:45 -0700 Cc: Xin LI , Hackers freeBSD Content-Transfer-Encoding: quoted-printable Message-Id: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <55EF4B65.8030905@delphij.net> <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com> To: Igor Mozolevsky X-Mailer: Apple Mail (2.2104) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Sep 2015 23:18:48 -0000 Ah my current implementation has the boot process protected by TPM so if = the disk is wiped and another OS is installed it won=E2=80=99t boot=E2=80=A6= but thanks for the suggestion :D > On Sep 8, 2015, at 3:43 PM, Igor Mozolevsky = wrote: >=20 >=20 From owner-freebsd-hackers@freebsd.org Wed Sep 9 02:37:09 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E1B9FA00E79 for ; Wed, 9 Sep 2015 02:37:09 +0000 (UTC) (envelope-from rpokala@panasas.com) Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0057.outbound.protection.outlook.com [157.56.111.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "MSIT Machine Auth CA 2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7F2D414C3 for ; Wed, 9 Sep 2015 02:37:07 +0000 (UTC) (envelope-from rpokala@panasas.com) Received: from CY1PR08MB1803.namprd08.prod.outlook.com (10.162.218.25) by CY1PR08MB1804.namprd08.prod.outlook.com (10.162.218.26) with Microsoft SMTP Server (TLS) id 15.1.262.15; Wed, 9 Sep 2015 02:37:05 +0000 Received: from CY1PR08MB1803.namprd08.prod.outlook.com ([10.162.218.25]) by CY1PR08MB1803.namprd08.prod.outlook.com ([10.162.218.25]) with mapi id 15.01.0262.011; Wed, 9 Sep 2015 02:37:05 +0000 From: "Pokala, Ravi" To: "freebsd-hackers@freebsd.org" Subject: bus_.*_resource() and rid Thread-Topic: bus_.*_resource() and rid Thread-Index: AQHQ6qhpmlcbMDBrSUWapu14ripoSg== Date: Wed, 9 Sep 2015 02:37:04 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.5.4.150722 authentication-results: spf=none (sender IP is ) smtp.mailfrom=rpokala@panasas.com; x-ms-exchange-messagesentrepresentingtype: 1 x-originating-ip: [64.80.217.3] x-microsoft-exchange-diagnostics: 1; CY1PR08MB1804; 5:94/DvyVIARhcUSOPswbqf9dDoaG65T6RPO4JoNF04z8jvqfeP8W/P9mkENDvWURMrmCwEj2WAMCMj1xj/c48K2W0v9BkbBItH1nZAaEDfTIIA6Z2/EGD1Y+nMoQiOEeSRXd1D9O4NbVkgdZWqcledA==; 24:9G2kHp4apJzzNK0cTorkxUo4G6OhIPx50jk60SIjPpW+tOUr4Z83K/G+TcebddQFLGQl4nJp+ABtdmZ9GdFR2edrL66dPvzEmuj7T52ijsQ=; 20:397im9L9h8OOao9uYT9UaD06MYdJkosMx6AlCnyc6++BlxorWpMUgPIk3qQkMl2KPtLipFG7O/Tdi9AJX2haRg== x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR08MB1804; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(8121501046)(5005006)(3002001); SRVR:CY1PR08MB1804; BCL:0; PCL:0; RULEID:; SRVR:CY1PR08MB1804; x-forefront-prvs: 0694C54398 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(189002)(164054003)(199003)(101416001)(87936001)(62966003)(92566002)(2900100001)(450100001)(2501003)(107886002)(77096005)(77156002)(50986999)(102836002)(10400500002)(110136002)(11100500001)(36756003)(2351001)(15975445007)(5001960100002)(189998001)(97736004)(54356999)(5002640100001)(229853001)(5001860100001)(106356001)(99286002)(106116001)(46102003)(5001830100001)(68736005)(5001920100001)(86362001)(40100003)(105586002)(4001350100001)(4001540100001)(83506001)(81156007)(5890100001)(64706001)(5007970100001)(66066001)(122556002)(19580395003)(5004730100002)(21314002); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR08MB1804; H:CY1PR08MB1803.namprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; received-spf: None (protection.outlook.com: panasas.com does not designate permitted sender hosts) spamdiagnosticoutput: 1:23 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="us-ascii" Content-ID: <8388A5A97F429C48B6B06A7A5DA49573@namprd08.prod.outlook.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: panasas.com X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Sep 2015 02:37:04.0700 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: acf01c9d-c699-42af-bdbb-44bf582e60b0 X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR08MB1804 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Sep 2015 02:37:10 -0000 Hi folks, I'm modifying a home-grown device driver; this is the first time I've played around in device-probe and -attach, so I'm a bit out of my element here. This is an LPC device attached to a PCI-ISA bridge (aka the LPC controller). It's accessed through IOPORT, and the BIOS sets up enough stuff that we can look for it. One thing that's confusing me is the "rid" which is passed to a bunch of the bus_.*_resource() functions. I've looked at bus_set_resource(9), bus_alloc_resource(9), and section 10.5 of the Architecture Handbook[1], and I'm still confused. bus_alloc_resource(9) says: rid points to a bus specific handle that identifies the resource being allocated. For ISA this is an index into an array of resources that have been setup for this device by either the PnP mechanism, or via the hints mechanism. ... But there's no indication as to how we get that index. One possibility is that the value passed in doesn't matter; bus_alloc_resource() sets it correctly and the caller can use the new value. However, that doesn't appear to be the case, since lots of times rid is ignored after the call to bus_alloc_resource(). For the sake of discussion, here are stripped-down versions of our probe and attach functions: xxx_probe_unit(device_t dev) { uint32_t ioport_base; uint32_t ioport_size; int rc; /* Device identification stuff; details unimportant, but we determine * ioport_base and ioport_size. */ rc =3D bus_set_resource( /* dev */ dev, /* type */ SYS_RES_IOPORT, /* rid */ 0, /* start */ ioport_base, /* count */ ioport_size); } Most of those args are obvious, but I have no idea why rid is 0. It looks like lots of drivers pass in a rid of 0, and the original author might have just shrugged and gone with "convention". xxx_attach_unit(device_t dev) { struct xxx_softc *sc; int rid; struct resource res; sc =3D device_get_softc(dev); /* Device configuration stuff; details unimportant. */ rid =3D 0; res =3D bus_alloc_resource( /* dev */ dev, /* type */ SYS_RES_IOPORT, /* rid */ &rid, /* start */ 0, /* end */ ~0, /* count */ sc->ioport_size, /* flags */ RF_ACTIVE); /* save stuff for use with bus_space_{read,write}_1() */ sc->iobase_addr =3D rman_get_start(res); sc->iobase_bustag =3D rman_get_bustag(res); sc->iobase_bushandle =3D rman_get_bushandle(res); sc->dev =3D dev; } Again, most things are fairly obvious, but I have no idea why rid is 0. It's passed by reference to bus_alloc_resource(), but the potentially-altered value is never stored or used. The lazy part of me says to just go with blindly passing in 0, because it works. However, the new device I'm adding support for will have multiple IOPORT ranges associated with it, so I'm not sure if passing 0 is the right thing. Any help would be appreciated. Thanks, Ravi [1]=20 https://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/isa-driver- resources.html From owner-freebsd-hackers@freebsd.org Wed Sep 9 02:53:25 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A58529CC7E6 for ; Wed, 9 Sep 2015 02:53:25 +0000 (UTC) (envelope-from frase@frase.id.au) Received: from captainmorgan.hollandpark.frase.id.au (110-174-235-130.static.tpgi.com.au [110.174.235.130]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D1FF31D3A for ; Wed, 9 Sep 2015 02:53:24 +0000 (UTC) (envelope-from frase@frase.id.au) Received: from bacardi.hollandpark.frase.id.au (bacardi.hollandpark.frase.id.au [192.168.0.100]) by captainmorgan.hollandpark.frase.id.au (8.14.9/8.14.9) with ESMTP id t892PZdl008067; Wed, 9 Sep 2015 12:25:35 +1000 (EST) (envelope-from frase@frase.id.au) Received: from bacardi.hollandpark.frase.id.au (localhost [127.0.0.1]) by bacardi.hollandpark.frase.id.au (8.15.2/8.15.2) with ESMTPS id t892PZdW098264 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 9 Sep 2015 12:25:35 +1000 (EST) (envelope-from frase@frase.id.au) Received: (from fraser@localhost) by bacardi.hollandpark.frase.id.au (8.15.2/8.15.2/Submit) id t892PWaQ098263; Wed, 9 Sep 2015 12:25:32 +1000 (EST) (envelope-from frase@frase.id.au) X-Authentication-Warning: bacardi.hollandpark.frase.id.au: fraser set sender to frase@frase.id.au using -f Date: Wed, 9 Sep 2015 12:25:32 +1000 From: Fraser Tweedale To: Analysiser Cc: freebsd-hackers@freebsd.org Subject: Re: Passphraseless Disk Encryption Options? Message-ID: <20150909022531.GW1656@bacardi.hollandpark.frase.id.au> Mail-Followup-To: Analysiser , freebsd-hackers@freebsd.org References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="jAJnlX6Iz2QeVWJH" Content-Disposition: inline In-Reply-To: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Sep 2015 02:53:25 -0000 --jAJnlX6Iz2QeVWJH Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Sep 08, 2015 at 10:22:21AM -0700, Analysiser wrote: > Hi, >=20 > I=E2=80=99m trying to perform a whole disk encryption for my boot drive t= o protect its data at rest. However I would like to have a mac OS X-ish ful= l disk encryption that does not explicitly ask for a passphrase and would b= oot as normal without manual input of passphrase. I tried to do it with gel= i(8) but it seems there is no way I can avoid the manual interaction. Reall= y curious if there is a way to achieve it? Thanks! >=20 >=20 > Xiao > If the machine is on a trusted network, and if networking capabilities are available in the boot environment, you can coordinate with another host to decrypt the secret key and boot without operator intervention. In the scheme proposed in [1] the secret is encrypted locally and sent to a trusted server for decryption (TLS protects the secret on the wire). A variation of this protocol that does not expose the secret to the decryption service or on the wire is being investigated. You can watch a demo[2] of the system in action. The tech is all very Red Hat-centric at the moment but the general approach or the specific protocol could be implemented for FreeBSD. [1] http://www.freeipa.org/page/Network_Bound_Disk_Encryption [2] https://www.youtube.com/watch?v=3DlyDmhhVgXEc Cheers, Fraser --jAJnlX6Iz2QeVWJH Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJV75iYAAoJEEtTkFJBEeHivGoP/1A0Ts+QzcscmIeBfm/Bo3di hBpemsFyKLd+9aT6Uq5t9H3Uf+6HrUFPOZQbplPUnEW6F2Q5+HBEIkW/T+NQrOsp xJqVCm5/jivZVq5CfAeYhzaKIqD/xwQX/ima++EbQyWktIR64+TJIX3QYcVw80dI UHpKZnzCgFSlqE95Q5budlfrL0nyFcIHUoAYAjol7Y1OffGg30U/AppV+Kw8Qkks mgiWPnz25HB6LqK2+DIy3/tEDtc7GIhWPIyGI30rNeu2ZQUzO1nK2W6/ReI+Jyy0 DQeIeT4QJgGxv1/5CxiT66u0Gx/KdkDMiRbNe2WKnwtGOcZ6HGdBPsS/BeOhAtCf RY1yJMgtH/U2t256KdqQlFjR19+Wh6+Y8eay53ccZMlCgKbdRq1tdj2Uc7lWqNxb N69yV4mnKuNbIjF+03uUocsAjoVFTkmj2QOyBkSLa0aBfl1G/6BGGpnYXEbKyRq0 E5hspPHK9IpG4DvX2vaDn/BxwCDgEjm59vvySbf/TpC6vXOAQMAXlbpsdFfEefr2 OzCGEuN8doxEp5Qac7SUDe8SpS4vOtbTYxQPrebmY+CZCbKaNVT7YxoHqOMeLakN bsmYfeQ2oFkIZWcxzfvuu6mTjQxLAC0eSu8eEwS6/tE6OtL6ns5punxnPRgsXIlu yaSHM1VY5pIYtWcKGs/R =MKDc -----END PGP SIGNATURE----- --jAJnlX6Iz2QeVWJH-- From owner-freebsd-hackers@freebsd.org Wed Sep 9 09:57:37 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5BE0B9CD29B for ; Wed, 9 Sep 2015 09:57:37 +0000 (UTC) (envelope-from freebsd-listen@fabiankeil.de) Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.18.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 193C21F27 for ; Wed, 9 Sep 2015 09:57:36 +0000 (UTC) (envelope-from freebsd-listen@fabiankeil.de) Received: from [78.35.136.4] (helo=fabiankeil.de) by smtprelay02.ispgateway.de with esmtpsa (TLSv1.2:AES128-GCM-SHA256:128) (Exim 4.84) (envelope-from ) id 1ZZc7K-00024H-Gy for freebsd-hackers@freebsd.org; Wed, 09 Sep 2015 11:56:38 +0200 Date: Wed, 9 Sep 2015 11:56:38 +0200 From: Fabian Keil To: freebsd-hackers@freebsd.org Subject: Re: Passphraseless Disk Encryption Options? Message-ID: <74e08b7d.41e63923@fabiankeil.de> In-Reply-To: <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <55EF4B65.8030905@delphij.net> <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; boundary="Sig_/D6.8r5ZrEU8ROi9/IQKvQtQ"; protocol="application/pgp-signature" X-Df-Sender: Nzc1MDY3 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Sep 2015 09:57:37 -0000 --Sig_/D6.8r5ZrEU8ROi9/IQKvQtQ Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Analysiser wrote: > I=E2=80=99m trying to protect my startup disk=E2=80=99s data from being t= ampered with > by someone who has physically access to the disk. He might put it on some > other machine, add some malicious code or check the logs stored in /var, > and then put it back my machine, when the machine is stayed in some public > untrusted environment. When I regain the machine from a public untrusted > environment and boot the disk, some malicious code might running and try > to contaminate my own network or other machines, or monitor my activities > with the machine.=20 You can boot the system using an encrypted root pool by putting a geli keyfile and essential parts of the kernel on an unencrypted boot pool that is destroyed and overwritten once the system has booted. I do that with ElectroBSD but it works on vanilla FreeBSD as well. It's not perfect, but depending on your threat model it may be good enough: https://www.fabiankeil.de/gehacktes/electrobsd/#fde https://www.fabiankeil.de/gehacktes/cloudiatr/ Fabian --Sig_/D6.8r5ZrEU8ROi9/IQKvQtQ Content-Type: application/pgp-signature Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlXwAlYACgkQBYqIVf93VJ1WsgCfVXm5UPPCbsMBos2SnyCeEr4a grsAn2aEJj6MFOHJ05PcT3hLvE5gsOwz =PKpT -----END PGP SIGNATURE----- --Sig_/D6.8r5ZrEU8ROi9/IQKvQtQ-- From owner-freebsd-hackers@freebsd.org Wed Sep 9 10:23:41 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D93BE9CDFB2 for ; Wed, 9 Sep 2015 10:23:41 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A02451F03 for ; Wed, 9 Sep 2015 10:23:41 +0000 (UTC) (envelope-from mozolevsky@gmail.com) Received: by igxx6 with SMTP id x6so10542392igx.1 for ; Wed, 09 Sep 2015 03:23:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=iTan7PT4z6I2O0uxPuBU6gC7yf5Lv3QO4kiiC5yGJkI=; b=AbXtbjzgQZP1iuSSsGzKKWO1HTEpGV9BF0hsk0v8zDPkWwLIZN2QAMWrGUqAfieVKV O+cBMRv9XzmfQ9FQWjO/gAPHoXcnSCUiWA9Zhc9pBbjOhZcZa6OQi2gCC7MwdojDgaua HT3z8ur2CeZAGNyOeD7QZvNygINCsPm90TOXtcZmcT93BnAF4GTabd8ZiQ27pfyzXZHd 2vQ9AsfqtdQzt1kp3xwlOAkpTI4fXNAdBh4O4er/TBPGlC7cmwub/z88/JrNOtjwa1XM wMOKZXluWHQgGxZ4sRDcGEXTRBDL6P1a6O0zadEhq61g6t35dgtkpEUOE7nld7dB7/P/ kgcQ== X-Received: by 10.50.127.177 with SMTP id nh17mr40607071igb.40.1441794220961; Wed, 09 Sep 2015 03:23:40 -0700 (PDT) MIME-Version: 1.0 Sender: mozolevsky@gmail.com Received: by 10.79.92.198 with HTTP; Wed, 9 Sep 2015 03:23:01 -0700 (PDT) In-Reply-To: <74e08b7d.41e63923@fabiankeil.de> References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> <55EF4B65.8030905@delphij.net> <74385D4D-48C7-4B5B-BF94-B99806C667EE@gmail.com> <74e08b7d.41e63923@fabiankeil.de> From: Igor Mozolevsky Date: Wed, 9 Sep 2015 11:23:01 +0100 X-Google-Sender-Auth: ZADqV0G7DqN06oXprW50w6oMQc0 Message-ID: Subject: Re: Passphraseless Disk Encryption Options? To: Fabian Keil Cc: Hackers freeBSD Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Sep 2015 10:23:41 -0000 On 9 September 2015 at 10:56, Fabian Keil wrote: > Analysiser wrote: > > > I=E2=80=99m trying to protect my startup disk=E2=80=99s data from being= tampered with > > by someone who has physically access to the disk. He might put it on so= me > > other machine, add some malicious code or check the logs stored in /var= , > > and then put it back my machine, when the machine is stayed in some > public > > untrusted environment. When I regain the machine from a public untruste= d > > environment and boot the disk, some malicious code might running and tr= y > > to contaminate my own network or other machines, or monitor my activiti= es > > with the machine. > > You can boot the system using an encrypted root pool by putting a > geli keyfile and essential parts of the kernel on an unencrypted > boot pool that is destroyed and overwritten once the system has > booted. > > I do that with ElectroBSD but it works on vanilla FreeBSD as > well. It's not perfect, but depending on your threat model it > may be good enough: > https://www.fabiankeil.de/gehacktes/electrobsd/#fde > https://www.fabiankeil.de/gehacktes/cloudiatr/ Can't this be simply undermined by the adversary yanking the power cord resulting in the disk being but a source of entropy? There is, of course, a number of scenarios where that would be a perfectly desirable outcome, but based on what was said earlier, I doubt this is one of them. I am still unclear what the OP is trying to achieve: first the requirement was to protect the data on disk from being taken by third party, then the OP said they just wanted to prevent tampering because they'd be bringing the box back into their network=E2=80=A6 Then, there's the whole headless issue: it was said that there's only the NIC and the power cord. If that is true, the only way to tamper with data is to gain physical access to the device. The OP thinks that TPM+trusted gptBoot waves some magic wand and makes the system secure from tampering; I seriously doubt that- if one can replace the disk, why can't their replace TPM, clear BIOS with a jumper, or replace the board all together? The point I'm driving at is that it seems that the threat model and attack vectors are not properly analysed for that particular environment, and there's wishful thinking about a magic genie-in-a-box solution. The final point is: you cannot have a device that guarantees confidentiality, availability, and integrity of data in the circumstances described- you have to sacrifice at least one of the three. If you are storing the decryption key alongside the encrypted data, no sane person should ever think that data is actually encrypted. --=20 Igor M. From owner-freebsd-hackers@freebsd.org Wed Sep 9 13:26:09 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3F45A9CCD34 for ; Wed, 9 Sep 2015 13:26:09 +0000 (UTC) (envelope-from lars@e-new.0x20.net) Received: from mail.0x20.net (mail.0x20.net [IPv6:2001:aa8:fffb:1::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.0x20.net", Issuer "mail.0x20.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id C604B1B83; Wed, 9 Sep 2015 13:26:08 +0000 (UTC) (envelope-from lars@e-new.0x20.net) Received: from e-new.0x20.net (mail.0x20.net [IPv6:2001:aa8:fffb:1::3]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.0x20.net (Postfix) with ESMTPS id B11606DF91B; Wed, 9 Sep 2015 15:26:05 +0200 (CEST) Received: from e-new.0x20.net (localhost [127.0.0.1]) by e-new.0x20.net (8.14.7/8.14.7) with ESMTP id t89DQ5pc055275; Wed, 9 Sep 2015 15:26:05 +0200 (CEST) (envelope-from lars@e-new.0x20.net) Received: (from lars@localhost) by e-new.0x20.net (8.14.7/8.14.7/Submit) id t89DQ5tf055087; Wed, 9 Sep 2015 15:26:05 +0200 (CEST) (envelope-from lars) Date: Wed, 9 Sep 2015 15:26:05 +0200 From: Lars Engels To: Allan Jude Cc: freebsd-hackers@freebsd.org Subject: Re: How to control and setup service? Message-ID: <20150909132605.GP16003@e-new.0x20.net> References: <20150827200534.GH16003@e-new.0x20.net> <55E086D3.1040700@freebsd.org> <55E1803E.7080706@freebsd.org> <20150907104458.GL16003@e-new.0x20.net> <55EDBD63.6060600@freebsd.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="RtGa12sjXv8gVUZO" Content-Disposition: inline In-Reply-To: <55EDBD63.6060600@freebsd.org> X-Editor: VIM - Vi IMproved 7.4 X-Operation-System: FreeBSD 8.4-RELEASE-p23 User-Agent: Mutt/1.5.23 (2014-03-12) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Sep 2015 13:26:09 -0000 --RtGa12sjXv8gVUZO Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Sep 07, 2015 at 12:37:55PM -0400, Allan Jude wrote: > On 2015-09-07 06:44, Lars Engels wrote: > > On Mon, Aug 31, 2015 at 10:57:27AM +0300, Pavel Timofeev wrote: > >> 2015-08-29 12:49 GMT+03:00 Stefan Esser : > >>> Am 28.08.2015 um 18:51 schrieb Pavel Timofeev: > >>>> Sorry for top posting! It's pretty hard to write email walking under > >>>> heavy rain and umbrella. > >>>> So, I talked about special key, not default behaviour. > >>>> Let me give you an example. > >>>> You got a server (or ten) which was/were somehow configured before y= ou. > >>>> You want to reconfigure it/them. You don't care how and where it's > >>>> already configured, you just want to set particular rcvars and be su= re > >>>> that no other rcvars are set. > >>>> > >>>> Before you came it was: > >>>> mysql_enable=3D"YES/NO" # no matter > >>>> mysql_datadir=3D"/mycozystorage/db/mysql" > >>>> mysql_defaults_extra_file=3D"/mycozystorage/mysql/my.cnf" > >>>> mysql_plugin_dir=3D"/somewhere/lib/mysql/plugin" > >>>> mysql_log_error=3D"/mycozystorage/db/mysql/hostname.err" > >>>> > >>>> then you run something like (look at -k key) > >>>> # service -k mysql-server enable set datadir "/mysqldb" log_error > >>>> "/mysqllogs/hostname.err" > >>>> it becomes > >>>> mysql_enable=3D"YES" > >>>> mysql_datadir=3D"/mysqldb" > >>>> mysql_log_error=3D"/mysqllogs/hostname.err" > >>>> > >>>> I. e. sets what requested and deletes rcvars which was not requested. > >>> > >>> I think that the removal of the previous config state should not come > >>> as the side-effect of some "set" command. > >>> > >>> I'd rather introduce a now verb for this purpose, which has the effect > >>> of clearing all previous settings for a service, instead of overloadi= ng > >>> the "set" operation. > >> > >> BTW, it's already suggested here https://reviews.freebsd.org/D451 > >> it's rcdelete. Not sure if it's good name. > >> > >=20 > > Back from holidays... > >=20 > > It would be nice if we could find a consensus what should be done with > > my patch in D451. The code itself works fine for me, but what's still > > unclear is what config files should be touched by it: > >=20 > > 1 /etc/rc.conf > > 2 /etc/rc.conf.local > > 3 /etc/rc.conf.d/$servicename > >=20 > > I could add some flags to service(8), e.g. -l to edit rc.conf.local, -d > > for /etc/rc.conf.d. > >=20 > > But please don't let the review rot any longer. :) > >=20 > >=20 >=20 > I plan to have a discussion about your review and the right solutions at > the vBSDCon dev summit this friday. Don't worry, your review is not rotti= ng. Yes, I saw that you sent an updated patch for review. Thanks! --RtGa12sjXv8gVUZO Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQF8BAEBCgBmBQJV8DNsXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4RjQwMDE3RTRERjUzMTI1N0FGRTUxNDlF NTRDQjM3RDNBMDg5RDZEAAoJEOVMs306CJ1toF8H/i9wvTfIVnM7dsUUxaKyOYIa AO0D4EbngMl1LbegSxWrRzZGdFnBH+IFb9phJLKOIjM5kdsxNVzUjBIJKj63u3h9 SHNdBxE28pjDbQeC81SfBio5klIp8HL7NuPy+0xpik6j0vGj/q84P5T6EK00nHgq QsuPNylbvS9MT21g1bKzKuFHuElnOUECIClzZRLbZIboGzHPE78vqaML3hI01nNc uBxOZMCzP+FVJgxjxkatkPRJLJuLYmNtniHdSqadAiHSdYbxV2AsCt7IxFqd9tHl nEuERX09W03IJABjqF6N6tkPerxyDHkTJ6bw5Z18NQ3qY0fCkImaPeraPREdhww= =I7KZ -----END PGP SIGNATURE----- --RtGa12sjXv8gVUZO-- From owner-freebsd-hackers@freebsd.org Wed Sep 9 14:44:02 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5B1139CDC7B for ; Wed, 9 Sep 2015 14:44:02 +0000 (UTC) (envelope-from f0andrey@gmail.com) Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 2A5D81A0D for ; Wed, 9 Sep 2015 14:44:02 +0000 (UTC) (envelope-from f0andrey@gmail.com) Received: by iofh134 with SMTP id h134so24696169iof.0 for ; Wed, 09 Sep 2015 07:44:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=jfjT0E7vo52eOegC72rKFL/jZA2BgcHxmS/3li+VyHQ=; b=1D0tLZLvZR9M8wYU/HWGTMab+236wEYIwtIJi53+5vgYkigEmzSHkCRtzShBMlbd6I ZCGS9LUIl5GNGkFT/9WtnhRgZJP7fgW2DF4upmF2NaaSrxK9sh2K59ur6QyciZJ0+RJ6 ffObkwNS0RgisDhXIlUbwf3mHLPNbb5Oi2PW7ECXNQETzRNnMd4J7M5BWYgTtn+QAelm +wLCRNvpIDUHDTxRs6qEEfWEmFAjqXRCwj2kYbz62tYDK7/2ipz75JtOUMy8U782Q+BS /BezRJndTEtlR9tEu7F1a52HvRDAwEWpVV9HnGLNoH4ajq4f9PczFm/Ie02e7C24XzUe q+rA== MIME-Version: 1.0 X-Received: by 10.107.136.213 with SMTP id s82mr50366051ioi.111.1441809841641; Wed, 09 Sep 2015 07:44:01 -0700 (PDT) Received: by 10.79.19.70 with HTTP; Wed, 9 Sep 2015 07:44:01 -0700 (PDT) Date: Wed, 9 Sep 2015 17:44:01 +0300 Message-ID: Subject: btxv86.h file not found (amd64 system) buildworld (test gsoc project) From: Andrey Fesenko To: prasadjoshi.linux@gmail.com, "freebsd-hackers@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Sep 2015 14:44:02 -0000 Hello, I'm test [gsoc15] dynamically discover bes, this project i386-only? If buildworld uname -a FreeBSD des.local 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r285895M: Sun Jul 26 23:02:06 MSK 2015 root@des.local:/usr/obj/usr/src/sys/GENERIC amd64 .... CC='cc ' mkdep -f .depend -a -DBOOTPROG=\"zfsloader\" -I/usr/src/sys/boot/zfs/../com mon -I/usr/src/sys/boot/zfs/../.. -I. -I/usr/src/sys/boot/zfs/../../../lib/libstand -I/u sr/src/sys/boot/zfs/../../cddl/boot/zfs -D_STANDALONE -std=gnu99 /usr/src/sys/boot/zfs /zfs.c /usr/src/sys/boot/zfs/bootenv.c /usr/src/sys/boot/zfs/boot_menu.c /usr/src/sys/boot/zfs/boot_menu.c:1:10: fatal error: 'btxv86.h' file not found #include ^ 1 error generated. mkdep: compile failed *** [.depend] Error code 1 .... From owner-freebsd-hackers@freebsd.org Wed Sep 9 20:38:04 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B231DA01548; Wed, 9 Sep 2015 20:38:04 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-ig0-x22c.google.com (mail-ig0-x22c.google.com [IPv6:2607:f8b0:4001:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 824E0114C; Wed, 9 Sep 2015 20:38:04 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: by igbkq10 with SMTP id kq10so4126782igb.0; Wed, 09 Sep 2015 13:38:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:from:date:message-id:subject:to:content-type; bh=PysglyN/nlPkwPuDNSXELWgE2+1oh0dFKcbWSmfQdYg=; b=BcugNJFeyOlKBJu3hz2yUSXLAXhWeVRhj+pHN/xxbO2pQxfWYqKQCl9TcuOjHlFoc/ ekrQDbafRsldyz2hkYpmdiMa0vXLuT1jSuuS5KMFQLwREMdDnP/Z8tcTzqV4mq6ZzHqH N3tmwZ+pvUWFBsanEG/DjPbveWF4HnlJm/zc5H/XzSjbyHVPeecS1XhRZCm3jV+gGoND 8M8MkwOt+KUJecFwSsv2TXR+QJzBUyGyM0tNmTokvLzVLDCAc37QGX1x5vkt4lgIwEy2 XJtiEEm0QqmiItaus4dd+KszOKkFyNtxMhXglWpqCGCsqG/FrNeV9fEu1xt+pV6J4NLU vCYA== X-Received: by 10.50.92.38 with SMTP id cj6mr4135470igb.58.1441831083830; Wed, 09 Sep 2015 13:38:03 -0700 (PDT) MIME-Version: 1.0 Sender: carpeddiem@gmail.com Received: by 10.107.158.75 with HTTP; Wed, 9 Sep 2015 13:37:44 -0700 (PDT) From: Ed Maste Date: Wed, 9 Sep 2015 16:37:44 -0400 X-Google-Sender-Auth: hj7kx_MHYSAk8_LZwlSS4Temt6w Message-ID: Subject: Call for FreeBSD 2015Q3 (July-September) Status Reports To: FreeBSD Current , "freebsd-hackers@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Sep 2015 20:38:04 -0000 Dear FreeBSD Community, The deadline for the next FreeBSD Quarterly Status update is October 7, 2015, for work done in July through September. Status report submissions do not have to be very long. They may be about anything happening in the FreeBSD project and community, and provide a great way to inform FreeBSD users and developers about what you're working on. Submission of reports is not restricted to committers. Anyone doing anything interesting and FreeBSD-related can -- and should -- write one! The preferred and easiest submission method is to use the XML generator [1] with the results emailed to the status report team at monthly at freebsd.org . There is also an XML template [2] which can be filled out manually and attached if preferred. For the expected content and style, please study our guidelines on how to write a good status report [3]. You can also review previous issues [4][5] for ideas on the style and format. We are looking forward to all of your 2015Q3 reports! Thanks, Ed (on behalf of monthly@) [1] http://www.freebsd.org/cgi/monthly.cgi [2] http://www.freebsd.org/news/status/report-sample.xml [3] http://www.freebsd.org/news/status/howto.html [4] http://www.freebsd.org/news/status/report-2015-01-2015-03.html [5] http://www.freebsd.org/news/status/report-2015-04-2015-06.html From owner-freebsd-hackers@freebsd.org Thu Sep 10 03:04:04 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 18D04A01658 for ; Thu, 10 Sep 2015 03:04:04 +0000 (UTC) (envelope-from vijju.singh@gmail.com) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id F090F176F for ; Thu, 10 Sep 2015 03:04:03 +0000 (UTC) (envelope-from vijju.singh@gmail.com) Received: by mailman.ysv.freebsd.org (Postfix) id ED783A01657; Thu, 10 Sep 2015 03:04:03 +0000 (UTC) Delivered-To: hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id ED1C0A01656 for ; Thu, 10 Sep 2015 03:04:03 +0000 (UTC) (envelope-from vijju.singh@gmail.com) Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BC168176E for ; Thu, 10 Sep 2015 03:04:03 +0000 (UTC) (envelope-from vijju.singh@gmail.com) Received: by iofb144 with SMTP id b144so45820698iof.1 for ; Wed, 09 Sep 2015 20:04:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=vsnSljsTFCmrGr8PSR1BHFVkSp+3UMjMQWjpmS+oVN4=; b=HY20PmMk7oRRMynDiFABgfOMq5WqFXx3p+7/Ae0bNBJxhNpUhvLgJYtiW4NazWlzb/ Mn5pfSwVDxRWDajawJOq/sTeRrg6UMHBU9LK0W58YqNTfXS7XDmOhxv6FvbZG2dm9Gwf I6cHqpbeSRNMwdATLOa+/JY6fLc0NWaQewTEqOucOCOSSFpNwMwnwS93DHA9w0spFpSc q9cEWrbCfW12CPEQUHB4b0V6EL0aBfuGb0MbuIOGnD5MMuDPdukLluIVVDVHpyyqJDtn qqs2fXsPRDk8GFeKb7REMDyHoMbVrm2IWbJ56A31w8I8C3wuvahmRlkCoWHIyO0Su0Vu 9Kxg== MIME-Version: 1.0 X-Received: by 10.107.131.134 with SMTP id n6mr48720351ioi.192.1441854242973; Wed, 09 Sep 2015 20:04:02 -0700 (PDT) Received: by 10.107.131.231 with HTTP; Wed, 9 Sep 2015 20:04:02 -0700 (PDT) Date: Wed, 9 Sep 2015 20:04:02 -0700 Message-ID: Subject: wakeup in g_do_wither From: Vijay Singh To: "freebsd-hackers@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.20 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Sep 2015 03:04:04 -0000 Hi, in g_do_wither(), would it be better to release the mutex after the wakeup() call? As an example, g_cancel_event() does this. -vijay From owner-freebsd-hackers@freebsd.org Thu Sep 10 05:58:39 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CF137A010D7 for ; Thu, 10 Sep 2015 05:58:39 +0000 (UTC) (envelope-from prasadjoshi.linux@gmail.com) Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 8ABE11D8E for ; Thu, 10 Sep 2015 05:58:39 +0000 (UTC) (envelope-from prasadjoshi.linux@gmail.com) Received: by vkfp126 with SMTP id p126so3692056vkf.3 for ; Wed, 09 Sep 2015 22:58:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vmCgxHFV+zCFtGx81WJ7iCrQsVVzJD+xyLeKeybTRW0=; b=YRG7nuYrr3lERPzpANsldwXmESm3cieRzV1TxHifz8QXu5faRvPJ1vCEwzm1qYG425 m+aQ1oDXrA/L/i1usv756CoYuMKX/z/6EfV1hJCAeiEUHEQZxAGLSgmKtHWAMe5sTMsY 55aVrHTS3JLRhTJMxR8HqZJsql1ChUDzRDt0mBJJ1yv6/YR4JKrO55FMcHYHz6qD6tg0 G0rxBm/mb4UI5Meb0hAs/tUPRxmpkkxiks/UFJViRYbJd3KBB0ioNbKO6sERnuBpysFI QTvTXLwKsTLo8U0uOuMtHMUrRdrfUSMSMlXDNE/K5tsjE4pXXq4oAJ2SL3NqERg+B3+m Shqg== MIME-Version: 1.0 X-Received: by 10.31.135.133 with SMTP id j127mr663595vkd.73.1441864718459; Wed, 09 Sep 2015 22:58:38 -0700 (PDT) Received: by 10.31.50.6 with HTTP; Wed, 9 Sep 2015 22:58:38 -0700 (PDT) In-Reply-To: References: Date: Thu, 10 Sep 2015 11:28:38 +0530 Message-ID: Subject: Re: btxv86.h file not found (amd64 system) buildworld (test gsoc project) From: Prasad Joshi To: Andrey Fesenko Cc: "freebsd-hackers@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Sep 2015 05:58:39 -0000 On Wed, Sep 9, 2015 at 8:14 PM, Andrey Fesenko wrote: > Hello, > I'm test [gsoc15] dynamically discover bes, this project i386-only? > > If buildworld > > uname -a > FreeBSD des.local 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r285895M: Sun > Jul 26 23:02:06 MSK 2015 > root@des.local:/usr/obj/usr/src/sys/GENERIC amd64 > > .... > CC='cc ' mkdep -f .depend -a -DBOOTPROG=\"zfsloader\" > -I/usr/src/sys/boot/zfs/../com > mon -I/usr/src/sys/boot/zfs/../.. -I. > -I/usr/src/sys/boot/zfs/../../../lib/libstand -I/u > sr/src/sys/boot/zfs/../../cddl/boot/zfs -D_STANDALONE -std=gnu99 > /usr/src/sys/boot/zfs > /zfs.c /usr/src/sys/boot/zfs/bootenv.c /usr/src/sys/boot/zfs/boot_menu.c > /usr/src/sys/boot/zfs/boot_menu.c:1:10: fatal error: 'btxv86.h' file not found > #include > ^ I will have a look and update you accordingly. Thanks and Regards, Prasad > 1 error generated. > mkdep: compile failed > *** [.depend] Error code 1 > .... From owner-freebsd-hackers@freebsd.org Thu Sep 10 20:45:18 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9CDC0A009D7 for ; Thu, 10 Sep 2015 20:45:18 +0000 (UTC) (envelope-from jilles@stack.nl) Received: from mx1.stack.nl (relay02.stack.nl [IPv6:2001:610:1108:5010::104]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mailhost.stack.nl", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 66E2A1079 for ; Thu, 10 Sep 2015 20:45:18 +0000 (UTC) (envelope-from jilles@stack.nl) Received: from snail.stack.nl (snail.stack.nl [IPv6:2001:610:1108:5010::131]) by mx1.stack.nl (Postfix) with ESMTP id F0AD0359319 for ; Thu, 10 Sep 2015 22:45:14 +0200 (CEST) Received: by snail.stack.nl (Postfix, from userid 1677) id CC79728494; Thu, 10 Sep 2015 22:45:14 +0200 (CEST) Date: Thu, 10 Sep 2015 22:45:14 +0200 From: Jilles Tjoelker To: freebsd-hackers@freebsd.org Subject: D3614 wordexp(): reliable WRDE_NOCMD by extending sh Message-ID: <20150910204514.GB24907@stack.nl> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Sep 2015 20:45:18 -0000 It appears that there is some wordexp() use that may depend on security of WRDE_NOCMD. The current wordexp() allows arbitrary command execution even if WRDE_NOCMD is set, since shell syntax is too complicated to detect command substitution and unquoted operators reliably without implementing much of sh's parser. This diff fixes this by adding some functionality to sh (as opposed to implementing a full shell parser in libc). The new functionality is an undocumented builtin utility freebsd_wordexp that invokes the parser and expansion code. The old undocumented builtin utility wordexp may be removed at some point. The basic concept is: execl("/bin/sh", "sh", "-c", "freebsd_wordexp ${1:+\"$1\"} -f "$2", "", flags & WRDE_NOCMD ? "-p" : "", ); Apart from implementing wordexp(), freebsd_wordexp is also useful to fuzz more of sh than can be reached via sh -n. I fixed two bugs in the expansion code via fuzzing (already committed as r287081 and r287148). I may use this freebsd_ prefix more often for non-standard functionality. While changing sh's support anyway, also read input from a pipe instead of arguments to avoid {ARG_MAX} limits and improve privacy, and output count and length using 16 instead of 8 digits. The WRDE_BADCHAR error is still implemented in libc. POSIX requires us to fail strings containing unquoted braces with code WRDE_BADCHAR. Since this is normally not a syntax error in sh, there is still a need for checking code in libc, we_check(). The new we_check() is an optimistic check that all the characters | & ; < > ( ) { } are quoted. To avoid duplicating too much sh logic, such characters are permitted when quoting characters are seen, even if the quoting characters may themselves be quoted. This code reports all WRDE_BADCHAR errors; bad characters that get past it and are a syntax error in sh return WRDE_SYNTAX. The diff is at https://reviews.freebsd.org/D3614 -- Jilles Tjoelker From owner-freebsd-hackers@freebsd.org Thu Sep 10 22:33:00 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9A21CA01820 for ; Thu, 10 Sep 2015 22:33:00 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from bigwig.baldwin.cx (bigwig.baldwin.cx [IPv6:2001:470:1f11:75::1]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 73C781A99 for ; Thu, 10 Sep 2015 22:33:00 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from ralph.baldwin.cx (c-73-231-226-104.hsd1.ca.comcast.net [73.231.226.104]) by bigwig.baldwin.cx (Postfix) with ESMTPSA id C179AB939; Thu, 10 Sep 2015 18:32:58 -0400 (EDT) From: John Baldwin To: freebsd-hackers@freebsd.org Cc: "Pokala, Ravi" Subject: Re: bus_.*_resource() and rid Date: Thu, 10 Sep 2015 14:24:20 -0700 Message-ID: <1685918.WyYIclYTSg@ralph.baldwin.cx> User-Agent: KMail/4.14.3 (FreeBSD/10.2-PRERELEASE; KDE/4.14.3; amd64; ; ) In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (bigwig.baldwin.cx); Thu, 10 Sep 2015 18:32:58 -0400 (EDT) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Sep 2015 22:33:00 -0000 On Wednesday, September 09, 2015 02:37:04 AM Pokala, Ravi wrote: > Hi folks, > > I'm modifying a home-grown device driver; this is the first time I've > played around in device-probe and -attach, so I'm a bit out of my element > here. This is an LPC device attached to a PCI-ISA bridge (aka the LPC > controller). It's accessed through IOPORT, and the BIOS sets up enough > stuff that we can look for it. > > One thing that's confusing me is the "rid" which is passed to a bunch of > the bus_.*_resource() functions. I've looked at bus_set_resource(9), > bus_alloc_resource(9), and section 10.5 of the Architecture Handbook[1], > and I'm still confused. > > bus_alloc_resource(9) says: > > rid points to a bus specific handle that identifies the resource being > allocated. For ISA this is an index into an array of resources that > have > been setup for this device by either the PnP mechanism, or via the > hints > mechanism. ... > > > But there's no indication as to how we get that index. One possibility is > that the value passed in doesn't matter; bus_alloc_resource() sets it > correctly and the caller can use the new value. However, that doesn't > appear to be the case, since lots of times rid is ignored after the call > to bus_alloc_resource(). > > For the sake of discussion, here are stripped-down versions of our probe > and attach functions: > > xxx_probe_unit(device_t dev) > { > uint32_t ioport_base; > uint32_t ioport_size; > int rc; > > /* Device identification stuff; details unimportant, but we determine > * ioport_base and ioport_size. > */ > > rc = bus_set_resource( > /* dev */ dev, > /* type */ SYS_RES_IOPORT, > /* rid */ 0, > /* start */ ioport_base, > /* count */ ioport_size); > } > > Most of those args are obvious, but I have no idea why rid is 0. It looks > like lots of drivers pass in a rid of 0, and the original author might > have just shrugged and gone with "convention". > > xxx_attach_unit(device_t dev) > { > struct xxx_softc *sc; > int rid; > struct resource res; > > sc = device_get_softc(dev); > > /* Device configuration stuff; details unimportant. */ > > rid = 0; > res = bus_alloc_resource( > /* dev */ dev, > /* type */ SYS_RES_IOPORT, > /* rid */ &rid, > /* start */ 0, > /* end */ ~0, > /* count */ sc->ioport_size, > /* flags */ RF_ACTIVE); > > /* save stuff for use with bus_space_{read,write}_1() */ > sc->iobase_addr = rman_get_start(res); > sc->iobase_bustag = rman_get_bustag(res); > sc->iobase_bushandle = rman_get_bushandle(res); > sc->dev = dev; > } > > Again, most things are fairly obvious, but I have no idea why rid is 0. > It's passed by reference to bus_alloc_resource(), but the > potentially-altered value is never stored or used. > > The lazy part of me says to just go with blindly passing in 0, because it > works. However, the new device I'm adding support for will have multiple > IOPORT ranges associated with it, so I'm not sure if passing 0 is the > right thing. > > Any help would be appreciated. Each bus decides how to manage RIDs. For PCI devices, RIDs are the address of the corresponding BAR for memory and I/O port resources and follow a different convention for interrupts (0 == INTx, 1...N == MSI/MSI-X). For ISA devices (and ACPI) RIDs are 0...N. If a device is enumerated via the firmware (e.g. ACPI DSDT entry with _CRS or PNPBIOS data for non-ACPI) then the firmware assigned resources are set for you by the parent bus and start at 0 (if you have two I/O port resources you'd have the second one at rid 1). If you are doing this on the LPC, then that it is actually a PCI device, and I don't know if the PCI bus is really going to let you create a rid at 0 via bus_set_resource(). Hmm, it should, but it's kind of a bit hacky. It might be somewhat cleaner if instead you treat this as an ISA device that is a child of isa0 below the LPC device. You can use an identify routine that looks at the grandparent isab0 device and then allocates this. However, a rid of 0 "should" work. You can check the resource list of the device in kgdb to see if there's a valid resource entry for rid 0. You could also try calling bus_get_resource() in your attach routine to see if the bus_set_resource() "worked". -- John Baldwin From owner-freebsd-hackers@freebsd.org Fri Sep 11 02:38:07 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C3666A01A4A for ; Fri, 11 Sep 2015 02:38:07 +0000 (UTC) (envelope-from rpokala@panasas.com) Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0079.outbound.protection.outlook.com [207.46.100.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (Client CN "mail.protection.outlook.com", Issuer "MSIT Machine Auth CA 2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 62D7F1A0B; Fri, 11 Sep 2015 02:38:06 +0000 (UTC) (envelope-from rpokala@panasas.com) Received: from CY1PR08MB1803.namprd08.prod.outlook.com (10.162.218.25) by CY1PR08MB1804.namprd08.prod.outlook.com (10.162.218.26) with Microsoft SMTP Server (TLS) id 15.1.262.15; Fri, 11 Sep 2015 02:37:59 +0000 Received: from CY1PR08MB1803.namprd08.prod.outlook.com ([10.162.218.25]) by CY1PR08MB1803.namprd08.prod.outlook.com ([10.162.218.25]) with mapi id 15.01.0262.011; Fri, 11 Sep 2015 02:37:59 +0000 From: "Pokala, Ravi" To: John Baldwin , "freebsd-hackers@freebsd.org" Subject: Re: bus_.*_resource() and rid Thread-Topic: bus_.*_resource() and rid Thread-Index: AQHQ6qhpmlcbMDBrSUWapu14ripoSp42SMsAgAAUkAA= Date: Fri, 11 Sep 2015 02:37:58 +0000 Message-ID: References: <1685918.WyYIclYTSg@ralph.baldwin.cx> In-Reply-To: <1685918.WyYIclYTSg@ralph.baldwin.cx> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.5.4.150722 authentication-results: spf=none (sender IP is ) smtp.mailfrom=rpokala@panasas.com; x-ms-exchange-messagesentrepresentingtype: 1 x-originating-ip: [24.90.136.147] x-microsoft-exchange-diagnostics: 1; CY1PR08MB1804; 5:l3ti8ipE91ARjYEUIikM/HARtUVoVj2L+LPygtCiPPL0nnoiMztPkfUU4wq74nNuyl31uzVdr3alfeDeXVXPxG5NegPmhAOrTLZVe9jeQAx/C6EMSC1WR1UNo80deww2ZoV8BTjTlQVZXbo+/mHSnw==; 24:Kdhvl7ROGXxHoPzHgNv4F9/bhj+ChhoZL2WO6We5F5mtgV1dD7GB5p90XOUb4bVb2xvUEJ1pGjQjIDtmSi5LY58I+MaGRnwFEsDdcMYU9/0=; 20:LmpKX5kdeYC0hdgzHJRkhKe/fiTelxh5+bz+O4CxDjZPhTefg5F3RnM6L82OiZNGAC8aH9SCXp7YD7d8hSFimA== x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR08MB1804; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:; x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(8121501046)(5005006)(3002001); SRVR:CY1PR08MB1804; BCL:0; PCL:0; RULEID:; SRVR:CY1PR08MB1804; x-forefront-prvs: 06968FD8C4 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(13464003)(189002)(199003)(377424004)(77156002)(2501003)(2900100001)(450100001)(107886002)(87936001)(92566002)(101416001)(62966003)(11100500001)(10400500002)(2950100001)(102836002)(50986999)(54356999)(36756003)(5002640100001)(77096005)(97736004)(4001540100001)(5001770100001)(5001860100001)(189998001)(99286002)(68736005)(86362001)(122556002)(46102003)(5001830100001)(5001960100002)(105586002)(19580405001)(81156007)(5004730100002)(106356001)(40100003)(106116001)(5890100001)(83506001)(5007970100001)(64706001)(19580395003)(76176999)(4001350100001)(66066001); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR08MB1804; H:CY1PR08MB1803.namprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; received-spf: None (protection.outlook.com: panasas.com does not designate permitted sender hosts) spamdiagnosticoutput: 1:23 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="us-ascii" Content-ID: <4A39DBCE8CCEFA469C7B611D917EB2D1@namprd08.prod.outlook.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: panasas.com X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Sep 2015 02:37:58.8785 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: acf01c9d-c699-42af-bdbb-44bf582e60b0 X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR08MB1804 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Sep 2015 02:38:07 -0000 -----Original Message----- From: John Baldwin Date: 2015-09-10, Thursday at 17:24 To: "freebsd-hackers@freebsd.org" Cc: Ravi Pokala Subject: Re: bus_.*_resource() and rid >Each bus decides how to manage RIDs. For PCI devices, RIDs are the >address of the corresponding BAR for memory and I/O port resources and >follow a different convention for interrupts (0 =3D=3D INTx, 1...N =3D=3D >MSI/MSI-X). For ISA devices (and ACPI) RIDs are 0...N. If a device is >enumerated via the firmware (e.g. ACPI DSDT entry with _CRS or PNPBIOS >data for non-ACPI) then the firmware assigned resources are set for you >by the parent bus and start at 0 (if you have two I/O port resources >you'd have the second one at rid 1). I see the address ranges w/ `devinfo -r', but they don't list RIDs. >If you are doing this on the LPC, then that it is actually a PCI device, >and I don't know if the PCI bus is really going to let you create a rid >at 0 via bus_set_resource(). Hmm, it should, but it's kind of a bit >hacky. It might be somewhat cleaner if instead you treat this as an ISA >device that is a child of isa0 below the LPC device. You can use an >identify routine that looks at the grandparent isab0 device and then >allocates this. My understanding was that the *only* way to treat devices hanging off the LPC was as an ISA device, so that's what I've been doing. That is, the LPC controller is a transparent bridge to allow ISA devices to connect to modern systems. (In several cases, the LPC controller also has some BARs which point at integrated ISA devices, like GPIO controllers, but that's beside the point.) >However, a rid of 0 "should" work. You can check the resource list of >the device in kgdb to see if there's a valid resource entry for rid 0. >You could also try calling bus_get_resource() in your attach routine to >see if the bus_set_resource() "worked". I'll look into bus_get_resource(). Oh, look - there's no manpage (share/man/man9/bus_get_resource.9 does not exist, despite being a "see also" entry in bus_set_resource.9). :-S -Ravi >--=20 >John Baldwin From owner-freebsd-hackers@freebsd.org Fri Sep 11 04:59:25 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E50E7A01EEB for ; Fri, 11 Sep 2015 04:59:25 +0000 (UTC) (envelope-from alex.burlyga.ietf@gmail.com) Received: from mail-vk0-x22a.google.com (mail-vk0-x22a.google.com [IPv6:2607:f8b0:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A331419E7 for ; Fri, 11 Sep 2015 04:59:25 +0000 (UTC) (envelope-from alex.burlyga.ietf@gmail.com) Received: by vkhf67 with SMTP id f67so20866157vkh.1 for ; Thu, 10 Sep 2015 21:59:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=QslbW8oXzVsg0V8nw7hjR8W+1j3B0vUR6o3KamuSqZ8=; b=mXthswlAGmnsem/YP6eU36vNiy5IQs6U23qmxxVgNUCTSv1Kah/PCdkf7Qb0rc2r9f rMMSXGJiHpq8BAmEA/PnY4P6mfNTrSu25AQElLpC0y06cZSr/JXmdem9vjCNYPQeIfvR e9OoPr9UG18r1I9ATXdxzzh5P6kR484e5GuETm8pRDcUDq14rlPEa8lW6kRKPUN19exn Vq+6npHHWCQkc1RIz/MqaitGqT95qqtoBLndl/FO02rz8vBD5DeNPAaxR1jUyuNf1D4Y U6BbL0fQo3IjTd+99oEm6gCT1JFzsAOsh9S5+cTyUG9CTW4N0Ar8aWdIrF37IsumGZQi dt4w== MIME-Version: 1.0 X-Received: by 10.31.136.9 with SMTP id k9mr3096631vkd.92.1441947564557; Thu, 10 Sep 2015 21:59:24 -0700 (PDT) Received: by 10.103.81.193 with HTTP; Thu, 10 Sep 2015 21:59:24 -0700 (PDT) In-Reply-To: References: Date: Thu, 10 Sep 2015 21:59:24 -0700 Message-ID: Subject: Re: bus_.*_resource() and rid From: "alex.burlyga.ietf alex.burlyga.ietf" To: "Pokala, Ravi" Cc: "freebsd-hackers@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Sep 2015 04:59:26 -0000 See replies in-line. On Tue, Sep 8, 2015 at 7:37 PM, Pokala, Ravi wrote: > Hi folks, > > I'm modifying a home-grown device driver; this is the first time I've > played around in device-probe and -attach, so I'm a bit out of my element > here. This is an LPC device attached to a PCI-ISA bridge (aka the LPC > controller). It's accessed through IOPORT, and the BIOS sets up enough > stuff that we can look for it. > > One thing that's confusing me is the "rid" which is passed to a bunch of > the bus_.*_resource() functions. I've looked at bus_set_resource(9), > bus_alloc_resource(9), and section 10.5 of the Architecture Handbook[1], > and I'm still confused. > > bus_alloc_resource(9) says: > > rid points to a bus specific handle that identifies the resource being > allocated. For ISA this is an index into an array of resources that > have > been setup for this device by either the PnP mechanism, or via the > hints > mechanism. ... > > > But there's no indication as to how we get that index. One possibility is > that the value passed in doesn't matter; bus_alloc_resource() sets it > correctly and the caller can use the new value. However, that doesn't > appear to be the case, since lots of times rid is ignored after the call > to bus_alloc_resource(). It's a discriminator for the resource type. It's bus specific, so in case of ISA it's just an integer in a range of 0 to 50(i think). > > For the sake of discussion, here are stripped-down versions of our probe > and attach functions: > > xxx_probe_unit(device_t dev) > { > uint32_t ioport_base; > uint32_t ioport_size; > int rc; > > /* Device identification stuff; details unimportant, but we determine > * ioport_base and ioport_size. > */ > > rc = bus_set_resource( > /* dev */ dev, > /* type */ SYS_RES_IOPORT, > /* rid */ 0, > /* start */ ioport_base, > /* count */ ioport_size); > } > > Most of those args are obvious, but I have no idea why rid is 0. It looks > like lots of drivers pass in a rid of 0, and the original author might > have just shrugged and gone with "convention". Depends on the device, if it only has one IOPORT then this makes sense. > > xxx_attach_unit(device_t dev) > { > struct xxx_softc *sc; > int rid; > struct resource res; > > sc = device_get_softc(dev); > > /* Device configuration stuff; details unimportant. */ > > rid = 0; > res = bus_alloc_resource( > /* dev */ dev, > /* type */ SYS_RES_IOPORT, > /* rid */ &rid, > /* start */ 0, > /* end */ ~0, > /* count */ sc->ioport_size, > /* flags */ RF_ACTIVE); > > /* save stuff for use with bus_space_{read,write}_1() */ > sc->iobase_addr = rman_get_start(res); > sc->iobase_bustag = rman_get_bustag(res); > sc->iobase_bushandle = rman_get_bushandle(res); > sc->dev = dev; > } > > Again, most things are fairly obvious, but I have no idea why rid is 0. > It's passed by reference to bus_alloc_resource(), but the > potentially-altered value is never stored or used. You are attaching a driver to a device, so you are actually allocating resource for the range you claimed in the probe function with bus_set_resource. Again since device has only one IOPORT, and ISA does not change "rid" so there is no need to store "rid" anywhere. > > The lazy part of me says to just go with blindly passing in 0, because it > works. However, the new device I'm adding support for will have multiple > IOPORT ranges associated with it, so I'm not sure if passing 0 is the > right thing. I think you have options here, during probe you can go with just 0 as "rid" but then during allocation you would need to populate start and end parameters with appropriate offsets. Or you can do "rid" per IOPORT and then you can retain 0, ~0 for start end and pass appropriate "rid" during attach phase. > > Any help would be appreciated. > > Thanks, > > Ravi > > [1] > https://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/isa-driver- > resources.html > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" From owner-freebsd-hackers@freebsd.org Fri Sep 11 08:31:43 2015 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1A7549BF906 for ; Fri, 11 Sep 2015 08:31:43 +0000 (UTC) (envelope-from wojtek@puchar.net) Received: from puchar.net (puchar.net [188.252.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "puchar.net", Issuer "puchar.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 9AB3C1849 for ; Fri, 11 Sep 2015 08:31:42 +0000 (UTC) (envelope-from wojtek@puchar.net) Received: Received: from 127.0.0.1 (localhost [127.0.0.1]) by puchar.net (8.14.9/8.14.9) with ESMTP id t8B84oeI020191 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 11 Sep 2015 10:04:50 +0200 (CEST) (envelope-from wojtek@puchar.net) Received: from laptop.wojtek.intra (localhost [127.0.0.1]) by laptop.wojtek.intra (8.14.9/8.14.9) with ESMTP id t8B84lLN004968; Fri, 11 Sep 2015 10:04:47 +0200 (CEST) (envelope-from wojtek@puchar.net) Received: from localhost (wojtek@localhost) by laptop.wojtek.intra (8.14.9/8.14.9/Submit) with ESMTP id t8B84fa9004965; Fri, 11 Sep 2015 10:04:41 +0200 (CEST) (envelope-from wojtek@puchar.net) X-Authentication-Warning: laptop.wojtek.intra: wojtek owned process doing -bs Date: Fri, 11 Sep 2015 10:04:41 +0200 (CEST) From: Wojciech Puchar X-X-Sender: wojtek@laptop.wojtek.intra To: Analysiser cc: freebsd-hackers@freebsd.org Subject: Re: Passphraseless Disk Encryption Options? In-Reply-To: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> Message-ID: References: <8B7FEE2E-500E-49CF-AC5E-A2FA3054B152@gmail.com> User-Agent: Alpine 2.20 (BSF 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (puchar.net [10.0.1.1]); Fri, 11 Sep 2015 10:04:51 +0200 (CEST) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Sep 2015 08:31:43 -0000 > I?m trying to perform a whole disk encryption for my boot drive to protect its data at rest. However I would like to have a mac OS X-ish full disk encryption that does not explicitly ask for a passphrase and would boot as normal without manual input of passphrase. I tried to do it with geli(8) but it seems there is no way I can avoid the manual interaction. Really curious if there is a way to achieve it? Thanks! what's a point of encrypting your disk if passphrase don't need to be entered. Where is a security?