From owner-freebsd-geom@FreeBSD.ORG Sun Nov 16 01:12:55 2014
Return-Path:
Delivered-To: freebsd-geom@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 520EFDC9 for ; Sun, 16 Nov 2014 01:12:55 +0000 (UTC)
Received: from mail.cyberleo.net (paka.cyberleo.net [216.226.128.180]) by mx1.freebsd.org (Postfix) with ESMTP id 32C53F66 for ; Sun, 16 Nov 2014 01:12:54 +0000 (UTC)
Received: from [172.16.44.4] (vitani.den.cyberleo.net [216.80.73.130]) by mail.cyberleo.net (Postfix) with ESMTPSA id 9C84618569; Sat, 15 Nov 2014 20:04:39 -0500 (EST)
Message-ID: <5467F826.3070208@cyberleo.net>
Date: Sat, 15 Nov 2014 19:04:38 -0600
From: CyberLeo Kitsana
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.8.0
MIME-Version: 1.0
To: FreeBSD Geom
Subject: [patch] GELI Boot-time unlock failure
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-geom@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: GEOM-specific discussions and implementations
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 16 Nov 2014 01:12:55 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193624

I've reworked the patch to apply to 10.1-RELEASE, and am now using it
successfully.

The proper fix for this issue is most likely a new metadata version to
set the md_iterations per-keyslot instead of per-container, but I didn't
want to introduce incompatibility without input from the current GELI
maintainers; this patch works with the layout as-is.

If a GELI container has a keyfile in one slot and a passphrase in the
other (to implement automatic boot-time unlock with offline key escrow,
for example), the boot-time unlock code will get confused and assume the
key and passphrase are to be combined, resulting in a container that
cannot be unlocked during boot when its keyfile is preloaded. The
included patch attempts to unlock using only the keyfile first.

Thanks!

--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Furry Peace! - http://www.fur.com/peace/

From owner-freebsd-geom@FreeBSD.ORG Sun Nov 16 19:24:14 2014
Message-ID: <5468F9D6.4020300@natserv.net>
Date: Sun, 16 Nov 2014 14:24:06 -0500
From: Francisco Reyes
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
To: "Michael W. Lucas"
Cc: freebsd-geom@freebsd.org
Subject: Re: Gmirror vs 10 Release-P12
References: <5465580A.6070609@natserv.net> <20141114161658.GA1719@mail.michaelwlucas.com>
In-Reply-To: <20141114161658.GA1719@mail.michaelwlucas.com>

On 11/14/2014 11:16 AM, Michael W. Lucas wrote:
> I believe 9+ GPT partitioning doesn't work with gmirror on a whole
> disk. Pardon the narcissistic link, but:

But it was a 10.0 Release

To recap..
10.0 Release.. gmirror works.
Updated to 10-P12... gmirror no longer worked.

For now went without gmirror altogether. The client needed the machine
ASAP. May try upgrading to 10.1 later after it has been out longer.

From owner-freebsd-geom@FreeBSD.ORG Mon Nov 17 05:29:06 2014
Date: Mon, 17 Nov 2014 06:29:10 +0100
From: Pawel Jakub Dawidek
To: CyberLeo Kitsana
Cc: FreeBSD Geom
Subject: Re: [patch] GELI Boot-time unlock failure
Message-ID: <20141117052910.GE1771@garage.freebsd.pl>
References: <5467F826.3070208@cyberleo.net>
In-Reply-To: <5467F826.3070208@cyberleo.net>
X-OS: FreeBSD 11.0-CURRENT amd64
User-Agent: Mutt/1.5.23 (2014-03-12)

On Sat, Nov 15, 2014 at 07:04:38PM -0600, CyberLeo Kitsana wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193624
>
> I've reworked the patch to apply to 10.1-RELEASE, and am now using it
> successfully.
>
> The proper fix for this issue is most likely a new metadata version to
> set the md_iterations per-keyslot instead of per-container, but I didn't
> want to introduce incompatibility without input from the current GELI
> maintainers; this patch works with the layout as-is.
>
> If a GELI container has a keyfile in one slot and a passphrase in the
> other (to implement automatic boot-time unlock with offline key escrow,
> for example), the boot-time unlock code will get confused and assume the
> key and passphrase are to be combined, resulting in a container that
> cannot be unlocked during boot when its keyfile is preloaded. The
> included patch attempts to unlock using only the keyfile first.

Hi,

thanks for the patch, but I'd prefer to fix it properly, i.e. allow for
each key slot to have its dedicated iterations counter. Do you think
this is something you could work on?

--
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com

From owner-freebsd-geom@FreeBSD.ORG Mon Nov 17 08:31:00 2014
Date: Mon, 17 Nov 2014 00:28:03 -0800
From: perryh@pluto.rain.com (Perry Hutchison)
To: lists@natserv.net
Cc: mwlucas@michaelwlucas.com, freebsd-geom@freebsd.org
Subject: Re: Gmirror vs 10 Release-P12
Message-Id: <5469b193.lkIZWruTiJ873IFy%perryh@pluto.rain.com>
References: <5465580A.6070609@natserv.net> <20141114161658.GA1719@mail.michaelwlucas.com> <5468F9D6.4020300@natserv.net>
In-Reply-To: <5468F9D6.4020300@natserv.net>
User-Agent: nail 11.25 7/29/05

Francisco Reyes wrote:
> On 11/14/2014 11:16 AM, Michael W. Lucas wrote:
> > I believe 9+ GPT partitioning doesn't work with gmirror on a whole
> > disk. Pardon the narcissistic link, but:
>
> But it was a 10.0 Release
> To recap..
> 10.0 Release.. gmirror works.

That was either a bug in 10.0 Release, or an accident.

> Updated to 10-P12... gmirror no longer worked.

As expected.

> For now went without gmirror altogether. The client needed the machine
> ASAP. May try upgrading to 10.1 later after it has been out longer.

10.1 should make no difference.

The problem is that, per the GPT spec, the GPT partition data appears
in both the first and last blocks of the physical drive. That conflicts
with applying gmirror to the entire drive, since gmirror uses the last
block of whatever provider it is hosted on. If you try to gmirror the
whole drive, and GPT-partition the mirror, a strict BIOS will complain
about the absence of the GPT data in the drive's last physical block
and/or about the size in the GPT not matching the size reported by the
drive.

The proper way to use gmirror on a GPT disk is to mirror individual
partitions, rather than the whole drive. Yes, this can be a nuisance --
if you have 5 partitions you need 5 mirrors rather than just one.

Another approach is to make just one GPT partition, gmirror that, and
then MBR-partition that mirror. However getting this scheme to work on
the boot drive requires hacking the boot blocks.

From owner-freebsd-geom@FreeBSD.ORG Mon Nov 17 23:25:38 2014
Message-ID: <546A83E8.9050409@cyberleo.net>
Date: Mon, 17 Nov 2014 17:25:28 -0600
From: CyberLeo Kitsana
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.8.0
To: Pawel Jakub Dawidek
Cc: FreeBSD Geom
Subject: Re: [patch] GELI Boot-time unlock failure
References: <5467F826.3070208@cyberleo.net> <20141117052910.GE1771@garage.freebsd.pl>
In-Reply-To: <20141117052910.GE1771@garage.freebsd.pl>

On 11/16/2014 11:29 PM, Pawel Jakub Dawidek wrote:
> On Sat, Nov 15, 2014 at 07:04:38PM -0600, CyberLeo Kitsana wrote:
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193624
>>
>> I've reworked the patch to apply to 10.1-RELEASE, and am now using it
>> successfully.
>>
>> The proper fix for this issue is most likely a new metadata version to
>> set the md_iterations per-keyslot instead of per-container, but I didn't
>> want to introduce incompatibility without input from the current GELI
>> maintainers; this patch works with the layout as-is.
>>
>> If a GELI container has a keyfile in one slot and a passphrase in the
>> other (to implement automatic boot-time unlock with offline key escrow,
>> for example), the boot-time unlock code will get confused and assume the
>> key and passphrase are to be combined, resulting in a container that
>> cannot be unlocked during boot when its keyfile is preloaded. The
>> included patch attempts to unlock using only the keyfile first.
>
> Hi,
>
> thanks for the patch, but I'd prefer to fix it properly, i.e. allow for
> each key slot to have its dedicated iterations counter. Do you think
> this is something you could work on?

I think so. I'll see what I can do. It might take a bit, though, as, for
that, I must familiarize myself with the userland portions as well.

--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Furry Peace! - http://www.fur.com/peace/
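The three GELI messages above argue about one design point: with a single per-container iteration count, a loader that finds a keyfile preloaded cannot tell whether the count means "stretch a passphrase and mix it with the keyfile" or "a different slot uses a passphrase, this one does not". The Python below is an added model of that decision, written for this page; it is not code from the thread, from the patch in bug 193624, or from GELI. Everything in it is a stand-in chosen for the demo: the key derivation (HMAC-SHA512 over the keyfile, PBKDF2-HMAC-SHA512 over the passphrase), the XOR-plus-HMAC key wrapping, the convention that an iteration count of -1 means "no passphrase", the function names (derive_kek, boot_unlock_current, boot_unlock_keyfile_first, boot_unlock_per_slot) and the constructed secrets. The slot layout is the reporter's: keyfile in one slot, passphrase in the other.

```python
"""Model of the GELI key-slot unlock decision argued over in the thread above.
Constructed example: the derivation, wrapping and metadata are a simplified
stand-in for GELI's real format and crypto, not GELI code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

NO_PASSPHRASE = -1   # assumed convention: this count means "no passphrase involved"


def derive_kek(keyfile: Optional[bytes], passphrase: Optional[bytes],
               salt: bytes, iterations: int) -> bytes:
    """Keyfile bytes feed HMAC-SHA512 directly; a passphrase is first stretched with
    PBKDF2-HMAC-SHA512.  Only the passphrase path needs the iteration count."""
    if keyfile is None and passphrase is None:
        raise ValueError("need a keyfile, a passphrase or both")
    h = hmac.new(salt, digestmod="sha512")
    if keyfile is not None:
        h.update(b"keyfile:" + keyfile)
    if passphrase is not None:
        if iterations <= 0:
            raise ValueError("a passphrase needs a positive iteration count")
        h.update(b"pass:" + hashlib.pbkdf2_hmac("sha512", passphrase, salt, iterations, 64))
    return h.digest()           # 64 bytes: 32 for wrapping, 32 for the check tag


@dataclass
class Slot:
    wrapped: bytes     # master key XORed with KEK[:32] (stand-in for real key wrapping)
    tag: bytes         # HMAC-SHA256 of the master key under KEK[32:]
    iterations: int    # per-slot count, the layout change the maintainer asks for


@dataclass
class Container:
    salt: bytes
    iterations: int    # single per-container count, the current layout
    slots: List[Slot] = field(default_factory=list)


def wrap(master: bytes, kek: bytes, iterations: int) -> Slot:
    wrapped = bytes(a ^ b for a, b in zip(master, kek[:32]))
    return Slot(wrapped, hmac.new(kek[32:], master, "sha256").digest(), iterations)


def unwrap(slot: Slot, kek: bytes) -> Optional[bytes]:
    """The master key if `kek` opens this slot, else None."""
    master = bytes(a ^ b for a, b in zip(slot.wrapped, kek[:32]))
    ok = hmac.compare_digest(slot.tag, hmac.new(kek[32:], master, "sha256").digest())
    return master if ok else None


def first_open(slots: List[Slot], kek: bytes) -> Optional[bytes]:
    return next((m for m in (unwrap(s, kek) for s in slots) if m is not None), None)


def make_container(master: bytes, keyfile: bytes, passphrase: bytes, iterations: int) -> Container:
    """The reporter's setup: slot 0 keyfile only (unattended boot), slot 1 passphrase only (escrow)."""
    c = Container(os.urandom(16), iterations)
    c.slots.append(wrap(master, derive_kek(keyfile, None, c.salt, NO_PASSPHRASE), NO_PASSPHRASE))
    c.slots.append(wrap(master, derive_kek(None, passphrase, c.salt, iterations), iterations))
    return c


def boot_unlock_current(c: Container, keyfile: bytes, passphrase: Optional[bytes]) -> Optional[bytes]:
    """Reported behaviour: the container-wide count says "passphrase required", so the
    loader combines it with the keyfile.  Unattended boot has none; even with one,
    the combination opens neither slot."""
    if c.iterations == NO_PASSPHRASE:
        return first_open(c.slots, derive_kek(keyfile, None, c.salt, NO_PASSPHRASE))
    if passphrase is None:
        return None
    return first_open(c.slots, derive_kek(keyfile, passphrase, c.salt, c.iterations))


def boot_unlock_keyfile_first(c: Container, keyfile: bytes, passphrase: Optional[bytes]) -> Optional[bytes]:
    """The posted patch's approach: keyfile alone first, then fall back; no layout change."""
    m = first_open(c.slots, derive_kek(keyfile, None, c.salt, NO_PASSPHRASE))
    return m if m is not None else boot_unlock_current(c, keyfile, passphrase)


def boot_unlock_per_slot(c: Container, keyfile: Optional[bytes], passphrase: Optional[bytes]) -> Optional[bytes]:
    """The maintainer's preferred fix: each slot says what it needs, so nothing is guessed."""
    for s in c.slots:
        if s.iterations == NO_PASSPHRASE:
            tries = [(keyfile, None)] if keyfile is not None else []
        elif passphrase is None:
            tries = []
        else:   # passphrase slot: with or without a keyfile mixed in
            tries = [(None, passphrase)] + ([(keyfile, passphrase)] if keyfile is not None else [])
        for kf, pw in tries:
            m = unwrap(s, derive_kek(kf, pw, c.salt, s.iterations))
            if m is not None:
                return m
    return None


if __name__ == "__main__":
    master, keyfile = os.urandom(32), os.urandom(64)          # constructed secrets
    c = make_container(master, keyfile, b"escrow passphrase", 2000)
    print("current layout:", boot_unlock_current(c, keyfile, None) == master)        # False
    print("keyfile first: ", boot_unlock_keyfile_first(c, keyfile, None) == master)  # True
    print("per-slot count:", boot_unlock_per_slot(c, keyfile, None) == master)       # True
```

The keyfile-first fallback keeps the on-disk layout but costs one extra derivation on every boot and still cannot express a slot that wants keyfile and passphrase together without also accepting keyfile alone; a per-slot count removes the guess, which is why it needs a new metadata version.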
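Perry Hutchison's explanation of why a whole-disk gmirror and GPT collide can be checked against a disk image rather than taken on faith. The following Python is an added example for this page, not code from the thread or from FreeBSD. It writes an empty GPT (primary and backup header, entry arrays, CRC32s) the way a partitioning tool would onto a provider of a given size, then inspects the physical image the way a strict GPT consumer does: is there a valid backup header in the drive's last sector, and does the table's idea of the disk size agree with the real one? The in-memory image, the "GEOM::MIRROR" marker planted in the stolen last sector, the assumption that the mirror metadata takes exactly one sector, and the names write_gpt, parse_header, diagnose and build_image are all constructed for the demo; the thread itself only says that gmirror uses the last block of its provider.

```python
"""Check a GPT against the physical drive size, the way a strict consumer does.
Constructed example: builds a small disk image in memory; not code from the
thread or from FreeBSD."""
import os
import struct
import zlib
from typing import Optional

GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"             # UEFI spec header layout, little-endian
GPT_HEADER_LEN = struct.calcsize(GPT_HEADER_FMT)   # 92 bytes
GPT_SIG = b"EFI PART"
ENTRIES, ENTRY_SIZE = 128, 128                     # the usual 16 KiB partition entry array
GMIRROR_MARKER = b"GEOM::MIRROR"                   # planted in the stolen last sector (constructed)


def _header(my_lba, alt_lba, first_usable, last_usable, guid, entries_lba, entries_crc) -> bytes:
    f = [GPT_SIG, 0x00010000, GPT_HEADER_LEN, 0, 0, my_lba, alt_lba,
         first_usable, last_usable, guid, entries_lba, ENTRIES, ENTRY_SIZE, entries_crc]
    f[3] = zlib.crc32(struct.pack(GPT_HEADER_FMT, *f)) & 0xFFFFFFFF   # CRC over header with CRC field zeroed
    return struct.pack(GPT_HEADER_FMT, *f)


def write_gpt(image: bytearray, provider_sectors: int, sector: int = 512) -> None:
    """Write an empty GPT onto the first `provider_sectors` sectors of `image`, as a
    partitioning tool would onto that provider.  If the image is larger than the
    provider, the backup header lands short of the physical end: the whole-disk
    gmirror case from the thread."""
    entry_sectors = ENTRIES * ENTRY_SIZE // sector
    entries = bytes(ENTRIES * ENTRY_SIZE)
    entries_crc = zlib.crc32(entries) & 0xFFFFFFFF
    guid = os.urandom(16)
    alt = provider_sectors - 1                                  # backup header: provider's last LBA
    first_usable, last_usable = 2 + entry_sectors, alt - entry_sectors - 1
    image[sector:sector + GPT_HEADER_LEN] = _header(1, alt, first_usable, last_usable, guid, 2, entries_crc)
    image[2 * sector:2 * sector + len(entries)] = entries
    backup_entries = alt - entry_sectors
    image[backup_entries * sector:backup_entries * sector + len(entries)] = entries
    image[alt * sector:alt * sector + GPT_HEADER_LEN] = _header(
        alt, 1, first_usable, last_usable, guid, backup_entries, entries_crc)


def parse_header(image: bytes, lba: int, sector: int = 512) -> Optional[dict]:
    """The header at `lba` if signature and CRC32 check out, else None."""
    raw = bytes(image[lba * sector:lba * sector + GPT_HEADER_LEN])
    if len(raw) < GPT_HEADER_LEN or raw[:8] != GPT_SIG:
        return None
    f = list(struct.unpack(GPT_HEADER_FMT, raw))
    stored, f[3] = f[3], 0
    if zlib.crc32(struct.pack(GPT_HEADER_FMT, *f)) & 0xFFFFFFFF != stored:
        return None
    return {"my_lba": f[5], "alternate_lba": f[6], "first_usable": f[7],
            "last_usable": f[8], "entries_lba": f[10]}


def diagnose(image: bytes, sector: int = 512) -> dict:
    """Is the backup header in the drive's last sector, and does the table's size
    agree with the drive?  A one-sector shortfall with something other than a GPT
    header in the final sector is the signature of a table written on a provider
    (such as a whole-disk gmirror) that hides that sector."""
    physical_last = len(image) // sector - 1
    primary = parse_header(image, 1, sector)
    if primary is None:
        return {"gpt": False}
    alt = primary["alternate_lba"]
    backup = parse_header(image, alt, sector)
    at_end = parse_header(image, physical_last, sector)
    return {
        "gpt": True,
        "alternate_lba": alt,
        "physical_last_lba": physical_last,
        "backup_valid": backup is not None and backup["alternate_lba"] == 1,
        "backup_at_disk_end": at_end is not None,
        "size_mismatch_sectors": physical_last - alt,
        "last_sector_marker": bytes(image[physical_last * sector:physical_last * sector + 12]),
        "whole_disk_mirror_suspected": physical_last - alt == 1 and at_end is None,
    }


def build_image(physical_sectors: int, provider_sectors: int, sector: int = 512) -> bytes:
    """Constructed drive: GPT written on a provider of `provider_sectors`; when that is
    smaller than the drive, the final sector gets the mirror marker instead."""
    image = bytearray(physical_sectors * sector)
    write_gpt(image, provider_sectors, sector)
    if provider_sectors < physical_sectors:
        image[-sector:-sector + len(GMIRROR_MARKER)] = GMIRROR_MARKER
    return bytes(image)


if __name__ == "__main__":
    print("GPT on the bare drive:     ", diagnose(build_image(2048, 2048))["whole_disk_mirror_suspected"])  # False
    print("GPT on a whole-disk mirror:", diagnose(build_image(2048, 2047))["whole_disk_mirror_suspected"])  # True
```

The same check runs against a real device by passing the raw bytes of the drive (not of the mirror provider) to diagnose; the backup header is found where the primary header says it is, but the last physical sector holds the mirror's metadata, which is exactly the pair of complaints Perry describes.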