Date: Sat, 15 Nov 2014 19:04:38 -0600
From: CyberLeo Kitsana <cyberleo@cyberleo.net>
To: FreeBSD Geom <freebsd-geom@freebsd.org>
Subject: [patch] GELI Boot-time unlock failure
Message-ID: <5467F826.3070208@cyberleo.net>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193624

I've reworked the patch to apply to 10.1-RELEASE, and am now using it successfully.

The proper fix for this issue is most likely a new metadata version to set the md_iterations per-keyslot instead of per-container, but I didn't want to introduce incompatibility without input from the current GELI maintainers; this patch works with the layout as-is.

If a GELI container has a keyfile in one slot and a passphrase in the other (to implement automatic boot-time unlock with offline key escrow, for example), the boot-time unlock code will get confused and assume the key and passphrase are to be combined, resulting in a container that cannot be unlocked during boot when its keyfile is preloaded. The included patch attempts to unlock using only the keyfile first.

Thanks!

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net <CyberLeo@CyberLeo.Net>

Furry Peace! - http://www.fur.com/peace/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5467F826.3070208>
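The keyslot layout the report describes (keyfile only in slot 0, passphrase only in slot 1, keyfile preloaded by the loader), as an added example written for this page. It is not the patch and not anything from the original message; the provider name da0, the keyfile path, the 64-byte keyfile size and the function names are assumptions. The geli(8) flags and the geli_<prov>_keyfile0_* loader variables are the documented ones. Run the setup part only against a scratch provider, since geli init destroys its contents.

```shell
#!/bin/sh
# Added example, not code from the original message or the GELI patch.
# Builds the two-slot layout from the report and the loader.conf lines
# that preload the keyfile at boot.  Provider and paths are assumptions.
set -eu

# loader.conf fragment that preloads keyfile $2 for provider $1.
# The _type value must be "<provider>:geli_keyfile<N>" so the loader hands
# the file to GELI as that provider's keyfile N.
loader_conf_lines() {
    prov=$1
    path=$2
    printf 'geli_%s_keyfile0_load="YES"\n' "$prov"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$prov" "$prov"
    printf 'geli_%s_keyfile0_name="%s"\n' "$prov" "$path"
}

# Create provider $1 with a keyfile-only key in slot 0 and a passphrase-only
# key in slot 1, then verify the keyfile alone still unlocks it from userland
# (the unlock the loader is expected to perform when the keyfile is preloaded).
setup_two_slot_provider() {
    prov=$1
    keyfile=$2

    # Keyfile: 64 random bytes, mode 0600.  This file alone opens the
    # provider, so the escrowed copy must be stored offline.
    umask 077
    dd if=/dev/random of="$keyfile" bs=64 count=1 2>/dev/null

    # Slot 0: keyfile only.  -P = no passphrase component, -K = keyfile for
    # the new key, -b = mark the provider for attach at boot.
    geli init -b -P -K "$keyfile" "$prov"

    # Slot 1: passphrase only.  -p/-k authenticate with the existing keyfile
    # key; leaving out -P and -K makes geli prompt for the new passphrase.
    geli setkey -n 1 -p -k "$keyfile" "$prov"

    # Check: keyfile-only unlock of slot 0 must work without a passphrase.
    geli attach -p -k "$keyfile" "$prov"
    geli detach "$prov"

    # The iteration count is stored once per container, not per slot, which
    # is why the metadata cannot say which slot expects a passphrase.
    geli dump "$prov" | grep -i iterations
}

# Usage: ./geli-two-slot.sh setup da0 /boot/keys/da0.key
#        ./geli-two-slot.sh loader da0 /boot/keys/da0.key >> /boot/loader.conf
case "${1:-}" in
    setup)  setup_two_slot_provider "$2" "$3" ;;
    loader) loader_conf_lines "$2" "$3" ;;
    *)      ;;   # no arguments: define the functions only
esac
```

After the provider is set up and the three loader.conf lines are in place, the keyfile-only unlock in `setup_two_slot_provider` is exactly the attempt the report says the 10.1 boot code does not make first; the `geli dump` output shows the single per-container iterations field the message refers to.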