From owner-freebsd-current@FreeBSD.ORG Fri Aug 24 15:51:25 2012 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 52C18106566C for ; Fri, 24 Aug 2012 15:51:25 +0000 (UTC) (envelope-from simon@qxnitro.org) Received: from mail-ob0-f182.google.com (mail-ob0-f182.google.com [209.85.214.182]) by mx1.freebsd.org (Postfix) with ESMTP id 08A348FC20 for ; Fri, 24 Aug 2012 15:51:24 +0000 (UTC) Received: by obbun3 with SMTP id un3so5900054obb.13 for ; Fri, 24 Aug 2012 08:51:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qxnitro.org; s=google; h=mime-version:sender:x-originating-ip:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=72mTIhSEsmdYeImhKkR4ZtlStRj/dkI7FSimwKU4miA=; b=GphMNkMPB3rh/3S3KCDM00ohza4tEzslTpMhChUGSiJVKrnBdtADJRrRCC5YuvZRxa q+Q5MuKxsDUUurt7PdSjgo01ExNp5m/cw2nvRZUxV27LEpM8uQcoXuF7ANq6coBRdrL6 lwYq1VLkYtLsMUUoJmfAJkuBhgodwpE+jPVVU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:sender:x-originating-ip:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding:x-gm-message-state; bh=72mTIhSEsmdYeImhKkR4ZtlStRj/dkI7FSimwKU4miA=; b=K3ZaFhy9EF0/NdHhgf5UOVAi5YpGi3aBFb2MT2hg4n3AgD8dbpHVE2/SX2xUyjSce0 ekxQgVQp5+PfsolDm6FB2UzrM489uhDbO6sJuW0hTmmBNEevKQgptGkbWScBkF5p5zDi ObVdYrrsMThOOigV49a7TKrAthcs9DdcINjMGLo7Pk5ZyjACAGlpCgBDWsHzvATuqNRx l6wfgkedCLIKCkVeFgT39UoIPHckWy2bJkotz8BksiUm+Tbid4EQKUtGusbZOMJq7P1x wO6Z5pewY3imMkFdbED+jhrzVV/qPZKUKZnpy9hBq8x9YNEyqW3FMgXdcCftqXQ39FRx i9KA== MIME-Version: 1.0 Received: by 10.60.20.99 with SMTP id m3mr4280282oee.124.1345823484386; Fri, 24 Aug 2012 08:51:24 -0700 (PDT) Sender: simon@qxnitro.org Received: by 10.76.85.135 with HTTP; Fri, 24 Aug 2012 08:51:24 -0700 (PDT) X-Originating-IP: [2620:0:1040:201:9db5:5be0:5543:2221] In-Reply-To: <20120821120537.GL1202@acme.spoerlein.net> References: <5032AB28.9070306@FreeBSD.org> <20120821120537.GL1202@acme.spoerlein.net> Date: Fri, 24 Aug 2012 16:51:24 +0100 X-Google-Sender-Auth: hLKKXpa--7TtOiRvcrLu1pM1G-U Message-ID: From: "Simon L. B. Nielsen" To: freebsd-security@freebsd.org, freebsd-current@freebsd.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Gm-Message-State: ALoCoQmSXFShyirskc3+7rzuQ2tDtVsYVlnccnataCv2a416KxQiiurXs6kGelL/c0ekd44btI1v Cc: Subject: Re: [HEADSUP] geli(4) weak master key generation on -CURRENT X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Aug 2012 15:51:25 -0000 On Tue, Aug 21, 2012 at 1:05 PM, Ulrich Sp=C3=B6rlein wro= te: > On Mon, 2012-08-20 at 22:24:56 +0100, Simon L. B. Nielsen wrote: >> Hello, >> >> If you are not using geli(4) on -CURRENT (AKA FreeBSD 10) you can safely >> ignore this mail. If you are, please read on! >> >> -CURRENT users of geli(4) should be advised that, a geli(4) device may >> have weak master key, if the provider is created on -CURRENT system >> built against source code between r238116 (Jul 4 17:54:17 2012 UTC) >> and r239184 (non-inclusive, Aug 10 18:43:29 2012 UTC). >> >> One can verify if its provider was created with weak keys by running: >> >> # geli dump | grep version >> >> If the version is 7 and the system did not include this fix (r239184) >> when provider was initialized, then the data has to be backed up, >> underlying provider overwritten with random data, system upgraded and >> provider recreated. >> >> Thanks to Fabian Keil for reporting the issue, Pawel Jakub Dawidek for >> fixing it, and Xin Li for drafting this text. >> >> PS. This only affects FreeBSD 10 / -CURRENT, and as -CURRENT isn't >> supported by the FreeBSD Security Team, we are not releasing an >> advisory, just this heads up. > > I haven't read commit mails in a very long time, but is there code in > place that will issue a warning upon geli attach if version 7 is > detected? While -CURRENT is not supported, there might be a lot of disks > initialized with version 7 and they'll eventually be upgraded to > 10.0-RELEASE (the OS, not necessarily the geli volumes). No, the bad code was only in head for about a month. I'm fine with having a warning, but somebody has to code it. --=20 Simon L. B. Nielsen