Date: Mon, 6 Apr 2015 11:09:49 -0700 From: Devin Teske <dteske@FreeBSD.org> To: Eric van Gyzen <vangyzen@FreeBSD.org> Cc: Devin Teske <dteske@FreeBSD.org>, freebsd-current@freebsd.org, cperciva@freebsd.org Subject: Re: [RFC] Add "GELI Passphrase:" prompt to boot loader Message-ID: <97538B31-652D-4611-9F92-D1A58004A02C@FreeBSD.org> In-Reply-To: <5522C7E5.4090609@FreeBSD.org> References: <0D7CA1BF-3052-41FD-A3E7-5BBAA51B214A@FreeBSD.org> <5522C167.6090408@vangyzen.net> <72AB2A13-8DA5-4320-8302-598B6672DA25@FreeBSD.org> <5522C7E5.4090609@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Apr 6, 2015, at 10:52 AM, Eric van Gyzen <vangyzen@FreeBSD.org> = wrote: >=20 > On 04/06/2015 13:39, Devin Teske wrote: >>=20 >>> On Apr 6, 2015, at 10:24 AM, Eric van Gyzen <eric@vangyzen.net> = wrote: >>>=20 >>> On 04/06/2015 12:58, Devin Teske wrote: >>>> Hi -current, >>>>=20 >>>> I have a pending enhancement to the boot loader that Colin P. and I >>>> have been working on together. >>>>=20 >>>> URL: https://reviews.freebsd.org/D2105 = <https://reviews.freebsd.org/D2105>; >>>>=20 >>>> The nature of the patch is to cause the boot loader to prompt for = the >>>> GELI passphrase and then pass that on (through a kenv(1) variable) >>>> to Colin=E2=80=99s code in geom_eli.ko where it will be: >>>>=20 >>>> (a) picked up for-use as the initial passphrase attempt(s) >>>> (b) zeroed after being picked-up so =E2=80=9Ckenv = kern.geom.eli.passphrase=E2=80=9D >>>> returns nothing >>>>=20 >>>> NB: Actually, =E2=80=9Ckenv kern.geom.eli.passphrase=E2=80=9D = generates the error >>>> =E2=80=9Ckenv: unable to get kern.geom.eli.passphrase=E2=80=9D >>>>=20 >>>> The problem that I (we) need help in solving is: >>>>=20 >>>> If the geom_eli.ko module doesn=E2=80=99t get loaded, then the = variable >>>> (kern.geom.eli.passphrase) is not zeroed. >>>>=20 >>>> While I do think that this is of minimal concern (not loading the = GELI >>>> module means you won=E2=80=99t be able to get past the mountroot = prompt in >>>> the case where GELI is required to boot), I discussed with Colin = and >>>> I think we are in consensus that the resetting of the variable = should >>>> perhaps be moved to another section of the kernel to prevent = leakage >>>> of this sensitive information being passed through kenv(1) = variable(s). >>>>=20 >>>> Issue for me is, I=E2=80=99m not sure where the best place to move = this to. >>>> Here=E2=80=99s the code that needs to be moved (Lines 108-109 of = g_eli.c): >>>>=20 >>>> https://svnweb.freebsd.org/base?view=3Drevision&revision=3D273489 = <https://svnweb.freebsd.org/base?view=3Drevision&revision=3D273489>; >>>>=20 >>>>=20 >>>> 108 = <https://svnweb.freebsd.org/base/head/sys/geom/eli/g_eli.c?annotate=3D2734= 89&pathrev=3D273489#l108> /* Wipe the = passphrase from the environment. */ >>>> 109 = <https://svnweb.freebsd.org/base/head/sys/geom/eli/g_eli.c?annotate=3D2734= 89&pathrev=3D273489#l109> = kern_unsetenv("kern.geom.eli.passphrase"); >>>>=20 >>>> Need to move that preferably to some place in the kernel that is = NOT >>>> optional in the compilation process. Suggestions? >>>=20 >>> How about putting it right after a successful mount of the root file = system?=20 >>> (I've never used GELI, so this could be as "right out" as five.) >>>=20 >>=20 >> I think that=E2=80=99s an excellent idea. >>=20 >> /me rummages through source >>=20 >> I=E2=80=99m thinking that the best place might be where we deal with = the registered >> event handler for mountroot. >>=20 >>=20 >> One place that I crawled upon that looks particularly sexy is in = start_init() >> of sys/kern/init_main.c: >>=20 >> ### BEGIN SNIPPET ### >> /* >> * Start the initial user process; try exec=E2=80=99ing each pathname = in init_path. >> * The program is invoked with one argument containing the boot flags. >> */ >> static void >> start_init(void *dummy) >> { >> vm_offset_t addr; >> struct execve_args args; >> int options, error; >> char *var, *path, *next, *s; >> char *ucp, **uap, *arg0, *arg1; >> struct thread *td; >> struct proc *p; >>=20 >> mtx_lock(&Giant); >>=20 >> GIANT_REQUIRED; >>=20 >> td =3D furthered; >> p =3D td->td_proc; >>=20 >> vfs_mountroot(); >>=20 >> ### RFC for code placement ### >> /* XXX Put reset of kern.geom.eli.passphrase here XXX */ >> ########################## >>=20 >> /* >> * Need just enough stack to hold the faked-up =E2=80=9Cexecve()=E2= =80=9D arguments. >> */ >> // snip rest // >> ### END SNIPPET ### >>=20 >> Or can you think of a better place? >=20 > That looks good to me, although I'm no expert in this area, so you = might wait > for more opinions. >=20 Kk. In the meantime, I=E2=80=99ve updated the patch in D2105 to reflect = the new potential outcome. Worth noting, that I left the kern_unsetenv() call in = sys/geom/eli/geom_eli.c in-tact (didn=E2=80=99t see any harm in calling kern_unsetenv() on the = same variable twice; no real conerns of removing it, just didn=E2=80=99t see any harm in leaving = it). Would like feedback on phabricator. https://reviews.freebsd.org/D2105 <https://reviews.freebsd.org/D2105>; =E2=80=94=20 Cheers, Devin=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?97538B31-652D-4611-9F92-D1A58004A02C>