About GELI root

Environment: FreeBSD 10.0R amd64

The root partition is /dev/ada0p1 with gpart label /dev/gpt/rootfs. /dev/gpt/rootfs.eli is created from /dev/gpt/rootfs, not /dev/ada0p1.
Code:
# cat /boot/loader.conf
vfs.root.mountfrom="ufs:/dev/gpt/rootfs.eli"
aesni_load="YES"
geom_eli_load="YES"
geli_gpt_rootfs_keyfile0_load="YES"
geli_gpt_rootfs_keyfile0_type="gpt/rootfs:geli_keyfile0"
geli_gpt_rootfs_keyfile0_name="/boot/rootfskey"

Question 1.

Boot is OK, but many messages like the ones below can be found in dmesg:
Code:
...
GEOM_ELI: Found no key files in loader.conf for ad4p1
...
GEOM_ELI: Found no key files in loader.conf for gptid/*
...
After adding "kern.cam.ada.legacy_aliases=0" to /boot/loader.conf, the remaining messages are:
Code:
GEOM_ELI: Found no key files in loader.conf for ada0p1
GEOM_ELI: Found no key files in loader.conf for gptid/*
How to disable the two messages, other than changing gpt_rootfs and gpt/rootfs to ada0p1 in /boot/loader.conf?

Question 2

I want to use two different authentications for the root partition. The first (geli setkey -n 0) is a key without a passphrase. The partition can be automounted with it. The second (geli setkey -n 1) is a passphrase without a key. The partition can be mounted manually with it on other computers.

Before I added the second, the partition could be automounted. After adding it, I have to input the passphrase at boot. It looks like the system mixes the two authentications instead of treating them independently. Perhaps because of "geli init -b"?

How to: if the key is found, autobooting is OK; if the key isn't found, booting continues after inputting the passphrase?

Thanks!
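The messages in Question 1 come from GELI tasting every name the same partition is visible under (ada0p1, gpt/rootfs, gptid/...) and looking, for each name, for preloaded keyfiles whose type string is "<provider>:geli_keyfile<N>", the format the loader.conf above uses. The POSIX sh script below is an added example, not code from this thread or from FreeBSD: it parses a loader.conf (a constructed copy of the one in the question) and reports which provider names have a boot keyfile registered. A name without one is exactly where the kernel logs "Found no key files in loader.conf". The gptid value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): check which GEOM provider
# names have GELI boot keyfiles registered in loader.conf.
# GELI matches a preloaded keyfile to a provider through the type string
# "<provider>:geli_keyfile<N>", so each alias of one partition (ada0p1,
# gpt/rootfs, gptid/...) is matched on its own name.

# Constructed sample loader.conf, mirroring the one in the question.
LOADER_CONF="$(cat <<'EOF'
vfs.root.mountfrom="ufs:/dev/gpt/rootfs.eli"
aesni_load="YES"
geom_eli_load="YES"
geli_gpt_rootfs_keyfile0_load="YES"
geli_gpt_rootfs_keyfile0_type="gpt/rootfs:geli_keyfile0"
geli_gpt_rootfs_keyfile0_name="/boot/rootfskey"
EOF
)"

# keyfile_providers CONF: print each provider name that has at least one
# keyfile entry whose *_type names it and whose *_load is "YES".
keyfile_providers() {
    printf '%s\n' "$1" |
    sed -n 's/^\(geli_[A-Za-z0-9_]*_keyfile[0-9]*\)_type="\([^:"]*\):geli_keyfile[0-9]*"$/\1 \2/p' |
    while read -r var prov; do
        if printf '%s\n' "$1" | grep -q "^${var}_load=\"YES\""; then
            printf '%s\n' "$prov"
        fi
    done | sort -u
}

# check_provider CONF PROVIDER: exit 0 if PROVIDER has a boot keyfile, 1 if
# not (the case in which the kernel logs "Found no key files in loader.conf").
check_provider() {
    keyfile_providers "$1" | grep -Fxq "$2"
}

# report: walk the names the poster's partition is visible under.
# The gptid value is a placeholder, not the real one.
report() {
    for prov in ada0p1 gpt/rootfs gptid/PLACEHOLDER-UUID; do
        if check_provider "$LOADER_CONF" "$prov"; then
            echo "$prov: keyfile registered, attaches without a prompt"
        else
            echo "$prov: GEOM_ELI would log 'Found no key files in loader.conf for $prov'"
        fi
    done
}

report
```

Only gpt/rootfs is reported as having a keyfile; ada0p1 and the gptid name are the two the kernel complains about. Renaming the entries to ada0p1, as the reply suggests, moves the registration to that name rather than silencing the scan of the others.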
 
alphachi said:
Question 1.
[...]
How to disable the two messages, other than changing gpt_rootfs and gpt/rootfs to ada0p1 in /boot/loader.conf?
If there is a way, I haven't found it. The only clean way I have my GELI devices attaching at boot is to reference them as /dev/ada0p1 or similar. An alternative behaviour to searching through all devices would be for GELI to look at the values in loader.conf and try the devices listed there first, but that's not how it seems to work at the moment. Perhaps submit a feature request (if someone hasn't already)?

alphachi said:
Question 2
Before I added the second, the partition could be automounted. After adding it, I have to input the passphrase at boot. It looks like the system mixes the two authentications instead of treating them independently. Perhaps because of "geli init -b"?
How to: if the key is found, autobooting is OK; if the key isn't found, booting continues after inputting the passphrase?
Like you, I would expect the behaviour to be that both key slots would be checked and the first one that is successfully decrypted would be used. It might be that the GELI code that runs at boot time has more limited functionality and the two key slots may not be supported. I haven't looked at the source code to determine intended behaviour and the geli(8) man page doesn't explicitly define it. Did you check that the keys in the slots were correct (after you added key 1) by trying to mount /dev/gpt/rootfs manually (using a boot disk)? Did you try switching the keys in the slots in case GELI checks key 1 before key 0?
 
1. Yes, the behavior of GELI is similar to ssh-agent & ssh-add: it scans in order and can't be changed.

2. I'm sure the two keys are correct. I find that either key can autoboot if neither has a passphrase, but the passphrase needs to be input for booting if either key includes a passphrase.
 