encswap doesn't start on boot

nickolas · Feb 2, 2009

Hello!

I'm trying to encrypt my swap partition, but I have some troubles.

I've add ".eli" suffix to swap device in me /etc/fstab file:

Code:

# Device      Mountpoint FStype  Options     Dump    Pass#
/dev/ad4s1b.eli     none       swap    sw             0       0

and set geli_swap_flags in /etc/rc.conf:

Code:

geli_swap_flags="-e blowfish -l 448 -s 4096 -d"

.

I'm loading geom_eli, zlib and crypto kernel modules ad boot (through /boot/loader.conf):

Code:

zlib_load="YES"
crypto_load="YES"
geom_eli_load="YES"

But it seems that encswap doesn't start after reboot ("swapinfo" and "geli status" show nothing).

But if I run "/etc/rc.d/encswap start" manually, it seems to work ok:

Code:

cloud# geli status
Name  Status  Components
ad4s1b.eli     N/A  ad4s1b

What I'm doing wrong?
PS: I'm using FreeBSD 7.1

graudeejs · Feb 2, 2009

try
geli_swap_flags="-e blowfish -l 128 -s 4096 -d"

also no need to use long keylen for swap, it'll show down swap i/o
besides there aren't much usefull info to get from swap anyway

EDIT:
do the fallowing cmd as well
geli onetime -e blowfish -l 128 -s 4096 -d /dev/ad4s1b

nickolas · Feb 3, 2009

killasmurf86 said:
try
geli_swap_flags="-e blowfish -l 128 -s 4096 -d"

Nothing new - it doesn't start during boot.

killasmurf86 said:
try
do the fallowing cmd as well
geli onetime -e blowfish -l 128 -s 4096 -d /dev/ad4s1b

It works ok when I start it manually:

Code:

cloud# swapinfo
Device          1K-blocks     Used    Avail Capacity
cloud# geli status
cloud# geli onetime -e blowfish -l 128 -s 4096 -d /dev/ad4s1b
cloud# geli status
      Name  Status  Components
ad4s1b.eli     N/A  ad4s1b
cloud# swapon -a
swapon: adding /dev/ad4s1b.eli as swap device
cloud# swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ad4s1b.eli   4194304        0  4194304     0%

trev · Feb 3, 2009

Add:

Code:

rc_debug="YES"
rc_info="YES"

to your /etc/rc.conf file, reboot and see if your problematic script(s) is/are being executed.

nickolas · Feb 3, 2009

trev said:
Add:

Code:

rc_debug="YES" rc_info="YES"

to your /etc/rc.conf file, reboot and see if your problematic script(s) is/are being executed.

I've found such strings:

Code:

cloud kernel: /etc/rc: DEBUG: run_rc_command: doit: [B]encswap_attach[/B]
cloud kernel: [B]geli:[/B]
cloud kernel: [B]Cannot access ad4s1b (error=1).[/B]
cloud kernel:
...

I wonder, why geli can't access device during boot?

trev · Feb 4, 2009

No further ideas, sorry.

nickolas · Feb 4, 2009

trev said:
Is ad4s1b mounted when geli tries to access it?

ad4s1b is a swap device

I've found out that dumpon start script runs before encswap.

I've add

Code:

dumpdev="/dev/ad4s1b"

into rc.conf file, but still, I get mystery errors:

Code:

cloud kernel: Loading configuration files.
[B]cloud kernel: kernel dumps on /dev/ad4s1b[/B]
cloud kernel: Entropy harvesting:
cloud kernel: interrupts
cloud kernel: ethernet
cloud kernel: point_to_point
cloud kernel: kickstart
cloud kernel: .
[B]cloud kernel: geli:
cloud kernel: Cannot access ad4s1b (error=1).
cloud kernel:
cloud kernel: swapon:
cloud kernel: /dev/ad4s1b.eli
cloud kernel: :
cloud kernel: No such file or directory[/B]

mart · Feb 5, 2009

nickolas said:
Hello!

I'm trying to encrypt my swap partition, but I have some troubles.

<...snip...>

What I'm doing wrong?
PS: I'm using FreeBSD 7.1

Here's what I get after a clean boot (also 7.1, fully up-to-date)...

Code:

[mart@bsddesktop ~]$ swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ad10s1b.eli   4158768        0  4158768     0%
[mart@bsddesktop ~]$ cat /etc/rc.conf | grep "eli\|crypto"
[mart@bsddesktop ~]$ cat /boot/loader.conf | grep "eli\|crypto"
[mart@bsddesktop ~]$ cat /etc/fstab | grep "eli\|crypto"
/dev/ad10s1b.eli     none               swap    sw         0     0

ie I don't specify anything other than adding .eli to my swap in fstab, and all works (AES as default).

Here's dmesg...

Code:

GEOM_ELI: Device ad10s1b.eli created.
GEOM_ELI: Encryption: AES-CBC 256
GEOM_ELI:     Crypto: software

I just did a debug rc.conf and everything looked fine (set up geli, swapon -a etc). I'd post the output but FreeBSDs tragic usb keyboard support means I don't have access to function keys anymore, so I can't swap to a console right now. I'll save it and post it next reboot.

Summary: It works for me out-of-the-box, so try removing all your geli-swap related /boot/loader.conf and /etc/rc.conf settings and see if that helps.

[Edit]
Here's the rc.conf debug output:

Code:

   /etc/rc: DEBUG: run_rc_command: start_precmd: [ -n "$(geli_make_list)" ]
   /etc/rc: DEBUG: run_rc_command: start_precmd: find_gbde_devices start
   /etc/rc: DEBUG: run_rc_command: doit: gbde_start
   /etc/rc: DEBUG: run_rc_command: doit: encswap_attach
   cryptosoft0: <software crypto> on motherboard
   GEOM_ELI: Device ad10s1b.eli created.
   GEOM_ELI: Encryption: AES-CBC 256
   GEOM_ELI:     Crypto: software
   /etc/rc: DEBUG: run_rc_command: doit: ccd_start
   /etc/rc: DEBUG: run_rc_command: doit: swapon -a
   swapon: adding /dev/ad10s1b.eli as swap device
   /etc/rc: DEBUG: run_rc_command: doit: fsck_start
   Starting file system checks:

[/Edit]

nickolas · Feb 14, 2009

Problem has been solved.

I've removed GEOM_PART_MBR and GEOM_PART_BSD from my kernel config file.