mountroot error 19 when using GPT label on GELI encrypted root on 12.0-Release

Hello,

I'm installing FreeBSD 12.0-Release and I'm using the Shell option in the installer to partition my disk by hand.
I have a swap and a root partition. I'm using GPT label to label them, and GELI for the encryption.

After completing the installation and rebooting the host, I'm asked for the GELI passphrase, then the boot splash screen appears, then the booting process continues but halts later with the following error message:

Code:
mountroot: waiting for device /dev/gpt/ROOT.eli…
Mounting from ufs:/dev/gpt/ROOT.eli failed with error 19.

Loader variables:
  vfs.root.mountfrom=ufs:/dev/gpt/ROOT.eli
  vfs.root.mountfrom.options=rw

mountroot>

If I type '?', I can see that gpt/SWAP, gpt/BOOT and da0p3.eli are available. My root partition is indeed da0p3.eli but is not referenced under its GPT label.

If I type the following:
mountroot> ufs:/dev/da0p3.eli
then the system boots normally.


Here are the commands I used during the installation:

Code:
gpart destroy -F da0
gpart create -s GPT da0
gpart bootcode -b /boot/pmbr da0
gpart add -t freebsd-boot -s 512K -a 4K -l BOOT da0
gpart bootcode -p /boot/gptboot -i 1 da0
gpart add -t freebsd-swap -a 1M -s 1G -l SWAP da0
gpart add -t freebsd-ufs -a 1M -l ROOT da0
geli init -s 4096 -g -b /dev/gpt/ROOT
geli attach /dev/gpt/ROOT
newfs -t -U -L rootfs /dev/gpt/ROOT.eli
mount /dev/gpt/ROOT.eli /mnt

cat << EOF > /tmp/bsdinstall_etc/fstab
# Device             Mountpoint   FStype   Options              Dump   Pass#
/dev/gpt/SWAP.eli    no           swap     sw,sectorsize=4096   0      0
/dev/gpt/ROOT.eli    /            ufs      rw                   1      1
EOF

cat << EOF > /tmp/bsdinstall_boot/loader.conf
aesni_load="YES"
geom_eli_load="YES"
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
kern.geom.label.gpt.enable="1"
EOF



How can I tell the bootloader to find the GELI encrypted root partition using its GPT name?
Also, do I use the -b -g flags for the geli init command correctly?

Thanks! :)
 
I think that's a limitation of GPT labels.
The same applies to GEOM-journaled UFS filesystems, where the GPT label does not distinguish between /dev/gpt/mylabel and /dev/gpt/mylabel.journal.

I never tested it myself with GELI, but I've been part of a discussion on the mailing list some time ago, where people had the same problem with the *.eli device nodes.
 
When a device is accessed by one method, the devices exposed via the other methods disappear.
In your case you see da0p3.eli so your drive was obviously decrypted via its device name and this would explain why the GPT label is not there.

So having this in your loader.conf is a good idea:
Code:
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
kern.geom.label.gpt.enable="1"

I think you should tell GELI in loader.conf which device to mount. You should probably go like this (ZFS file system):

Code:
geom_eli_load="YES"
geli_ad0p3_keyfile0_load="YES"
geli_ad0p3_keyfile0_type="gpt/ROOT:geli_keyfile0"
geli_ad0p3_keyfile0_name="/encryptionKeyPath"
vfs.root.mountfrom="zfs:zroot/ROOT/default"

I read the following thread: https://forums.freebsd.org/threads/labelling-geli-disk-with-zfs.44250/

Unfortunately I don't know how you can tell GELI to use the GPT label in the variable names. geli_gpt/ROOT_keyfile0_load="YES" is not OK - the variables cannot have a "/" in the name. Probably try "gpt_ROOT"?
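As an added example (not code from the thread, the installer or FreeBSD itself), here is a small POSIX sh checker for the situation described in the question and in the explanation above: it pulls the root device out of an fstab, compares it with the providers the kernel listed at the mountroot prompt, and, when only the raw partition name is exposed, reports which .eli provider the kernel actually has. The fstab text, the provider list and the label-to-partition map are constructed from the values quoted in the thread; the map assumes gpt/ROOT is da0p3, which the thread implies but never prints, so it stands in for what gpart list would report on the real system.

```shell
#!/bin/sh
# Added example (not from the thread): check that the root device named in
# fstab is one of the providers the kernel exposes at the mountroot prompt.
# All inputs below are constructed from the values quoted in the thread.

# fstab as written from the installer shell in the thread (constructed copy)
FSTAB='# Device             Mountpoint   FStype   Options              Dump   Pass#
/dev/gpt/SWAP.eli    no           swap     sw,sectorsize=4096   0      0
/dev/gpt/ROOT.eli    /            ufs      rw                   1      1'

# Providers listed by "?" at the mountroot prompt in the thread (constructed)
MOUNTROOT_PROVIDERS='gpt/SWAP gpt/BOOT da0p3.eli'

# Label -> raw partition map, as gpart list would report it (constructed;
# the thread only implies that da0p3 carries the ROOT label)
LABEL_MAP='gpt/BOOT=da0p1
gpt/SWAP=da0p2
gpt/ROOT=da0p3'

# Print the device of the "/" entry of an fstab, ignoring comment lines.
root_device_from_fstab() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }'
}

# Strip the /dev/ prefix so names compare with the mountroot listing.
provider_name() {
    printf '%s\n' "$1" | sed 's|^/dev/||'
}

# Return 0 if provider $1 is in the space-separated list $2, 1 otherwise.
provider_visible() {
    for p in $2; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Map "gpt/LABEL.eli" (or "gpt/LABEL") to the raw partition name, keeping
# the .eli suffix, using the label map in $2. Prints nothing if unknown.
raw_provider_for_label() {
    base=${1%.eli}
    suffix=${1#"$base"}
    raw=$(printf '%s\n' "$2" | awk -F= -v l="$base" '$1 == l { print $2; exit }')
    [ -n "$raw" ] && printf '%s%s\n' "$raw" "$suffix"
}

# Full check: prints "ok <name>" when the fstab root is a visible provider,
# "mismatch <name> -> <raw>" when only the raw partition's .eli provider is
# exposed (the case in the thread), or "missing <name>" otherwise.
check_root() {
    name=$(provider_name "$(root_device_from_fstab "$1")")
    if provider_visible "$name" "$2"; then
        printf 'ok %s\n' "$name"
        return 0
    fi
    raw=$(raw_provider_for_label "$name" "$3")
    if [ -n "$raw" ] && provider_visible "$raw" "$2"; then
        printf 'mismatch %s -> %s\n' "$name" "$raw"
    else
        printf 'missing %s\n' "$name"
    fi
    return 1
}

# Run the check on the thread's values; a non-zero status means the fstab
# root would not be found at the mountroot prompt.
check_root "$FSTAB" "$MOUNTROOT_PROVIDERS" "$LABEL_MAP" || echo "root device check failed"
```

Run from the installer shell with the real fstab and the provider list copied from the mountroot prompt, the script reports "mismatch gpt/ROOT.eli -> da0p3.eli" for the thread's setup, and "ok da0p3.eli" once fstab names the provider the poster mounted by hand.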
 