Solved Password prompt when booting USB media (file bug report)

Why am I prompted for a password when booting to USB media if that device is not encrypted?

The hard drive in my system is encrypted with GELI, but I am not booting to it, so why does it care? It is an unnecessary step that slows down the boot process and makes me enter in the password.
 
Yes this is a bit annoying. AFAIK the bootloader scans every attached device for a geli(8) provider. If it finds an encrypted provider which is also configured with the -g flag, the bootloader prompts for the password.

Code:
-g Enable booting from this encrypted root filesystem. The boot loader prompts for the passphrase and loads loader(8) from the encrypted partition.

You can put the following line in your /boot/loader.conf on your USB media (NOT on your hard drive):

Code:
kern.geom.eli.tries=0

According to /boot/defaults/loader.conf there is also this knob:

Code:
geom_eli_passphrase_prompt="NO"

I haven't tried the two options, so I don't know if that's working as intended. Please try.
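To check which providers actually carry the BOOT flag that triggers the prompt, you can read the `Flags:` line of `geli list`. The following is an added example, not something posted in this thread: a small awk filter over the output of `geli list`. The sample output embedded below is constructed for illustration (the exact field layout of `geli list` is assumed), and the helper name `boot_flagged_providers` is ours.

```shell
#!/bin/sh
# boot_flagged_providers: read `geli list` output on stdin and print the
# name of every geom whose Flags line contains BOOT (the flag set by
# `geli init -b` / `geli configure -b`, which is what the boot loader
# looks for when it decides to prompt for a passphrase).
boot_flagged_providers() {
    awk '
        $1 == "Geom" && $2 == "name:" { name = $3 }
        $1 == "Flags:" {
            # Flags are comma separated, e.g. "Flags: BOOT, GELIBOOT"
            for (i = 2; i <= NF; i++) {
                f = $i
                gsub(",", "", f)
                if (f == "BOOT") print name
            }
        }
    '
}

# Constructed sample of `geli list` output with two providers: one that
# has the BOOT flag set and one that does not (layout is an assumption).
SAMPLE_GELI_LIST='Geom name: ada0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: BOOT
Providers:
1. Name: ada0p3.eli
Consumers:
1. Name: ada0p3
Geom name: da1p2.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: NONE
Providers:
1. Name: da1p2.eli
Consumers:
1. Name: da1p2'

# Real use on a running system would be:  geli list | boot_flagged_providers
# Here we run it over the constructed sample instead.
printf '%s\n' "$SAMPLE_GELI_LIST" | boot_flagged_providers
```

Every name printed is a provider the loader will stop at and prompt for, regardless of which device you are actually booting from.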
 
I added both to my USB drive @ /boot/loader.conf and they did not alter the behavior unfortunately. I will continue to play around with it some more.
 
Found a link:

same advice, but it doesn't seem to work.


So, I suppose that GELI is doing what it does because the boot flag is set on my volumes. So, I think I'm out of luck.
 
Very unfortunate. We could look into the source (/usr/src/stand) and see if the bootloader actually has some way for suppressing the passphrase prompt in this situation. But that seems to be a highly undocumented adventure. Maybe even worth a bug report in order to improve the user experience?

Before we dive into the dark abyss: could you try putting kern.geom.eli.tries=0 into /boot/efi/freebsd/loader.env (that is, /freebsd/loader.env in the ESP of your USB media)?
 
Sorry I made a mistake. It's /boot/efi/efi/freebsd/loader.env, not /boot/efi/freebsd/loader.env. But this won't work. I read the source and the passphrase prompt comes before any loader configurations are read: the main function of efi/loader/main.c does some small initializations before it calls into devinit, which does the whole device probing thing and reaches geli_probe_and_attach in libsa/geli/gelidev.c. And this calls geli_passphrase in libsa/geli/geliboot.c. Configuration files like loader.env are read after this. geli_passphrase has the number of tries hardcoded to 3.

Conclusion: in the current implementation there is no easy way to disable the geli passphrase prompt when you boot from external media. Do it like the old Romans did and press Enter three times at the passphrase prompt without entering the actual passphrase.
 