Solved ZFS+geli: failed to read pad2 area of primary vdev

Hi there,

I am currently running a FreeBSD 11.1-RELEASE and preparing for an upgrade (late, I know). The only thing I am worried about is a message "failed to read pad2 area of primary vdev" during the boot process when geli needs the decryption phrase.
I searched the forum here but only found cases where there were other problems leading to that message.
And the information from the FreeBSD Handbook, Encryption doesn't give a hint what the installer does in the background so I am a little stuck.

Code:
$ zpool status
NAME             STATE     READ WRITE CKSUM
rpool            ONLINE       0     0     0
  mirror-0       ONLINE       0     0     0
    ada2p3.eli   ONLINE       0     0     0
    ada3p3.eli   ONLINE       0     0     0
logs                                      
  mirror-1       ONLINE       0     0     0
    gpt/ada0ZIL  ONLINE       0     0     0
    gpt/ada1ZIL  ONLINE       0     0     0
cache                                    
  gpt/ada0Cache  ONLINE       0     0     0
  gpt/ada1Cache  ONLINE       0     0     0

Some more background to the current situation
- 11.1 installation with ZFS mirror and geli was done with the FreeBSD installer - encryption with manual passphrase to enter, so no key-file
- During the installation the ZFS mirror drives were ada0 and ada1
- For production use two SSDs were added as ada0 and ada1, so now the ZFS mirror drives are ada2 and ada3 <-- maybe geli should have been informed about that?
- Message appeared after the move of the drives
- System works and boots fine, except showing this message at the decryption step during boot procedure

Question:
- Where is the information for geli stored, which drives to en-/decrypt?
- How can I fix this error?
- Maybe the FreeBSD Handbook can include some hints what the installer does during the initialization of ZFS+geli encryption ;-)
 
Sorry to resurrect this post, but I am still struggling with the questions:
  • Where does geli store its information?
  • How can I change my setup so that geli() now knows that my correct drives are ada2 and ada3 (and not like before ada0 and ada1)?

My FreeBSD server (12.1-RELEASE now, geli setup was done by the FreeBSD installer) shows the following messages during startup:

Code:
GELI Passphrase for disk0p3:

Calculating GELI Decryption Key for disk0p3: ....
Calculating GELI Decryption Key for disk2p3: ....
failed to read pad2 area of primary vdev

But I think: disk0p3 should be disk3p3, to reflect my ZFS setup mentioned above.
And geli and ZFS seem to work fine:

Code:
$ geli status
      Name  Status  Components
ada2p3.eli  ACTIVE  ada2p3
ada3p3.eli  ACTIVE  ada3p3

How can I tell geli to only use ada2 and ada3? Do I have to use geli init somehow? Or is this stored somewhere in /boot?
Happy to get some pointers here.
Thanks.
 
Sorry to resurrect this post, but I am still struggling with the questions:
  • Where does geli store its information?

In the last block of the respective device.

In normal operation, geli should auto-detect its devices, according to the -g and -b flags used when creating or reconfiguring (init and configure options) the encryption (for pre-boot and post-boot auto-decryption respectively). The value of these flags is also stored in the last block.
But, I don't know how the installer would run these things, as I do not use installer.
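
What "stored in the last block" means in practice, as an added example that is not from any poster in this thread: a parser for the GELI metadata header in a provider's final sector. The header layout (metadata versions 1 to 7) is assumed from sys/geom/eli/g_eli.h, the function names are hypothetical, and the sample image is constructed. Note that no device name appears among the fields, so the metadata travels with the partition when ada0 becomes ada2.

```python
import struct

# GELI metadata header, versions 1-7, little-endian (layout assumed from
# sys/geom/eli/g_eli.h): magic, version, flags, ealgo, keylen, aalgo,
# provsize, sectorsize, keys (bitmask), iterations. Salt and keys follow.
HEADER = struct.Struct("<16sIIHHHQIBi")
MAGIC = b"GEOM::ELI"
FLAGS = {
    0x001: "ONETIME", 0x002: "BOOT", 0x004: "WO_DETACH", 0x008: "RW_DETACH",
    0x010: "AUTH", 0x020: "RO", 0x040: "NODELETE", 0x080: "GELIBOOT",
    0x100: "GELIDISPLAYPASS", 0x200: "AUTORESIZE",
}


def last_sector(image: bytes, sectorsize: int = 512) -> bytes:
    """GELI keeps its metadata in the provider's final sector."""
    return image[-sectorsize:]


def parse_geli_metadata(sector: bytes) -> dict:
    if len(sector) < HEADER.size:
        raise ValueError("sector shorter than GELI header")
    (magic, version, flags, ealgo, keylen, aalgo,
     provsize, sectorsize, keys, iterations) = HEADER.unpack_from(sector)
    if magic.rstrip(b"\0") != MAGIC:
        raise ValueError("no GELI magic in this sector")
    if not 1 <= version <= 7:
        raise ValueError(f"unsupported metadata version {version}")
    names = [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    return {"version": version, "flags": names, "keylen": keylen,
            "provsize": provsize, "sectorsize": sectorsize,
            "iterations": iterations,
            # -g sets GELIBOOT (loader decrypts before the kernel runs);
            # -b sets BOOT (kernel asks before mounting root).
            "loader_unlocks": "GELIBOOT" in names}


def make_sample_image() -> bytes:
    """Constructed 1 MiB provider image; all values are made up."""
    size, sect = 1 << 20, 512
    header = HEADER.pack(MAGIC, 7, 0x002 | 0x080, 22, 256, 0,
                         size, sect, 0x01, 250000)
    return bytes(size - sect) + header.ljust(sect, b"\0")


if __name__ == "__main__":
    print(parse_geli_metadata(last_sector(make_sample_image())))
```

On a running system, `geli dump ada2p3` prints these fields from the real provider.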
 
Thanks PMc
So if I look at my two disks ada2 and ada3 (the correct, encrypted drives) with geli list they show both the BOOT and GELIBOOT flags, so I think it is fine.

What bothers me is the fact that my decryption prompt tells me something about disk0 and disk2.
I found a hint here at the forums, that the FreeBSD 11 installer used to create a small unencrypted partition to store information.
I use beadm() to save my boot environments. Is /boot the place to look for? Or any other place where this old disk configuration is stored? See first post: My current disks ada2 and ada3 were formerly known as ada0 and ada1.

Is this a geli or a bootloader thing? I have never really dug into the booting process of FreeBSD ;-)
 
PC BIOS boots from ada2 and ada3 as the other/first two SATA ports are faster and therefore used for the caching SSDs.
And the bootcode is only installed on the spinning disks ada2 and ada3. So the boot process should only include information stored on those two drives.
Which program generates these messages?

Code:
Calculating GELI Decryption Key for disk0p3: ....
Calculating GELI Decryption Key for disk2p3: ....
failed to read pad2 area of primary vdev

Or is disk0p3 in this case just a "print" error, as this is the device the system is booting from?
 
Until a kernel is fully loaded, you don't have the real FreeBSD behaviour. The bootloader must resort to BIOS functions, and must use the disks as found by the BIOS (which may be different from the kernel disk numbering, and may be configurable in the BIOS). All this might be more or less hardware dependent. Then the bootloader must contain some copy of the geli code to do the geli stuff, and some zfs code to do the zfs thing - but don't ask me how that works.
 
Which program generates these messages?

Calculating GELI Decryption Key for disk0p3: ....
Calculating GELI Decryption Key for disk2p3: ....
geli(8), attempting to decrypt the devices, probing if working keys are existent, if not, prompt for a passphrase. From /usr/src/stand/libsa/geli/geliboot.c, beginning at line 218, reference to printed message at line 252:
Code:
printf("Calculating GELI Decryption Key for %s %d"
    " iterations...\n", gdev->name, gdev->md.md_iterations);
From here I don’t know where to look how the device name is generated by %s %d.

Concerning failed to read pad2 area of primary vdev message there is a bug report addressing this issue, PR 240942. It seems to be a harmless message.
 
So as FreeBSD is able to decrypt both drives it doesn't seem to be a problem with the disk numbering and the pad error message.
 