Author: allanjude
Date: Sun May 22 20:31:52 2016
New Revision: 300436
URL: https://svnweb.freebsd.org/changeset/base/300436

Log:
  bsdinstall/zfsboot GPT+BIOS+GELI installs now make use of GELIBOOT
  
  In this configuration, a separate bootpool is not required.
  This allows ZFS Boot Environments to be used with GELI encrypted ZFS pools.
  
  Support for GPT+EFI+GELI is planned for the future.
  
  Tested by: Joseph Mingrone, HardenedBSD
  Relnotes:     yes
  Sponsored by: ScaleEngine Inc.
  Differential Revision:        https://reviews.freebsd.org/D5869

Modified:
  head/usr.sbin/bsdinstall/scripts/zfsboot

Modified: head/usr.sbin/bsdinstall/scripts/zfsboot
==============================================================================
--- head/usr.sbin/bsdinstall/scripts/zfsboot    Sun May 22 20:17:55 2016        
(r300435)
+++ head/usr.sbin/bsdinstall/scripts/zfsboot    Sun May 22 20:31:52 2016        
(r300436)
@@ -1,6 +1,6 @@
 #!/bin/sh
 #-
-# Copyright (c) 2013-2015 Allan Jude
+# Copyright (c) 2013-2016 Allan Jude
 # Copyright (c) 2013-2015 Devin Teske
 # All rights reserved.
 #
@@ -189,8 +189,10 @@ CHMOD_MODE='chmod %s "%s"'
 DD_WITH_OPTIONS='dd if="%s" of="%s" %s'
 ECHO_APPEND='echo "%s" >> "%s"'
 GELI_ATTACH='geli attach -j - -k "%s" "%s"'
+GELI_ATTACH_NOKEY='geli attach -j - "%s"'
 GELI_DETACH_F='geli detach -f "%s"'
 GELI_PASSWORD_INIT='geli init -b -B "%s" -e %s -J - -K "%s" -l 256 -s 4096 
"%s"'
+GELI_PASSWORD_GELIBOOT_INIT='geli init -bg -e %s -J - -l 256 -s 4096 "%s"'
 GPART_ADD_ALIGN='gpart add %s -t %s "%s"'
 GPART_ADD_ALIGN_INDEX='gpart add %s -i %s -t %s "%s"'
 GPART_ADD_ALIGN_INDEX_WITH_SIZE='gpart add %s -i %s -t %s -s %s "%s"'
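Review bot: The added `GELI_PASSWORD_GELIBOOT_INIT` template drops the `-B "%s"` metadata backup that `GELI_PASSWORD_INIT` two lines above still passes, so geli writes its metadata backup to its default location on the running installer system rather than anywhere in the installed system, and nothing on the new side appears to copy it across. If that is intentional (there is no boot pool to hold the file), a comment on the template should say so; otherwise consider passing `-B` with a path under `$BSDINSTALL_CHROOT` and documenting where the backup lands. The `-g` flag is what distinguishes this template from the non-boot one (it marks the provider for GELIBOOT), which is worth a one-line comment since the name alone does not explain it.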
@@ -205,6 +207,7 @@ GPART_SET_ACTIVE='gpart set -a active -i
 GPART_SET_LENOVOFIX='gpart set -a lenovofix "%s"'
 GPART_SET_PMBR_ACTIVE='gpart set -a active "%s"'
 GRAID_DELETE='graid delete "%s"'
+KLDLOAD='kldload %s'
 LN_SF='ln -sf "%s" "%s"'
 MKDIR_P='mkdir -p "%s"'
 MOUNT_TYPE='mount -t %s "%s" "%s"'
@@ -755,21 +758,6 @@ zfs_create_diskpart()
        esac
 
        #
-       # Enable boot pool if encryption is desired
-       #
-       [ "$ZFSBOOT_GELI_ENCRYPTION" ] && ZFSBOOT_BOOT_POOL=1
-
-       #
-       # ZFSBOOT_BOOT_POOL and BIOS+UEFI boot type are incompatible
-       #
-       if [ "$ZFSBOOT_BOOT_POOL" -a "$ZFSBOOT_BOOT_TYPE" = "BIOS+UEFI" ]; then
-               f_dprintf "$funcname: ZFSBOOT_BOOT_POOL is incompatible with 
BIOS+UEFI boot type"
-               msg_error="$msg_error: $funcname" f_show_err \
-                       "ZFSBOOT_BOOT_POOL is incompatible with BIOS+UEFI boot 
type"
-               return $FAILURE
-       fi
-
-       #
        # Destroy whatever partition layout is currently on disk.
        # NOTE: `-F' required to destroy if partitions still exist.
        # NOTE: Failure is ok here, blank disk will have nothing to destroy.
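Review bot: The removed guard rejecting `ZFSBOOT_BOOT_POOL` with the BIOS+UEFI boot type has no replacement, and the new GPT branch later in this file sets `ZFSBOOT_BOOT_POOL=1` for both UEFI and BIOS+UEFI when encryption is requested, so a BIOS+UEFI+GELI install now proceeds with a combination the old code explicitly refused. If that combination has since become supported, the commit log or a comment at the new assignment should say so; if it has not, the check should be kept (or moved next to the new assignment) rather than dropped. zfs_create_diskpart begins before this hunk.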
@@ -821,9 +809,14 @@ zfs_create_diskpart()
                fi
 
                #
-               # 2. Add small freebsd-boot or efi partition
+               # 2. Add small freebsd-boot and/or efi partition
                #
                if [ "$ZFSBOOT_BOOT_TYPE" = "UEFI" -o "$ZFSBOOT_BOOT_TYPE" = 
"BIOS+UEFI" ]; then
+                       #
+                       # Enable boot pool if encryption is desired
+                       #
+                       [ "$ZFSBOOT_GELI_ENCRYPTION" ] && ZFSBOOT_BOOT_POOL=1
+
                        f_eval_catch $funcname gpart \
                                     "$GPART_ADD_ALIGN_LABEL_WITH_SIZE" \
                                     "$align_small" efiboot$index efi 800k 
$disk ||
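Review bot: The `[ "$ZFSBOOT_GELI_ENCRYPTION" ] && ZFSBOOT_BOOT_POOL=1` added in the UEFI/BIOS+UEFI branch carries over the old comment without the reason it now lives here, and the same comment is reused in the MBR hunk below. Suggest `# GELIBOOT covers GPT+BIOS only (see commit log); this layout still needs an unencrypted boot pool` in both places. The decision is now made inside the partition-layout code rather than once up front, so zfs_create_boot's `if [ "$ZFSBOOT_BOOT_POOL" ]` depends on this function having run for the chosen layout; a short note at the assignment would help the next reader. The surrounding case branch starts and ends outside the hunk.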
@@ -916,6 +909,10 @@ zfs_create_diskpart()
 
        MBR) f_dprintf "$funcname: Creating MBR layout..."
                #
+               # Enable boot pool if encryption is desired
+               #
+               [ "$ZFSBOOT_GELI_ENCRYPTION" ] && ZFSBOOT_BOOT_POOL=1
+               #
                # 1. Create MBR layout (no labels)
                #
                f_eval_catch $funcname gpart "$GPART_CREATE" mbr $disk ||
@@ -1190,6 +1187,10 @@ zfs_create_boot()
        # Create the geli(8) GEOMS
        #
        if [ "$ZFSBOOT_GELI_ENCRYPTION" ]; then
+               #
+               # Load the AES-NI kernel module to accelerate encryption
+               #
+               f_eval_catch -d $funcname kldload "$KLDLOAD" "aesni"
                # Prompt user for password (twice)
                if ! msg_enter_new_password="$msg_geli_password" \
                        f_dialog_input_password
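Review bot: The added `f_eval_catch -d $funcname kldload "$KLDLOAD" "aesni"` discards its result, which I read as deliberate (the module may already be loaded or built into the kernel, and the install works without acceleration), but the comment only says why the load is attempted, not why a failure is acceptable. Suggest extending it: `# Best effort: failure (already loaded / compiled in, or no AES-NI hardware) only costs speed, so it is not an error`. If `-d` on f_eval_catch does not in fact suppress the error dialog, that assumption needs re-checking, since a dialog here would interrupt the password prompt that follows. The enclosing if block continues past the hunk.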
@@ -1203,27 +1204,51 @@ zfs_create_boot()
                for disk in $disks; do
                        f_dialog_info "$msg_geli_setup" \
                                2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
-                       if ! echo "$pw_password" | f_eval_catch \
-                               $funcname geli "$GELI_PASSWORD_INIT" \
-                               "$bootpool/boot/$disk$targetpart.eli" \
-                               AES-XTS "$bootpool/$zroot_key" \
-                               $disk$targetpart
-                       then
-                               f_interactive || f_die
-                               unset pw_password # Sensitive info
-                               return $FAILURE
-                       fi
-                       if ! echo "$pw_password" | f_eval_catch \
-                               $funcname geli "$GELI_ATTACH" \
-                               "$bootpool/$zroot_key" $disk$targetpart
-                       then
-                               f_interactive || f_die
-                               unset pw_password # Sensitive info
-                               return $FAILURE
+                       if [ "$ZFSBOOT_BOOT_POOL" ]; then
+                               if ! echo "$pw_password" | f_eval_catch \
+                                       $funcname geli "$GELI_PASSWORD_INIT" \
+                                       "$bootpool/boot/$disk$targetpart.eli" \
+                                       AES-XTS "$bootpool/$zroot_key" \
+                                       $disk$targetpart
+                               then
+                                       f_interactive || f_die
+                                       unset pw_password # Sensitive info
+                                       return $FAILURE
+                               fi
+                               if ! echo "$pw_password" | f_eval_catch \
+                                       $funcname geli "$GELI_ATTACH" \
+                                       "$bootpool/$zroot_key" $disk$targetpart
+                               then
+                                       f_interactive || f_die
+                                       unset pw_password # Sensitive info
+                                       return $FAILURE
+                               fi
+                       else
+                               # With no bootpool, there is no place to store
+                               # the key files, use only a password
+                               if ! echo "$pw_password" | f_eval_catch \
+                                       $funcname geli \
+                                       "$GELI_PASSWORD_GELIBOOT_INIT" AES-XTS \
+                                       $disk$targetpart
+                               then
+                                       f_interactive || f_die
+                                       unset pw_password # Sensitive info
+                                       return $FAILURE
+                               fi
+                               if ! echo "$pw_password" | f_eval_catch \
+                                       $funcname geli "$GELI_ATTACH_NOKEY" \
+                                       $disk$targetpart
+                               then
+                                       f_interactive || f_die
+                                       unset pw_password # Sensitive info
+                                       return $FAILURE
+                               fi
                        fi
                done
                unset pw_password # Sensitive info
+       fi
 
+       if [ "$ZFSBOOT_BOOT_POOL" ]; then
                # Clean up
                f_eval_catch $funcname zfs "$ZFS_UNMOUNT" "$bootpool_name" ||
                        return $FAILURE
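Review bot: Both new branches feed the passphrase to geli with `echo "$pw_password" |`; as far as I recall FreeBSD's sh builtin echo accepts `-n` and `-e` as options, so a passphrase beginning with one of those can reach `geli init` in a different form from what the user typed, and in the GELIBOOT branch the boot loader prompt will later use the literal keystrokes and fail to unlock the provider. `printf '%s\n' "$pw_password" |` passes the bytes through unchanged and is a one-token change on each of the four pipelines (the bootpool branch inherits the same pattern from the moved code). The four identical recovery sequences (`f_interactive || f_die`, `unset pw_password`, `return $FAILURE`) would read better as one local helper, which also makes it harder to forget the `unset` in a future branch. The surrounding if block starts before the hunk.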
@@ -1369,29 +1394,6 @@ zfs_create_boot()
                             return $FAILURE
        fi
 
-       # We're all done unless we should go on for boot pool
-       [ "$ZFSBOOT_BOOT_POOL" ] || return $SUCCESS
-
-       # Set cachefile for boot pool so it auto-imports at system start
-       f_dprintf "$funcname: Configuring zpool.cache for boot pool..."
-       f_eval_catch $funcname zpool "$ZPOOL_SET" \
-                    "cachefile=\"$BSDINSTALL_CHROOT/boot/zfs/zpool.cache\"" \
-                    "$bootpool_name" || return $FAILURE
-
-       # Some additional geli(8) requirements for loader.conf(5)
-       for option in \
-               'zpool_cache_load=\"YES\"' \
-               'zpool_cache_type=\"/boot/zfs/zpool.cache\"' \
-               'zpool_cache_name=\"/boot/zfs/zpool.cache\"' \
-       ; do
-               f_eval_catch $funcname echo "$ECHO_APPEND" "$option" \
-                            $BSDINSTALL_TMPBOOT/loader.conf.zfs ||
-                            return $FAILURE
-       done
-       f_eval_catch $funcname printf "$PRINTF_CONF" vfs.root.mountfrom \
-               "\"zfs:$zroot_name/$zroot_bootfs\"" \
-               $BSDINSTALL_TMPBOOT/loader.conf.root || return $FAILURE
-
        # We're all done unless we should go on to do encryption
        [ "$ZFSBOOT_GELI_ENCRYPTION" ] || return $SUCCESS
 
@@ -1403,9 +1405,10 @@ zfs_create_boot()
                $BSDINSTALL_TMPBOOT/loader.conf.aesni || return $FAILURE
        f_eval_catch $funcname echo "$ECHO_APPEND" 'geom_eli_load=\"YES\"' \
                $BSDINSTALL_TMPBOOT/loader.conf.geli || return $FAILURE
-       f_eval_catch $funcname echo "$ECHO_APPEND" \
-               'geom_eli_passphrase_prompt=\"YES\"' \
-               $BSDINSTALL_TMPBOOT/loader.conf.geli || return $FAILURE
+
+       # We're all done unless we should go on for boot pool
+       [ "$ZFSBOOT_BOOT_POOL" ] || return $SUCCESS
+
        for disk in $disks; do
                f_eval_catch $funcname printf "$PRINTF_CONF" \
                        geli_%s_keyfile0_load "$disk$targetpart YES" \
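Review bot: The `geom_eli_passphrase_prompt` line is dropped from the unconditional GELI section and, per the later hunk, only written when a boot pool exists, which leaves the GELIBOOT path with `geom_eli_load` but no prompt setting; nothing in the code says why that is correct — presumably the boot loader supplies the passphrase in that configuration, but that is inferred, not stated. A comment at the moved `[ "$ZFSBOOT_BOOT_POOL" ] || return $SUCCESS` such as `# Without a boot pool the GELIBOOT loader prompts for the passphrase itself; the kernel-side prompt and key files are only needed for the boot pool layout` would record the assumption where the next reader will look. zfs_create_boot continues on both sides of the hunk.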
@@ -1423,6 +1426,27 @@ zfs_create_boot()
                        return $FAILURE
        done
 
+       # Set cachefile for boot pool so it auto-imports at system start
+       f_dprintf "$funcname: Configuring zpool.cache for boot pool..."
+       f_eval_catch $funcname zpool "$ZPOOL_SET" \
+                    "cachefile=\"$BSDINSTALL_CHROOT/boot/zfs/zpool.cache\"" \
+                    "$bootpool_name" || return $FAILURE
+
+       # Some additional geli(8) requirements for loader.conf(5)
+       for option in \
+               'zpool_cache_load=\"YES\"' \
+               'zpool_cache_type=\"/boot/zfs/zpool.cache\"' \
+               'zpool_cache_name=\"/boot/zfs/zpool.cache\"' \
+               'geom_eli_passphrase_prompt=\"YES\"' \
+       ; do
+               f_eval_catch $funcname echo "$ECHO_APPEND" "$option" \
+                            $BSDINSTALL_TMPBOOT/loader.conf.zfs ||
+                            return $FAILURE
+       done
+       f_eval_catch $funcname printf "$PRINTF_CONF" vfs.root.mountfrom \
+               "\"zfs:$zroot_name/$zroot_bootfs\"" \
+               $BSDINSTALL_TMPBOOT/loader.conf.root || return $FAILURE
+
        return $SUCCESS
 }
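Review bot: `geom_eli_passphrase_prompt` is appended to loader.conf.zfs alongside the zpool_cache options, while the other geom_eli settings a few lines earlier go to loader.conf.geli, and the retained comment `# Some additional geli(8) requirements for loader.conf(5)` now heads a list that is mostly zpool.cache configuration. Writing the geli option with its own `f_eval_catch $funcname echo "$ECHO_APPEND" 'geom_eli_passphrase_prompt=\"YES\"' $BSDINSTALL_TMPBOOT/loader.conf.geli` call next to the other geli lines, and rewording the comment to `# Boot pool needs zpool.cache loaded at boot`, would keep each loader.conf fragment single-purpose. The function's opening line is outside the hunk.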
 