Add "GELI Passphrase:" prompt to boot loader.

A new loader.conf(5) option of geom_eli_passphrase_prompt="YES" will now allow you to enter your geli(8) root-mount credentials prior to invoking the kernel. See check-password.4th(8) for details. Differential Revision: https://reviews.freebsd.org/D2105 Reviewed by: imp, kmoore Discussed on: -current MFC after: 3 days X-MFC-to: stable/10 Relnotes: yes
author: dteske <dteske@FreeBSD.org> 2015-04-16 20:53:15 +0000
committer: dteske <dteske@FreeBSD.org> 2015-04-16 20:53:15 +0000
commit: f2c181fe22e7d0ae5014e1729b455cbc48da009f (patch)
tree: ba035b2b8cab4a9a9c1695f21754db9da3d15a6e /sys/boot/forth
parent: 342ec6f56c33b761fd0b40a079597271bc7b6a2b (diff)
download: FreeBSD-src-f2c181fe22e7d0ae5014e1729b455cbc48da009f.zip
FreeBSD-src-f2c181fe22e7d0ae5014e1729b455cbc48da009f.tar.gz
3 files changed, 45 insertions, 7 deletions
diff --git a/sys/boot/forth/check-password.4th b/sys/boot/forth/check-password.4th
index 04114aa..d41777c 100644
--- a/sys/boot/forth/check-password.4th
+++ b/sys/boot/forth/check-password.4th
@@ -146,6 +146,15 @@ only forth definitions also password-processing
 		2drop read-reset
 	else drop then
 
+	\ Prompt for GEOM ELI (geli(8)) passphrase if enabled
+	s" geom_eli_passphrase_prompt" getenv dup -1 <> if
+		s" YES" compare-insensitive 0= if
+			s" GELI Passphrase: " read ( prompt -- )
+			readval readlen @ s" kern.geom.eli.passphrase" setenv
+			read-reset
+		then
+	else drop then
+
 	\ Exit if a password was not set
 	s" password" getenv -1 = if exit else drop then
 
diff --git a/sys/boot/forth/check-password.4th.8 b/sys/boot/forth/check-password.4th.8
index e1f52b7..db0aa4b 100644
--- a/sys/boot/forth/check-password.4th.8
+++ b/sys/boot/forth/check-password.4th.8
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2011-2012 Devin Teske
+.\" Copyright (c) 2011-2015 Devin Teske
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd December 10, 2012
+.Dd March 20, 2015
 .Dt CHECK-PASSWORD.4TH 8
 .Os
 .Sh NAME
@@ -33,8 +33,12 @@
 .Sh DESCRIPTION
 The file that goes by the name of
 .Nm
-is a set of commands designed to either prevent booting or prevent modification
-of boot options without an appropriately configured password.
+is a set of commands designed to do one or more of the following:
+.Pp
+.Dl o Prevent booting without password
+.Dl o Prevent modification of boot options without password
+.Dl o Provide a password to mount geli(8) encrypted root disk(s)
+.Pp
 The commands of
 .Nm
 by themselves are not enough for most uses.
@@ -58,14 +62,23 @@ The commands provided by it are:
 .Pp
 .Bl -tag -width disable-module_module -compact -offset indent
 .It Ic check-password
-Dual-purpose function that can either protect the interactive boot menu or
-prevent boot without password (separately).
+Multi-purpose function that can protect the interactive boot menu,
+prevent boot without password, or prompt for geli(8) passphrase
+.Pq depending on Xr loader.conf 5 settings .
 .Pp
 First checks
 .Va bootlock_password
 and if-set, the user cannot continue until the correct password is entered.
 .Pp
-Next checks
+Next, checks
+.Va geom_eli_passphrase_prompt
+and if set to
+.Li YES
+.Pq case-insensitive
+prompts the user to enter their GELI password for later mounting of the root
+device(s) during boot.
+.Pp
+Last, checks
 .Va password
 and if-set, tries to
 .Ic autoboot
@@ -81,6 +94,11 @@ The environment variables that effect its behavior are:
 Sets the bootlock password (up to 16 characters long) that is required by
 .Ic check-password
 to be entered before the system is allowed to boot.
+.It Va geom_eli_passphrase_prompt
+Selects whether loader(8) will prompt for GELI credentials, handing-off to the
+kernel for later mounting of
+.Xr geli 8
+encrypted root device(s).
 .It Va password
 Sets the password (up to 16 characters long) that is required by
 .Ic check-password
@@ -122,6 +140,16 @@ to prevent booting without password:
 .Bd -literal -offset indent -compact
 bootlock_password="boot"
 .Ed
+.Pp
+Add the following to
+.Xr loader.conf 5
+to generate a prompt at boot to collect GELI credentials for mounting
+.Xr geli 8
+encrypted root device(s):
+.Pp
+.Bd -literal -offset indent -compact
+geom_eli_passphrase_prompt="YES"
+.Ed
 .Sh SEE ALSO
 .Xr loader.conf 5 ,
 .Xr loader 8 ,
diff --git a/sys/boot/forth/loader.conf b/sys/boot/forth/loader.conf
index 573a06a..275a58b 100644
--- a/sys/boot/forth/loader.conf
+++ b/sys/boot/forth/loader.conf
@@ -62,6 +62,7 @@ entropy_cache_type="/boot/entropy"
 				# "NO" to disable autobooting
 #password=""			# Prevent changes to boot options
 #bootlock_password=""		# Prevent booting (see check-password.4th(8))
+#geom_eli_passphrase_prompt="NO" # Prompt for geli(8) passphrase to mount root
 #beastie_disable="NO"		# Turn the beastie boot menu on and off
 #kernels="kernel kernel.old"	# Kernels to display in the boot menu
 #loader_logo="orbbw"		# Desired logo: orbbw, orb, fbsdbw, beastiebw, beastie, none
author	dteske <dteske@FreeBSD.org>	2015-04-16 20:53:15 +0000
committer	dteske <dteske@FreeBSD.org>	2015-04-16 20:53:15 +0000
commit	f2c181fe22e7d0ae5014e1729b455cbc48da009f (patch)
tree	ba035b2b8cab4a9a9c1695f21754db9da3d15a6e /sys/boot/forth
parent	342ec6f56c33b761fd0b40a079597271bc7b6a2b (diff)
download	FreeBSD-src-f2c181fe22e7d0ae5014e1729b455cbc48da009f.zip FreeBSD-src-f2c181fe22e7d0ae5014e1729b455cbc48da009f.tar.gz