Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool

From: Guido van Rooij <guido_at_gvr.org>
Date: Wed, 17 Aug 2022 13:35:36 UTC

> On 16 Aug 2022, at 19:09, Warner Losh <imp@bsdimp.com> wrote:
> 
> 
> 
> 
>> On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij <guido@gvr.org> wrote:
>> On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
>> >    On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <[1]guido@gvr.org>
>> >    wrote:
>> > 
>> >      Currently I have a system with ZFS on GELI. I use the ability in
>> >      the EFI loader to enter the GELI password.
>> >      Is it possible somehow to use a serial console to enter the
>> >      password?
>> >      My system does have a COM1 port but it isn't recognised at the early
>> >      bot stage. There I only see:
>> >      Â  Â  Consoles: EFI console
>> >      Â  Â  GELI Passphrase for disk0p4:
>> >      (Note: this is early in the boot process so there is no access to
>> >      boot.config (or any other file in the ZFS pool) as it still on
>> >      encrypted storage at that time).
>> > 
>> >    The boot loader.efi will read ESP:/efi/freebsd/loader.env for
>> >    environment
>> >    variables. You can use that to set the COM1 port since it appears your
>> >    EFI system doesn't do console redirection.
>> >    If you want it to only prompt COM1 for the password, but everything
>> >    else is
>> >    on the efi console, that's a lot harder.
>> 
>> Hi Warner,
>> 
>> Thanks, but somehow I still cannot get it to work properly.
>> Content of /efi/freebsd/loader.env:
>> boot_multicons="YES"
>> console="efi comconsole"
>> 
>> The boot prompt still only shows "Consoles: EFI console".
> 
> Yes. That's printed before we process the ESP file and switch to the new console...
>  
>> When I boot I get the GELI passphrase prompt at the EFI console only. But when the kernel starts
>> to run I do get output to the serial console, staring with:
>> ---<<BOOT>>---
>> Copyright (c) 1992-2021 The FreeBSD Project.
>> 
>> So it seems the loader.env file is read correctly (it didn't output anything to the serial
>> console before I created efi/freebsd/loader.env). But looking at the source I see in 
>> efi/loader/main.c:read_loader_env():
>>         if (fn) {
>>                 printf("    Reading loader env vars from %s\n", fn);
>>                 parse_loader_efi_config(boot_img->DeviceHandle, fn);
>>         }
>> I never saw the printf appearing. I do not understand this.
> 
> It should have appeared on the video console of the EFI console (assuming no serial
> redirect is going on in that BIOS).
> 

It surely did not.
> I'd have to delve more deeply into the prompts for the GELI password than I have
> time to do this morning. What if you type the password blind into the serial port?
> 

Tried that but nothing happened. When I
enter the passphrase after typing it in via
the serial port, it worked immediately so
we can conclude that no single keystroke 
got through.

-Guido