Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool
- Reply: Warner Losh : "Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool"
- In reply to: Warner Losh : "Re: How to use serial console to enter GELI password to boot kernel on a GELI encrypted ZFS pool"
Date: Wed, 17 Aug 2022 13:35:36 UTC
> On 16 Aug 2022, at 19:09, Warner Losh <imp@bsdimp.com> wrote:
>
>> On Tue, Aug 16, 2022 at 3:44 AM Guido van Rooij <guido@gvr.org> wrote:
>> On Mon, Aug 15, 2022 at 02:20:32PM -0600, Warner Losh wrote:
>> > On Mon, Aug 15, 2022 at 8:23 AM Guido van Rooij <guido@gvr.org> wrote:
>> >
>> > Currently I have a system with ZFS on GELI. I use the ability in
>> > the EFI loader to enter the GELI password.
>> > Is it possible somehow to use a serial console to enter the password?
>> > My system does have a COM1 port but it isn't recognised at the early
>> > boot stage. There I only see:
>> >     Consoles: EFI console
>> >     GELI Passphrase for disk0p4:
>> > (Note: this is early in the boot process so there is no access to
>> > boot.config (or any other file in the ZFS pool) as it is still on
>> > encrypted storage at that time).
>> >
>> > The boot loader.efi will read ESP:/efi/freebsd/loader.env for environment
>> > variables. You can use that to set the COM1 port since it appears your
>> > EFI system doesn't do console redirection.
>> > If you want it to only prompt COM1 for the password, but everything else is
>> > on the efi console, that's a lot harder.
>>
>> Hi Warner,
>>
>> Thanks, but somehow I still cannot get it to work properly.
>> Content of /efi/freebsd/loader.env:
>> boot_multicons="YES"
>> console="efi comconsole"
>>
>> The boot prompt still only shows "Consoles: EFI console".
>
> Yes. That's printed before we process the ESP file and switch to the new console...
>
>> When I boot I get the GELI passphrase prompt at the EFI console only. But when the kernel starts
>> to run I do get output to the serial console, starting with:
>> ---<<BOOT>>---
>> Copyright (c) 1992-2021 The FreeBSD Project.
>>
>> So it seems the loader.env file is read correctly (it didn't output anything to the serial
>> console before I created efi/freebsd/loader.env).
>> But looking at the source I see in efi/loader/main.c:read_loader_env():
>>     if (fn) {
>>         printf(" Reading loader env vars from %s\n", fn);
>>         parse_loader_efi_config(boot_img->DeviceHandle, fn);
>>     }
>> I never saw the printf appearing. I do not understand this.
>
> It should have appeared on the video console of the EFI console (assuming no serial
> redirect is going on in that BIOS).

It surely did not.

> I'd have to delve more deeply into the prompts for the GELI password than I have
> time to do this morning. What if you type the password blind into the serial port?

Tried that but nothing happened. When I enter the passphrase after typing it in via the serial port, it worked immediately, so we can conclude that no single keystroke got through.

-Guido
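As an added illustration of the name="value" format that loader.efi reads from ESP:/efi/freebsd/loader.env (this is example code, not FreeBSD's parse_loader_efi_config()), a simplified C reader that handles the two settings posted in the thread and rejects malformed lines; the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical, simplified model of loader.env (name="value" lines, '#' comments). */
struct loader_env { int multicons; int ncons; char consoles[8][32]; };

/* Constructed sample: the loader.env content posted in the thread, plus a comment. */
static const char SAMPLE_LOADER_ENV[] =
    "# ESP:/efi/freebsd/loader.env\n"
    "boot_multicons=\"YES\"\n"
    "console=\"efi comconsole\"\n";

/* Parse one line: 1 = variable set, 0 = blank/comment ignored, -1 = malformed. */
static int parse_env_line(const char *line, struct loader_env *env) {
    char name[64], value[128], buf[128], *tok;
    const char *p = line, *eq;
    size_t n;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '#') return 0;
    eq = strchr(p, '=');
    if (eq == NULL || eq == p || (size_t)(eq - p) >= sizeof(name)) return -1;
    memcpy(name, p, eq - p); name[eq - p] = '\0';
    p = eq + 1; n = strlen(p);
    while (n > 0 && (p[n - 1] == '\n' || p[n - 1] == '\r')) n--;   /* drop line ending */
    if (n >= 2 && p[0] == '"' && p[n - 1] == '"') { p++; n -= 2; }  /* strip quotes */
    else if (n >= 1 && (p[0] == '"' || p[n - 1] == '"')) return -1; /* unbalanced quote */
    if (n >= sizeof(value)) return -1;
    memcpy(value, p, n); value[n] = '\0';
    if (strcmp(name, "boot_multicons") == 0) {
        env->multicons = (strcmp(value, "YES") == 0);
    } else if (strcmp(name, "console") == 0) {   /* space-separated console list */
        env->ncons = 0; strcpy(buf, value);
        for (tok = strtok(buf, " \t"); tok != NULL && env->ncons < 8; tok = strtok(NULL, " \t"))
            snprintf(env->consoles[env->ncons++], sizeof(env->consoles[0]), "%s", tok);
    }
    return 1;  /* other variables are accepted but not tracked in this model */
}

/* Parse a whole file body; returns the number of malformed lines. */
static int parse_loader_env(const char *text, struct loader_env *env) {
    char line[256]; int bad = 0;
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        if (len >= sizeof(line)) bad++;          /* overlong line: reject it */
        else { memcpy(line, text, len); line[len] = '\0'; if (parse_env_line(line, env) < 0) bad++; }
        text += len; if (*text == '\n') text++;
    }
    return bad;
}
```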