Solved FreeBSD 14.1 hanging with encrypted rootfs UFS/GELI/BIOS

I'm a little puzzled getting UFS going with GELI. I used to have good luck with this.

I mostly followed this guide: https://web.archive.org/web/20200202070221/https://daemon-notes.com/articles/system/encryption

I reboot and get prompted for my key. I enter my key and it hangs.

Looks something like this.

Code:
Enter passphrase for ada0p3: ...
GEOM_ELI: Device ada0p3.eli created.
GEOM_ELI: Encryption: AES-CBC 128
GEOM_ELI: Crypto: software
Setting hostuuid: blah
Setting hostid: blah
/dev/ada0p3.eli: FILESYSTEM CLEAN...
Mounting local filesystems:.
Autoloading module: acpi_dock
Autoloading module: acpi_wmi
Autoloading module: ichsmb

And here it hangs. I've done two installs and ended up at this point. I tried another install that was just a regular UFS install and had no problems.

Does anyone have any idea about this?

Thank you!
 
That guide is outdated; there has been no need for a separate unencrypted boot partition for quite a while (I believe since 10.3 or 10.4 for BIOS, and since 11.3 or so for UEFI [1] [2] [3] [4]).

I've done two installs and ended up at this point.
Try following the instructions from my notes, which I wrote a few days earlier:

Code:
geli(8) encrypted root-on-UFS and encrypted swap

1. Create partition table

  gpart create -s gpt ada0

2. Create FreeBSD boot code partition, add boot code

2.1 BIOS systems

  gpart add -t freebsd-boot -s 512k -l gptboot0 ada0
  gpart bootcode -b /boot/pmbr  -p /boot/gptboot -i 1 ada0

2.2 UEFI systems create ESP
 
  gpart add -t efi -a 4k -s 260m -l efi0 ada0
  newfs_msdos -c 1 -F 32 ada0p1

2.2.1 Create ESP file system hierarchy, copy kernel loader

  mount_msdosfs /dev/ada0p1  /mnt
  mkdir -p /mnt/efi/freebsd
  cp -a /boot/loader.efi /mnt/efi/freebsd
  umount  /mnt

3. Create swap partition (adapt swap size to your needs)

  gpart add -t freebsd-swap -a 1m -s 2g -l swap0 ada0
 
4. Create root partition for geli(8) provider

  gpart add -t freebsd-ufs -a 1m -l ufsroot0 ada0

5. Initialize root file system geli(8) provider, attach provider

  geli init -g -l 256 -s 4096 ada0p3
  geli attach ada0p3

6. Construct UFS2 file system on geli(8) provider
 
   newfs -j ada0p3.eli

   Note: -U is the default since 14.1

7. Install system distribution files

   mount /dev/ada0p3.eli  /mnt
   cd /usr/freebsd-dist

   tar xfC base.txz  /mnt
   tar xfC kernel.txz  /mnt

8. Configure system bootstrap information

   chroot /mnt
   vi /boot/loader.conf

       geom_eli_load="YES"
       cryptodev_load="YES"  # optional

9. Configure static file system information, exit chroot(8)

   vi /etc/fstab

       /dev/ada0p2.eli      none    swap    sw      0       0
       /dev/ada0p3.eli      /       ufs     rw      1       1

       # on UEFI mount ESP (optional)
       /dev/ada0p1         /boot/efi msdosfs rw     2       2

   exit

10. UEFI systems, optional create EFI boot manager entry

   umount /mnt
   mount_msdosfs  /dev/ada0p1  /mnt
   efibootmgr -c -a -L FreeBSD -l  /mnt/efi/freebsd/loader.efi

11. Reboot system, configure system



[1] Implement GELI (AES-XTS and AES-CBC only) in gptboot and gptzfsboot 2016-03-16

[2] Extend loader(8) geli support to all architectures and all disk-like devices. 2018-07-13

[3] bsdinstall/zfsboot: Enable new UEFI+GELI support 2018-08-23

[4] https://www.freebsd.org/security/unsupported/
 
Wow, thank you!

I saw geli init -g and that loader.efi supported it. I didn't realize you could do BIOS boot to geli! I thought it was UEFI only.

I do think this hang is a bug, but I will try this method.
 
I'm doing this slightly differently. Will track my commands here.

Code:
geli(8) encrypted root-on-UFS for BIOS boot only

1. Create partition table

  gpart create -s gpt ada0

2. Create FreeBSD boot code partition, add boot code

  gpart add -t freebsd-boot -s 512k -l gptboot0 ada0
  gpart bootcode -b /boot/pmbr  -p /boot/gptboot -i 1 ada0

3. Create root partition for geli(8) provider

  gpart add -t freebsd-ufs -a 1m -l ufsroot0 ada0

4. Initialize root file system geli(8) provider, attach provider

  geli init -g -l 128 -e AES-CBC -s 4096 ada0p2
  geli attach ada0p2

5. Construct UFS2 (softupdates, TRIM, no journaling) file system on geli(8) provider
 
   newfs -t ada0p2.eli

   Note: -U is the default since 14.1

6. Install system distribution files

   mount /dev/ada0p2.eli  /mnt
   cd /usr/freebsd-dist

   tar xfC base.txz  /mnt
   tar xfC kernel.txz  /mnt

7. Configure system bootstrap information

   vi /mnt/boot/loader.conf

       geom_eli_load="YES"
       cryptodev_load="YES"


   vi /mnt/etc/fstab

       /dev/ada0p2.eli      /       ufs     rw,noatime      1       1

   exit


8. Reboot system, configure system

This appeared to work just as well as the last method... Now at "Starting dev." it hangs.

I do prefer this, though! Nice to have it all on one partition.

UPDATE: I tried adding
Code:
cryptodev_load="YES"
and it didn't hang! I updated my commands above to include that line in case anyone else tries to follow along. Originally, I omitted it.

Thank you for your help!

I opened PR 281762 about this.
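As an added example (my own script, not part of either poster's notes and not a FreeBSD tool), here is a pre-reboot check for the staged root that the steps above populate under /mnt, covering both the two-partition notes and the single-partition BIOS variant. It assumes the layout the notes create, $ROOT/boot/loader.conf and $ROOT/etc/fstab, and flags the misconfigurations this thread turns on: a loader.conf missing geom_eli_load="YES" or cryptodev_load="YES", and an fstab whose root or swap entry points at a plaintext device instead of the .eli provider. The function names, the staging directory and the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example: sanity-check a staged geli-encrypted UFS root before rebooting.
# Assumes $ROOT/boot/loader.conf and $ROOT/etc/fstab as produced by the steps
# in this thread. Function names are this script's own.

# has_loader_var FILE NAME -> 0 if an uncommented NAME="YES" (or NAME=YES) is in FILE
has_loader_var() {
    sed 's/#.*//' "$1" | grep -Eq "^[[:space:]]*$2=\"?YES\"?[[:space:]]*\$"
}

# root_device FSTAB -> prints the device of the "/" entry (empty if none)
root_device() {
    sed 's/#.*//' "$1" | awk '$2 == "/" { print $1; exit }'
}

# check_geli_root ROOT -> 0 when every check passes, 1 otherwise; prints findings
check_geli_root() {
    root=$1
    conf="$root/boot/loader.conf"
    fstab="$root/etc/fstab"
    rc=0

    [ -f "$conf" ]  || { echo "MISSING: $conf";  return 1; }
    [ -f "$fstab" ] || { echo "MISSING: $fstab"; return 1; }

    # The kernel needs GELI to take over the provider the loader opened.
    if ! has_loader_var "$conf" geom_eli_load; then
        echo "FAIL: geom_eli_load=\"YES\" not set in $conf"; rc=1
    fi
    # Both posters' hangs went away once cryptodev_load="YES" was present.
    if ! has_loader_var "$conf" cryptodev_load; then
        echo "FAIL: cryptodev_load=\"YES\" not set in $conf (see PR 281762)"; rc=1
    fi

    # Root must be mounted from the decrypted .eli provider, not the raw slice.
    dev=$(root_device "$fstab")
    case "$dev" in
        "")    echo "FAIL: no / entry in $fstab"; rc=1 ;;
        *.eli) : ;;
        *)     echo "FAIL: / is $dev, expected a .eli provider"; rc=1 ;;
    esac

    # Any swap entry must also be a .eli provider, or swap pages land in plaintext.
    for sdev in $(sed 's/#.*//' "$fstab" | awk '$3 == "swap" { print $1 }'); do
        case "$sdev" in
            *.eli) : ;;
            *)     echo "FAIL: swap $sdev is not a .eli provider"; rc=1 ;;
        esac
    done

    [ "$rc" -eq 0 ] && echo "OK: $root looks bootable with an encrypted root"
    return "$rc"
}

# make_staged_root DIR LOADER_CONF_TEXT FSTAB_TEXT -> builds a constructed
# staging tree so the checker can be exercised without a real install.
make_staged_root() {
    mkdir -p "$1/boot" "$1/etc"
    printf '%s\n' "$2" > "$1/boot/loader.conf"
    printf '%s\n' "$3" > "$1/etc/fstab"
}

# Usage: sh check_geli_root.sh /mnt   (before the final reboot step)
if [ $# -ge 1 ]; then
    check_geli_root "$1"
fi
```

The check only reads the staged files, so it says nothing about whether `geli init` was run with `-g`; on the live system `geli dump ada0p3` shows the metadata flags for that. It also treats `cryptodev_load` as required, which matches what resolved the hang in this thread rather than any documented requirement.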
 