From e98808fa8377837046b8d4a71b48705b1f32f6ca Mon Sep 17 00:00:00 2001 From: gjb Date: Wed, 8 Jul 2015 09:54:17 +0000 Subject: [PATCH] MFC r273489 (cperciva): Populate the GELI passphrase cache with the kern.geom.eli.passphrase variable (if any) provided in the boot environment. Unset it from the kernel environment after doing this, so that the passphrase is no longer present in kernel memory once we enter userland. This will make it possible to provide a GELI passphrase via the boot loader. Note: head and stable/10 differ as a result of r273174, which renames the getenv(), setenv(), and unsetenv() functions with kern_getenv(), kern_setenv(), and kern_unsetenv(), which was reverted in the relevant parts of this change in 10-STABLE. PR: 200448 Approved by: re (kib) Sponsored by: The FreeBSD Foundation git-svn-id: svn://svn.freebsd.org/base/stable/10@285263 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- sys/geom/eli/g_eli.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/sys/geom/eli/g_eli.c b/sys/geom/eli/g_eli.c index 01c3b5334..96156215e 100644 --- a/sys/geom/eli/g_eli.c +++ b/sys/geom/eli/g_eli.c @@ -99,6 +99,25 @@ SYSCTL_UINT(_kern_geom_eli, OID_AUTO, boot_passcache, CTLFLAG_RD, &g_eli_boot_passcache, 0, "Passphrases are cached during boot process for possible reuse"); static void +fetch_loader_passphrase(void * dummy) +{ + char * env_passphrase; + + KASSERT(dynamic_kenv, ("need dynamic kenv")); + + if ((env_passphrase = getenv("kern.geom.eli.passphrase")) != NULL) { + /* Extract passphrase from the environment. */ + strlcpy(cached_passphrase, env_passphrase, + sizeof(cached_passphrase)); + freeenv(env_passphrase); + + /* Wipe the passphrase from the environment. */ + unsetenv("kern.geom.eli.passphrase"); + } +} +SYSINIT(geli_fetch_loader_passphrase, SI_SUB_KMEM + 1, SI_ORDER_ANY, + fetch_loader_passphrase, NULL); +static void zero_boot_passcache(void * dummy) { -- 2.45.0