From 9f3e19fb9620c69a3ce636206ec103de5f8459d4 Mon Sep 17 00:00:00 2001
From: CyberLeo
Date: Fri, 8 Nov 2019 22:12:26 -0600
Subject: [PATCH] cdn-patch: use key from efi if it exists

---
 libexec/rc/rc.d/geli | 52 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/libexec/rc/rc.d/geli b/libexec/rc/rc.d/geli
index e1442e43994..2a7cbb14d9d 100755
--- a/libexec/rc/rc.d/geli
+++ b/libexec/rc/rc.d/geli
@@ -39,6 +39,39 @@ start_cmd="geli_start"
 stop_cmd="geli_stop"
 required_modules="geom_eli:g_eli"
 
+# Takes provider
+# Reads key from EFIvar
+# Returns tempfile pathname containing key
+geli_efi()
+{
+ local provider="${1}"
+ local provider_=`ltr ${provider} '/-' '_'`
+ local guid="65537263-7465-654b-4f79-44666f6f216d"
+
+ eval "efi=\${geli_${provider_}_efi}"
+
+ if checkyesno efi
+ then
+ efivar="$(printf "%s-%s" "${guid}" "$(echo -n "${provider}" | sha256)")"
+ tmpkey="$(mktemp "/tmp/efikey_${provider_}")"
+ efivar --binary --no-name "${efivar}" > "${tmpkey}"
+ if [ -s "${tmpkey}" ]
+ then
+ echo "${tmpkey}"
+ fi
+ fi
+}
+
+geli_efi_init()
+{
+ mount -t tmpfs tmpfs /tmp
+}
+
+geli_efi_fini()
+{
+ umount -t tmpfs /tmp
+}
+
 geli_start()
 {
 devices=`geli_make_list`
@@ -52,6 +85,8 @@ geli_start()
 fi
 fi
 
+ geli_efi_init
+
 for provider in ${devices}; do
 provider_=`ltr ${provider} '/-' '_'`
 
@@ -59,6 +94,14 @@ geli_start()
 if [ -z "${flags}" ]; then
 flags=${geli_default_flags}
 fi
+
+ efikey="$(geli_efi "${provider}")"
+ if [ -s "${efikey}" ]
+ then
+ echo "Acquired key for ${provider} from EFI."
+ flags="${flags} -p -k ${efikey}"
+ fi
+
 if [ -e "/dev/${provider}" -a ! -e "/dev/${provider}.eli" ]; then
 echo "Configuring Disk Encryption for ${provider}."
 count=1
@@ -87,6 +130,13 @@ geli_start()
 continue
 fi
 
+ efikey="$(geli_efi "${group}")"
+ if [ -s "${efikey}" ]
+ then
+ echo "Acquired key for ${group} from EFI."
+ flags="${flags} -p -k ${efikey}"
+ fi
+
 if [ -e "/dev/${providers%% *}" -a ! -e "/dev/${providers%% *}.eli" ]; then
 echo "Configuring Disk Encryption for geli group ${group}, containing ${providers}."
 count=1
@@ -100,6 +150,8 @@ geli_start()
 done
 fi
 done
+
+ geli_efi_fini
 }
 
 geli_stop()
-- 
2.45.0
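Review bot: `geli_efi` passes `mktemp` a fixed template with no `X`s (`/tmp/efikey_${provider_}`) and never checks its result; as far as I can tell that makes `mktemp` try the literal name once, so a second call for the same sanitized name (a provider and a group that share a name, for instance) fails, `${tmpkey}` is empty, and the `efivar ... > ""` redirection fails silently with the key simply not found. I would write `tmpkey="$(mktemp "/tmp/efikey_${provider_}.XXXXXX")" || return 1` and declare `local efi efivar tmpkey`, since otherwise all three leak into `geli_start` as globals. Naming the shell variable `efivar` after the `efivar` command it is handed to reads confusingly; `varname` would be clearer. The `eval "efi=\${geli_${provider_}_efi}"` line mirrors the script's existing `eval "flags=..."` pattern and so inherits its assumption that rc.conf provider names contain nothing `ltr` does not rewrite.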
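Review bot: The status of `geli_efi_init` is ignored here, and its `mount -t tmpfs tmpfs /tmp` in the first hunk does not check its own status either, so if the tmpfs cannot be mounted every key that `geli_efi` extracts is written in the clear to whatever currently backs /tmp and is left there, because `geli_efi_fini` only unmounts a tmpfs. I would record the failure and make `geli_efi` refuse to write when it happened, e.g. `geli_efi_init || geli_efi_unavailable=yes` here and `[ -n "${geli_efi_unavailable}" ] && return 1` at the top of `geli_efi` (names are my suggestion). The mount is also performed unconditionally, even when no provider sets a `geli_<name>_efi` knob.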
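Review bot: The eight lines that look up the EFI key and append `-p -k` to `flags` are repeated verbatim in the group loop (hunk `@@ -87,6 +130,13 @@`), differing only in `${provider}` versus `${group}`; a small helper removes the copy and gives one place to decide what to do when the configured `geli_<name>_flags` already carry `-k`, `-p` or `-j`, which today would be handed to `geli attach` alongside the EFI key. Something like the helper below, called as `geli_efi_flags "${provider}"` here and `geli_efi_flags "${group}"` in the group loop. The enclosing `geli_start` body continues outside this hunk.
```shell
# Append "-p -k <keyfile>" to ${flags} when an EFI-stored key exists for $1.
geli_efi_flags()
{
	local efikey
	efikey="$(geli_efi "${1}")"
	if [ -s "${efikey}" ]; then
		echo "Acquired key for ${1} from EFI."
		flags="${flags} -p -k ${efikey}"
	fi
}
```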
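Review bot: `geli_efi_fini` is the only thing that disposes of the extracted key files, and its `umount -t tmpfs /tmp` (defined in the first hunk) neither checks nor reports failure, so a busy mount leaves the key files in place with no message. I would at least surface it, `geli_efi_fini || warn "tmpfs on /tmp still holds EFI key files"` (`warn` is the rc.subr helper), and have each loop `rm -f "${efikey}"` right after its attach attempts so a key file lives no longer than the `geli attach` call; those attach loops sit outside this hunk. From the visible context the early `return` in `geli_start` happens before `geli_efi_init` is called, so the cleanup here should be reached whenever the mount was made, but that is worth confirming against the full function.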