bin/55157: Request: cgd: timeout on waiting for passphrase

[schaecsn%gmx.net@localhost]

>Number:         55157
>Category:       bin
>Synopsis:       Request: cgd: timeout on waiting for passphrase
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 09 04:20:00 +0000 2020
>Originator:     schaecsn%gmx.net@localhost
>Release:        NetBSD 9.0
>Organization:
>Environment:
System: NetBSD XXX.XXX.XX 9.0 NetBSD 9.0 (GENERIC) #0: Fri=
 Feb 14 00:06:28 UTC 2020 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd=
64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
Every couple of months, we have here a blackout. When the ma=
chine comes back, /etc/rc.d/cgd waits on the passphrase prompt (in my case=
 for the home partition) and the whole bootup is blocked.

I rely on having remote access to my machine but can't ssh into it as ssh =
gets started after cgd. Had ssh started, I could ssh into the machine and =
manually mount the encrypted partition.

I have some patches that I use for some time. Perhaps they can serve as a =
starting point for a discussion.


I introduce a timeout flag for cgdconfig. A timeout can be configured in /=
etc/rc.conf via
cgd_flags=3D"-t 60"

In cgdconfig.c, it's hard to propagate a timeout value from main() all the=
 way to maybe_getpass(), where the timeout is applied and so the patch int=
roduces a global variable. This is similiar to the global variables nflag =
and pflag which are also derived from commandline arguments and set in mai=
n().

With my modified cgdconfig.c, /etc/rc.d/cgd times out and /dev/cgd* is lef=
t unconfigured. Cgdconfig and /etc/rc.d/cgd return an error as getpassfd()=
 can not distinguish a timeout from a wrong passphrase.

Now /etc/rc.d/fsck fails checking unconfigured encrypted filesystems and d=
rops into an emergency shell. For this I introduce a new fstab option "opt=
" which fsck will ignore if the partition is not configured:

- fsck happens to open /etc/fstab and retrieves options such as "opt". It =
does not know whether a partition is configured or not: it unconditionally=
 execv fsck.ffs
- fsck.ffs does not read /etc/fstab but knows (at some point) that the par=
tition is not configured.

Least intrusive way is to let fsck check for unconfigured partitions and s=
kip execv fsck.ffs if opt flag is set.

Next, mount_ffs does not like unknown options

# mount -a
mount_ffs: -o opt: option not supported

New options can to be introduced by extending /usr/include/mntopts.h

/* This is parsed by mount(8), but is ignored by specific mount_*(8)s. */
...
#define MOPT_OPT                { "opt",        0, 0, 0 }
...

#define MOPT_FSTAB_COMPAT                                               \
...
        MOPT_OPT


I think cgd timeouts are important. What do you think about my patch? Anyo=
ne has ideas for a less intrusive implementation?

 Stefan

>How-To-Repeat:

>Fix:

Index: etc/defaults/rc.conf
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/src/etc/defaults/rc.conf,v
retrieving revision 1.151.2.1
diff -u -p -r1.151.2.1 rc.conf
=2D-- etc/defaults/rc.conf	27 Sep 2019 09:18:38 -0000	1.151.2.1
+++ etc/defaults/rc.conf	8 Apr 2020 23:36:17 -0000
@@ -116,7 +116,7 @@ raidframe=3DYES

 # Crypto file system.
 #
-cgd=3DYES
+cgd=3DYES			cgd_flags=3D""

 # Logical Volume Manager
 #
Index: etc/rc.d/cgd
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/src/etc/rc.d/cgd,v
retrieving revision 1.8
diff -u -p -r1.8 cgd
=2D-- etc/rc.d/cgd	1 Nov 2010 14:41:11 -0000	1.8
+++ etc/rc.d/cgd	8 Apr 2020 23:36:17 -0000
@@ -19,7 +19,7 @@ cgd_start()
 {
 	if [ -f /etc/cgd/cgd.conf ]; then
 		print_rc_normal "Configuring CGD devices."
-		cgdconfig -C
+		cgdconfig -C ${cgd_flags}
 	fi
 }

Index: include/mntopts.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/src/include/mntopts.h,v
retrieving revision 1.18
diff -u -p -r1.18 mntopts.h
=2D-- include/mntopts.h	9 Jan 2018 03:31:12 -0000	1.18
+++ include/mntopts.h	8 Apr 2020 23:36:45 -0000
@@ -77,12 +77,14 @@ struct mntopt {
 /* This is parsed by mount(8), but is ignored by specific mount_*(8)s. */
 #define MOPT_AUTO		{ "auto",	0, 0, 0 }
 #define MOPT_RUMP		{ "rump",	0, 0, 0 }
+#define MOPT_OPT		{ "opt",	0, 0, 0 }
 #define MOPT_NULL		{ NULL,		0, 0, 0 }

 #define MOPT_FSTAB_COMPAT						\
 	MOPT_RO,							\
 	MOPT_RW,							\
-	MOPT_AUTO
+	MOPT_AUTO,							\
+	MOPT_OPT

 /* Standard options which all mounts can understand. */
 #define MOPT_STDOPTS							\
Index: sbin/cgdconfig/cgdconfig.8
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/src/sbin/cgdconfig/cgdconfig.8,v
retrieving revision 1.44
diff -u -p -r1.44 cgdconfig.8
=2D-- sbin/cgdconfig/cgdconfig.8	29 Dec 2018 18:34:01 -0000	1.44
+++ sbin/cgdconfig/cgdconfig.8	8 Apr 2020 23:36:46 -0000
@@ -35,17 +35,20 @@
 .Nd configuration utility for the cryptographic disk driver
 .Sh SYNOPSIS
 .Nm
-.Op Fl enpv
+.Op Fl env
+.Op Fl p | Fl t Ar timeout
 .Op Fl V Ar vmeth
 .Ar cgd dev
 .Op Ar paramsfile
 .Nm
 .Fl C
-.Op Fl enpv
+.Op Fl env
+.Op Fl p | Fl t Ar timeout
 .Op Fl f Ar configfile
 .Nm
 .Fl G
-.Op Fl enpv
+.Op Fl env
+.Op Fl p | Fl t Ar timeout
 .Op Fl i Ar ivmeth
 .Op Fl k Ar kgmeth
 .Op Fl o Ar outfile
@@ -133,6 +136,8 @@ in question to be unconfigured rather th
 again.
 .It Fl s
 Read the key (nb: not the passphrase) from stdin.
+.It Fl t
+Timeout on reading the passphrase in seconds (default: 0 meaning no timeo=
ut).
 .It Fl U
 Unconfigure all the devices listed in the cgd configuration file.
 .It Fl u
Index: sbin/cgdconfig/cgdconfig.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/src/sbin/cgdconfig/cgdconfig.c,v
retrieving revision 1.50
diff -u -p -r1.50 cgdconfig.c
=2D-- sbin/cgdconfig/cgdconfig.c	10 Apr 2019 06:11:37 -0000	1.50
+++ sbin/cgdconfig/cgdconfig.c	8 Apr 2020 23:36:46 -0000
@@ -83,6 +83,8 @@ enum action {
 	 ACTION_LIST			/* list configured devices */
 };

+int	timeout =3D 0;
+
 /* if nflag is set, do not configure/unconfigure the cgd's */

 int	nflag =3D 0;
@@ -203,7 +205,7 @@ main(int argc, char **argv)
 	p =3D params_new();
 	kg =3D NULL;

-	while ((ch =3D getopt(argc, argv, "CGUV:b:ef:gi:k:lno:spuv")) !=3D -1)
+	while ((ch =3D getopt(argc, argv, "CGUV:b:ef:gi:k:lno:st:puv")) !=3D -1)
 		switch (ch) {
 		case 'C':
 			set_action(&action, ACTION_CONFIGALL);
@@ -270,7 +272,9 @@ main(int argc, char **argv)
 		case 's':
 			set_action(&action, ACTION_CONFIGSTDIN);
 			break;
-
+		case 't':
+			timeout =3D atoi(optarg);
+			break;
 		case 'u':
 			set_action(&action, ACTION_UNCONFIGURE);
 			break;
@@ -387,12 +391,13 @@ maybe_getpass(char *prompt)

 	switch (pflag) {
 	case PFLAG_GETPASS:
-		p =3D getpass_r(prompt, buf, sizeof(buf));
+		p =3D getpassfd(prompt, buf, sizeof(buf), NULL,
+		    GETPASS_NEED_TTY, timeout);
 		break;

 	case PFLAG_GETPASS_ECHO:
 		p =3D getpassfd(prompt, buf, sizeof(buf), NULL,
-		    GETPASS_ECHO|GETPASS_ECHO_NL|GETPASS_NEED_TTY, 0);
+		    GETPASS_ECHO|GETPASS_ECHO_NL|GETPASS_NEED_TTY, timeout);
 		break;

 	case PFLAG_STDIN:
Index: sbin/fsck/fsck.c
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /cvsroot/src/sbin/fsck/fsck.c,v
retrieving revision 1.52
diff -u -p -r1.52 fsck.c
=2D-- sbin/fsck/fsck.c	25 Oct 2014 22:00:19 -0000	1.52
+++ sbin/fsck/fsck.c	8 Apr 2020 23:36:46 -0000
@@ -246,6 +246,7 @@ main(int argc, char *argv[])
 static void *
 isok(struct fstab *fs)
 {
+	int fsreadfd;

 	if (fs->fs_passno =3D=3D 0)
 		return NULL;
@@ -253,6 +254,17 @@ isok(struct fstab *fs)
 	if (BADTYPE(fs->fs_type))
 		return NULL;

+	if (strstr(fs->fs_mntops, "opt")) {
+		if ((fsreadfd =3D open(fs->fs_spec, O_RDONLY)) < 0) {
+			if (errno =3D=3D ENXIO) {
+				printf("skipping unconfigured optional device %s\n",
+				       fs->fs_spec);
+				return NULL;
+			}
+		} else
+			close(fsreadfd);
+	}
+
 	if (!selected(fs->fs_vfstype))
 		return NULL;