This happens after inputting the GELI password at boot but before the boot prompt shows up. It displays the error mentioned in the Summary forever. I managed to get around this by booting a rescue disk and flipping my boot environment to a previous one.
Same here, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261172

I've had to revert all the latest changes in sys/opencrypto and the one in stand (geliboot: Use the multi-block functions for AES-XTS.). I don't know which one is causing the problem; reverting only 'geliboot: Use the multi-block functions for AES-XTS.' doesn't fix it.

  cryptosoft: Use multi-block encrypt/decrypt for ChaCha20-Poly1305
  cryptosoft: Use multi-block encrypt/decrypt for AES-CCM
  cryptosoft: Use multi-block encrypt/decrypt for AES-GCM
  swcr_encdec: Rename blks to blksz
  cryptosoft: Use multi-block encrypt/decrypt for non-AEAD ciphers.
  crypto: Re-add encrypt/decrypt_multi hooks to enc_xform.
  crypto: Add support for the XChaCha20-Poly1305 AEAD cipher
  geliboot: Use the multi-block functions for AES-XTS.

It's on a Core i7 3540M CPU if that matters.
The issue is that the compile fix exposed an assertion that was previously unchecked. Hmm, the code in geliboot_crypto.c is a bit incorrect (but probably not harmfully so). This (untested) patch will fix the assertion, but it should also use a better IV size. The IV size is not the same as the key size (for AES-CBC the IV is a block, and for AES-XTS the IV is actually smaller than a block).
Created attachment 230991 [details] geliboot_iv.patch
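To make the IV-length point concrete, here is a small added C model (not code from the FreeBSD tree or the attached patch) of the mistake described above: geliboot handed the key length to the cipher as the IV length, which the newly checked reinit assertion rejects. The constant values (AES_XTS_IV_LEN, AES_BLOCK_LEN, G_ELI_IVKEYLEN), the enum and all function names are assumptions for illustration; the model replaces the kernel assertion with an error return.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants modelled on FreeBSD's sys/opencrypto/xform_enc.h and
 * sys/geom/eli/g_eli.h; the values are assumed here, check your tree. */
#define AES_BLOCK_LEN   16   /* AES-CBC IV is one cipher block */
#define AES_XTS_IV_LEN  8    /* AES-XTS IV is a 64-bit sector tweak */
#define G_ELI_IVKEYLEN  64   /* size of geli's zeroed iv[] scratch buffer */

enum geli_cipher { GELI_AES_CBC, GELI_AES_XTS };

/* The IV length is a property of the cipher mode, never of the key. */
size_t geli_iv_len(enum geli_cipher c)
{
	return c == GELI_AES_XTS ? AES_XTS_IV_LEN : AES_BLOCK_LEN;
}

/* Stand-in for the reinit hook whose assertion fired at boot: reject a
 * mismatched IV length instead of panicking. Returns 0 on success, -1 on a
 * bad length. */
int cipher_reinit(enum geli_cipher c, const uint8_t *iv, size_t ivlen)
{
	if (iv == NULL || ivlen != geli_iv_len(c))
		return -1;
	return 0;
}

/* Fill the XTS IV into a zeroed G_ELI_IVKEYLEN buffer: geli uses the sector's
 * byte offset, little-endian, as the XTS tweak. Returns the IV length that
 * must be handed to the cipher (8, not the key length). */
size_t geli_xts_iv(uint64_t offset, uint8_t iv[G_ELI_IVKEYLEN])
{
	memset(iv, 0, G_ELI_IVKEYLEN);
	for (size_t i = 0; i < AES_XTS_IV_LEN; i++)
		iv[i] = (uint8_t)(offset >> (8 * i));
	return AES_XTS_IV_LEN;
}

/* Reproduce both call patterns from this report: passing the key length as
 * the IV length (the buggy path) versus the cipher's real IV length (the fix). */
int geli_xts_reinit_demo(uint64_t offset, size_t keylen, int use_keylen_as_ivlen)
{
	uint8_t iv[G_ELI_IVKEYLEN];
	size_t ivlen = geli_xts_iv(offset, iv);
	if (use_keylen_as_ivlen)
		ivlen = keylen;   /* 32 or 64 bytes for AES-XTS keys: wrong */
	return cipher_reinit(GELI_AES_XTS, iv, ivlen);
}
```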
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c7721958ffa1aa81064b74b884e81efbe11d7fe4

commit c7721958ffa1aa81064b74b884e81efbe11d7fe4
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-01-14 01:19:54 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-01-14 01:19:54 +0000

    geliboot: Use the correct IV length for AES-XTS.

    - Use AES_XTS_IV_LEN instead of the key length as the IV length.

    - Use G_ELI_IVKEYLEN as the size of the zeroed iv[] array in
      g_eli_crypto_cipher() to match geli_io().

    PR:             261172
    Reported by:    Malcolm Matalka <mmatalka@gmail.com>, mikael
    Reviewed by:    markj
    Sponsored by:   FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D33884

 stand/libsa/geli/geliboot.c          | 2 +-
 stand/libsa/geli/geliboot_crypto.c   | 9 ++++-----
 stand/libsa/geli/geliboot_internal.h | 2 +-
 3 files changed, 6 insertions(+), 7 deletions(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=673910f3b8c4606313bd8e56a44ea43508dee0cc

commit 673910f3b8c4606313bd8e56a44ea43508dee0cc
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-01-14 01:19:54 +0000
Commit:     Warner Losh <imp@FreeBSD.org>
CommitDate: 2023-01-24 21:49:20 +0000

    geliboot: Use the correct IV length for AES-XTS.

    - Use AES_XTS_IV_LEN instead of the key length as the IV length.

    - Use G_ELI_IVKEYLEN as the size of the zeroed iv[] array in
      g_eli_crypto_cipher() to match geli_io().

    PR:             261172
    Reported by:    Malcolm Matalka <mmatalka@gmail.com>, mikael
    Reviewed by:    markj
    Sponsored by:   FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D33884

    (cherry picked from commit c7721958ffa1aa81064b74b884e81efbe11d7fe4)

 stand/libsa/geli/geliboot.c          | 2 +-
 stand/libsa/geli/geliboot_crypto.c   | 9 ++++-----
 stand/libsa/geli/geliboot_internal.h | 2 +-
 3 files changed, 6 insertions(+), 7 deletions(-)