Bug 206599

Summary: Geli restore from backuped geli-metadata is not possible
Product: Base System Reporter: Bachmarc <marc.arnold.bach>
Component: kernAssignee: freebsd-geom (Nobody) <geom>
Status: New ---    
Severity: Affects Some People CC: fk
Priority: ---    
Version: 10.2-STABLE   
Hardware: amd64   
OS: Any   

Description Bachmarc 2016-01-25 11:08:26 UTC 
Hello,

Setup:
- I installed a freebsd in a vmware from using "auto zfs root" option.
- The zroot pool is located on /dev/da0p4.eli after installation. 
- Rebooting works, even if keyboardlayout during boot is US not selected... (this is a simple setting..)

Symptom:
Restoring a metadata from file is rejected by geli

Procedure to reproduce this:

root# geli backup /dev/da0p4 /root/backupme
root# geli restore /root/backupme /dev/da0p4
geli: Cannot write metadata to /dev/da0p4: Operation not permitted


Some tests I did:
a)
file backupme is existing and has size 512byte... For testing I tried to restore it to the created blockdevice da0p4.eli. The application rejects due to size, what makes sense as this is the inner container, not the partition itself.
=> file seems to contain valid data

b) I tried to force restoring to /dev/da0p4, even if partition was never modified.. same result: Operation not permitted...

The zpool was not exported, nor the cryptodevice detached as it is the rootpool. However it is never mentioned that restore works only in detached, offline blockdevices... it is just a block of data at the end with same masterpwd...

Regards Marc
Comment 1 Fabian Keil 2016-03-23 10:58:47 UTC 
Are you trying to restore the meta data while the provider is attached?

By default this is not allowed.

If you absolutely want to do it, you can set the
"allow foot shooting" bit. For details see geom(4).

fk@r500 ~ $sudo geli attach /dev/md0
Enter passphrase: 
fk@r500 ~ $sudo geli restore /var/backups/md0.eli /dev/md0
geli: Cannot write metadata to /dev/md0: Operation not permitted.
fk@r500 ~ $sudo sysctl kern.geom.debugflags=16
kern.geom.debugflags: 0 -> 16
fk@r500 ~ $sudo geli restore /var/backups/md0.eli /dev/md0
fk@r500 ~ $sudo sysctl kern.geom.debugflags=0
kern.geom.debugflags: 16 -> 0
Comment 2 Bachmarc 2016-03-23 12:00:06 UTC 
Yes and this I would regard as default because standing in an open door while changing the lock is what people do... nobody would close the door to install a new  lock to get this thrill while not beeing sure if he will sees other side again.

Its a data block at the end of a device no on the fly transcrypting...


Even if not possible I would welcome a more meaningful error message: "Cannot perform action, cryptoprovider is still attached. Detach provider or set "ffot shoot bit" ;o)"