Bug 206599 - Geli restore from backuped geli-metadata is not possible
Summary: Geli restore from backuped geli-metadata is not possible
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.2-STABLE
Hardware: amd64 Any
: --- Affects Some People
Assignee: freebsd-geom (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-25 11:08 UTC by Bachmarc
Modified: 2016-08-08 08:14 UTC

See Also:


Attachments

Description Bachmarc 2016-01-25 11:08:26 UTC
Hello,

Setup:
- I installed FreeBSD in VMware using the "auto ZFS root" option.
- The zroot pool is located on /dev/da0p4.eli after installation.
- Rebooting works, even if the keyboard layout during boot is US, not the selected one... (this is a simple setting..)

Symptom:
Restoring metadata from a file is rejected by geli.

Procedure to reproduce this:

root# geli backup /dev/da0p4 /root/backupme
root# geli restore /root/backupme /dev/da0p4
geli: Cannot write metadata to /dev/da0p4: Operation not permitted


Some tests I did:
a)
The file backupme exists and has a size of 512 bytes... For testing I tried to restore it to the created block device da0p4.eli. The application rejects it due to the size, which makes sense as this is the inner container, not the partition itself.
=> the file seems to contain valid data

b) I tried to force restoring to /dev/da0p4, even though the partition was never modified... same result: Operation not permitted...

The zpool was not exported, nor the crypto device detached, as it is the root pool. However, it is never mentioned that restore works only on detached, offline block devices... it is just a block of data at the end with the same master password...

Regards Marc
Comment 1 Fabian Keil 2016-03-23 10:58:47 UTC
Are you trying to restore the metadata while the provider is attached?

By default this is not allowed.

If you absolutely want to do it, you can set the
"allow foot shooting" bit. For details see geom(4).

fk@r500 ~ $sudo geli attach /dev/md0
Enter passphrase: 
fk@r500 ~ $sudo geli restore /var/backups/md0.eli /dev/md0
geli: Cannot write metadata to /dev/md0: Operation not permitted.
fk@r500 ~ $sudo sysctl kern.geom.debugflags=16
kern.geom.debugflags: 0 -> 16
fk@r500 ~ $sudo geli restore /var/backups/md0.eli /dev/md0
fk@r500 ~ $sudo sysctl kern.geom.debugflags=0
kern.geom.debugflags: 16 -> 0
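A defensive wrapper around the procedure shown in the transcript above, added here as an example; it is not part of the bug report and not FreeBSD's own tooling. It assumes a FreeBSD host with geli(8) and sysctl(8). The `geli_is_attached` helper, the `FORCE` variable, and the assumed `geli status` row format ("da0p4.eli  ACTIVE  da0p4") are this example's own, not documented interfaces.

```shell
#!/bin/sh
# Added example for this bug thread; not from the report or from geli(8).
# Assumes FreeBSD with geli(8) and sysctl(8). PROVIDER is e.g. "da0p4"
# (without ".eli"); FORCE=1 is a knob invented for this script.
#
# geli refuses `geli restore` onto a provider whose .eli device is attached,
# because the open device holds the underlying provider. The safe order is:
# detach, restore, attach. For a root pool that cannot be detached the thread
# shows the kern.geom.debugflags=16 ("allow foot shooting", geom(4)) route;
# this script only takes it with FORCE=1 and always resets the flag, since the
# flag lifts the write protection for every GEOM provider while it is set.

# geli_is_attached PROVIDER: reads `geli status` text on stdin and returns 0
# when PROVIDER.eli is listed. Assumed format: rows like
# "da0p4.eli  ACTIVE  da0p4" under a "Name  Status  Components" header.
geli_is_attached() {
    grep -q "^[[:space:]]*$1\.eli[[:space:]]"
}

# geli_restore_safe BACKUP_FILE PROVIDER
geli_restore_safe() {
    backup=$1
    prov=$2

    [ -f "$backup" ] || { echo "backup file $backup not found" >&2; return 2; }

    if geli status | geli_is_attached "$prov"; then
        if [ "${FORCE:-0}" != "1" ]; then
            echo "$prov.eli is attached; run 'geli detach $prov.eli' first, or set FORCE=1" >&2
            return 1
        fi
        # Reset the flag on every exit path (error, signal) to keep the window short.
        trap 'sysctl kern.geom.debugflags=0 >/dev/null' EXIT INT TERM
        sysctl kern.geom.debugflags=16 >/dev/null
        geli restore "$backup" "$prov"
        rc=$?
        sysctl kern.geom.debugflags=0 >/dev/null
        trap - EXIT INT TERM
        return $rc
    fi

    # Provider is not attached: plain restore, no debug flag needed.
    geli restore "$backup" "$prov"
}

# Usage: sh geli_restore_safe.sh /root/backupme da0p4
if [ $# -eq 2 ]; then
    geli_restore_safe "$1" "$2"
fi
```

Prefer the detach path whenever the provider is not the root pool: the debugflags route works, but while the flag is 16 any process with write access to a raw device can overwrite an open provider, so the script narrows that window to the single `geli restore` call and clears the flag even if the restore fails.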
Comment 2 Bachmarc 2016-03-23 12:00:06 UTC
Yes, and this I would regard as the default, because standing in an open door while changing the lock is what people do... nobody would close the door to install a new lock to get this thrill while not being sure if he will see the other side again.

It's a data block at the end of a device, no on-the-fly transcrypting...


Even if not possible, I would welcome a more meaningful error message: "Cannot perform action, crypto provider is still attached. Detach provider or set "foot shoot bit" ;o)"