OpenBSD Journal

Passphrase timeout for disk decryption at boot added (potential battery lifesaver)

Contributed by Peter N. M. Hansteen on from the bag heater no more dept.

Have you had your laptop accidentally un-hibernate while you weren't looking, leaving you with a totally drained battery?

Now OpenBSD-current has a fix for that, thanks to this commit by Klemens Nanni (kn@). The commit message reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Klemens Nanni <kn () cvs ! openbsd ! org>
Date:       2024-04-25 18:31:49

CVSROOT:	/cvs
Module name:	src
Changes by:	kn@cvs.openbsd.org	2024/04/25 12:31:49

Modified files:
	sys/lib/libsa  : softraid.c 
	sys/arch/amd64/stand/boot: boot.8 
	sys/arch/amd64/stand/efiboot: Makefile.common cmd_i386.c conf.c 
	                              efiboot.c efiboot.h 

Log message:
Add boot.conf(8) 'mach idle [secs]' to halt at idle passphrase prompts
Enable users to power down their machines if there was no input after N
seconds during disk decryption.

Motivation is to save battery and prevent pocket heaters when notebooks
unhibernate (e.g. lid accidentally opened) and sit at "Passphrase: ".

Only available on efi(4) systems as the timeout is saved as EFI variable;
mostly because that's trivial to do, but also because we lack a better
mechanism to configure that and persist such data without the root disk.

Discussed with many, starting at h2k23
OK Tests gnezdo

It is worth noting that this feature is only available on EFI systems configured with disk encryption (as one would have these days).

Thanks to Bryan Steele (brynet@) for the heads up via the fediverse.


Comments
  1. By Anonymous Coward (2003:d2:5737:c500:39d9:789a:a382:47ba) on

    Hi,

    I've had weird powerups on my early 2015 MBP running OpenBSD. I do shut it down nightly with this:

    https://gotweb.delphinusdns.org/?action=summary&path=x-shutdown.git

    (btw having this program in xenodm login startup is awesome!)

    So anyhow, whenever I shut this laptop down I have to remove the power cord since it will power up magically by itself and chime at any hour of the night. Unplugging the cord seems to prevent that.

    This addition is great too! BTW, I had OpenBSD running on a Windows host in QEMU (still do actually, however I had to rebuild it) and what I found out is the following. With an encrypted partition the boot process from bootloader to kernel is really really slow. A load would take on the account of 20 min sometimes. I came to the conclusion that there must have been some overlapping sectors on the NTFS and the crypto partition and that caused horrendous slowdowns. What I do now is I have put the drive for OpenBSD on a BitLocker partition and it is encrypted by NTFS. There is no crypto inside OpenBSD right now. Bootup resumed to be fast. While I'm on this subject... have you heard of the passphrase for BitLocker partitions changing case? As in PASSword changing to password? Because that happened to me, and I'm baffled but feel lucky that I figured out the lower case password.

    Keep up the good work!

    -pjp

    Comments
    1. By Anonymous Coward (2003:d2:5737:c500:6147:1324:a5:aacb) on

      Turns out the battery has 1 Ah out of 65 Ah left on it. It's as good as dead. I knew this day would happen eventually. It's 9 years old and was falling apart/bulging etc etc. I think I'm going to purchase a new (non-Intel/AMD) laptop this year, until then I'll use the craptops (Acer 1's) that I have still. :-) or should it be :-(

      -pjp

  2. By Sebastian Rother (2001:9e8:fab:5300:7da1:64f5:b492:2eb) on

    Either you Guys add a CAVEAT-Section or you patch the disk-Decryptor:

    You can NOT USE NON-US-Chars in a Password since the DECRYPTOR will not switch your Keyboardlayout so you simply can not enter a "ö" even though you can use it during the INSTALLATION (where you can set the Keyboard Layout!). This renders your Installation COMPLETELY USELESS and you have to reinstall and use US-ASCII-only Passwords (which allows faster Bruteforcing, limited Keyspace).

    If you do use a SERIAL CONSOLE you can NOT DECRYPT your Installation since switching the CONSOLE to SERIAL happens AFTER you DECRYPTED the Installation (which is a BUG). So Encryption is COMPLETELY USELESS for embedded Devices (which still can contain sensitive Data!)

    2 things for which NOBODY cares....

    Comments
    1. By Anonymous Coward (49.12.42.182) on

      Why are you so angry? When I get angry like that I threaten to fork the project however...then sanity kicks in and I realise this is a lot of effing work, it would kill me literally.

      Also I see a complete make-over of your mood. Almost like there are two of you. Duality at its finest Dr. Hyde?

    2. By Peter N. M. Hansteen (pitrh) peter@bsdly.net on http://bsdly.blogspot.com/

      It is possible that a warning in a man page or FAQ that the boot loader does not use or know about any console configuration (stored in files on a yet to be mounted file system) could be useful.

      Then again I can see any such carefully phrased patch not making it in since it really would only state the already obvious.

      That said, if you think this issue is important enough, I would encourage you to put in the work.
