Date: Sun, 27 Jan 2019 12:51:18 -0600
From: Karl Denninger <karl@denninger.net>
To: freebsd-stable@freebsd.org
Subject: Re: Not sure if this is the correct place.... (laptop, dual-boot EFI)
Message-ID: <751a3212-016f-e5ae-d6b3-fab90ca78a7f@denninger.net>
In-Reply-To: <59c4f20f-0526-0d0a-4a67-f6ad7b00899d@denninger.net>
References: <7391812a-a2ad-874a-80c9-5a871a29f680@denninger.net>
 <CAJuc1zOaWhfDLKJUFPT7rFORP%2B4m4B5aTU769LK_aDkBOZWMDA@mail.gmail.com>
 <CACNAnaFLEOucgRFvuukCoznCn7e4RyYSsdo1cRPGUWk9A6ToNg@mail.gmail.com>
 <CAO7yDHovVLsd2V8Me-fqOcCx=c1%2BC0Ff%2BsrKnmG17GSLtPp1bw@mail.gmail.com>
 <7a61c927-796d-ea1f-8dce-37e82fb6d646@denninger.net>
 <CANCZdfrX5TQTY268RqRr%2BGpVbcWGyjh7c=jsZjAzzZ1edsTuMg@mail.gmail.com>
 <a961425a-ea40-1dd3-6342-d1b3f22515ce@denninger.net>
 <59c4f20f-0526-0d0a-4a67-f6ad7b00899d@denninger.net>
Here's a write-up on it -- it was /much/ simpler than I expected and
unlike my X220 didn't require screwing with group policy for Bitlocker
to coexist with a dual-boot environment.

https://market-ticker.org/akcs-www?post=234936

Feel free to grab/reproduce/link to/whatever; hope this helps others.

It runs very nicely on 12-RELEASE -- the only thing I've noted thus far
is the expected lack of 5g WiFi support.

On 1/26/2019 15:04, Karl Denninger wrote:
> Nevermind!
>
> I set the "-g" flag on the provider and.... voila. Up she comes; the
> loader figured out that it had to prompt for the password and it was
> immediately good.
>
> Now THAT'S easy compared with the convoluted BS I had to do (two
> partitions, fully "by-hand" install, etc) for 11 on my X220.
>
> Off to the races I go; now I have to figure out what I have to set in
> Windows group policy so Bitlocker doesn't throw up every time I boot
> FreeBSD (this took a bit with my X220 since the boot manager tickled
> something that Bitlocker interpreted as "someone tampered with the
> system.") Maybe this will be a nothingburger too (which would be great
> if true.)
>
> I'm going to write this one up when I've got it all solid and post it on
> my blog; hopefully it will help others.
>
> On 1/26/2019 14:26, Karl Denninger wrote:
>> 1/26/2019 14:10, Warner Losh wrote:
>>> On Sat, Jan 26, 2019 at 1:01 PM Karl Denninger <karl@denninger.net>
>>> wrote:
>>>
>>>     Further question.... does boot1.efi (which I assume has to be
>>>     placed on the EFI partition and then something like rEFInd can
>>>     select it) know how to handle a geli-encrypted primary partition
>>>     (e.g. for root/boot so I don't need an unencrypted /boot
>>>     partition), and if so how do I tell it that's the case and to
>>>     prompt for the password?
>>>
>>> Not really. The whole reason we ditched boot1.efi is because it is
>>> quite limited in what it can do. You must use loader.efi for that.
>>>
>>>     (If not I know how to set up for geli-encryption using a
>>>     non-encrypted /boot partition, but my understanding is that for 12
>>>     the loader was taught how to handle geli internally and thus you
>>>     can now install 12 -- at least for ZFS -- with encryption on root.
>>>     However, that wipes the disk if you try to select it in the
>>>     installer, so that's no good -- and besides, on a laptop zfs is
>>>     overkill.)
>>>
>>> For MBR stuff, yes. For loader.efi, yes. For boot1.efi, no: it did not
>>> and will not grow that functionality.
>>>
>>> Warner
>>>
>> Ok, next dumb question -- can I put loader.efi in the EFI partition
>> under EFI/FreeBSD as "bootx64.efi" there (from reading mailing list
>> archives that appears to be yes -- just copy it in) and, if yes, how do
>> I "tell" it that when it finds the freebsd-ufs partition on the disk it
>> was started from (which, if I'm reading correctly, it will scan and look
>> for) that it needs to geli attach the partition before it digs into there
>> and finds the rest of what it needs to boot?
>>
>> That SHOULD allow me to use an EFI boot manager to come up on initial
>> boot, select FreeBSD and the loader.efi (named as bootx64.efi in
>> EFI/FreeBSD) code will then boot the system.
>>
>> I've looked at the 12-RELEASE man page(s) and it's not obvious how you
>> tell the loader to look for the partition and then attach it via GELI
>> (prompting for the password of course) before attempting to boot it;
>> obviously a "load" directive (e.g. geom_eli_load="YES") makes no sense
>> as the thing you'd "load" is on the disk you'd be loading it from and
>> it's encrypted... never mind that loader.conf violates the 8.3 filename
>> rules for a DOS filesystem.
>>
>> Thanks!
>>
--
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
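A pre-reboot check for the "-g" step described in the message above, added here as an example and not part of the original post: it parses `geli list` output and reports any provider whose metadata lacks the GELIBOOT flag. The device names and sample output are constructed, and the `Flags:` line format is assumed to match what `geli list` prints on 12-RELEASE.

```shell
#!/bin/sh
# Added example (not from the original post). Reports GELI providers whose
# metadata lacks GELIBOOT, the flag that `geli configure -g` sets.

# Reads `geli list` output on stdin; prints one "<geom> <status>" line per geom.
geli_boot_flags() {
    awk '
        /^Geom name:/ { geom = $3 }
        /^Flags:/ {
            status = "missing-GELIBOOT"
            n = split(substr($0, index($0, ":") + 1), f, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", f[i])
                if (f[i] == "GELIBOOT") status = "ok"
            }
            print geom, status
        }
    '
}

# Constructed sample resembling `geli list` output; device names are assumptions.
sample_geli_list() {
    cat <<'EOF'
Geom name: nvd0p5.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: BOOT, GELIBOOT
Providers:
1. Name: nvd0p5.eli

Geom name: nvd0p6.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: BOOT
Providers:
1. Name: nvd0p6.eli
EOF
}

# Non-zero exit when any provider lacks the flag the loader needs to prompt.
check_geli_boot() {
    out=$(geli_boot_flags)
    printf '%s\n' "$out"
    ! printf '%s\n' "$out" | grep -q 'missing-GELIBOOT'
}

# On a FreeBSD host: geli list | check_geli_boot
sample_geli_list | check_geli_boot || echo "fix with: geli configure -g <provider>"
```
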
