Date:      Fri, 30 Dec 2016 19:35:19 +0100
From:      Dirk-Willem van Gulik <dirkx@webweaving.org>
To:        Allan Jude <allanjude@freebsd.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: ZFS and GPT boot - size issue bootblock v.s. default of sysinstall
Message-ID:  <AA9367DE-A56B-458A-927D-C228386507E9@webweaving.org>
In-Reply-To: <0ac24a2a-ae82-be4a-d162-b0c62e5b0d13@freebsd.org>
References:  <AB657A06-8886-4EA5-9323-92317707B039@webweaving.org> <068c90c2-61c0-2fbc-3984-0bc937e19d63@freebsd.org> <10FC4055-5650-4C68-A07B-FBA7BF6BB60A@webweaving.org> <0ac24a2a-ae82-be4a-d162-b0c62e5b0d13@freebsd.org>


> On 30 Dec 2016, at 19:25, Allan Jude <allanjude@freebsd.org> wrote:
>>
>>> The other option is to rebuild gptzfsboot without GELI support, and then
>>> it will be under 64 KB.
>>
>> Unfortunately - we rather rely on GELI and PKCS#11.
>
> This would only apply to gptzfsboot, the new feature I introduced in
> 11.0 that allows you to have even the /boot directory encrypted (rather
> than having an unencrypted ufs partition, or a 2nd zpool that is not
> encrypted).
>
> If you are upgrading from 10.x or earlier, you can use gptzfsboot
> without GELI, since it didn't exist before.

Ah - good to know. thanks for that!

We’re not quite there yet - as we need a modicum of PKCS#11 to
negotiate with the TPM (or on low end archive machines; a USB
smartcard/token) - i.e. a tad beyond geli_passphrase().

Dw.
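
The size problem the thread turns on (a GELI-enabled gptzfsboot that no longer fits the 64 KB freebsd-boot partition that older sysinstall layouts created) is easy to check before `gpart bootcode` fails or, worse, silently truncates. The script below is an added example, not code from the thread or from FreeBSD itself: it parses the text of `gpart show <disk>` from stdin, finds the freebsd-boot partition, converts its sector count to bytes (assuming 512-byte sectors, which is an assumption you should confirm with `diskinfo`), and compares that with the size of a boot image. The `gpart show` sample embedded in it is constructed, as is the 70000-byte dummy image used in the test; function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a gptzfsboot image fits
# the GPT freebsd-boot partition before running `gpart bootcode`.
# Reads the output of `gpart show <disk>` on stdin.

SECTOR=512   # assumption: 512-byte sectors (gpart show counts in sectors)

# Constructed sample of `gpart show ada0` with a 64K freebsd-boot partition,
# the sysinstall-era default this thread is about.
SAMPLE_GPART='=>       40  976773088  ada0  GPT  (466G)
         40        128     1  freebsd-boot  (64K)
        168   16777216     2  freebsd-swap  (8.0G)
   16777384  959995744     3  freebsd-zfs  (458G)'

# Print the size in bytes of the first freebsd-boot partition found in the
# gpart show text on stdin; prints nothing if there is none.
# Field layout of a partition line: start size index type (human-size)
boot_part_bytes() {
    awk -v sec="$SECTOR" '$4 == "freebsd-boot" { printf "%d\n", $2 * sec; exit }'
}

# Exit 0 if a boot image of $1 bytes fits in a partition of $2 bytes.
bootcode_fits() {
    [ "$1" -le "$2" ]
}

# Report whether the image at path $1 fits the partition described by the
# gpart text on stdin. Exit 0 = fits, 1 = too big, 2 = no freebsd-boot partition.
check_bootcode() {
    img="$1"
    part=$(boot_part_bytes)
    if [ -z "$part" ]; then
        echo "no freebsd-boot partition found"
        return 2
    fi
    size=$(wc -c < "$img" | tr -d ' ')
    if bootcode_fits "$size" "$part"; then
        echo "fits ($size of $part bytes)"
        return 0
    fi
    echo "too big ($size > $part bytes): grow freebsd-boot or build gptzfsboot without GELI"
    return 1
}

# Stand-alone demo against the constructed sample (run with the real disk as:
#   gpart show ada0 | check_bootcode /boot/gptzfsboot )
if [ -n "$1" ]; then
    printf '%s\n' "$SAMPLE_GPART" | check_bootcode "$1"
fi
```

On a live system replace the constructed sample with `gpart show ada0 | check_bootcode /boot/gptzfsboot`; if it reports "too big", either recreate the freebsd-boot partition larger (512K is a common modern choice) or, as Allan suggests above, build gptzfsboot without GELI support if you do not need encrypted /boot.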



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AA9367DE-A56B-458A-927D-C228386507E9>