From: Dirk-Willem van Gulik <dirkx@webweaving.org>
To: Allan Jude
Cc: freebsd-hackers@freebsd.org
Date: Fri, 30 Dec 2016 19:35:19 +0100
Subject: Re: ZFS and GPT boot - size issue bootblock v.s. default of sysinstall
In-Reply-To: <0ac24a2a-ae82-be4a-d162-b0c62e5b0d13@freebsd.org>

> On 30 Dec 2016, at 19:25, Allan Jude wrote:
>>
>>> The other option is to rebuild gptzfsboot without GELI support, and then
>>> it will be under 64 KB.
>>
>> Unfortunately - we rather rely on GELI and PKCS#11.
>
> This would only apply to gptzfsboot, the new feature I introduced in
> 11.0 that allows you to have even the /boot directory encrypted (rather
> than having an unencrypted ufs partition, or a 2nd zpool that is not
> encrypted).
>
> If you are upgrading from 10.x or earlier, you can use gptzfsboot
> without GELI, since it didn't exist before.

Ah - good to know. Thanks for that!

We’re not quite there yet - as we need a modicum of PKCS#11 to negotiate with the TPM (or on low end archive machines; a USB smartcard/token) - i.e. a tad beyond geli_passphrase().

Dw.
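The size problem discussed in the thread (a GELI-enabled gptzfsboot that no longer fits an old 64 KB freebsd-boot partition) can be caught before `gpart bootcode` is run and a machine is left unbootable. The following preflight check is an added example, not code from the thread or from FreeBSD; the `gpart show` sample output, the 512-byte sector size and the helper names are assumptions.

```sh
#!/bin/sh
# Preflight for "gpart bootcode -p /boot/gptzfsboot -i N adaX": does the
# bootcode file fit in the freebsd-boot partition? Added example; assumes
# 512-byte sectors and the constructed gpart output below.

SECTOR_BYTES=512

# Constructed sample of `gpart show ada0` for a disk laid out with the old
# 128-sector (64 KB) freebsd-boot partition.
SAMPLE_GPART_SHOW='=>       34  488397101  ada0  GPT  (233G)
         34        128     1  freebsd-boot  (64K)
        162  484200448     2  freebsd-zfs  (231G)
  484200610    4194304     3  freebsd-swap  (2.0G)
  488394914       2221        - free -  (1.1M)'

# Read gpart show output on stdin; print the freebsd-boot size in bytes.
# Fields: start, size (sectors), index, type, human-readable size.
boot_part_bytes() {
    awk -v sec="$SECTOR_BYTES" '$4 == "freebsd-boot" { print $2 * sec; exit }'
}

# Return 0 when a bootcode of $1 bytes fits in a partition of $2 bytes.
bootcode_fits() {
    [ "$1" -le "$2" ]
}

# Compare bootcode file $1 against gpart output $2; 0 = fits, 1 = too large.
check_bootcode() {
    part=$(printf '%s\n' "$2" | boot_part_bytes)
    size=$(wc -c < "$1" | tr -d ' ')
    if bootcode_fits "$size" "$part"; then
        echo "ok: $1 ($size bytes) fits in freebsd-boot ($part bytes)"
    else
        echo "too large: $1 ($size bytes) exceeds freebsd-boot ($part bytes)"
        echo "hint: rebuild gptzfsboot without GELI or re-create a larger freebsd-boot partition first"
        return 1
    fi
}
```

On a live system replace the sample with `"$(gpart show ada0)"` and point `check_bootcode` at the freshly built /boot/gptzfsboot before writing it.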