EFI Refactoring, GELI Support

From owner-svn-doc-all@freebsd.org Fri Jul 1 14:29:09 2016 Return-Path: Delivered-To: svn-doc-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C3AF5B8E234; Fri, 1 Jul 2016 14:29:09 +0000 (UTC) (envelope-from dru@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 86E9D2BBA; Fri, 1 Jul 2016 14:29:09 +0000 (UTC) (envelope-from dru@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u61ET8Y5015912; Fri, 1 Jul 2016 14:29:08 GMT (envelope-from dru@FreeBSD.org) Received: (from dru@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u61ET8cT015911; Fri, 1 Jul 2016 14:29:08 GMT (envelope-from dru@FreeBSD.org) Message-Id: <201607011429.u61ET8cT015911@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: dru set sender to dru@FreeBSD.org using -f From: Dru Lavigne Date: Fri, 1 Jul 2016 14:29:08 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r49024 - head/en_US.ISO8859-1/htdocs/news/status X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jul 2016 14:29:09 -0000 Author: dru Date: Fri Jul 1 14:29:08 2016 New Revision: 49024 URL: https://svnweb.freebsd.org/changeset/doc/49024 Log: Add EFI refactoring GELI support report from eric@metricspace.net. While here, fix a typo. Reviewed by: wblock@freebsd.org Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml ============================================================================== --- head/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml Thu Jun 30 14:42:57 2016 (r49023) +++ head/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml Fri Jul 1 14:29:08 2016 (r49024) @@ -102,7 +102,7 @@ final release.

The &os; 11.0-RELEASE cycle started late May, one month - behind the orignal schedule. The schedule slip was primarily + behind the original schedule. The schedule slip was primarily to accommodate for packaging the &os; base system with the pkg(8) utility. However, as work on this progressed, it became apparent that there were too many outstanding @@ -326,4 +326,129 @@ report issues. + + + EFI Refactoring, GELI Support + + + + + Eric + McCorkle + + eric@metricspace.net + + + + + GELI Support Branch + EFI Refactoring Branch + + + +

The EFI bootloader has undergone considerable refactoring to + make more use of the EFI API. The filesystem code in + boot1 has been eliminated, and a single codebase for + filesystems now serves both boot1 and + loader. This codebase is organized around the EFI + driver model and it should be possible to export any + filesystem implementation as a standalone EFI driver without + too much effort.

+ +

Both boot1 and loader have been refactored + to talk through the EFI_SIMPLE_FILE_SYSTEM interface. + In loader, this is accomplished with a dummy + filesystem driver that is just a translation layer between the + loader filesystem interface and + EFI_SIMPLE_FILE_SYSTEM. A reverse translation layer + allows the existing filesystem drivers to function as EFI + drivers.

+ +

The EFI refactoring by itself exists in + this branch.

+ +

Additionally, GELI support has been added using the EFI + refactoring. This allows booting from a GELI-encrypted + filesystem. Note that the EFI system partition, which + contains boot1, must be a plaintext msdosfs + partition. This patch adds an intake buffer to the crypto + framework, which allows injection of keys directly into a + loaded kernel, without the need to pass them through + arguments or environment variables. This patch only uses the + intake buffer for EFI GELI support as legacy BIOS GELI support + still uses environment variables.

+ +

EFI GELI support depends on the + efize branch.

+ +

These patches have been tested and used and should be able + to handle use by early adopters. Note that the + LOADER_PATH variable has been changed to + /boot/loader.tst, to facilitate safe testing.

+ + IMPORTANT: + +

As this is an encrypted filesystem patch, an error can + potentially leave data inaccessible. It is + strongly recommended to use the following procedure + for testing:

+ +

+
Back up your data!
+
+
Do not forget to back up your data!
+
+
Install an EFI shell on the ESP.
+
+
Install the patched boot1 on the ESP to + something like /boot/efi/BOOTX64.TST.
+
+
Install the patched loader to /boot/loader.tst + on your machine.
+
+
Create a GELI partition outside of the normal boot + partition.
+
+
First, try booting /boot/efi/BOOTX64.TST and + make sure it properly handles the encrypted partition.
+
+
Copy a boot environment, including the patched loader, to + the encrypted partition.
+
+
Use the loader prompt to load a kernel from the encrypted + partition.
+
+
Try switching over to an encrypted main partition once + everything else has worked.
+

+ + + + Testing is needed. + + Code will need review and some style(9) + normalization must occur before this code goes into + FreeBSD. + +