From owner-freebsd-hackers@FreeBSD.ORG Tue Jun 19 07:09:04 2012
Date: Tue, 19 Jun 2012 09:08:47 +0200
From: Matthias Apitz
To: Warren Block
Cc: Wojciech Puchar, rozhuk.im@gmail.com, freebsd-hackers@freebsd.org
Subject: Re: proper newfs options for SSD disk
Message-ID: <20120619070846.GA1283@tiny.Sisis.de>
X-Operating-System: FreeBSD 10.0-CURRENT r226986 (i386)
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: Technical Discussions relating to FreeBSD

On Sunday, June 17, 2012 at 09:16:12PM -0600, Warren Block wrote:

> On Sat, 16 Jun 2012, Matthias Apitz wrote:
>
> > OK, but I wanted to have most of the space of the 4 GB SSD encrypted
> > with geli(8); so I should make there some slice containing /boot
> > (unencrypted) and a second slice which later will contain my HOME and
> > be encrypted; wrong?
>
> That's correct: http://forums.freebsd.org/showthread.php?t=29652

Thanks for the pointers and the comments from you and Wojciech; I'm
attaching below what I have planned as the exact procedure now and would
be thankful in advance for any comments. One remaining question is: how
could I attach the geli(8) encrypted file system during boot (via
rc.conf) but using a passphrase which should be asked for and typed in
on boot? Is this somehow possible?

Thanks

	matthias

$Id:$

current disk layout of EeePC:

Filesystem     Size  Used  Avail  Capacity  Mounted on
/dev/ada0s1a   3.7G  568M  3.1G   15%       /
/dev/ada1s1a   14G   8.7G  5.8G   60%       /usr/local

future disk layout:

/dev/ada0p1  freebsd-boot
/dev/ada0p2  freebsd-ufs   /boot      256 MByte
/dev/ada0p3  freebsd-ufs   /private   3.5 GByte (geli encrypted)
/dev/ada1p1  freebsd-boot
/dev/ada1p2  freebsd-ufs   /          14.0 GByte (/ /usr /var ... all in one
                                      file system and unencrypted)

commands:

# gpart destroy -F ada0
# gpart create -s gpt ada0
# gpart add -t freebsd-boot -s 512k ada0
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i1 ada0
# gpart add -t freebsd-ufs -b 1m -s 256m ada0
# gpart add -t freebsd-ufs ada0

# gpart destroy -F ada1
# gpart create -s gpt ada1
# gpart add -t freebsd-boot -s 512k ada1
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i1 ada1
# gpart add -t freebsd-ufs -b 1m ada1

this allows as well at the beginning to boot the system from ada1 (must
be done manually from BIOS); later we will copy over /boot from ada1p2
to ada0p2 (see below);

create on ada0 the future /boot and /private file systems and on ada1
the future / root file system; and mount the last as /mnt

# newfs /dev/ada0p2
# newfs /dev/ada0p3
# newfs /dev/ada1p2
# mount /dev/ada1p2 /mnt

start the mouse daemon (only for cut&paste):

# /etc/rc.d/moused onestart

install the system (user land and kernel) from /usr/src to /mnt:

# cd /usr/src
# make installworld DESTDIR=/mnt
# make installkernel DESTDIR=/mnt KERNCONF=GENERIC INSTALL_NODEBUG=t
# make distrib-dirs DESTDIR=/mnt
# make distribution DESTDIR=/mnt

create the future /etc/fstab to mount / as root fs:

# echo /dev/ada1p2 / ufs rw 1 1 > /mnt/etc/fstab

configure some basic services in future /etc/rc.conf:

# cat <<EOF > /mnt/etc/rc.conf
tmpmfs="YES"
tmpsize="128m"
wlans_ath0="wlan0"
ifconfig_wlan0="WPA DHCP"
ifconfig_bge0="DHCP"
ifconfig_em0="DHCP"
hostname=aurora.Sisis.de
sshd_enable="YES"
moused_enable="YES"
keymap="german.iso"
EOF

create at least one unpriv user to be able to SSH into the new system
later:

# chroot /mnt /usr/sbin/adduser

unmount the new / and reboot:

# umount /mnt
# reboot

after reboot system should now come up from ada1 and we copy over the
/boot to ada0p2

# mount /dev/ada0p2 /mnt
# cp -Rp /boot /mnt
# echo 'geom_eli_load="YES"' > /mnt/boot/loader.conf
# echo 'vfs.root.mountfrom="ufs:ada1p2"' >> /mnt/boot/loader.conf
# umount /mnt
# reboot

should now boot by itself from ada0 and mount the rootfs from ada1p2;
later we will use /dev/ada0p3 for the geli(8) encrypted file system and
we will mount this as /private; my $HOME should be /private/home

-- 
Matthias Apitz               e - w http://www.unixarea.de/
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
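The step the plan above defers (initialising /dev/ada0p3 with geli and having it attached at boot with a console passphrase prompt via rc.d/geli), as an added example that is not part of the mail; it assumes the provider ada0p3, the mount point /private and geom_eli_load="YES" already in loader.conf, and with DRY_RUN=1 (the default) it only prints what it would run.

```shell
#!/bin/sh
# Added example, not from the thread: the deferred geli(8) step for ada0p3
# mounted as /private, plus the rc.conf/fstab entries that make rc.d/geli
# attach it at boot and prompt for the passphrase on the console.
# Assumptions: provider ada0p3, mount point /private, geom_eli_load="YES"
# already in loader.conf. DRY_RUN=1 (the default) only prints the commands.
set -eu
DRY_RUN="${DRY_RUN:-1}"
DEV="${DEV:-ada0p3}"
MNT="${MNT:-/private}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# fstab entry for the decrypted provider; fsck pass 2 because it is not /.
fstab_line() {
    printf '/dev/%s.eli %s ufs rw 2 2\n' "$1" "$2"
}

# rc.conf entries: rc.d/geli attaches every provider listed in geli_devices
# before the fstab file systems are mounted, asking for the passphrase.
rc_conf_lines() {
    printf 'geli_devices="%s"\n' "$1"
    printf 'geli_%s_flags=""\n' "$1"
}

main() {
    # 4 KiB sectors to match the SSD page size, AES-XTS with a 256-bit key,
    # metadata backup outside the volume so a damaged header can be restored
    # with "geli restore". geli init asks for the passphrase twice.
    run geli init -s 4096 -l 256 -B "/var/backups/$DEV.eli" "/dev/$DEV"
    run geli attach "/dev/$DEV"          # asks once, creates /dev/$DEV.eli
    run newfs -U -t "/dev/$DEV.eli"      # soft updates, TRIM enabled for SSD
    run mkdir -p "$MNT"
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ append to /etc/fstab: $(fstab_line "$DEV" "$MNT")"
        echo "+ append to /etc/rc.conf:"
        rc_conf_lines "$DEV"
    else
        fstab_line "$DEV" "$MNT" >>/etc/fstab
        rc_conf_lines "$DEV" >>/etc/rc.conf
        mount "$MNT"
    fi
}
main
```

Keep the metadata backup in /var/backups off the encrypted volume, since it lives on the unencrypted ada1p2 root and is what lets a corrupted geli header be recovered.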