Date: Tue, 24 Mar 2015 18:45:59 +0000
From: Stefan Grundmann
To: freebsd-hackers@freebsd.org
Subject: Re: GELI support on /boot folder
Message-ID: <20150324184559.GA9056@bath>
References: <20150319013231.GR51048@funkthat.com>

On Mon, Mar 23, 2015 at 05:46:20PM -0300, Pedro Arthur wrote:
> Based on your idea the project could be to merge the GPT boot stages into
> a single program with support for GELI and instead of having a binary for
> zfs and other for ufs we could have the boot program with support for both
> file systems so that we can choose to boot from any partition in the GPT
> being zfs or ufs.
>
> What I want to know is if it is a good idea or merging these boot stages has
> any drawback or infringes any design choices?

One technical problem when merging gptload and/or zfsload code into gptboot
is that gptldr.S has to be extended to be able to load more boot2 code than
the currently supported 64k.

About a year ago I wrote a TPM 1.2 static root of trust boot loader (chain):

1. sys/boot/i386/pmbr was extended to support TCG_CompactHashLogExtendEvent
   so that it will measure the freebsd-boot partition
2. sys/boot/i386/gptboot/gptldr.S was modified to support up to 256k boot2
   code
3. functionality was added to sys/boot/i386/gptboot/*
   - get (PCR sealed) Key and config_data path from TPM
   - read and decrypt the config_data from UFS
   - use config data to set kernel environment, load disk keys, verify and
     load kernel + modules (from UFS)
   - boot the kernel

The code was tested on ThinkPad (X60,X61,T410s,X230) notebooks and HP
ProLiant DL360p servers. I expect it to work on any amd64 or x86 system that
has working TPM 1.2 and is able to boot gpt schema disks from (legacy) BIOS.

The code is in daily use on my ThinkPads. However: man page content and high
level documentation (blog post, article, ...) has not been written and a code
review is also needed. All this was planned but was deprioritized.

Today I got the o.k. from $work to release (BSD 2 clause) a preview which
will consist of a patchset against FreeBSD 10.1-p8 (it will apply and work on
any 10* and 11) and a minimal howto.

I'm in the process of writing the minimal howto and will send the preview to
this list today or tomorrow.

best regards,

Stefan Grundmann
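
Added example (not part of the original message and not the author's code): a Python model of the TPM 1.2 measure-then-extend rule, PCR_new = SHA1(PCR_old || SHA1(data)), and of a PCR-sealed key, showing why a modified freebsd-boot partition keeps the key from being released. The single PCR, the firmware measurement of pmbr, the image bytes and all function and class names are assumptions made for illustration; a real TPM performs seal and unseal internally.

```python
import hashlib
import hmac

PCR_RESET = bytes(20)  # TPM 1.2 PCRs are 20-byte SHA-1 values, zero at reset


def extend(pcr, digest):
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def measured_boot(stages):
    """Hash each stage before it runs, extend the PCR, keep an event log."""
    pcr, log = PCR_RESET, []
    for name, image in stages:
        digest = hashlib.sha1(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest))
    return pcr, log


def replay(log):
    """Verifier side: recompute the PCR from the logged digests alone."""
    pcr = PCR_RESET
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


class SealedKey:
    """Model of a PCR-sealed key: released only if the PCR matches."""

    def __init__(self, key, pcr_at_seal):
        self._key, self._pcr = key, pcr_at_seal

    def unseal(self, current_pcr):
        ok = hmac.compare_digest(current_pcr, self._pcr)
        return self._key if ok else None


# Constructed stand-ins for the real on-disk images (assumptions).
PMBR = b"pmbr code (constructed sample)"
BOOT_PART = b"freebsd-boot partition: gptldr + boot2 (constructed sample)"
TAMPERED = BOOT_PART.replace(b"boot2", b"b00t2")

GOOD_PCR, GOOD_LOG = measured_boot([("pmbr", PMBR), ("freebsd-boot", BOOT_PART)])
BAD_PCR, BAD_LOG = measured_boot([("pmbr", PMBR), ("freebsd-boot", TAMPERED)])
SEALED = SealedKey(b"disk-key-placeholder", GOOD_PCR)

if __name__ == "__main__":
    print("good boot  :", GOOD_PCR.hex(), SEALED.unseal(GOOD_PCR))
    print("tampered   :", BAD_PCR.hex(), SEALED.unseal(BAD_PCR))
    print("log replays:", replay(GOOD_LOG) == GOOD_PCR)
```

Because each extend folds the previous PCR value into the next, the result depends on both the content and the order of the measured stages, and the event log can be checked by replaying it against the PCR.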