Date:      Tue, 24 Mar 2015 18:45:59 +0000
From:      Stefan Grundmann <sg2342@googlemail.com>
To:        freebsd-hackers@freebsd.org
Subject:   Re: GELI support on /boot folder
Message-ID:  <20150324184559.GA9056@bath>
In-Reply-To: <CAKN1MR4D-hdX0Koy45LSg_zo-uvLi=njyPwSfYcVBYi5FT_C=w@mail.gmail.com>
References:  <CAKN1MR54TCWZa_wSLAe63fxVF6248yr_aKkg-T0WtxHzaiLkyw@mail.gmail.com> <20150319013231.GR51048@funkthat.com> <CAKN1MR4D-hdX0Koy45LSg_zo-uvLi=njyPwSfYcVBYi5FT_C=w@mail.gmail.com>

On Mon, Mar 23, 2015 at 05:46:20PM -0300, Pedro Arthur wrote:
> Based on your idea the project could be to merge the GPT boot stages into
>  a single program with support for GELI and instead of having a binary for
>  zfs and other for ufs we could have the boot program with support for both
>  file systems so that we can choose to boot from any partition in the GPT
>  being zfs or ufs.
> 
> What I want to know is if it is a good idea or merging these boot stages has
>  any drawback or infringes any design choices?

one technical problem when merging gptload and/or zfsload code into gptboot
is that gptldr.S has to be extended to be able to load more boot2 code than
the currently supported 64k.

about a year ago i wrote a TPM 1.2 static root of trust boot loader (chain):
1. sys/boot/i386/pmbr was extended to support TCG_CompactHashLogExtendEvent
   so that it will measure the freebsd-boot partition
2. sys/boot/i386/gptboot/gptldr.S was modified to support up to 256k boot2 code
3. functionality was added to sys/boot/i386/gptboot/* 
   - get (PCR sealed) Key and config_data path from TPM 
   - read and decrypt the config_data from UFS
   - use config data to set kernel environment, load disk keys,
     verify and load kernel + modules (from UFS)
   - boot the kernel

The code was tested on ThinkPad (X60,X61,T410s,X230) notebooks and
HP ProLiant DL360p servers.
I expect it to work on any amd64 or x86 system that has working TPM 1.2 and
is able to boot gpt schema disks from (legacy) BIOS.
The code is in daily use on my Thinkpads.
 
However: man page content and high level documentation
 (blog post, article, ...) has not been written and a code review is also needed.
All this was planned but was deprioritized.

Today i got the o.k. from $work to release (BSD 2 clause) a preview which will
consist of a patchset against FreeBSD 10.1-p8 (it will apply and work on
any 10* and 11) and a minimal howto. I'm in the process of writing the minimal
howto and will send the preview to this list today or tomorrow.

best regards,

Stefan Grundmann 
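
The measure-then-unseal chain described in the message above, as an added example that is not part of the original e-mail or of the announced patchset: a small Python model of how a TPM 1.2 PCR changes when the boot code is measured, and why a PCR-sealed key is only released to unmodified boot code. The function and class names, the use of a single PCR with a single measurement, and all sample bytes are assumptions made for illustration; sealing is reduced to its PCR check.

```python
import hashlib
import hmac

PCR_RESET = bytes(20)   # TPM 1.2 PCR: one SHA-1 digest, all zeroes after platform reset


def extend(pcr_value, data):
    """Hash-and-extend, the PCR effect of a measurement: new = SHA1(old || SHA1(data))."""
    return hashlib.sha1(pcr_value + hashlib.sha1(data).digest()).digest()


def replay(stages):
    """Replay measurements from reset to get the PCR value a key is sealed against."""
    value = PCR_RESET
    for blob in stages:
        value = extend(value, blob)
    return value


class SealedKey:
    """Models only the PCR policy of TPM sealing; a real TPM also encrypts the blob."""

    def __init__(self, secret, sealed_pcr):
        self._secret, self._sealed_pcr = secret, sealed_pcr

    def unseal(self, current_pcr):
        if not hmac.compare_digest(current_pcr, self._sealed_pcr):
            raise PermissionError("PCR mismatch: measured boot code differs from sealed state")
        return self._secret


def boot(sealed, boot_partition):
    """One boot: the first stage measures the boot partition, the next asks for the key."""
    pcr = extend(PCR_RESET, boot_partition)
    try:
        return sealed.unseal(pcr)
    except PermissionError:
        return None   # no key, so the encrypted config data stays unreadable


# Constructed sample data (not real boot code or keys).
GOOD_BOOT2 = b"constructed gptboot image v1"
TAMPERED_BOOT2 = GOOD_BOOT2.replace(b"v1", b"vX")
SEALED = SealedKey(b"constructed-config-key", replay([GOOD_BOOT2]))

if __name__ == "__main__":
    print("clean boot    ->", boot(SEALED, GOOD_BOOT2))
    print("tampered boot ->", boot(SEALED, TAMPERED_BOOT2))
```

Because each extend folds the previous PCR value into the next, the result also depends on the order of measurements, so a sealed key has to be re-sealed whenever the measured boot code is legitimately updated.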


