From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 19 01:32:32 2015
Date: Wed, 18 Mar 2015 18:32:31 -0700
From: John-Mark Gurney
To: Pedro Arthur
Subject: Re: GELI support on /boot folder
Message-ID: <20150319013231.GR51048@funkthat.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: Technical Discussions relating to FreeBSD

Pedro Arthur wrote this message on Wed, Mar 18, 2015 at 15:50 -0300:
> I was discussing with Kris Moore about adding support for GELI in
> bootloader as a GSoC project,
> thus the /boot folder could be encrypted.
> However the stage 2 boot program has a limit size of ~8 Kb which is almost
> reached in the default
> HEAD src.
> Thus I would like to know your thoughts about this project, if it is
> viable, and what can be done to
> overcome this 8 Kb limit.

One option is to not support MBR and only support GPT for this... w/ GPT
we do not have the 8k limitation (and actually the limit is 7.5k as .5k
has historically been used for MBR boot code/partition table in the
dangerously dedicated mode)...

If we go this route, I'd ask why we don't put loader into the gptboot
instead of using the existing shim to load loader... Then the project
would be to add GELI decryption to loader which could then be used w/
MBR in the limited sense of loading kernel and modules, though
boot/loader would still have to be on an unencrypted partition...

I hope others who know the boot process better will inform us why this
is a good or bad idea...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
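The layout the reply refers to (a 512-byte first sector holding MBR boot code and the partition table, with a GPT disk announced through a protective partition entry) can be checked directly from a disk's first sector. The Python below is an added example, not code from this thread or from FreeBSD's boot code: it parses a 512-byte MBR sector, reports whether the disk is GPT-partitioned (and so outside the 8k constraint of the MBR path), and computes how much of the ~8 KiB stage-2 area is left once the first sector is set aside. The 8192-byte area and the 512 bytes reserved for MBR boot code/partition table are the figures from the mail; the two sample sectors are constructed inside the script, and the 0xEE protective-GPT and 0xA5 FreeBSD slice type bytes are standard MBR values.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446           # four 16-byte entries follow the boot code
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"
GPT_PROTECTIVE_TYPE = 0xEE        # type byte of the protective MBR entry a GPT disk carries
FREEBSD_SLICE_TYPE = 0xA5         # classic FreeBSD MBR slice type

# Figures taken from the mail: the stage-2 area is ~8 KiB, and the first 512
# bytes of it go to MBR boot code plus the partition table in dangerously
# dedicated mode, leaving ~7.5 KiB for stage 2 itself.
STAGE2_AREA = 8 * 1024
MBR_RESERVED = SECTOR_SIZE


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR sector into boot code, partition entries and a GPT flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, nsect = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": nsect})
    return {
        "bootcode": sector[:PART_TABLE_OFFSET],
        "partitions": parts,
        "is_gpt": any(p["type"] == GPT_PROTECTIVE_TYPE for p in parts),
    }


def boot_scheme(sector: bytes) -> str:
    """'GPT' when the sector is a protective MBR, otherwise plain 'MBR'."""
    return "GPT" if parse_mbr(sector)["is_gpt"] else "MBR"


def stage2_headroom(stage2_len: int) -> int:
    """Bytes left in the MBR-style stage-2 area after reserving the first sector.

    Negative means a stage 2 of that size does not fit the limit from the mail.
    """
    return STAGE2_AREA - MBR_RESERVED - stage2_len


def build_sample_mbr(protective_gpt: bool) -> bytes:
    """Constructed sample sector: one entry, either a GPT protective entry or a FreeBSD slice."""
    sector = bytearray(SECTOR_SIZE)         # boot code area left as zeros
    ptype = GPT_PROTECTIVE_TYPE if protective_gpt else FREEBSD_SLICE_TYPE
    status = 0x00 if protective_gpt else 0x80
    nsect = 0xFFFFFFFF if protective_gpt else 2048
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET, status, ptype, 1, nsect)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    for label, sec in (("sample-gpt", build_sample_mbr(True)),
                       ("sample-mbr", build_sample_mbr(False))):
        info = parse_mbr(sec)
        print(label, boot_scheme(sec), info["partitions"])
    print("headroom for a 7000-byte stage 2:", stage2_headroom(7000), "bytes")
```

On a FreeBSD machine the first sector can be captured read-only with `dd if=/dev/ada0 bs=512 count=1 of=mbr.bin` and the file passed to `parse_mbr`; a GPT disk shows a single 0xEE entry, which is the case where the reply notes the 8k limitation of the MBR path does not apply.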