Subject: Re: EFI GELI support ready for testers
From: Allan Jude
To: freebsd-hackers@freebsd.org
Date: Sat, 28 May 2016 10:27:40 -0400
References: <519CC1FC-84DF-4710-8E62-AF26D8AED2CF@metricspace.net> <20160528083656.GT38613@kib.kiev.ua>
In-Reply-To: <20160528083656.GT38613@kib.kiev.ua>

On 2016-05-28 04:36, Konstantin Belousov wrote:
> On Fri, May 27, 2016 at 07:39:57PM -0400, Eric McCorkle wrote:
>> I am pleased to announce that my work to add support for GELI in the
>> EFI boot loader (as well as perform more general refactoring) is now
>> ready for testing. I am able to successfully detect multiple GELI
>> partitions in boot1 and pass the keys into the kernel.
>
> Can somebody explain in which way this is useful?
> Same question for the GELI code for the non-EFI loader.
>
> BIOS cannot read raw data from the encrypted partition, so you need
> either old boot or the loader and some additional data on the EFI boot
> partition anyway.
>
> The feature adds a significant amount of code, which must be maintained
> in parallel with the kernel code.

The motivation for my work (GELI in boot2 and loader for non-EFI boot)
was supporting ZFS boot environments. Previously, when you used GELI you
needed to have two ZFS pools, one for an unencrypted /boot and one for
the encrypted /. This breaks ZFS boot environments, since a snapshot of
the root file system won't include the correct kernel etc.

The final version of my geliboot took an extra effort to reuse the AES
code from sys/crypto/rijndael and sys/opencrypto and GELI directly from
sys/geom/eli to avoid maintaining a separate copy of that code in
sys/boot. Hopefully the work I did to make sys/opencrypto and
sys/geom/eli more reusable outside of the kernel will make it easier for
Eric to do the same for the EFI version.

The motivation for the EFI version is the same, ZFS boot environments,
plus the obvious security advantages of having the kernel stored
encrypted rather than not.

-- 
Allan Jude