Date: Sun, 20 Mar 2016 14:43:39 -0400
From: Allan Jude <allanjude@freebsd.org>
To: freebsd-hackers@freebsd.org
Subject: Re: boot1-compatible GELI and GPT code?
Message-ID: <56EEEF5B.4010605@freebsd.org>
In-Reply-To: <8F22A0E2-45A3-463B-8CAC-16BEC8DA8883@metricspace.net>
References: <8F22A0E2-45A3-463B-8CAC-16BEC8DA8883@metricspace.net>

On 2016-03-20 13:13, Eric McCorkle wrote:
> Hello everyone,
>
> I'm working (among other things) on expanding the capabilities of the EFI boot block to be able to load GELI-encrypted partitions, which may contain a GPT partition table, in order to support full-disk encryption.
>
> I'm wondering, is there any code for reading either of these formats that could be used in boot1 hiding out anywhere? It'd be best to avoid rewriting this stuff if possible.
>
> Also, I haven't investigated the capabilities of loader with regard to GELI yet beyond cursory inspection. Most importantly, I need to know if loader can handle GPTs and other partition formats inside a GELI, or just single filesystems.
>
> As an additional note, it'd be best if there was a method for having boot1 pass the key(s) along to loader and ultimately the kernel, so the users don't have to input their keys 3 times. I'm open to suggestions as to how to do this. My initial thought is to create some kind of variable in both loader and kernel, then use the elf data to locate it and directly inject the data prior to booting. The rationale is to avoid mechanisms like arguments that could potentially reveal the keys.

I presented a paper on my work in this area (booting from a GELI encrypted partition, it does not GELI encrypt the GPT table) at AsiaBSDCon last weekend, and committed it this week.

Here is the paper:
http://allanjude.com/bsd/AsiaBSDCon2016_geliboot.pdf

The commit was: r296963
https://svnweb.freebsd.org/changeset/base/296963

I am interested in applying this work to UEFI as well.

Is there much advantage to encrypting the GPT table as well? Currently my setup leaves the partition table, and the code up to boot2 unencrypted. Only encrypting the actual OS partition (/boot/{zfs,}loader, /boot/kernel, etc). Swap is encrypted separately with a unique throw-away key per reboot.

-- 
Allan Jude