Date: Sat, 24 Jun 2023 06:15:24 -0700
From: Rick Macklem <rick.macklem@gmail.com>
To: Peter Jeremy <peterj@freebsd.org>
Cc: freebsd-fs@freebsd.org
Subject: Re: Diskless NFS over TLS
Message-ID: <CAM5tNy7nUwmhwXng2-c50j9QpU2jUmf2s6%2BSrj5wO-yHBWyYiA@mail.gmail.com>
In-Reply-To: <ZJa2I02XbQAit6dE@server.rulingia.com>
References: <ZJa2I02XbQAit6dE@server.rulingia.com>
On Sat, Jun 24, 2023 at 2:24 AM Peter Jeremy <peterj@freebsd.org> wrote:
>
> I have a number of aarch64 SBCs that run "diskless": U-Boot loads
> boot.scr.uimg, loader.efi and the DTB via TFTP, EFI loads the loader
> config and kernel via NFS and passes the NFS root details to the kernel.
>
> I am contemplating whether it's possible to use secure NFS for at least
> the root mount[*]. The problem is that NFS-over-TLS relies on
> rpc.tlsclntd to perform the STARTTLS and that needs a functional
> userland to run it.

At this point, I do not think the "tls" option can be added via "mount -u".
I had assumed that users would want "on the wire encryption, etc" to be
done right away, before any non-encrypted data travels across the wire.

I suppose allowing "tls" to be added via "mount -u" could be added to the
code. What do others think about this?
(It means that the file system mount would be running insecure for a while.)

Can you put all the data that needs to be secured on a separate volume
and mount that from /etc/fstab? (I'm sure you have thought of this, but...)

Note that there is overhead in using NFS-over-TLS (mostly CPU overhead,
assuming you do not have hardware offload), so you only want to use it
when there is data that needs to be secured.

rick

> Does anyone have any idea how to proceed? Maybe something like mfsroot
> with the real root then overlaid over it (though I haven't thought this
> through). (And I realise that protecting the keys is problematic).
>
> [*] It would be nice to secure TFTP and the kernel load but that's less
> feasible.
> --
> Peter Jeremy
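The split Rick suggests, as an added illustration that is not part of the thread: the NFS root stays as the kernel mounted it (no TLS, because rpc.tlsclntd(8) cannot run before userland is up), and only the volume holding sensitive data is mounted from /etc/fstab with the mount_nfs(8) "tls" option. The server name, export paths and mount point are assumptions for the example.

```fstab
# Constructed example /etc/fstab for a diskless FreeBSD client.
# "nfs-server", the export paths and /secure are placeholders.
#
# The root file system is already mounted by the kernel from the
# details passed in by loader.efi; listing it here only records that
# it is a plain, unencrypted NFS mount.
nfs-server:/export/diskless/root   /        nfs   ro,nfsv4          0 0

# Only the data that needs protection goes on a separate export and is
# mounted with "tls", so the CPU cost of NFS-over-TLS is paid only here.
# "late" defers the mount to /etc/rc.d/mountlate; this assumes that
# rpc.tlsclntd is already running by then, since the mount fails
# without it.
nfs-server:/export/diskless/secure /secure  nfs   rw,nfsv4,tls,late 0 0
```

For the "tls" mount to succeed the client must have rpc.tlsclntd(8) running (tlsclntd_enable="YES" in /etc/rc.conf) and a certificate the server accepts if the export requires one. Whether the daemon is guaranteed to start before mountlate depends on the rc ordering of the FreeBSD release in use, so check that on the target system rather than relying on this example. Everything that is read or written through the root mount, including /etc/rc.conf and the TLS client key itself, still crosses the wire in the clear, which is the limitation Peter raised in the first place.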