From owner-freebsd-hackers@FreeBSD.ORG Fri Mar 27 02:56:04 2015 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E868FD9B for ; Fri, 27 Mar 2015 02:56:03 +0000 (UTC) Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7A73029A for ; Fri, 27 Mar 2015 02:56:03 +0000 (UTC) Received: by wibg7 with SMTP id g7so11139683wib.1 for ; Thu, 26 Mar 2015 19:56:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=49YYqO9P4qfq9ztyRhCMemcEGfxL1vX8+cNC6lKtCYM=; b=QVOHtc3ALu9RaZCQTyi1GGGFsDWiZrIjI84YAczh29w8R1euUpzUmQCv2mv7rKSYzp j82M2IasRL2l3MHvGi4yweY/arm9r1LIUFjovumpN9waZHbuNOA/YUGgZ5FtOXpLjlLa zIFgZvtsIHl6eieBwsUTJl9Ht7229HQa5Hltbpm7bhXWdUhCtWcYTmDVDlNSHRtK4guk dd9/g93Z4uyDK4mUK6CA6LgmozmcKG+3fqwrs5nja+g1twPL+ljPfG0k/LTF409QugRG iW/L1CVVR9mOiz6wJAUsIHnPH7BrZtKkToTcK2WEX4J5OCnW5zBI9EO5+M7I3OJd/8P6 bBhQ== MIME-Version: 1.0 X-Received: by 10.180.38.15 with SMTP id c15mr53069107wik.74.1427424960392; Thu, 26 Mar 2015 19:56:00 -0700 (PDT) Received: by 10.194.18.37 with HTTP; Thu, 26 Mar 2015 19:56:00 -0700 (PDT) In-Reply-To: <55149E70.30608@delphij.net> References: <20150319013231.GR51048@funkthat.com> <55149E70.30608@delphij.net> Date: Thu, 26 Mar 2015 23:56:00 -0300 Message-ID: Subject: Re: GELI support on /boot folder From: Pedro Arthur To: d@delphij.net Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 Cc: "" , John-Mark Gurney X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Mar 2015 02:56:04 -0000 I think that encrypting the boot folder will protect the boot configurations, kernel and kernel modules from being changed. > If we make changes to loader more often, it could be a bad idea > because merging both parties would make it harder for those who > develop loader changes. > > Additionally, it may be desirable to keep different copies of loaders > in different "boot environment" datasets, it's more convenient for > debugging: let's say one developer decided to make some changes to ZFS > support of loader, and that's installed to a new boot environment, > then they can try it out without making a usable boot disk at hand > before hand. Once the zfsloader is proven to be working (we still > have zfsloader.old or a different boot environment available), we > would have much more confident that the system will boot after a > gptzfsboot update because they share the same code. > > I agree with you, but the boot2 has already reached its size limit.For example if you try to compile the boot2 with clang < 3.5 (>=3.5 uses the enable-gvn flag) you will get an error saying boot2 exceeded its max size by ~20 bytes. I can't see other way to do it without merging.