Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 25 Aug 2012 13:47:59 +0200 (CEST)
From:      =?us-ascii?Q?brouci=20tykadylko?= <brouci.tykadylko@seznam.cz>
To:        d@delphij.net, freebsd-geom@freebsd.org
Subject:   Re: geli remote password entering - md approach
Message-ID:  <3111.173.372-12526-80734053-1345895279@seznam.cz>
In-Reply-To: <503896E1.9000203@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
> ------------ P=C3=B4vodn=C3=A1 spr=C3=A1va ------------
> Od: Xin Li <delphij@delphij.net>
> Predmet: Re: geli remote password entering
> D=C3=A1tum: 25.8.2012 11:19:54
> ----------------------------------------

> It would be interesting to implement initrd alike feature in FreeBSD,=

> however, but it's not totally impossible to do similar thing "right
> now"-ish by using a mdroot while having it chroot into the new / with=

> devfs and friends mounted, it's like a kluge but still do-able.


When / is encrypted, I still have /sbin/init on encrypted partition. At=
 least in my current setup, when unencrypted is only /boot. Geli device=
s are mounted by kernel as defined in loader.conf:
geom_eli_load=3D"YES"
geom_label_load=3D"YES"
geom_mirror_load=3D"YES"
geom_part_gpt_load=3D"YES"
zfs_load=3D"YES"
geli_ad4p4_keyfile0_load=3D"YES"
geli_ad4p4_keyfile0_type=3D"ad4p4:geli_keyfile0"
geli_ad4p4_keyfile0_name=3D"/boot/keys/boot.key"
geli_ad6p4_keyfile0_load=3D"YES"
geli_ad6p4_keyfile0_type=3D"ad6p4:geli_keyfile0"
geli_ad6p4_keyfile0_name=3D"/boot/keys/boot.key"
vfs.root.mountfrom=3D"zfs:system"

If I understand it right, the md-approach would be:
0) prepare mfsroot image with kernel + zfs & geli modules and staticaly=
 linked dropbear (for example with http://mfsbsd.vx.sk/)
1) load mfsroot from loader.conf
2) execute kernel from mfsroot
3) execute dropbear and wait for login and geli mount done by hand (may=
be similary to your rc script - dropbear can hold it's own network conf=
ig) - and maybe even SCP-in the keys for both partitions, so I don't ne=
ed to keep them in unencrypted /boot
4) mount the new root from encrypted filesystem
5) chroot to new root
6) execute init from encrypted root

right? 
i'm not the sort of hacker able to modify the kernel code, so this is a=
t the edge of my kung-fu.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3111.173.372-12526-80734053-1345895279>