Date: Fri, 15 Jun 2012 16:41:40 -0400 From: Robert Simmons <rsimmons0@gmail.com> To: freebsd-geom@freebsd.org Subject: Re: Pre-boot authentication / geli-aware bootcode Message-ID: <CA%2BQLa9DjOTe18k5cDeqFocby5Wa5P2BPPm15G3RSBNm_5mCrNg@mail.gmail.com> In-Reply-To: <20120615202458.GH1399@garage.freebsd.pl> References: <CA%2BQLa9ChmAL=qr00oV=hW=j0GDrS3rQWyNaVH=f3cszS%2Bm1GAg@mail.gmail.com> <CAHsZcQEsQU1M8Q%2B2uP%2Bk%2B4Q%2BykE67YsD3e9bM6cRBfha2c6QiA@mail.gmail.com> <CA%2BQLa9Ags=DYy4TQ24zz=VOGFOT63FWr_Dh%2B44qA-35O9QBA_Q@mail.gmail.com> <20120615202458.GH1399@garage.freebsd.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jun 15, 2012 at 4:24 PM, Pawel Jakub Dawidek <pjd@freebsd.org> wrot= e: > On Fri, Jun 15, 2012 at 04:22:18PM -0400, Robert Simmons wrote: >> On Fri, Jun 15, 2012 at 5:31 AM, Alaksiej Carniajeu <ac@belngo.info> wro= te: >> > Hi, >> > >> > It's not possible. But, you could have your /boot on a bootable >> > usbstick, together with some keyfiles, and start from it. From >> > security point of view, it is even better, than the whole drive >> > encryption TrueCrypt offers, because the former relies on password >> > only. >> >> This is what I thought. =A0Now, if I wanted to add this functionality, I >> would need to modify: >> /head/sys/boot/i386/pmbr/pmbr.s >> and >> /head/sys/boot/i386/gptboot/gptboot.c > > I'd leave pmbr.s alone, it is definiately too early to play with > decryption. You need to modify gptboot and loader for UFS or gptzfsboot > and zfsloader for ZFS. All of the decryption work is handled by the geom_eli kernel module, correct? I would assume that looking at the code in /head/sys/geom/eli and seeing how it's done there would be a good place to start.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CA%2BQLa9DjOTe18k5cDeqFocby5Wa5P2BPPm15G3RSBNm_5mCrNg>