Date: Sun, 10 Feb 2019 11:54:50 -0600 From: Karl Denninger <karl@denninger.net> To: Ian Lepore <ian@freebsd.org> Cc: freebsd-stable@freebsd.org, Allan Jude <allanjude@freebsd.org> Subject: Re: Fwd: Serious ZFS Bootcode Problem (GPT NON-UEFI) Message-ID: <3fd7f001-879c-7b1e-3d1a-d2939ac07d9c@denninger.net> In-Reply-To: <16c56c89ff8a3d89164d9152f6c38687dcba99b5.camel@freebsd.org> References: <911d001f-9e33-0521-51fe-f7d1383dfc62@denninger.net> <CANCZdfp0QaXodmYBp9Eox9Ca5kyQibCXw5rRTwsO-mCjApYswA@mail.gmail.com> <b11ec38c-1c6a-6e92-810c-4d2fe3e8df3d@freebsd.org> <a107a4f5-2851-191a-5f8c-a4cd44c98458@denninger.net> <16c56c89ff8a3d89164d9152f6c38687dcba99b5.camel@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On 2/10/2019 11:50, Ian Lepore wrote:
> On Sun, 2019-02-10 at 11:37 -0600, Karl Denninger wrote:
>> On 2/10/2019 09:28, Allan Jude wrote:
>>> Are you sure it is non-UEFI? As the instructions you followed,
>>> overwriting da0p1 with gptzfsboot, will make quite a mess if that
>>> happens to be the EFI system partition, rather than the freebsd-
>>> boot
>>> partition.
>> [...]
>>
>> BTW am I correct that gptzfsboot did *not* get the ability to read
>> geli-encrypted pools in 12.0? The UEFI loader does know how (which I'm
>> using on my laptop) but I was under the impression that for non-UEFI
>> systems you still needed the unencrypted boot partition from which to
>> load the kernel.
>>
> Nope, that's not correct. GELI support was added to the boot and loader
> programs for both ufs and zfs in freebsd 12. You must set the geli '-g'
> option to be prompted for the passphrase while booting (this is
> separate from the '-b' flag that enables mounting the encrypted
> partition as the rootfs). You can use "geli configure -g" to turn on
> the flag on any existing geli partition.
>
> -- Ian
Excellent - this will eliminate the need for me to run down the
foot-shooting that occurred in my update script since the unencrypted
kernel partition is no longer needed at all. That also significantly
reduces the attack surface on such a machine (although you could still
tamper with the contents of freebsd-boot of course.)
The "-g" flag I knew about from experience in putting 12 on my X1 Carbon
(which works really well incidentally; the only issue I'm aware of is
that there's no 5Ghz WiFi support.)
--
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
[-- Attachment #2 --]
0 *H
010
`He�0 *H
��
00�H^Ōc!5
H0
*H
�01
0 UUS10U
Florida10U
Niceville10U
Cuda Systems LLC10U
Cuda Systems CA1!0 U
Cuda Systems LLC 2017 CA0
170817164217Z
270815164217Z0{1
0 UUS10U
Florida10U
Cuda Systems LLC10U
Cuda Systems CA1%0#U
Cuda Systems LLC 2017 Int CA0"0
*H
��0
�h-5B>[;olӴ0~͎O9}9Ye*$
g
!ukvʶLzN`jL>MD'7U�45CB+kY`bd~b*c3Ny-78ju]9H euέsӬDؽmgwER?&UURj'}9nWD i`XcbGz�\gG=u%\Oi13ߝ4
K44pYQr]Ie/r0+eEޝݖ0C15Mݚ@JSZ(zȏ�
NTa(25DD5.l<g[[Z
arQQ%Buȴ~~`IohRbʳڟu2MS8EdFUClCMaѳ�!}ș+2k/bųE,n当ꖛ\(8
WV8 d]b yXw ܊:I39�
00
U
]^§Q\ӎ0U
#0T039N0b01
0 UUS10U
Florida10U
Niceville10U
Cuda Systems LLC10U
Cuda Systems CA1!0 U
Cuda Systems LLC 2017 CA �@Ui0U
0�0U
0
*H
��:P U!>vJ
n
io
-#ן]Wyu
jǑR̀Q
nƇ!G
ѦF g\
yLx
gw=OPycehf[
}ܷ['4ڝ\[p�6\o.B&JF"
ZC{;*o*mcCcLY߾`
t*S!(`
]DHP5A~/NPp6=mhk밣'doA$86hm5ӚS@
j
ެEgl
)0JG`%k35PaC?σ
׳HEt}!P㏏%*BxbQwaKG$6
h¦Mve;
[o-Iی&
I,Tc
ߎ#t wPA@l0P+KXBպT zGv;NcI3&J
ĬUPNa?/%W6G۟N000�k#Xd\
=0
*H
�0{1
0 UUS10U
Florida10U
Cuda Systems LLC10U
Cuda Systems CA1%0#U
Cuda Systems LLC 2017 Int CA0
170817212120Z
220816212120Z0W1
0 UUS10U
Florida10U
Cuda Systems LLC10U
karl@denninger.net0"0
*H
��0
�
T[I-ΆϏ�dn;Å@שy.us~_ZG%<MYd\gvfnsa1'6Egyjs"C [{~
_K�Pn+<*pv#Q+H/7[-vqDV^U>f%GX)H.|l`M(Cr
>е͇6#odc"YljҦln8@5SA0&ۖ"OGj?UDWZ5 dDB
7k-)9Izs-JAv
J
6L$Ն1SmY.Lqw*SH;EF'DĦH]MOgQQ|Mٙג2Z9y@
y]}6ٽeY9Y2xˆ$T=e
CǺǵbn֛{j |@LLt1[Dk5:$= ` �M�00<+00.0,+0 http://ocsp.cudasystems.net:88880 U
0�0 `HB0U
0
U
%0++03 `HB
&$OpenSSL Generated Client Certificate0
U
%՞V
=;bzQ0U
#0]^§Q\ӎϡ01
0 UUS10U
Florida10U
Niceville10U
Cuda Systems LLC10U
Cuda Systems CA1!0 U
Cuda Systems LLC 2017 CA�H^Ōc!5
H0
U
0karl@denninger.net0
*H
��۠A0-j%--$%
g2#ޡ1^>{K+uGE
v1ş7Af&b&O;
.;A5* U)ND2bF|\=
]<sˋL!wrw٧>
YMÄ3\mWR hSv!_zvl? 3_
xU%\^#O*Gk̍YI_&Fꊛ@&1n�} ͬ:{hTP3B.;bU8:Z=^Gw8
!k-@xE@i,+'Iᐚ:f
hztX7/(hY` O.1}a`%RW^akǂpCAufgDix�UTЩ/7}%=jnVZvcF<M=
2^GKH5魉
_O4ެByʈySkw=5@h.0z>
W1000{1
0 UUS10U
Florida10U
Cuda Systems LLC10U
Cuda Systems CA1%0#U
Cuda Systems LLC 2017 Int CA�k#Xd\
=0
`He�E0 *H
1
*H
0
*H
1
190210175450Z0O *H
1B@ϴHe.
AcX
"*
%c~E#ŻDg
ƛŴaT 0l *H
1_0]0
`He*0
`He0
*H
0*H
�0
*H
@0+0
*H
(0 +7100{1
0 UUS10U
Florida10U
Cuda Systems LLC10U
Cuda Systems CA1%0#U
Cuda Systems LLC 2017 Int CA�k#Xd\
=0
*H
10{1
0 UUS10U
Florida10U
Cuda Systems LLC10U
Cuda Systems CA1%0#U
Cuda Systems LLC 2017 Int CA�k#Xd\
=0
*H
��@1#L
=Y~
(eL�@k
0Fb&
~4QK$k64+
i\
͉Z"-hu
V]ob=єaiR6t9|8s*L5ٞij44R
uѳ"/n
jΡ/X0XLpVK
+3ݾ\ /C
ٕloY:E?AA@N^)P~1-|h+˓X
uWE
ayqģuKU 6 U@Rg(9X^>/M5gS[mPO+c~'J@<qk]"Zb:[s_)kij`ZӅ
JFHz'*|Ta1 < 0dm䟽rd`GPyjW[Du3& M&c������
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3fd7f001-879c-7b1e-3d1a-d2939ac07d9c>