Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 3 Aug 2018 19:54:51 +0300
From:      Tommi Pernila <tommi.pernila@iki.fi>
To:        Warner Losh <imp@bsdimp.com>
Cc:        Allan Jude <allanjude@freebsd.org>, Eric McCorkle <eric@metricspace.net>,  Ian Lepore <ian@freebsd.org>, Oliver Pinter <oliver.pinter@hardenedbsd.org>, Warner Losh <imp@freebsd.org>, freebsd-current <freebsd-current@freebsd.org>
Subject:   Re: GELI with UEFI supporting Boot Environments goes to HEAD when?
Message-ID:  <CABHD1wQ2ccTsQwTX5g7SPHC14zVCk3Mq6a8e7CFVyOaOQoaOVw@mail.gmail.com>
In-Reply-To: <CANCZdfpx8KpeUuvZ-jwmeEe0ds0Hiwrzsfmrj%2BSf6ewUU%2BC=Vw@mail.gmail.com>
References:  <CABHD1wRyrmXp5R_ViERa-MnJnVKN-U551SWt%2Behm6r%2B3viydxg@mail.gmail.com> <0e75a2ba-9a59-8301-a678-68a822025bd6@metricspace.net> <CABHD1wS-RoxP5fsCYgH61BsPsad_OPC4FZSUCUi6EfsWyXRzQA@mail.gmail.com> <9df63df2-9d61-4106-f360-347411869b41@metricspace.net> <f17bbb44-6735-e252-ba75-bd0b4f685d9d@metricspace.net> <CABHD1wRu_C4dPvzt%2BxMsYYYjFNJ1%2B78ne4cLsuCxr=YrN%2BhfFA@mail.gmail.com> <CANCZdfrkW1yteAixk44DetDe=uetVtvxM9-M7K5FioxeLseHJw@mail.gmail.com> <D667242D-ACB8-42E4-85B8-308702C15360@metricspace.net> <CAPQ4fftB27Y63yvk9zqEE3q4-MShHOYdwM7aD=c%2BXKzrs%2BZoMw@mail.gmail.com> <CANCZdfqZ1qr0Z7eiby6Kvwop_-%2B3_VZ0hFnCfo7Hm1NN9UbaUA@mail.gmail.com> <c0c57711-055a-5d0d-796e-f7acce4be3b4@metricspace.net> <CANCZdfpH4z8yhzD_pyJDPy0276FxqQ%2BpEWcp3HiPe-qhNnrYCw@mail.gmail.com> <5ba11024-e99b-86e1-48b7-125fb80b4001@metricspace.net> <CAPQ4fftg_8DRmHhsrt3k4660GyiXGQ%2BQe%2B-%2BOpfitVU5i-jTkA@mail.gmail.com> <1531078307.1336.22.camel@freebsd.org> <06cb8190-7a04-5c92-8fb9-637d1a80758f@freebsd.org> <CANCZdfpx8KpeUuvZ-jwmeEe0ds0Hiwrzsfmrj%2BSf6ewUU%2BC=Vw@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 10 Jul 2018 at 1.05, Warner Losh <imp@bsdimp.com> wrote:

> I have this in my tree already...
>
> Warner
>
> On Mon, Jul 9, 2018, 10:28 AM Allan Jude <allanjude@freebsd.org> wrote:
>
>> I will look at updating the rootgen.sh script this evening, to support
>> creating more flexible ESP partitions, so we can drop the loader.efi
>> into an msdosfs directly.
>>
>> On 07/08/2018 15:31, Ian Lepore wrote:
>> > On Sun, 2018-07-08 at 21:08 +0200, Oliver Pinter wrote:
>> >> Hi!
>> >>
>> >> Have you or Warner any update on this code?
>> >>
>> >> On Thursday, April 12, 2018, Eric McCorkle <eric@metricspace.net>
>> >> wrote:
>> >>
>> >
>> > Are you aware of https://reviews.freebsd.org/D15743 ?
>> >
>> > That's my changes to add geli support to loader(8) in an architecture-
>> > agnostic way, so that "it just works" for all platforms and flavors of
>> > loader. It has been succesfully tested on armv6/7 (ubldr) and on x86
>> > using qemu.  The x86 tests cover ufs and zfs, legacy bios and uefi. The
>> > only variations that aren't tested yet are the uefi flavors, because
>> > the current rootgen.sh script for assembling test images is still using
>> > boot1.efi and I don't know enough about efi myself to update the script
>> > to make it assemble images the new way Warner envisions.
>> >
>> > -- Ian
>> >
>> >>>
>> >>> I'm in the middle of moving to a new apartment right now.  It's
>> >>> going to
>> >>> be a bit before I can get to this.
>> >>>
>> >>> On 04/11/2018 20:31, Warner Losh wrote:
>> >>>>
>> >>>> OK. I've pushed in the main part of it. The additional work I
>> >>>> have
>> >>>> shouldn't affect any of this stuff.  I was going to look at what
>> >>>> part(s)
>> >>>> of your open reviewed needed to be redone tomorrow and send you
>> >>>> feedback, but if you wanted to get a start before then, I'm happy
>> >>>> to
>> >>>> answer questions. All the rest of my work is going to be
>> >>>> selecting the
>> >>>> root partition when we're told to us a specific partition, so
>> >>>> will be
>> >>>> very constrained.
>> >>>>
>> >>>> Warner
>> >>>>
>> >>>> On Wed, Apr 11, 2018 at 6:02 PM, Eric McCorkle <eric@metricspace.
>> >>>> net
>> >>>> <mailto:eric@metricspace.net>> wrote:
>> >>>>
>> >>>>      I think the thing to do at this point is to wait for the
>> >>>> current
>> >>> work on
>> >>>>
>> >>>>      loader.efi to land, then adapt my patches to apply against
>> >>>> that work.
>> >>>>
>> >>>>      On 04/11/2018 15:06, Warner Losh wrote:
>> >>>>      > Still reviewing the code. I'm worried it's too i386
>> >>>> specific and it
>> >>>>      > conflicts with some work I'm doing. I'll have a list of
>> >>>> actionable
>> >>>>      > critiques this week.
>> >>>>      >
>> >>>>      > Warner
>> >>>>      >
>> >>>>      > On Wed, Apr 11, 2018 at 1:03 PM, Oliver Pinter
>> >>>>      > <oliver.pinter@hardenedbsd.org
>> >>>>      <mailto:oliver.pinter@hardenedbsd.org>
>> >>>>      <mailto:oliver.pinter@hardenedbsd.org
>> >>>>      <mailto:oliver.pinter@hardenedbsd.org>>>
>> >>>>      > wrote:
>> >>>>      >
>> >>>>      >     Hi!
>> >>>>      >
>> >>>>      >     Is there any update regarding the rebase or the
>> >>>> inclusion to
>> >>> base
>> >>>>
>> >>>>      >     system?
>> >>>>      >     On 3/28/18, Eric McCorkle <eric@metricspace.net
>> >>>> <mailto:
>> >>> eric@metricspace.net>
>> >>>>
>> >>>>      >     <mailto:eric@metricspace.net <mailto:eric@metricspace.n
>> >>>> et>>>
>> >>> wrote:
>> >>>>
>> >>>>      >     > I'll do another rebase from head just to be sure
>> >>>>      >     >
>> >>>>      >     > On March 28, 2018 3:23:23 PM EDT, Warner Losh <
>> >>> imp@bsdimp.com <mailto:imp@bsdimp.com>
>> >>>>
>> >>>>      >     <mailto:imp@bsdimp.com <mailto:imp@bsdimp.com>>> wrote:
>> >>>>      >     >>It's on my list for nexr, finally. I have an
>> >>>> alternate patch
>> >>> for
>> >>>>
>> >>>>      >     >>loader.efi
>> >>>>      >     >>from ESP, but i don't think it will affect the GELI
>> >>>> stuff. I
>> >>> have some
>> >>>>
>> >>>>      >     >>time
>> >>>>      >     >>slotted for integration issues though.
>> >>>>      >     >>
>> >>>>      >     >>I am quite mindful of the freeze dates.... I  have
>> >>>> some uefi
>> >>> boot
>> >>>>
>> >>>>      >     >>loader
>> >>>>      >     >>protocol changes that I need to get in.
>> >>>>      >     >>
>> >>>>      >     >>Warner
>> >>>>      >     >>
>> >>>>      >     >>On Feb 21, 2018 11:18 PM, "Tommi Pernila" <
>> >>> tommi.pernila@iki.fi <mailto:tommi.pernila@iki.fi>
>> >>>>
>> >>>>      >     <mailto:tommi.pernila@iki.fi <mailto:tommi.pernila@iki.
>> >>>> fi>>>
>> >>> wrote:
>> >>>>
>> >>>>      >     >>
>> >>>>      >     >>> Awesome, thanks for the update and the work that
>> >>>> you have
>> >>> done!
>> >>>>
>> >>>>      >     >>>
>> >>>>      >     >>> Now we just need some more reviewers eyes on the
>> >>>> code :)
>> >>>>      >     >>>
>> >>>>      >     >>> Br,
>> >>>>      >     >>>
>> >>>>      >     >>> Tommi
>> >>>>      >     >>>
>> >>>>      >     >>> On Thu, 22 Feb 2018 at 2.03, Eric McCorkle <
>> >>> eric@metricspace.net <mailto:eric@metricspace.net>
>> >>>>
>> >>>>      >     <mailto:eric@metricspace.net <mailto:eric@metricspace.n
>> >>>> et>>>
>> >>>>      >     >>wrote:
>> >>>>      >     >>>
>> >>>>      >     >>>> FYI, I just IFC'ed everything, and the current
>> >>>> patches
>> >>>>      are still
>> >>>>      >     >>fine.
>> >>>>      >     >>>>
>> >>>>      >     >>>> Also, the full GELI + standalone loader has been
>> >>>> deployed
>> >>>>      on one of
>> >>>>      >     >>my
>> >>>>      >     >>>> laptops for some time now.
>> >>>>      >     >>>>
>> >>>>      >     >>>> On 02/21/2018 18:15, Eric McCorkle wrote:
>> >>>>      >     >>>> > The GELI work could be merged at this point,
>> >>>> though it
>> >>>>      won't be
>> >>>>      >     >>usable
>> >>>>      >     >>>> > without an additional patch to enable loader-
>> >>>> only
>> >>>>      operation.  The
>> >>>>      >     >>>> > patches are currently up for review:
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > This is the order in which they'd need to be
>> >>>> merged:
>> >>>>      >     >>>> >
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > https://reviews.freebsd.org/D12732
>> >>>>      <https://reviews.freebsd.org/D12732>;
>> >>>>      >     <https://reviews.freebsd.org/D12732
>> >>>>      <https://reviews.freebsd.org/D12732>>;
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > This one changes the efipart device.  Toomas
>> >>>> Soome
>> >>>>      identified
>> >>>>      >     some
>> >>>>      >     >>>> > problems, which I have addressed.  He has not
>> >>>>      re-reviewed it,
>> >>>>      >     >>however.
>> >>>>      >     >>>> >
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > https://reviews.freebsd.org/D12692
>> >>>>      <https://reviews.freebsd.org/D12692>;
>> >>>>      >     <https://reviews.freebsd.org/D12692
>> >>>>      <https://reviews.freebsd.org/D12692>>;
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > This adds some crypto code needed for GELI.  It
>> >>>> simply
>> >>>>      adds new
>> >>>>      >     >>code,
>> >>>>      >     >>>> > and doesn't conflict with anything.
>> >>>>      >     >>>> >
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > https://reviews.freebsd.org/D12698
>> >>>>      <https://reviews.freebsd.org/D12698>;
>> >>>>      >     <https://reviews.freebsd.org/D12698
>> >>>>      <https://reviews.freebsd.org/D12698>>;
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > This adds the EFI KMS interface code, and has
>> >>>> the EFI
>> >>>>      loader pass
>> >>>>      >     >>keys
>> >>>>      >     >>>> > into the keybuf interface.
>> >>>>      >     >>>> >
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > I can't post the main GELI driver until those
>> >>>> get
>> >>>>      merged, as it
>> >>>>      >     >>depends
>> >>>>      >     >>>> > on them.  It can be found on the geli branch on
>> >>>> my
>> >>>>      github freebsd
>> >>>>      >     >>>> > repository, however.
>> >>>>      >     >>>> >
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > Additionally, you need this patch, which allows
>> >>>>      loader.efi to
>> >>>>      >     >>function
>> >>>>      >     >>>> > when installed directly to the ESP:
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > https://reviews.freebsd.org/D13497
>> >>>>      <https://reviews.freebsd.org/D13497>;
>> >>>>      >     <https://reviews.freebsd.org/D13497
>> >>>>      <https://reviews.freebsd.org/D13497>>;
>> >>>>      >     >>>> >
>> >>>>      >     >>>> > On 02/20/2018 22:56, Tommi Pernila wrote:
>> >>>>      >     >>>> >> Hi Eric,
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >> could you provide a brief update how the work
>> >>>> is going?
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >> Br,
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >> Tommi
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >> On Nov 16, 2017 04:29, "Eric McCorkle"
>> >>>>      <eric@metricspace.net <mailto:eric@metricspace.net>
>> >>>>      >     <mailto:eric@metricspace.net <mailto:eric@metricspace.n
>> >>>> et>>
>> >>>>      >     >>>> >> <mailto:eric@metricspace.net
>> >>>>      <mailto:eric@metricspace.net> <mailto:eric@metricspace.net
>> >>>>      <mailto:eric@metricspace.net>>>>
>> >>>>      >     wrote:
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >>     Right, so basically, the remaining GELI
>> >>>> patches
>> >>>>      are against
>> >>>>      >     >>>> loader, and
>> >>>>      >     >>>> >>     most of them can go in independently of the
>> >>>> work
>> >>>>      on removing
>> >>>>      >     >>boot1.
>> >>>>      >     >>>> >>     There's a unanimous consensus on getting
>> >>>> rid of
>> >>>>      boot1 which
>> >>>>      >     >>>> includes its
>> >>>>      >     >>>> >>     original author, so that's going to happen.
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >>     For GELI, we have the following (not
>> >>>> necessarily
>> >>>>      in order):
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >>     a) Adding the KMS interfaces, pseudo-
>> >>>> device, and
>> >>>>      kernel
>> >>>>      >     >>keybuf
>> >>>>      >     >>>> >>     interactions
>> >>>>      >     >>>> >>     b) Modifications to the efipart driver
>> >>>>      >     >>>> >>     c) boot crypto
>> >>>>      >     >>>> >>     d) GELI partition types (not strictly
>> >>>> necessary)
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >>     Then there's the GELI driver itself.  (a)
>> >>>> and (c)
>> >>> are
>> >>>>
>> >>>>      >     good to
>> >>>>      >     >>>> land, (b)
>> >>>>      >     >>>> >>     needs some more work after Toomas Soome
>> >>>> pointed
>> >>> out a
>> >>>>
>> >>>>      >     >>legitimate
>> >>>>      >     >>>> >>     problem, and (d) actually needs a good bit
>> >>>> more
>> >>>>      code (but
>> >>>>      >     >>again,
>> >>>>      >     >>>> it's
>> >>>>      >     >>>> >>     more cosmetic).  Additionally, the GELI
>> >>>> driver
>> >>>>      will need
>> >>>>      >     >>further
>> >>>>      >     >>>> mods to
>> >>>>      >     >>>> >>     efipart to be written (nothing too
>> >>>> big).  But we
>> >>>>      could go
>> >>>>      >     >>ahead
>> >>>>      >     >>>> with (a)
>> >>>>      >     >>>> >>     and (c), as they've already been proven to
>> >>>> work.
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >>     I'd wanted to have this stuff shaped up
>> >>>> sooner,
>> >>>>      but I'm
>> >>>>      >     >>>> preoccupied with
>> >>>>      >     >>>> >>     the 7th RISC-V workshop at the end of the
>> >>>> month.
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >>     Once this stuff is all in, loader should
>> >>>> handle
>> >>>>      any GELI
>> >>>>      >     >>volumes it
>> >>>>      >     >>>> >>     finds, and it should Just Work once boot1
>> >>>> is gone.
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> >>
>> >>>>      >     >>>> > _______________________________________________
>> >>>>      >     >>>> > freebsd-current@freebsd.org
>> >>>>      <mailto:freebsd-current@freebsd.org>
>> >>>>      >     <mailto:freebsd-current@freebsd.org
>> >>>>      <mailto:freebsd-current@freebsd.org>> mailing list
>> >>>>      >     >>>> > https://lists.freebsd.org/mailman/listinfo/freeb
>> >>>> sd-
>> >>> current
>> >>>>
>> >>>>      <https://lists.freebsd.org/mailman/listinfo/freebsd-current>;
>> >>>>      >     <https://lists.freebsd.org/mailman/listinfo/freebsd-cur
>> >>>> rent
>> >>>>      <https://lists.freebsd.org/mailman/listinfo/freebsd-current>>;
>> >>>>      >     >>>> > To unsubscribe, send any mail to
>> >>> "freebsd-current-unsubscribe@
>> >>>>
>> >>>>      >     >>>> freebsd.org <http://freebsd.org>;
>> >>>> <http://freebsd.org>"
>> >>>>      >     >>>> >
>> >>>>      >     >>>>
>> >>>>      >     >>>
>> >>>>      >     >
>> >>>>      >     > --
>> >>>>      >     > Sent from my Android device with K-9 Mail. Please
>> >>>> excuse my
>> >>> brevity.
>> >>>>
>> >>>>      >     > _______________________________________________
>> >>>>      >     > freebsd-current@freebsd.org
>> >>>>      <mailto:freebsd-current@freebsd.org>
>> >>>>      <mailto:freebsd-current@freebsd.org
>> >>>>      <mailto:freebsd-current@freebsd.org>>
>> >>>>      >     mailing list
>> >>>>      >     > https://lists.freebsd.org/mailman/listinfo/freebsd-cu
>> >>>> rrent
>> >>>>      <https://lists.freebsd.org/mailman/listinfo/freebsd-current>;
>> >>>>      >     <https://lists.freebsd.org/mailman/listinfo/freebsd-cur
>> >>>> rent
>> >>>>      <https://lists.freebsd.org/mailman/listinfo/freebsd-current>>;
>> >>>>      >     > To unsubscribe, send any mail to
>> >>>>      >     "freebsd-current-unsubscribe@freebsd.org
>> >>>>      <mailto:freebsd-current-unsubscribe@freebsd.org>
>> >>>>      >     <mailto:freebsd-current-unsubscribe@freebsd.org
>> >>>>      <mailto:freebsd-current-unsubscribe@freebsd.org>>"
>> >>>>      >     >
>> >>>>      >
>> >>>>      >
>> >>>>
>> >>>>
>> >>>
>> >> _______________________________________________
>> >> freebsd-current@freebsd.org mailing list
>> >> https://lists.freebsd.org/mailman/listinfo/freebsd-current
>> >> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd
>> >> .org"
>>
>> --
>> Allan Jude
>>
>
Hi all,

could anyone comment on the overall status of this feature?
Is it going to make in 12.0 as it's code freeze is nearing up?

Br,

Tommi



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CABHD1wQ2ccTsQwTX5g7SPHC14zVCk3Mq6a8e7CFVyOaOQoaOVw>