Date: Sat, 3 Nov 2012 09:18:57 -0700
From: Mehmet Erol Sanliturk <m.e.sanliturk@gmail.com>
To: Alexander Yerenkow <yerenkow@gmail.com>
Cc: Ian Lepore <freebsd@damnhippie.dyndns.org>, lev@freebsd.org, freebsd-current <freebsd-current@freebsd.org>
Subject: Re: FreeBSD as read-only firmware
Message-ID: <CAOgwaMu7uzKAue4GLd5xYHDdZi9ddoViHUqzF4NBavCPCY%2Bwuw@mail.gmail.com>
In-Reply-To: <CAPJF9wkPOL32PJvFjaGJ-=35CFwHgxZbKoU8_RCjWg-eMcFAPA@mail.gmail.com>
References: <CAPJF9wmO-oO7cy4XUwnTMb5cpD14TaK430rWW2nqodBFWw54DQ@mail.gmail.com>
 <1167404891.20121103170049@serebryakov.spb.ru>
 <CAPJF9wmVPxMDBqyy=Dqdnb%2BZ33f_wLDx9CFbk_oSEx4inboK6A@mail.gmail.com>
 <CAOgwaMtnqCvA3_zyd1fqmEFyrTD4hZHoE5QZC0akmK0DTm8=yw@mail.gmail.com>
 <1351956625.1120.44.camel@revolution.hippie.lan>
 <CAOgwaMvzFJKE_s_W_NpOFSOD8aUdw7aJa5fVCG7rDo=qf=wS=w@mail.gmail.com>
 <CAPJF9wkPOL32PJvFjaGJ-=35CFwHgxZbKoU8_RCjWg-eMcFAPA@mail.gmail.com>

On Sat, Nov 3, 2012 at 9:08 AM, Alexander Yerenkow <yerenkow@gmail.com> wrote:

> Actually in my case, base system image r24243.vmdk, have exactly two
> partitions (gpt's freebsd-boot, and roots = freebsd-ufs), and second one is
> used only in read-only :)
>
> For virtual machines approach, base image can be even ISO, which will be
> implied RO for system, and upgrade is just switch ISO.
>
> For real hardware, it can be done with such approach - make two partitions
> with fixed size, and when you need upgrade - just `dd` new image to other
> partition, mark it as [bootonce] (And if all is ok, as [bootme]), reboot =
> and you have new OS very quick, with same configs (except for some LARGE
> changes which could happen in /etc and touch your configs), and with same
> packages.
>
> BTW, when you mount /etc-rw union over /etc, when you'll need upgrade,
> mergemaster could take less time, less places for errors - since you had to
> merge only changed files (which present on /etc-rw).
> I think these days with current hw, no one will complain against lost 1Gb
> to achieve clean and simple OS upgrade.
>
> I'm not saying about possible way to shrink it further (no debug, gzip,
> etc) - get lesser partition, but still RO, and get ability to make
> something dd if=/dev/gpt/rootfs bs=1M | sha256
>
>
> --
> Regards,
> Alexander Yerenkow
>

I am assuming that ANY SOFTWARE read-only protection, whatever it is, has a
security vulnerability.

Therefore, the first approach should be to provide HARDWARE read only.

If this is supplied, the next necessity is that programs in the
write-protected part should not attempt to write anything onto the
write-protected part.

Thank you very much.

Mehmet Erol Sanliturk

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOgwaMu7uzKAue4GLd5xYHDdZi9ddoViHUqzF4NBavCPCY%2Bwuw>
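
The `dd if=/dev/gpt/rootfs bs=1M | sha256` check quoted above, worked through as an added example that is not code from the thread: with two fixed-size partitions, the slot is usually larger than the image written into it, so hashing the whole partition also hashes whatever an older image left in the tail. The function names, the image length argument and the sample files are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example, not code from the thread. Names and sample data are constructed.

# SHA-256 hex digest of stdin: sha256sum(1) where present, else FreeBSD sha256(1).
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d ' ' -f 1
    else
        sha256 -q
    fi
}

# Digest of the first $2 bytes of $1 (a partition such as /dev/gpt/rootfs,
# or a regular file standing in for one).
slot_digest() {
    head -c "$2" "$1" | sha256_stdin
}

# verify_slot DEVICE IMAGE_BYTES EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on bad arguments or unreadable device.
verify_slot() {
    [ $# -eq 3 ] || return 2
    [ -r "$1" ] || return 2
    case $2 in ''|*[!0-9]*) return 2 ;; esac
    actual=$(slot_digest "$1" "$2") || return 2
    [ "$actual" = "$3" ]
}

# Constructed demo: a 4 KiB "image" written into an 8 KiB "partition" whose
# tail still holds blocks from an older image.
demo() {
    tmp=$(mktemp -d) || return 2
    head -c 4096 /dev/zero | tr '\0' 'A' > "$tmp/image"
    head -c 8192 /dev/zero | tr '\0' 'B' > "$tmp/slot"
    dd if="$tmp/image" of="$tmp/slot" conv=notrunc 2>/dev/null
    want=$(sha256_stdin < "$tmp/image")
    verify_slot "$tmp/slot" 4096 "$want" && echo "image-length hash: match"
    verify_slot "$tmp/slot" 8192 "$want" || echo "whole-slot hash: mismatch (stale tail)"
    rm -rf "$tmp"
}
demo
```

The expected digest and image length should be recorded where the image is built and kept off the machine being checked; a digest computed by the running system is still a software-level check.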