Date: Wed, 1 Jun 2016 10:34:08 -0500
From: Karl Denninger <karl@denninger.net>
To: freebsd-hackers@freebsd.org
Subject: Re: EFI GELI support ready for testers
Message-ID: <85c26cf4-5c28-526c-71f7-8ff463e0d4bd@denninger.net>
In-Reply-To: <609c25ce-7d3e-cdc5-534f-e885e20abd40@freebsd.org>
References: <519CC1FC-84DF-4710-8E62-AF26D8AED2CF@metricspace.net> <20160528083656.GT38613@kib.kiev.ua> <d6b96a6c-4e92-35a5-e78b-cc674b6d2f25@freebsd.org> <20160528172618.GB38613@kib.kiev.ua> <6A9DADE0-B214-424A-BB14-0B0848F0D08D@metricspace.net> <20160529091827.GD38613@kib.kiev.ua> <46B3F9E2-A25B-4F9D-B35F-11AC782495B1@metricspace.net> <alpine.BSF.2.20.1606011623410.3503@laptop.wojtek.intra> <20160601144738.GA14531@britannica.bec.de> <609c25ce-7d3e-cdc5-534f-e885e20abd40@freebsd.org>
On 6/1/2016 10:14, Allan Jude wrote:
> On 2016-06-01 10:47, Joerg Sonnenberger wrote:
>> On Wed, Jun 01, 2016 at 04:29:16PM +0200, Wojciech Puchar wrote:
>>>> It's undesirable because the whole point of ZFS is to have one ZFS
>>>> volume for the whole system.
>>> This sounds more like a religious dogma than anything else.
>>
>> If "ZFS volume" means "ZFS pool" here, it is also blatant bullshit.
>> There are a lot of reasons for having more than one ZFS pool, the
>> easiest being separating SSDs and HDDs for fast vs cheap storage.
>>
>> Joerg
>
> Again, my only motivation for adding GELI encryption support to
> gptzfsboot was to allow ZFS Boot Environments, one of the biggest
> selling features of ZFS-on-root, to work with GELI encrypted disks.
>
> For boot environments to work, your kernel must reside in the / (root)
> ZFS dataset, so it can be snapshotted and cloned along with the rest
> of the base system.
>
> You can still use multiple pools.
>
> But for this useful feature to work, you need to be able to use a
> single pool, so I made it so. I added support for UFS, because it was
> only ~10 more lines of code.
>
> In my geliboot work, no new crypto code is introduced. It just reuses
> GELI and OpenCrypto.
>
> The entire geliboot codebase is only 450 lines including license and
> comments, mostly of boilerplate, and 100 lines of .h file to bridge
> the gap between the kernel and the boot2/loader environments.
I just want to add to this -- using Geli-encrypted volumes is fine as things sit now, *but* you cannot do so *and* have BEADM (boot environments) work properly, which is a huge problem from a standpoint of deployment and maintainability for complex installations where kernel and system updates are made from time to time to either fix bugs or roll forward new versions. This becomes a quite-material issue as security problems are found and fixed. With BE you clone the running environment, install the patch onto the cloned copy and reboot. Further, the previous (unpatched) copy remains available until you wish to dump it, should there prove to be a problem with the patch or update you deployed.

BE is a big deal in this regard, as it makes reverting such a change a near-instant operation if it goes sideways on you, and sometimes these sorts of things *do* go sideways. Without root-on-boot for the booting pool, however, you have to manually sync things back and forth, and the risk of a mistake is quite high -- and a mistake can cost you data on a production system. Reducing the attack surface (somewhat) is a (convenient) side effect; the real benefit is in maintainability as patches and new versions are released.
--
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
