Date: Sat, 24 Jun 2023 19:23:47 +1000
From: Peter Jeremy <peterj@freebsd.org>
To: freebsd-fs@freebsd.org
Subject: Diskless NFS over TLS
Message-ID: <ZJa2I02XbQAit6dE@server.rulingia.com>

I have a number of aarch64 SBCs that run "diskless": U-Boot loads boot.scr.uimg, loader.efi and the DTB via TFTP, EFI loads the loader config and kernel via NFS and passes the NFS root details to the kernel.

I am contemplating whether it's possible to use secure NFS for at least the root mount[*]. The problem is that NFS-over-TLS relies on rpc.tlsclntd to perform the STARTTLS and that needs a functional userland to run it.

Does anyone have any idea how to proceed? Maybe something like mfsroot with the real root then overlaid over it (though I haven't thought this through). (And I realise that protecting the keys is problematic).

[*] It would be nice to secure TFTP and the kernel load but that's less feasible.

-- 
Peter Jeremy
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ZJa2I02XbQAit6dE>