Date: Fri, 1 Jul 2016 14:29:08 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r49024 - head/en_US.ISO8859-1/htdocs/news/status
Message-ID: <201607011429.u61ET8cT015911@repo.freebsd.org>
Author: dru Date: Fri Jul 1 14:29:08 2016 New Revision: 49024 URL: https://svnweb.freebsd.org/changeset/doc/49024 Log: Add EFI refactoring GELI support report from eric@metricspace.net. While here, fix a typo. Reviewed by: wblock@freebsd.org Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml ============================================================================== --- head/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml Thu Jun 30 14:42:57 2016 (r49023) +++ head/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml Fri Jul 1 14:29:08 2016 (r49024) @@ -102,7 +102,7 @@ final release.</p> <p>The &os; 11.0-RELEASE cycle started late May, one month - behind the orignal schedule. The schedule slip was primarily + behind the original schedule. The schedule slip was primarily to accommodate for packaging the &os; base system with the <tt>pkg(8)</tt> utility. However, as work on this progressed, it became apparent that there were too many outstanding 
@@ -326,4 +326,129 @@ report issues.</task> </help> </project> + + <project cat='proj'> + <title>EFI Refactoring, GELI Support</title> + + <contact> + <person> + <name> + <given>Eric</given> + <common>McCorkle</common> + </name> + <email>eric@metricspace.net</email> + </person> + </contact> + + <links> + <url href="https://github.com/emc2/freebsd/tree/geli_efi">GELI Support Branch</url> + <url href="https://github.com/emc2/freebsd/tree/efize">EFI Refactoring Branch</url> + </links> + + <body> + <p>The EFI bootloader has undergone considerable refactoring to + make more use of the EFI API. The filesystem code in + <tt>boot1</tt> has been eliminated, and a single codebase for + filesystems now serves both <tt>boot1</tt> and + <tt>loader</tt>. This codebase is organized around the EFI + driver model and it should be possible to export any + filesystem implementation as a standalone EFI driver without + too much effort.</p> + + <p>Both <tt>boot1</tt> and <tt>loader</tt> have been refactored + to talk through the <tt>EFI_SIMPLE_FILE_SYSTEM</tt> interface. + In <tt>loader</tt>, this is accomplished with a dummy + filesystem driver that is just a translation layer between the + <tt>loader</tt> filesystem interface and + <tt>EFI_SIMPLE_FILE_SYSTEM</tt>. A reverse translation layer + allows the existing filesystem drivers to function as EFI + drivers.</p> + + <p>The EFI refactoring by itself exists in + <a href="https://github.com/emc2/freebsd/tree/efize">this branch</a>.</p> + + <p>Additionally, GELI support has been added using the EFI + refactoring. This allows booting from a GELI-encrypted + filesystem. Note that the EFI system partition, which + contains <tt>boot1</tt>, must be a plaintext msdosfs + partition. This patch adds an intake buffer to the crypto + framework, which allows injection of keys directly into a + loaded kernel, without the need to pass them through + arguments or environment variables. 
This patch only uses the + intake buffer for EFI GELI support as legacy BIOS GELI support + still uses environment variables.</p> + + <p>EFI GELI support depends on the + <a href="https://github.com/emc2/freebsd/tree/geli_efi">efize branch</a>.</p> + + <p>These patches have been tested and used and should be able + to handle use by early adopters. Note that the + <tt>LOADER_PATH</tt> variable has been changed to + <tt>/boot/loader.tst</tt>, to facilitate safe testing.</p> + + <strong>IMPORTANT:</strong> + + <p>As this is an encrypted filesystem patch, an error can + potentially leave data inaccessible. It is + <em>strongly</em> recommended to use the following procedure + for testing:</p> + + <ol> + <li> + <p>Back up your data!</p> + </li> + + <li> + <p>Do not forget to back up your data!</p> + </li> + + <li> + <p>Install an EFI shell on the ESP.</p> + </li> + + <li> + <p>Install the patched <tt>boot1</tt> on the ESP to + something like <tt>/boot/efi/BOOTX64.TST</tt>.</p> + </li> + + <li> + <p>Install the patched loader to <tt>/boot/loader.tst</tt> + on your machine.</p> + </li> + + <li> + <p>Create a GELI partition outside of the normal boot + partition.</p> + </li> + + <li> + <p>First, try booting <tt>/boot/efi/BOOTX64.TST</tt> and + make sure it properly handles the encrypted partition.</p> + </li> + + <li> + <p>Copy a boot environment, including the patched loader, to + the encrypted partition.</p> + </li> + + <li> + <p>Use the loader prompt to load a kernel from the encrypted + partition.</p> + </li> + + <li> + <p>Try switching over to an encrypted main partition once + everything else has worked.</p> + </li> + </ol> + </body> + + <help> + <task>Testing is needed.</task> + + <task>Code will need review and some <tt>style(9)</tt> + normalization must occur before this code goes into + FreeBSD.</task> + </help> + </project> </report>
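Review bot: In the second hunk, the paragraph "EFI GELI support depends on the ... efize branch" links to https://github.com/emc2/freebsd/tree/geli_efi, which is the GELI branch itself. The links block in the same entry gives tree/efize as the EFI Refactoring Branch, so the href here should be https://github.com/emc2/freebsd/tree/efize to match the link text and the stated dependency. Two smaller points in the same hunk: the <strong>IMPORTANT:</strong> element sits directly under <body> while all other content in the entry is wrapped in <p> or <ol>, so it should go inside a <p>; and since the entry warns that an error can leave data inaccessible, the testing procedure would be clearer if it said explicitly that BOOTX64.TST and /boot/loader.tst are installed alongside the existing boot1 and loader rather than replacing them, which the .TST names imply but the steps never state.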