From: Pedro Arthur
To: John-Mark Gurney
Date: Mon, 23 Mar 2015 17:46:20 -0300
Subject: Re: GELI support on /boot folder
In-Reply-To: <20150319013231.GR51048@funkthat.com>
List-Id: Technical Discussions relating to FreeBSD

Based on your idea, the project could be to merge the GPT boot stages into a
single program with support for GELI, and instead of having a binary for zfs
and another for ufs we could have the boot program with support for both file
systems, so that we can choose to boot from any partition in the GPT, being
zfs or ufs.

What I want to know is if it is a good idea, or if merging these boot stages
has any drawback or infringes any design choices?

2015-03-18 22:32 GMT-03:00 John-Mark Gurney:

> Pedro Arthur wrote this message on Wed, Mar 18, 2015 at 15:50 -0300:
> > I was discussing with Kris Moore about adding support for GELI in
> > bootloader as a GSoC project, thus the /boot folder could be encrypted.
> > However the stage 2 boot program has a size limit of ~8 Kb which is
> > almost reached in the default HEAD src.
> > Thus I would like to know your thoughts about this project, if it is
> > viable, and what can be done to overcome this 8 Kb limit.
>
> One option is to not support MBR and only support GPT for this... w/
> GPT we do not have the 8k limitation (and actually the limit is 7.5k
> as .5k has historically been used for MBR boot code/partition table
> in the dangerously dedicated mode)...
>
> If we go this route, I'd ask why we don't put loader into the gptboot
> instead of using the existing shim to load loader... Then the project
> would be to add GELI decryption to loader which could then be used
> w/ MBR in the limited sense of loading kernel and modules, though
> boot/loader would still have to be on an unencrypted partition...
>
> I hope others who know the boot process better will inform us why
> this is a good or bad idea...
>
> --
> John-Mark Gurney                Voice: +1 415 225 5579
>
> "All that I will do, has been done, All that I have, has not."