From: Petr Hejl <petr.hejl@freedev.cz>
To: freebsd-questions@freebsd.org
Subject: Re: Can't boot from encrypted partition
Date: Fri, 16 Mar 2018 00:20:46 +0100
Message-ID: <22ac9bc6-2330-a1ce-748a-e583a4f429ce@freedev.cz>
In-Reply-To: <1f375819-bcf9-af5c-00d1-12dd29a5e9d9@freedev.cz>
List-Id: User questions <freebsd-questions@freebsd.org>
OK, I experimented a little and now I can reply to myself :).

The EFI bootloader (meaning the BOOTX64.EFI) is not yet capable of
unlocking an encrypted device. Either that or the function is not
implemented correctly.

I went through the steps I described earlier while temporarily switching
my motherboard to CSM mode. The only other difference being:

/dev/ada0
|- /dev/ada0p1 (freebsd-boot, 128K)

and a bootcode written to the device. The bootloader asked for the
password, unlocked the second partition, loaded the loader and the machine
booted OK. So it's definitely the EFI bootloader.

One other thing is weird, though. The geli manpage states:

geli init [-bgPTv] ...

However, both -b AND -g options can and probably even have to be given at
the same time. I created the geli container with '-g' only and the boot
process crashed when looking for the ZFS pool "root", stating there is
none. After adding the '-b' via

geli configure -b /dev/ada0p2

it works OK. The bootloader gives some strange error (didn't catch it,
sorry) but succeeds in unlocking the partition anyway. So I'm guessing it
should probably be corrected to

geli init [-bPTv][-g] ...

Does anybody know whether it works for EFI in 11.1-STABLE?

Thank you.

> Hello, FreeBSD community.
>
> I need help with booting from an encrypted partition. Until now, my EFI
> machine booted from an unencrypted ZFS, while the rest of the system
> resided on an encrypted ZFS. The layout was like this:
>
> /dev/ada0
> |- /dev/ada0p1 (efi, 800k)
> |- /dev/ada0p2 (freebsd-zfs, 1G)
> |- /dev/ada0p3 (freebsd-zfs, geli-encrypted, 931G)
>
> That worked OK. Since FreeBSD >= 11.0 should be able to boot an entirely
> encrypted system (let alone the EFI loader, of course), I'd like to get
> to that point (installing 11.1-RELEASE on amd64). So I create my layout
> like this:
>
> gpart create -s gpt /dev/ada0
> gpart add -t efi -l efi -s 800k /dev/ada0
> gpart add -t freebsd-zfs -l system /dev/ada0
> dd if=/boot/boot1.efifat of=/dev/ada0p1
> geli init -g -l 256 -s 4096 /dev/ada0p2
>
> So the only difference is that there is no separate partition for /boot
> and the ZFS partition is encrypted with 'geli init -g' rather than 'geli
> init -b'.
>
> The new layout is then:
>
> /dev/ada0
> |- /dev/ada0p1 (efi, 800k)
> |- /dev/ada0p2 (freebsd-zfs, geli-encrypted, 931G)
>
> After that, I install the system as usual, in the way it's always worked.
>
> geli manpage says:
>
> " ...
> -g Enable booting from this encrypted root
> filesystem. The boot loader prompts for the
> passphrase and loads loader from the
> encrypted partition.
> ..."
>
> The problem is, that it doesn't. When the EFI loader starts, it says it
> can't find any UFS or ZFS partitions, thus no /boot/loader.efi and ends
> with:
>
> panic: No bootable partitions found
>
> I have no idea what's wrong.
>
> Thank you for any advice.
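The reply above boils down to two things an admin wants to verify before rebooting into a fully GELI-encrypted root: the provider must carry both the BOOT (-b) and GELIBOOT (-g) flags, and the CSM/BIOS path needs a freebsd-boot partition for the bootcode. The following POSIX sh pre-flight check is an added example, not code from the thread or from FreeBSD's own tools. It parses the top-level "Flags:" line that geli list prints for an attached provider and the type column of gpart show. The function names are mine, the device names follow the thread (ada0, ada0p2), and the embedded sample outputs are constructed for the example: they use the field names the real tools print, but the sizes and offsets are made up.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's tools): pre-reboot
# checks for a GELI-encrypted root. Feed it `geli list <provider>` and
# `gpart show <disk>` output. The SAMPLE_* texts below are constructed.

# Print the value of the top-level "Flags:" line of `geli list` output (stdin).
geli_flags() {
    awk -F': *' '{ k = $1; sub(/^[ \t]+/, "", k)
                   if (k == "Flags") { print $2; exit } }'
}

# Succeed only if every flag named as an argument appears in the Flags line
# read from stdin. geli prints e.g. "BOOT, GELIBOOT", "GELIBOOT" or "NONE".
has_flags() {
    flags=$(geli_flags | tr -d ' ')
    for want in "$@"; do
        case ",$flags," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Report "ok" when the provider carries both BOOT (-b) and GELIBOOT (-g),
# otherwise "missing: <flags>"; `geli configure -b`/`-g` adds the missing one.
check_boot_flags() {
    listing=$(cat)
    missing=""
    printf '%s\n' "$listing" | has_flags BOOT     || missing="$missing BOOT"
    printf '%s\n' "$listing" | has_flags GELIBOOT || missing="$missing GELIBOOT"
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

# Succeed if `gpart show` output on stdin has a partition of type $1
# (e.g. freebsd-boot, which the CSM/BIOS bootcode path needs).
has_part_type() {
    awk -v want="$1" '$1 != "=>" && NF >= 4 && $4 == want { found = 1 }
                      END { exit found ? 0 : 1 }'
}

# Constructed sample outputs (field names as printed by the real tools).
SAMPLE_GELI_BOTH='Geom name: ada0p2.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: BOOT, GELIBOOT
Providers:
1. Name: ada0p2.eli
Consumers:
1. Name: ada0p2'

SAMPLE_GELI_G_ONLY='Geom name: ada0p2.eli
State: ACTIVE
Flags: GELIBOOT
Providers:
1. Name: ada0p2.eli'

SAMPLE_GPART_CSM='=>        40  1953525088  ada0  GPT  (932G)
          40        1024     1  freebsd-boot  (512K)
        1064  1953524064     2  freebsd-zfs  (932G)'

SAMPLE_GPART_EFI='=>        40  1953525088  ada0  GPT  (932G)
          40        1600     1  efi  (800K)
        1640  1953523488     2  freebsd-zfs  (932G)'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_GELI_BOTH"   | check_boot_flags   # ok
printf '%s\n' "$SAMPLE_GELI_G_ONLY" | check_boot_flags   # missing: BOOT
printf '%s\n' "$SAMPLE_GPART_CSM" | has_part_type freebsd-boot \
    && echo "freebsd-boot partition present (CSM path can load bootcode)"
```

On a live system the inputs are `geli list ada0p2.eli | check_boot_flags` (the provider must be attached for geli list to show it) and `gpart show ada0 | has_part_type freebsd-boot`. The flag check targets exactly the failure mode in the reply: a container created with -g alone shows "Flags: GELIBOOT" and reports "missing: BOOT" until `geli configure -b` is run. The partition check covers the CSM/BIOS path the reply fell back to; FreeBSD 12.0 and later ship an EFI loader that can unlock GELI providers itself, so on those releases the EFI-only layout from the original post no longer needs this workaround.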