FreeBSD Mail Archives

Date:      Sun, 23 Jun 2019 08:52:42 -0500
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-current@freebsd.org
Subject:   Re: UEFI firmware and getting FreeBSD recognized by default: who to talk to?
Message-ID:  <552a8d6e-73fa-e311-f16d-e56c6c0c2937@denninger.net>
In-Reply-To: <20190623073801.8A4EC1DE777@denninger.net>
References:  <1e08badd-a963-7e4b-98a7-52a9d3bd77a8@bluestop.org> <db7c8df3-ead3-9d56-bd9c-9ff732b401e9@denninger.net> <cc6c9260-451b-ae5b-0612-51b1a5525116@bluestop.org> <87dee58e-66dc-ddf8-980b-a538875ae8b9@denninger.net> <20190623012022.5270E1DDDFE@denninger.net> <cb2ef34c-836b-5a2d-9b9f-ff1b40cede59@denninger.net> <20190623073801.8A4EC1DE777@denninger.net>

This is a cryptographically signed message in MIME format.

--------------ms020906000009030900030607
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 6/23/2019 02:36, Thomas Mueller wrote:
> from Karl Denninger and my previous post:
>
>>> This is scary (Bitlocker), sent me to Wikipedia to look up Bitlocker.=

>>>
>>> Can you turn Bitlocker off after turning it on and get your system ba=
ck?
>> You SHOULD (better have!) kept the recovery key.=C3=82=C2=A0 If you ha=
ve it, you
>> can boot with it.=C3=82=C2=A0 Then turn it off and back on, and it wil=
l generate a
>> new key.
>>> Now I am even more scared to ever get a computer with MS-Windows!=20
Bitlocker is optional and in fact defaults off.
>>> One think on my mind is if I need a new motherboard, would it have th=
e undesired Secure Boot?  I guess I'd have to ask the seller and look on =
the motherboard manufacturer's website (MSI, ASRock, Asus, Gigabyte, or o=
ther).=20
>>> I have no Secure Boot now.
>> Probably.=C3=82=C2=A0 But you can shut THAT off (and should) provided =
you wish to
>> dual boot.=C3=82=C2=A0 The exception is ARM-based systems, many of whi=
ch are
>> secure-boot ONLY.=C3=82=C2=A0 For Intel machines I've never run into o=
ne that can't
>> have it turned off (and I'd return it immediately if I found one.)
>>> I am trying to set up UEFI to boot my FreeBSD and NetBSD installation=
s, and later, Linux.
>>>
>> Tom
>>
>> Easy.=C3=82=C2=A0 Refind should do that and allow selection from a men=
u.
> Can one recover after losing the recovery key?  I think I would want to=
 avoid Bitlocker from the outset (malware!).

No.=C2=A0 You can't recover in FreeBSD if you lose the Geli key either.=C2=
=A0
That's the entire point of disk encryption; no key, no data.=C2=A0 End of=

discussion.=C2=A0 Bitlocker has TWO keys (one normal one, which can eithe=
r be
TPM-only if you have one in the machine or TPM + PIN, or, if there is no
TPM, a password) and a recovery key which is a very long set of octal
digit groups.=C2=A0 It will insist you save that recovery key somewhere N=
OT
on the encrypted volume (e.g. to a USB key, to a network drive, printed,
etc) during setup.=C2=A0 It also (stupidly, in my opinion) allows you to =
save
it to your "Microsoft account" which is IMHO exactly identical to giving
it to Microsoft, the NSA, and probably China's Communist Party too.=C2=A0=
 I
recommended against that option, obviously.

Geli has two key slots too, and you can set both, and allows a
"randomization source" (e.g. key file), that plus a password, or just a
password.=C2=A0 But if, in any encrypted disk environment, you lose the k=
eys
for any reason you're screwed -- I hope you have backups! :)=C2=A0 Geli b=
y
default only sets one key; the other has to be set manually.

Oh, Geli also has a "duress" command (I don't know of one for Bitlocker)
that instantly destroys the key blocks on the disk.=C2=A0 If you use that=

then it's bye-bye even WITH the key unless you have backed them up to
some sort of other media (it does save the key blocks off during
initialization so you *can* back them up.)

It would be rather pointless to call a disk "encrypted" if, absent the
authentication means, you could manage to get into it.

> I was thinking about AMD Ryzen if I need to replace motherboard.  I wou=
ld need a new CPU with any new motherboard, Intel or AMD-compatible, woul=
d also need new RAM (DDR4, I now have DDR3), and probaby a new case.
>
> But I would keep and transfer any hard drives that are still good.
>
> Can rEFInd find and boot FreeBSD, NetBSD, Haiku, etc?
Yes.
> I don't see any refind, however partially capitalized, in FreeBSD base =
system or ports, or NetBSD base system or pkgsrc.  I find efibootmgr now =
in FreeBSD, but not NetBSD, base system.
It's not a port or package; the software is not in any way
FreeBSD-specific.
> I would want to label boot options with the partition label (like WD2G1=
8, WD2G19, WD2G20, WD2G21, and others) so I can see on the boot menu.
Refind automatically figures it out -- it "knows" what FreeBSD and
Windows are, for example.
> I also notice it is difficult to choose the root partition when booting=
 UEFI.  I could create a zero-byte or very small file in root directory w=
ith the partition label name, like /WD2G18 on partition WD2G18 just to sh=
ow up with ls.
>
> Tom

That's a function of the actual EFI loader in question for the specific
OS and is beyond the scope of UEFI itself.

In point of fact UEFI BIOS implementations are *supposed* to implement a
reasonable "boot manager" option to select from whatever various UEFI
loaders are installed on the machine.=C2=A0 In actual practice most of th=
em
I've run into on various motherboards bite big ones and either their
alleged "manager" is worthless or nearly so; thus tools like Refind.

--=20
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/

--------------ms020906000009030900030607
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwEAAKCC
DdgwggagMIIEiKADAgECAhMA5EiKghDOXrvfxYxjITXYDdhIMA0GCSqGSIb3DQEBCwUAMIGL
MQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTESMBAGA1UEBwwJTmljZXZpbGxlMRkw
FwYDVQQKDBBDdWRhIFN5c3RlbXMgTExDMRgwFgYDVQQLDA9DdWRhIFN5c3RlbXMgQ0ExITAf
BgNVBAMMGEN1ZGEgU3lzdGVtcyBMTEMgMjAxNyBDQTAeFw0xNzA4MTcxNjQyMTdaFw0yNzA4
MTUxNjQyMTdaMHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdGbG9yaWRhMRkwFwYDVQQKDBBD
dWRhIFN5c3RlbXMgTExDMRgwFgYDVQQLDA9DdWRhIFN5c3RlbXMgQ0ExJTAjBgNVBAMMHEN1
ZGEgU3lzdGVtcyBMTEMgMjAxNyBJbnQgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQC1aJotNUI+W4jP7xQDO8L/b4XiF4Rss9O0B+3vMH7Njk85fZ052QhZpMVlpaaO+sCI
KqG3oNEbuOHzJB/NDJFnqh7ijBwhdWutdsq23Ux6TvxgakyMPpT6TRNEJzcBVQA0kpby1DVD
0EKSK/FrWWBiFmSxg7qUfmIq/mMzgE6epHktyRM3OGq3dbRdOUgfumWrqHXOrdJz06xE9NzY
vc9toqZnd79FUtE/nSZVm1VS3Grq7RKV65onvX3QOW4W1ldEHwggaZxgWGNiR/D4eosAGFxn
uYeWlKEC70c99Mp1giWux+7ur6hc2E+AaTGh+fGeijO5q40OGd+dNMgK8Es0nDRw81lRcl24
SWUEky9y8DArgIFlRd6d3ZYwgc1DMTWkTavx3ZpASp5TWih6yI8ACwboTvlUYeooMsPtNa9E
6UQ1nt7VEi5syjxnDltbEFoLYcXBcqhRhFETJe9CdenItAHAtOya3w5+fmC2j/xJz29og1KH
YqWHlo3Kswi9G77an+zh6nWkMuHs+03DU8DaOEWzZEav3lVD4u76bKRDTbhh0bMAk4eXriGL
h4MUoX3Imfcr6JoyheVrAdHDL/BixbMH1UUspeRuqQMQ5b2T6pabXP0oOB4FqldWiDgJBGRd
zWLgCYG8wPGJGYgHibl5rFiI5Ix3FQncipc6SdUzOQIDAQABo4IBCjCCAQYwHQYDVR0OBBYE
FF3AXsKnjdPND5+bxVECGKtc047PMIHABgNVHSMEgbgwgbWAFBu1oRhUMNEzjODolDka5k4Q
EDBioYGRpIGOMIGLMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTESMBAGA1UEBwwJ
TmljZXZpbGxlMRkwFwYDVQQKDBBDdWRhIFN5c3RlbXMgTExDMRgwFgYDVQQLDA9DdWRhIFN5
c3RlbXMgQ0ExITAfBgNVBAMMGEN1ZGEgU3lzdGVtcyBMTEMgMjAxNyBDQYIJAKxAy1WBo2kY
MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IC
AQCB5686UCBVIT52jO3sz9pKuhxuC2npi8ZvoBwt/IH9piPA15/CGF1XeXUdu2qmhOjHkVLN
gO7XB1G8CuluxofOIUce0aZGyB+vZ1ylHXlMeB0R82f5dz3/T7RQso55Y2Vog2Zb7PYTC5B9
oNy3ylsnNLzanYlcW3AAfzZcbxYuAdnuq0Im3EpGm8DoItUcf1pDezugKm/yKtNtY6sDyENj
tExZ377cYA3IdIwqn1Mh4OAT/Rmh8au2rZAo0+bMYBy9C11Ex0hQ8zWcvPZBDn4v4RtO8g+K
uQZQcJnO09LJNtw94W3d2mj4a7XrsKMnZKvm6W9BJIQ4Nmht4wXAtPQ1xA+QpxPTmsGAU0Cv
HmqVC7XC3qxFhaOrD2dsvOAK6Sn3MEpH/YrfYCX7a7cz5zW3DsJQ6o3pYfnnQz+hnwLlz4MK
17NIA0WOdAF9IbtQqarf44+PEyUbKtz1r0KGeGLs+VGdd2FLA0e7yuzxJDYcaBTVwqaHhU2/
Fna/jGU7BhrKHtJbb/XlLeFJ24yvuiYKpYWQSSyZu1R/gvZjHeGb344jGBsZdCDrdxtQQcVA
6OxsMAPSUPMrlg9LWELEEYnVulQJerWxpUecGH92O06wwmPgykkz//UmmgjVSh7ErNvL0lUY
UMfunYVO/O5hwhW+P4gviCXzBFeTtDZH259O7TCCBzAwggUYoAMCAQICEwCg0WvVwekjGFiO
62SckFwepz0wDQYJKoZIhvcNAQELBQAwezELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3Jp
ZGExGTAXBgNVBAoMEEN1ZGEgU3lzdGVtcyBMTEMxGDAWBgNVBAsMD0N1ZGEgU3lzdGVtcyBD
QTElMCMGA1UEAwwcQ3VkYSBTeXN0ZW1zIExMQyAyMDE3IEludCBDQTAeFw0xNzA4MTcyMTIx
MjBaFw0yMjA4MTYyMTIxMjBaMFcxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdGbG9yaWRhMRkw
FwYDVQQKDBBDdWRhIFN5c3RlbXMgTExDMRswGQYDVQQDDBJrYXJsQGRlbm5pbmdlci5uZXQw
ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC+HVSyxVtJhy3Ohs+PAGRuO//Dha9A
16l5FPATr6wude9zjX5f2lrkRyU8vhCXTZW7WbvWZKpcZ8r0dtZmiK9uF58Ec6hhvfkxJzbg
96WHBw5Fumd5ahZzuCJDtCAWW8R7/KN+zwzQf1+B3MVLmbaXAFBuKzySKhKMcHbK3/wjUYTg
y+3UK6v2SBrowvkUBC+jxNg3Wy12GsTXcUS/8FYIXgVVPgfZZrbJJb5HWOQpvvhILpPCD3xs
YJFNKEPltXKWHT7Qtc2HNqikgNwj8oqOb+PeZGMiWapsatKm8mxuOOGOEBhAoTVTwUHlMNTg
6QUCJtuWFCK38qOCyk9Haj+86lUU8RG6FkRXWgMbNQm1mWREQhw3axgGLSntjjnznJr5vsvX
SYR6c+XKLd5KQZcS6LL8FHYNjqVKHBYM+hDnrTZMqa20JLAF1YagutDiMRURU23iWS7bA9tM
cXcqkclTSDtFtxahRifXRI7Epq2GSKuEXe/1Tfb5CE8QsbCpGsfSwv2tZ/SpqVG08MdRiXxN
5tmZiQWo15IyWoeKOXl/hKxA9KPuDHngXX022b1ly+5ZOZbxBAZZMod4y4b4FiRUhRI97r9l
CxsP/EPHuuTIZ82BYhrhbtab8HuRo2ofne2TfAWY2BlA7ExM8XShMd9bRPZrNTokPQPUCWCg
CdIATQIDAQABo4IBzzCCAcswPAYIKwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8v
b2NzcC5jdWRhc3lzdGVtcy5uZXQ6ODg4ODAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIF
oDAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMDMGCWCG
SAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBDbGllbnQgQ2VydGlmaWNhdGUwHQYDVR0O
BBYEFLElmNWeVgsBPe7O8NiBzjvjYnpRMIHKBgNVHSMEgcIwgb+AFF3AXsKnjdPND5+bxVEC
GKtc047PoYGRpIGOMIGLMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHRmxvcmlkYTESMBAGA1UE
BwwJTmljZXZpbGxlMRkwFwYDVQQKDBBDdWRhIFN5c3RlbXMgTExDMRgwFgYDVQQLDA9DdWRh
IFN5c3RlbXMgQ0ExITAfBgNVBAMMGEN1ZGEgU3lzdGVtcyBMTEMgMjAxNyBDQYITAORIioIQ
zl6738WMYyE12A3YSDAdBgNVHREEFjAUgRJrYXJsQGRlbm5pbmdlci5uZXQwDQYJKoZIhvcN
AQELBQADggIBAJXboPFBMLMtaiUt4KEtJCXlHO/3ZzIUIw/eobWFMdhe7M4+0u3te0sr77QR
dcPKR0UeHffvpth2Mb3h28WfN0FmJmLwJk+pOx4u6uO3O0E1jNXoKh8fVcL4KU79oEQyYkbu
2HwbXBU9HbldPOOZDnPLi0whi/sbFHdyd4/w/NmnPgzAsQNZ2BYT9uBNr+jZw4SsluQzXG1X
lFL/qCBoi1N2mqKPIepfGYF6drbr1RnXEJJsuD+NILLooTNf7PMgHPZ4VSWQXLNeFfygoOOK
FiO0qfxPKpDMA+FHa8yNjAJZAgdJX5Mm1kbqipvb+r/H1UAmrzGMbhmf1gConsT5f8KU4n3Q
IM2sOpTQe7BoVKlQM/fpQi6aBzu67M1iF1WtODpa5QUPvj1etaK+R3eYBzi4DIbCIWst8MdA
1+fEeKJFvMEZQONpkCwrJ+tJEuGQmjoQZgK1HeloepF0WDcviiho5FlgtAij+iBPtwMuuLiL
shAXA5afMX1hYM4l11JXntle12EQFP1r6wOUkpOdxceCcMVDEJBBCHW2ZmdEaXgAm1VU+fnQ
qS/wNw/S0X3RJT1qjr5uVlp2Y0auG/eG0jy6TT0KzTJeR9tLSDXprYkN2l/Qf7/nT6Q03qyE
QnnKiBXWAZXveafyU/zYa7t3PTWFQGgWoC4w6XqgPo4KV44OMYIFBzCCBQMCAQEwgZIwezEL
MAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExGTAXBgNVBAoMEEN1ZGEgU3lzdGVtcyBM
TEMxGDAWBgNVBAsMD0N1ZGEgU3lzdGVtcyBDQTElMCMGA1UEAwwcQ3VkYSBTeXN0ZW1zIExM
QyAyMDE3IEludCBDQQITAKDRa9XB6SMYWI7rZJyQXB6nPTANBglghkgBZQMEAgMFAKCCAkUw
GAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTkwNjIzMTM1MjQz
WjBPBgkqhkiG9w0BCQQxQgRAOvHUYFbKzeTUbUUUz7BQ1Vzt//ve/Ml3kXtwhxtXO/HB7MTX
aK75td/ymShaCHG/AyXEpV/YCq9TPWwPRzavTjBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFl
AwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3
DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGjBgkrBgEEAYI3EAQxgZUwgZIwezEL
MAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExGTAXBgNVBAoMEEN1ZGEgU3lzdGVtcyBM
TEMxGDAWBgNVBAsMD0N1ZGEgU3lzdGVtcyBDQTElMCMGA1UEAwwcQ3VkYSBTeXN0ZW1zIExM
QyAyMDE3IEludCBDQQITAKDRa9XB6SMYWI7rZJyQXB6nPTCBpQYLKoZIhvcNAQkQAgsxgZWg
gZIwezELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB0Zsb3JpZGExGTAXBgNVBAoMEEN1ZGEgU3lz
dGVtcyBMTEMxGDAWBgNVBAsMD0N1ZGEgU3lzdGVtcyBDQTElMCMGA1UEAwwcQ3VkYSBTeXN0
ZW1zIExMQyAyMDE3IEludCBDQQITAKDRa9XB6SMYWI7rZJyQXB6nPTANBgkqhkiG9w0BAQEF
AASCAgAK9OEQ3d8IqpK1kLwd3P7Q+RybfFmBwoauJ3Yx08EJj8i6Nu3btoV/GYw/Da9yLvww
/9iQtRHEDBsK6JBHAJc/KnvH2usdd/lRF7vJCWVGk2rXGFTX6f5cAq0hLHrbHlCfNTHdwf0J
ppagbT8iw154VhxpKYf6EgZ8JX4nrLYn+Kbg8i9jc0mz/Ok+33k0p63PSBBq1WK0N4gD8eSI
9DPYEQjqPEESd2z75z3yDYupnwtxBnaEKVRDf433/46+9oy9r+7cnvh9o04uMuwuoZ9vG9vC
MXOQl4RJ7Jt7b33uiVZrZk2XPy+mRZbuicTl2PmTqUFb33capNKNv4QwhXTo/N9YG0YE9GC1
cdxy8Mp5PofsApmI2rQqDcIRD3r9VTO08n8gDFdyYX2MTeBJ/Z1R/x6WPEARHHQb4l3Kjulr
X34gaVYEQ5rHg7rfRzXnB3wt/mIB47LXpjcH14Qq9OOHRm+Hzu52JU4by4XXBN0H3GJ6KBh9
IE45xN5vZU8GnqiyOIiFKMVy+1JomusXU6vmtzg/iVYk7zb9P70plQZBD3s6K7YTpK79VS2l
0UGtPYLLblWE+eFaAUInF354DGp3ryr9HWnvKeKKySF/THFt/HkTkTuJ4dM5Jcc23MKs+mu6
my11ttFUHEOo5Mv31qYmdF6WoCGotmyVmp/unSzz/QAAAAAAAA==
--------------ms020906000009030900030607--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?552a8d6e-73fa-e311-f16d-e56c6c0c2937>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation