Date:      Sun, 23 Jun 2019 08:52:42 -0500
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-current@freebsd.org
Subject:   Re: UEFI firmware and getting FreeBSD recognized by default: who to talk to?
Message-ID:  <552a8d6e-73fa-e311-f16d-e56c6c0c2937@denninger.net>
In-Reply-To: <20190623073801.8A4EC1DE777@denninger.net>
References:  <1e08badd-a963-7e4b-98a7-52a9d3bd77a8@bluestop.org> <db7c8df3-ead3-9d56-bd9c-9ff732b401e9@denninger.net> <cc6c9260-451b-ae5b-0612-51b1a5525116@bluestop.org> <87dee58e-66dc-ddf8-980b-a538875ae8b9@denninger.net> <20190623012022.5270E1DDDFE@denninger.net> <cb2ef34c-836b-5a2d-9b9f-ff1b40cede59@denninger.net> <20190623073801.8A4EC1DE777@denninger.net>

This is a cryptographically signed message in MIME format.

On 6/23/2019 02:36, Thomas Mueller wrote:
> from Karl Denninger and my previous post:
>
>>> This is scary (Bitlocker), sent me to Wikipedia to look up Bitlocker.
>>>
>>> Can you turn Bitlocker off after turning it on and get your system back?
>> You SHOULD (better have!) kept the recovery key.  If you have it, you
>> can boot with it.  Then turn it off and back on, and it will generate a
>> new key.
>>> Now I am even more scared to ever get a computer with MS-Windows!
Bitlocker is optional and in fact defaults off.
>>> One thing on my mind is if I need a new motherboard, would it have the undesired Secure Boot?  I guess I'd have to ask the seller and look on the motherboard manufacturer's website (MSI, ASRock, Asus, Gigabyte, or other).
>>> I have no Secure Boot now.
>> Probably.  But you can shut THAT off (and should) provided you wish to
>> dual boot.  The exception is ARM-based systems, many of which are
>> secure-boot ONLY.  For Intel machines I've never run into one that can't
>> have it turned off (and I'd return it immediately if I found one.)
>>> I am trying to set up UEFI to boot my FreeBSD and NetBSD installations, and later, Linux.
>>>
>> Tom
>>
>> Easy.  Refind should do that and allow selection from a menu.
> Can one recover after losing the recovery key?  I think I would want to avoid Bitlocker from the outset (malware!).

No.  You can't recover in FreeBSD if you lose the Geli key either.
That's the entire point of disk encryption; no key, no data.  End of
discussion.  Bitlocker has TWO keys (one normal one, which can either be
TPM-only if you have one in the machine or TPM + PIN, or, if there is no
TPM, a password) and a recovery key which is a very long set of octal
digit groups.  It will insist you save that recovery key somewhere NOT
on the encrypted volume (e.g. to a USB key, to a network drive, printed,
etc) during setup.  It also (stupidly, in my opinion) allows you to save
it to your "Microsoft account" which is IMHO exactly identical to giving
it to Microsoft, the NSA, and probably China's Communist Party too.  I
recommended against that option, obviously.

Geli has two key slots too, and you can set both, and allows a
"randomization source" (e.g. key file), that plus a password, or just a
password.  But if, in any encrypted disk environment, you lose the keys
for any reason you're screwed -- I hope you have backups! :)  Geli by
default only sets one key; the other has to be set manually.

Oh, Geli also has a "duress" command (I don't know of one for Bitlocker)
that instantly destroys the key blocks on the disk.  If you use that
then it's bye-bye even WITH the key unless you have backed them up to
some sort of other media (it does save the key blocks off during
initialization so you *can* back them up.)

It would be rather pointless to call a disk "encrypted" if, absent the
authentication means, you could manage to get into it.

> I was thinking about AMD Ryzen if I need to replace motherboard.  I would need a new CPU with any new motherboard, Intel or AMD-compatible, would also need new RAM (DDR4, I now have DDR3), and probably a new case.
>
> But I would keep and transfer any hard drives that are still good.
>
> Can rEFInd find and boot FreeBSD, NetBSD, Haiku, etc?
Yes.
> I don't see any refind, however partially capitalized, in FreeBSD base system or ports, or NetBSD base system or pkgsrc.  I find efibootmgr now in FreeBSD, but not NetBSD, base system.
It's not a port or package; the software is not in any way
FreeBSD-specific.
> I would want to label boot options with the partition label (like WD2G18, WD2G19, WD2G20, WD2G21, and others) so I can see on the boot menu.
Refind automatically figures it out -- it "knows" what FreeBSD and
Windows are, for example.
> I also notice it is difficult to choose the root partition when booting UEFI.  I could create a zero-byte or very small file in root directory with the partition label name, like /WD2G18 on partition WD2G18 just to show up with ls.
>
> Tom

That's a function of the actual EFI loader in question for the specific
OS and is beyond the scope of UEFI itself.

In point of fact UEFI BIOS implementations are *supposed* to implement a
reasonable "boot manager" option to select from whatever various UEFI
loaders are installed on the machine.  In actual practice most of them
I've run into on various motherboards bite big ones and either their
alleged "manager" is worthless or nearly so; thus tools like Refind.

--
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
