Date:      Sun, 27 Jan 2019 12:51:18 -0600
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-stable@freebsd.org
Subject:   Re: Not sure if this is the correct place.... (laptop, dual-boot EFI)
Message-ID:  <751a3212-016f-e5ae-d6b3-fab90ca78a7f@denninger.net>
In-Reply-To: <59c4f20f-0526-0d0a-4a67-f6ad7b00899d@denninger.net>
References:  <7391812a-a2ad-874a-80c9-5a871a29f680@denninger.net> <CAJuc1zOaWhfDLKJUFPT7rFORP%2B4m4B5aTU769LK_aDkBOZWMDA@mail.gmail.com> <CACNAnaFLEOucgRFvuukCoznCn7e4RyYSsdo1cRPGUWk9A6ToNg@mail.gmail.com> <CAO7yDHovVLsd2V8Me-fqOcCx=c1%2BC0Ff%2BsrKnmG17GSLtPp1bw@mail.gmail.com> <7a61c927-796d-ea1f-8dce-37e82fb6d646@denninger.net> <CANCZdfrX5TQTY268RqRr%2BGpVbcWGyjh7c=jsZjAzzZ1edsTuMg@mail.gmail.com> <a961425a-ea40-1dd3-6342-d1b3f22515ce@denninger.net> <59c4f20f-0526-0d0a-4a67-f6ad7b00899d@denninger.net>

Here's a write-up on it -- it was /much/ simpler than I expected and
unlike my X220 didn't require screwing with group policy for Bitlocker
to coexist with a dual-boot environment.

https://market-ticker.org/akcs-www?post=234936

Feel free to grab/reproduce/link to/whatever; hope this helps others.

It runs very nicely on 12-RELEASE -- the only thing I've noted thus far
is the expected lack of 5g WiFi support.

On 1/26/2019 15:04, Karl Denninger wrote:
> Nevermind!
>
> I set the "-g" flag on the provider and.... voila.  Up she comes; the
> loader figured out that it had to prompt for the password and it was
> immediately good.
>
> Now THAT'S easy compared with the convoluted BS I had to do (two
> partitions, fully "by-hand" install, etc) for 11 on my X220.
>
> Off to the races I go; now I have to figure out what I have to set in
> Windows group policy so Bitlocker doesn't throw up every time I boot
> FreeBSD (this took a bit with my X220 since the boot manager tickled
> something that Bitlocker interpreted as "someone tampered with the
> system.")  Maybe this will be a nothingburger too (which would be great
> if true.)
>
> I'm going to write this one up when I've got it all solid and post it on
> my blog; hopefully it will help others.
>
> On 1/26/2019 14:26, Karl Denninger wrote:
>> 1/26/2019 14:10, Warner Losh wrote:
>>> On Sat, Jan 26, 2019 at 1:01 PM Karl Denninger <karl@denninger.net
>>> <mailto:karl@denninger.net>> wrote:
>>>
>>>     Further question....  does boot1.efi (which I assume has to be
>>>     placed on the EFI partition and then something like rEFInd can
>>>     select it) know how to handle a geli-encrypted primary partition
>>>     (e.g. for root/boot so I don't need an unencrypted /boot
>>>     partition), and if so how do I tell it that's the case and to
>>>     prompt for the password?
>>>
>>>
>>> Not really. The whole reason we ditched boot1.efi is because it is
>>> quite limited in what it can do. You must use loader.efi for that.
>>>
>>>
>>>     (If not I know how to set up for geli-encryption using a non-encrypted
>>>     /boot partition, but my understanding is that for 12 the loader was
>>>     taught how to handle geli internally and thus you can now install
>>>     12 -- at least for ZFS -- with encryption on root.  However, that
>>>     wipes the disk if you try to select it in the installer, so that's
>>>     no good -- and besides, on a laptop zfs is overkill.)
>>>
>>>
>>> For MBR stuff, yes. For loader.efi, yes. For boot1.efi, no: it did not
>>> and will not grow that functionality.
>>>
>>> Warner
>>>
>> Ok, next dumb question -- can I put loader.efi in the EFI partition
>> under EFI/FreeBSD as "bootx64.efi" there (from reading mailing list
>> archives that appears to be yes -- just copy it in) and, if yes, how do
>> I "tell" it that when it finds the freebsd-ufs partition on the disk it
>> was started from (which, if I'm reading correctly, it will scan and look
>> for) that it needs to geli attach the partition before it digs into there
>> and finds the rest of what it needs to boot?
>>
>> That SHOULD allow me to use an EFI boot manager to come up on initial
>> boot, select FreeBSD and the loader.efi (named as bootx64.efi in
>> EFI/FreeBSD) code will then boot the system.
>>
>> I've looked at the 12-RELEASE man page(s) and it's not obvious how you
>> tell the loader to look for the partition and then attach it via GELI
>> (prompting for the password of course) before attempting to boot it;
>> obviously a "load" directive (e.g. geom_eli_load ="YES") makes no sense
>> as the thing you'd "load" is on the disk you'd be loading it from and
>> it's encrypted... never mind that loader.conf violates the 8.3 filename
>> rules for a DOS filesystem.
>>
>> Thanks!
>>
--
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
