Date:      Wed, 1 Jun 2016 10:34:08 -0500
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-hackers@freebsd.org
Subject:   Re: EFI GELI support ready for testers
Message-ID:  <85c26cf4-5c28-526c-71f7-8ff463e0d4bd@denninger.net>
In-Reply-To: <609c25ce-7d3e-cdc5-534f-e885e20abd40@freebsd.org>
References:  <519CC1FC-84DF-4710-8E62-AF26D8AED2CF@metricspace.net> <20160528083656.GT38613@kib.kiev.ua> <d6b96a6c-4e92-35a5-e78b-cc674b6d2f25@freebsd.org> <20160528172618.GB38613@kib.kiev.ua> <6A9DADE0-B214-424A-BB14-0B0848F0D08D@metricspace.net> <20160529091827.GD38613@kib.kiev.ua> <46B3F9E2-A25B-4F9D-B35F-11AC782495B1@metricspace.net> <alpine.BSF.2.20.1606011623410.3503@laptop.wojtek.intra> <20160601144738.GA14531@britannica.bec.de> <609c25ce-7d3e-cdc5-534f-e885e20abd40@freebsd.org>

On 6/1/2016 10:14, Allan Jude wrote:
> On 2016-06-01 10:47, Joerg Sonnenberger wrote:
>> On Wed, Jun 01, 2016 at 04:29:16PM +0200, Wojciech Puchar wrote:
>>>> It's undesirable because the whole point of ZFS is to have one ZFS
>>>> volume for the whole system.
>>> This sounds more like a religious dogma than anything else.
>>
>> If "ZFS volume" means "ZFS pool" here, it is also blatant bullshit.
>> There are a lot of reasons for having more than one ZFS pool, the
>> easiest being separating SSDs and HDDs for fast vs cheap storage.
>>
>> Joerg
>
> Again, my only motivation for adding GELI encryption support to
> gptzfsboot was to allow ZFS Boot Environments, one of the biggest
> selling features of ZFS-on-root, to work with GELI encrypted disks.
>
> For boot environments to work, your kernel must reside in the / (root)
> ZFS dataset, so it can be snapshotted and cloned along with the rest
> of the base system.
>
> You can still use multiple pools.
>
> But for this useful feature to work, you need to be able to use a
> single pool, so I made it so. I added support for UFS, because it was
> only ~10 more lines of code.
>
> In my geliboot work, no new crypto code is introduced. It just reuses
> GELI and OpenCrypto.
>
> The entire geliboot codebase is only 450 lines including license and
> comments, mostly of boilerplate, and 100 lines of .h file to bridge
> the gap between the kernel and the boot2/loader environments.
>

I just want to add to this -- using Geli-encrypted volumes is fine as
things sit now, _*but*_ you cannot do so _*and*_ have BEADM (boot
environments) work properly which is a huge problem from a standpoint of
deployment and maintainability for complex installations where kernel
and system updates are made from time to time to either fix bugs or roll
forward new versions.

This becomes a quite-material issue as security problems are found and
fixed.  With BE you clone the running environment, install the patch
onto the cloned copy and reboot.  Further, the previous (unpatched) copy
remains available until you wish to dump it should there prove to be a
problem with the patch or update you deployed.

BE is a big deal in this regard, as it makes reverting such a change a
near-instant operation if it goes sideways on you and sometimes these
sorts of things *do* go sideways.  Without root-on-boot for the booting
pool, however, you have to manually sync things back and forth and the
risk of a mistake is quite high -- and a mistake can cost you data on a
production system.

Reducing the attack surface (somewhat) is a (convenient) side effect;
the real benefit is in maintainability as patches and new versions are
released.

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?85c26cf4-5c28-526c-71f7-8ff463e0d4bd>
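The clone, patch, reboot and keep-the-old-copy workflow Karl describes, as an added example that is not part of the original thread. It assumes the in-base bectl(8) (beadm, which the message names, accepts the same subcommands; set BE_TOOL=beadm) and freebsd-update's -b option for operating on a mounted tree; names such as patch-YYYYMMDD and /mnt/be are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread: patch a cloned boot environment,
# activate it for the next boot, and keep the running BE as the rollback copy.
# BE_TOOL defaults to bectl (assumption); beadm takes the same subcommands.
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

BE_TOOL="${BE_TOOL:-bectl}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or echo it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# be_patch NEWBE MOUNTPOINT: clone the active BE into NEWBE, apply the binary
# update to the clone only, then mark the clone for the next boot.  The BE
# currently running is never modified, so it remains the rollback target.
be_patch() {
    newbe="$1"; mnt="$2"
    run "$BE_TOOL" create "$newbe"                 # snapshot + clone of the active BE
    run "$BE_TOOL" mount "$newbe" "$mnt"           # expose the clone at $mnt
    run freebsd-update -b "$mnt" fetch install     # patch the clone, not /
    run "$BE_TOOL" umount "$newbe"
    run "$BE_TOOL" activate "$newbe"               # next boot uses the patched clone
}

# be_rollback OLDBE: the patched clone went sideways; boot the previous copy
# again.  It is still there until someone chooses to destroy it.
be_rollback() {
    run "$BE_TOOL" activate "$1"
}

# be_plan NEWBE MOUNTPOINT: the exact command sequence be_patch would run,
# printed for review before touching a production box (subshell keeps
# DRY_RUN=1 from leaking into the caller's environment).
be_plan() {
    ( DRY_RUN=1; be_patch "$1" "$2" )
}

# Default invocation: show the plan for today's patch BE.
be_plan "${1:-patch-$(date +%Y%m%d)}" "${2:-/mnt/be}"
```

Run with no arguments to review the plan; run `DRY_RUN=0` with `be_patch` called directly (as root) to apply it, and `be_rollback <previous-be>` if the patched BE misbehaves.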