[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Integrating a FreeBSD/GELI change
From: |
Andrei Borzenkov |
Subject: |
Re: Integrating a FreeBSD/GELI change |
Date: |
Sat, 1 Apr 2017 16:57:05 +0300 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 |
01.04.2017 15:57, Eric McCorkle пишет:
> Hello,
>
> I've been working on a series of changes designed to expand FreeBSD's
> full-disk encryption support via GELI (its preferred disk encryption
> mechanism). One of the important parts of this landed in HEAD last night:
>
> https://github.com/freebsd/freebsd/commit/6a205a32527153697eb4df4114ff0cd3c7cd6fd8
>
> This adds a general mechanism for passing keys into the FreeBSD kernel
> at boot. At present, this is used exclusively by the GELI subsystem.
>
> FreeBSD currently supports full-disk encryption for i386 BIOS. I am
> actively working on EFI support and would like to make sure that GRUB
> also supports full-disk encryption as well (as GRUB is our best option
> for a coreboot setup).
>
>
> Basically, to add support for this, I'd need to do two things:
>
> 1) Ensure that GRUB can handle an entirely GELI-encrypted disk hosting a
> FreeBSD system (I suspect it can, but I've never done a GRUB/GELI setup
> before)
>
> 2) An additional metadata item needs to get generated when booting the
> FreeBSD kernel that contains all the GELI keys. (For those who don't
> know, FreeBSD has a kernel metadata mechanism that is used to pass some
> information into the kernel: for example, the EFI console on EFI, some
> BIOS information on i386 BIOS, and so on)
>
>
> I've never submitted a patch to GRUB before, so I'm interested in 1) how
> hard would this be,
I suppose like with any other software project of reasonable size.
> 2) where should I look in the source code, and
GELI is in grub-core/disk/geli.c, generic framework for device
encryption (which GELI plugs in) in grub-core/disk/cryptodisk.c and
FreeBSD loader in grub-core/loader/i386/bsd*.
There was proposed patch that stored secret in environment variable that
was later used by loader (I think; I am not sure whether loader part was
actually implemented). Search this list for subject
Patch to support GELI passphrase passthrough
from Kris Moore (October 2014)
> 3) what is the procedure for submitting patches like this?
>
Just send patches to this list. Better inline using git send-email to
make it easier to comment.
signature.asc
Description: OpenPGP digital signature