GELI with UEFI supporting Boot Environments goes to HEAD when?

Discussion:

(too old to reply)

Tommi Pernila

2017-11-15 10:28:37 UTC

Hi All,

Anyone have an idea when the GELI with UEFI supporting Boot
Environments goes to HEAD?

The Phabricator reviews for this seem to done.
Also recently I have seen quite a few commits done by @imp which touch GELI,
Are these related to this feature or something else?

So it could be that this feature is already in HEAD, or are still some
parts pending?

Boot environments with a bootpool do not work. Support for GELI with
UEFI is coming soon. This will allow you to move /boot into the GELI
encrypted pool, and get rid of the bootpool, and properly use boot
environments.
--
Allan Jude

Br,

Tommi

Warner Losh

2017-11-15 14:47:54 UTC

Permalink

Post by Tommi Pernila
Hi All,
Anyone have an idea when the GELI with UEFI supporting Boot
Environments goes to HEAD?
The Phabricator reviews for this seem to done.
Are these related to this feature or something else?
So it could be that this feature is already in HEAD, or are still some
parts pending?

It will be available once we move to loader.efi and ditch boot1.efi, which
is some weeks away.

Warner

Post by Tommi Pernila

Br,
Tommi

Eric McCorkle

2017-11-15 16:06:14 UTC

Permalink

I'll reply in more detail later on, when I'm not on a phone

On Wed, Nov 15, 2017 at 3:28 AM, Tommi Pernila

Post by Tommi Pernila
Hi All,
Anyone have an idea when the GELI with UEFI supporting Boot
Environments goes to HEAD?
The Phabricator reviews for this seem to done.

touch

Post by Tommi Pernila
GELI,
Are these related to this feature or something else?
So it could be that this feature is already in HEAD, or are still

some

Post by Tommi Pernila
parts pending?

It will be available once we move to loader.efi and ditch boot1.efi, which
is some weeks away.
Warner

Post by Tommi Pernila

Br,
Tommi

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Tommi Pernila

2017-11-15 15:35:29 UTC

Permalink

Post by Warner Losh

It will be available once we move to loader.efi and ditch boot1.efi, which
is some weeks away.
Warner

Ok.

Thanks Warner and Eric for all of your work :)

-Tommi

Post by Warner Losh

Post by Tommi Pernila

Br,
Tommi

Eric McCorkle

2017-11-16 02:29:44 UTC

Permalink

Right, so basically, the remaining GELI patches are against loader, and
most of them can go in independently of the work on removing boot1.
There's a unanimous consensus on getting rid of boot1 which includes its
original author, so that's going to happen.

For GELI, we have the following (not necessarily in order):

a) Adding the KMS interfaces, pseudo-device, and kernel keybuf interactions
b) Modifications to the efipart driver
c) boot crypto
d) GELI partition types (not strictly necessary)

Then there's the GELI driver itself. (a) and (c) are good to land, (b)
needs some more work after Toomas Soome pointed out a legitimate
problem, and (d) actually needs a good bit more code (but again, it's
more cosmetic). Additionally, the GELI driver will need further mods to
efipart to be written (nothing too big). But we could go ahead with (a)
and (c), as they've already been proven to work.

I'd wanted to have this stuff shaped up sooner, but I'm preoccupied with
the 7th RISC-V workshop at the end of the month.

Once this stuff is all in, loader should handle any GELI volumes it
finds, and it should Just Work once boot1 is gone.

Tommi Pernila

2018-02-21 03:56:54 UTC

Permalink

Hi Eric,

could you provide a brief update how the work is going?

Br,

Tommi

On Nov 16, 2017 04:29, "Eric McCorkle" <***@metricspace.net> wrote:

Right, so basically, the remaining GELI patches are against loader, and
most of them can go in independently of the work on removing boot1.
There's a unanimous consensus on getting rid of boot1 which includes its
original author, so that's going to happen.

For GELI, we have the following (not necessarily in order):

a) Adding the KMS interfaces, pseudo-device, and kernel keybuf interactions
b) Modifications to the efipart driver
c) boot crypto
d) GELI partition types (not strictly necessary)

Then there's the GELI driver itself. (a) and (c) are good to land, (b)
needs some more work after Toomas Soome pointed out a legitimate
problem, and (d) actually needs a good bit more code (but again, it's
more cosmetic). Additionally, the GELI driver will need further mods to
efipart to be written (nothing too big). But we could go ahead with (a)
and (c), as they've already been proven to work.

I'd wanted to have this stuff shaped up sooner, but I'm preoccupied with
the 7th RISC-V workshop at the end of the month.

Once this stuff is all in, loader should handle any GELI volumes it
finds, and it should Just Work once boot1 is gone.

Eric McCorkle

2018-02-21 23:15:47 UTC

Permalink

The GELI work could be merged at this point, though it won't be usable
without an additional patch to enable loader-only operation. The
patches are currently up for review:

This is the order in which they'd need to be merged:

https://reviews.freebsd.org/D12732

This one changes the efipart device. Toomas Soome identified some
problems, which I have addressed. He has not re-reviewed it, however.

https://reviews.freebsd.org/D12692

This adds some crypto code needed for GELI. It simply adds new code,
and doesn't conflict with anything.

https://reviews.freebsd.org/D12698

This adds the EFI KMS interface code, and has the EFI loader pass keys
into the keybuf interface.

I can't post the main GELI driver until those get merged, as it depends
on them. It can be found on the geli branch on my github freebsd
repository, however.

Additionally, you need this patch, which allows loader.efi to function
when installed directly to the ESP:

https://reviews.freebsd.org/D13497

Post by Tommi Pernila
Hi Eric,
could you provide a brief update how the work is going?
Br,
Tommi
Right, so basically, the remaining GELI patches are against loader, and
most of them can go in independently of the work on removing boot1.
There's a unanimous consensus on getting rid of boot1 which includes its
original author, so that's going to happen.
a) Adding the KMS interfaces, pseudo-device, and kernel keybuf interactions
b) Modifications to the efipart driver
c) boot crypto
d) GELI partition types (not strictly necessary)
Then there's the GELI driver itself. (a) and (c) are good to land, (b)
needs some more work after Toomas Soome pointed out a legitimate
problem, and (d) actually needs a good bit more code (but again, it's
more cosmetic). Additionally, the GELI driver will need further mods to
efipart to be written (nothing too big). But we could go ahead with (a)
and (c), as they've already been proven to work.
I'd wanted to have this stuff shaped up sooner, but I'm preoccupied with
the 7th RISC-V workshop at the end of the month.
Once this stuff is all in, loader should handle any GELI volumes it
finds, and it should Just Work once boot1 is gone.

Eric McCorkle

2018-02-22 00:03:15 UTC

Permalink

FYI, I just IFC'ed everything, and the current patches are still fine.

Also, the full GELI + standalone loader has been deployed on one of my
laptops for some time now.

Post by Eric McCorkle
The GELI work could be merged at this point, though it won't be usable
without an additional patch to enable loader-only operation. The
https://reviews.freebsd.org/D12732
This one changes the efipart device. Toomas Soome identified some
problems, which I have addressed. He has not re-reviewed it, however.
https://reviews.freebsd.org/D12692
This adds some crypto code needed for GELI. It simply adds new code,
and doesn't conflict with anything.
https://reviews.freebsd.org/D12698
This adds the EFI KMS interface code, and has the EFI loader pass keys
into the keybuf interface.
I can't post the main GELI driver until those get merged, as it depends
on them. It can be found on the geli branch on my github freebsd
repository, however.
Additionally, you need this patch, which allows loader.efi to function
https://reviews.freebsd.org/D13497

_______________________________________________
https://lists.freebsd.org/mailman/listinfo/freebsd-current

Tommi Pernila

2018-02-22 06:18:26 UTC

Permalink

Awesome, thanks for the update and the work that you have done!

Now we just need some more reviewers eyes on the code :)

Br,

Tommi

Post by Eric McCorkle
FYI, I just IFC'ed everything, and the current patches are still fine.
Also, the full GELI + standalone loader has been deployed on one of my
laptops for some time now.

Post by Tommi Pernila
Hi Eric,
could you provide a brief update how the work is going?
Br,
Tommi
Right, so basically, the remaining GELI patches are against loader,

and