Re: Diskless NFS over TLS
- Reply: Rick Macklem : "Re: Diskless NFS over TLS"
- In reply to: Peter Jeremy : "Diskless NFS over TLS"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sat, 24 Jun 2023 13:15:24 UTC
On Sat, Jun 24, 2023 at 2:24 AM Peter Jeremy <peterj@freebsd.org> wrote: > > I have a number of aarch64 SBCs that run "diskless": U-Boot loads > boot.scr.uimg, loader.efi and the DTB via TFTP, EFI loads the loader > config and kernel via NFS and passes the NFS root details to the kernel. > > I am contemplating whether it's possible to use secure NFS for at least > the root mount[*]. The problem is that NFS-over-TLS relies on > rpc.tlsclntd to perform the STARTTLS and that needs a functional > userland to run it. At this point, I do not think the "tls" option can be added via "mount -u". I had assumed that users would want "on the wire encryption, etc" to be done right away, before any non-encrypted data travels across the wire. I suppose allowing "tls" to be added via "mount -u" could be added to the code. What do others think about this? (It means that the file system mount would be running insecure for a while.) Can you put all the data that needs to be secured on a separate volume and mount that from /etc/fstab? (I'm sure you have thought of this, but...) Note that there is overhead in using NFS-over-TLS (mostly CPU overhead, assuming you do not have hardware offload), so you only want to use it when there is data that needs to be secured. rick > > Does anyone have any idea how to proceed? Maybe something like mfsroot > with the real root then overlaid over it (though I haven't thought this > through). (And I realise that protecting the keys is problematic). > > [*] It would be nice to secure TFTP and the kernel load but that's less > feasible. > -- > Peter Jeremy