Diskless NFS over TLS

From: Peter Jeremy <peterj_at_freebsd.org>
Date: Sat, 24 Jun 2023 09:23:47 UTC

I have a number of aarch64 SBCs that run "diskless": U-Boot loads
boot.scr.uimg, loader.efi and the DTB via TFTP, EFI loads the loader
config and kernel via NFS and passes the NFS root details to the kernel.

I am contemplating whether it's possible to use secure NFS for at least
the root mount[*].  The problem is that NFS-over-TLS relies on
rpc.tlsclntd to perform the STARTTLS and that needs a functional
userland to run it.

Does anyone have any idea how to proceed?  Maybe something like mfsroot
with the real root then overlaid over it (though I haven't thought this
through).  (And I realise that protecting the keys is problematic).

[*] It would be nice to secure TFTP and the kernel load but that's less
    feasible.
-- 
Peter Jeremy