Date: Sat, 24 Jun 2023 19:23:47 +1000
From: Peter Jeremy
To: freebsd-fs@freebsd.org
Subject: Diskless NFS over TLS
List-Archive: https://lists.freebsd.org/archives/freebsd-fs

I have a number of aarch64 SBCs that run "diskless": U-Boot loads boot.scr.uimg, loader.efi and the DTB via TFTP, EFI loads the loader config and kernel via NFS and passes the NFS root details to the kernel.

I am contemplating whether it's possible to use secure NFS for at least the root mount[*].
The problem is that NFS-over-TLS relies on rpc.tlsclntd to perform the STARTTLS and that needs a functional userland to run it.

Does anyone have any idea how to proceed? Maybe something like mfsroot with the real root then overlaid over it (though I haven't thought this through). (And I realise that protecting the keys is problematic).

[*] It would be nice to secure TFTP and the kernel load but that's less feasible.

-- 
Peter Jeremy