From nobody Sat Jun 24 13:15:24 2023 X-Original-To: freebsd-fs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QpF3D0ksBz4hQl4 for ; Sat, 24 Jun 2023 13:15:36 +0000 (UTC) (envelope-from rick.macklem@gmail.com) Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1D4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4QpF3C6DKKz3qs2; Sat, 24 Jun 2023 13:15:35 +0000 (UTC) (envelope-from rick.macklem@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-ot1-x32a.google.com with SMTP id 46e09a7af769-6b2c3ec38f0so1134760a34.1; Sat, 24 Jun 2023 06:15:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687612534; x=1690204534; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=WxpVDXwCONP1VcwVyktmnZT3p7v2/ulBE9znRvyUs3c=; b=ffkGQJdstANTkOLfGg85EcPpKUFL70l7MwD9f6Z6DwDTaBTXL2tCKpuq6CTGm6Y2zo bYsYWsCnzLJ7HRyNGQe1HTM7RI/K0nuN4SgTMivFju1z0/qHvLEJCbq/HIGrxLVyYZT6 f4by8p6FLAhqtg7CHSArdFeG8yStCaauLNY8os6eL3hVOxqdlYEhWz6I6Le0IsNxWU1m 7Z/B3F5/Co61c9E+Q9XQX16/rPXlrNm4Xa7JoHmhpdebTbcW+avdYJRKX59wPmnwG1Sc 1pLZWV6UOgSpDfsDBxMM1HwOTl/3wTFDC44YJDFROLye8r8EKFinKCck4gPIOm1xeUdd zFIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687612534; x=1690204534; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=WxpVDXwCONP1VcwVyktmnZT3p7v2/ulBE9znRvyUs3c=; b=jHPpNy8UNpKiqvYSVwf77bay3rzcbCjViqBxvBBAmdaWCjCf0/m/lAe7oB4SS8IC53 Mhst1fUnwi8b+c18rUB+woQFzs8J5XAl/pnbzz8/AYXmCxeBtJjstxLg6vwou7eN0Bda dHH8dMvG2/c0v3q0KjPKZCJew8YXVIzRCpkjY+oqGZUaTNF1wCIaeAuBMS+qUte9CMte LYGAy6rV+bm7jrUIO8QedmI4jq7wasXz7qZ1M8IVfKK4S0IDVjFD5GWmP3uTNJYT3My7 CHzBS/UuKJ4ydiEcVFspsSH6C6avKizaFodmRFFmFJK2YZZnAojRYe9a+S1yH0yVCy4V GPJw== X-Gm-Message-State: AC+VfDwPCCTgXhV3HHJ/oC1lgX7RWcDDr6inR+CiJzUqj58aeCL/UQL3 HpE3pjz+jZD3kIx2DP8tx46NIfvCkLiJhdBs1XS+A7g= X-Google-Smtp-Source: ACHHUZ70TakM+fzUt9j6+ex4wDJ9r7rIHJQiiRhqoYIlXsZEjV/lSgh+cC/jtBmGwe35+fqdnEQxykJbWiB5XTdMsR0= X-Received: by 2002:a05:6808:1788:b0:3a1:a90d:c796 with SMTP id bg8-20020a056808178800b003a1a90dc796mr3759833oib.46.1687612534063; Sat, 24 Jun 2023 06:15:34 -0700 (PDT) List-Id: Filesystems List-Archive: https://lists.freebsd.org/archives/freebsd-fs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-fs@freebsd.org MIME-Version: 1.0 References: In-Reply-To: From: Rick Macklem Date: Sat, 24 Jun 2023 06:15:24 -0700 Message-ID: Subject: Re: Diskless NFS over TLS To: Peter Jeremy Cc: freebsd-fs@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4QpF3C6DKKz3qs2 X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; TAGGED_FROM(0.00)[] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N On Sat, Jun 24, 2023 at 2:24=E2=80=AFAM Peter Jeremy w= rote: > > I have a number of aarch64 SBCs that run "diskless": U-Boot loads > boot.scr.uimg, loader.efi and the DTB via TFTP, EFI loads the loader > config and kernel via NFS and passes the NFS root details to the kernel. > > I am contemplating whether it's possible to use secure NFS for at least > the root mount[*]. The problem is that NFS-over-TLS relies on > rpc.tlsclntd to perform the STARTTLS and that needs a functional > userland to run it. At this point, I do not think the "tls" option can be added via "mount -u". I had assumed that users would want "on the wire encryption, etc" to be done right away, before any non-encrypted data travels across the wire. I suppose allowing "tls" to be added via "mount -u" could be added to the code. What do others think about this? (It means that the file system mount would be running insecure for a while.= ) Can you put all the data that needs to be secured on a separate volume and mount that from /etc/fstab? (I'm sure you have thought of this, but...) Note that there is overhead in using NFS-over-TLS (mostly CPU overhead, assuming you do not have hardware offload), so you only want to use it when there is data that needs to be secured. rick > > Does anyone have any idea how to proceed? Maybe something like mfsroot > with the real root then overlaid over it (though I haven't thought this > through). (And I realise that protecting the keys is problematic). > > [*] It would be nice to secure TFTP and the kernel load but that's less > feasible. > -- > Peter Jeremy