ZFS and GPT boot - size issue bootblock v.s. default of sysinstall
Dirk-Willem van Gulik
dirkx at webweaving.org
Fri Dec 30 18:36:40 UTC 2016
> On 30 Dec 2016, at 19:25, Allan Jude <allanjude at freebsd.org> wrote:
>>
>>> The other option is to rebuild gptzfsboot without GELI support, and then
>>> it will be under 64 KB.
>>
>> Unfortunately - we rather rely on GELI and PKCS#11.
>
> This would only apply to gptzfsboot, the new feature I introduced in
> 11.0 that allows you to have even the /boot directory encrypted (rather
> than having an unencrypted ufs partition, or a 2nd zpool that is not
> encrypted).
>
> If you are upgrading from 10.x or earlier, you can use gptzfsboot
> without GELI, since it didn't exist before.
Ah - good to know. Thanks for that!
We’re not quite there yet - as we need a modicum of PKCS#11 to negotiate with the TPM (or, on low-end archive machines, a USB smartcard/token) - i.e. a tad beyond geli_passphrase().
Dw.