boot1-compatible GELI and GPT code?
Allan Jude
allanjude at freebsd.org
Sun Mar 20 18:43:51 UTC 2016
On 2016-03-20 13:13, Eric McCorkle wrote:
> Hello everyone,
>
> I'm working (among other things) on expanding the capabilities of the EFI boot block to be able to load GELI-encrypted partitions, which may contain a GPT partition table, in order to support full-disk encryption.
>
> I'm wondering, is there any code for reading either of these formats that could be used in boot1 hiding out anywhere? It'd be best to avoid rewriting this stuff if possible.
>
> Also, I haven't investigated the capabilities of loader with regard to GELI yet beyond cursory inspection. Most importantly, I need to know if loader can handle GPTs and other partition formats inside a GELI, or just single filesystems.
>
> As an additional note, it'd be best if there was a method for having boot1 pass the key(s) along to loader and ultimately the kernel, so the users don't have to input their keys 3 times. I'm open to suggestions as to how to do this. My initial thought is to create some kind of variable in both loader and kernel, then use the elf data to locate it and directly inject the data prior to booting. The rationale is to avoid mechanisms like arguments that could potentially reveal the keys.
I presented a paper on my work in this area (booting from a GELI
encrypted partition, it does not GELI encrypt the GPT table) at
AsiaBSDCon last weekend, and committed it this week.
Here is the paper: http://allanjude.com/bsd/AsiaBSDCon2016_geliboot.pdf
The commit was: r296963 https://svnweb.freebsd.org/changeset/base/296963
I am interested in applying this work to UEFI as well.
Is there much advantage to encrypting the GPT table as well? Currently my
setup leaves the partition table, and the code up to boot2, unencrypted.
Only encrypting the actual OS partition (/boot/{zfs,}loader,
/boot/kernel, etc). Swap is encrypted separately with a unique
throw-away key per reboot.
--
Allan Jude
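Eric asks above whether any GPT-reading code usable from boot1 exists. What follows is an added example, not code from this thread, from Allan's geliboot commit or from FreeBSD's boot blocks: a small, freestanding-style GPT validator in C that walks the primary table of a 512-byte-sector disk image, checking the signature, header CRC32, LBA sanity and partition-array CRC32 before trusting a single entry, which is the minimum a boot block reading a table from an untrusted disk should do. The disk image is constructed in memory (three partitions: boot, swap, zfs), the FreeBSD type GUIDs are the ones listed in gpart(8) and are assumed here rather than taken from the page, and the names `gpt_walk`, `build_image` and `check_image` are this example's own.

```c
/* Added example: validate and walk a primary GPT on a 512-byte-sector disk image.
 * Not from the thread or FreeBSD's boot code; the sample disk below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECTOR    512
#define GPT_SIG   0x5452415020494645ULL   /* "EFI PART" read as a little-endian u64 */
#define DISK_LBAS 2048u                   /* constructed 1 MiB disk */
/* FreeBSD partition type GUIDs as listed in gpart(8); assumed, verify against your tree */
#define FREEBSD_BOOT "83bd6b9d-7f41-11dc-be0b-001560b84f0f"
#define FREEBSD_SWAP "516e7cb5-6ecf-11d6-8ff8-00022d09712b"
#define FREEBSD_ZFS  "516e7cba-6ecf-11d6-8ff8-00022d09712b"

struct gpt_hdr {                          /* UEFI GPT header, 92 bytes on disk */
    uint64_t sig; uint32_t revision, hdr_size, hdr_crc, reserved;
    uint64_t my_lba, alt_lba, first_usable, last_usable; uint8_t disk_guid[16];
    uint64_t part_lba; uint32_t part_count, part_size, part_crc;
} __attribute__((packed));
struct gpt_ent {                          /* partition entry, 128 bytes on disk */
    uint8_t type[16], uniq[16]; uint64_t start, end, attr; uint16_t name[36];
} __attribute__((packed));
enum { GPT_OK, GPT_SHORT, GPT_BAD_SIG, GPT_BAD_HDR, GPT_BAD_HDR_CRC, GPT_BAD_LBA,
       GPT_BAD_TABLE, GPT_BAD_TABLE_CRC };

static uint32_t crc32_ieee(const void *buf, size_t len) {   /* CRC32 as used by UEFI */
    const uint8_t *p = buf; uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1)));
    }
    return ~c;
}
/* On-disk GUIDs are mixed-endian: first three fields little-endian, the rest big-endian. */
static void guid_from_str(const char *s, uint8_t g[16]) {
    unsigned d1, d2, d3, d4; unsigned long long d5;
    sscanf(s, "%8x-%4x-%4x-%4x-%12llx", &d1, &d2, &d3, &d4, &d5);
    for (int i = 0; i < 4; i++) g[i] = (uint8_t)(d1 >> 8 * i);
    g[4] = (uint8_t)d2; g[5] = (uint8_t)(d2 >> 8); g[6] = (uint8_t)d3; g[7] = (uint8_t)(d3 >> 8);
    g[8] = (uint8_t)(d4 >> 8); g[9] = (uint8_t)d4;
    for (int i = 0; i < 6; i++) g[10 + i] = (uint8_t)(d5 >> 8 * (5 - i));
}
static void guid_to_str(const uint8_t g[16], char out[37]) {
    snprintf(out, 37, "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
             g[3], g[2], g[1], g[0], g[5], g[4], g[7], g[6], g[8], g[9],
             g[10], g[11], g[12], g[13], g[14], g[15]);
}

/* Validate the primary GPT at LBA 1 and hand every sane, in-use entry to cb. */
static int gpt_walk(const uint8_t *img, size_t len, uint64_t disk_lbas,
                    void (*cb)(const struct gpt_ent *, void *), void *arg) {
    struct gpt_hdr h; uint8_t tmp[SECTOR]; static const uint8_t unused[16];
    if (len < 2 * SECTOR || len / SECTOR < disk_lbas) return GPT_SHORT;
    memcpy(&h, img + SECTOR, sizeof h);
    if (h.sig != GPT_SIG) return GPT_BAD_SIG;
    if (h.hdr_size < sizeof h || h.hdr_size > SECTOR) return GPT_BAD_HDR;
    memcpy(tmp, img + SECTOR, h.hdr_size);                  /* header CRC is computed */
    memset(tmp + offsetof(struct gpt_hdr, hdr_crc), 0, 4);  /* with its own field zeroed */
    if (crc32_ieee(tmp, h.hdr_size) != h.hdr_crc) return GPT_BAD_HDR_CRC;
    if (h.my_lba != 1 || h.alt_lba >= disk_lbas || h.first_usable > h.last_usable ||
        h.last_usable >= disk_lbas) return GPT_BAD_LBA;
    /* bound the table before reading it: entry size a power of two >= 128, table before
     * the usable area, and the whole array inside the image (no overflow: part_lba < len/SECTOR) */
    if (h.part_size < sizeof(struct gpt_ent) || (h.part_size & (h.part_size - 1)) ||
        h.part_count == 0 || h.part_count > (1u << 20) / h.part_size ||
        h.part_lba < 2 || h.part_lba >= h.first_usable) return GPT_BAD_TABLE;
    uint64_t off = h.part_lba * SECTOR, tlen = (uint64_t)h.part_count * h.part_size;
    if (off + tlen > len) return GPT_BAD_TABLE;
    if (crc32_ieee(img + off, tlen) != h.part_crc) return GPT_BAD_TABLE_CRC;
    for (uint32_t i = 0; i < h.part_count; i++) {
        struct gpt_ent e; memcpy(&e, img + off + (size_t)i * h.part_size, sizeof e);
        if (!memcmp(e.type, unused, 16)) continue;           /* empty slot */
        if (e.start < h.first_usable || e.end > h.last_usable || e.end < e.start) continue;
        cb(&e, arg);
    }
    return GPT_OK;
}

/* Constructed sample disk: header at LBA 1, 128 entries at LBA 2..33, usable 34..2014. */
static uint8_t *build_image(size_t *len) {
    *len = (size_t)DISK_LBAS * SECTOR;
    uint8_t *img = calloc(1, *len); struct gpt_ent tbl[128]; struct gpt_hdr h;
    const char *types[3] = { FREEBSD_BOOT, FREEBSD_SWAP, FREEBSD_ZFS };
    uint64_t lba[3][2] = { {34, 1057}, {1058, 1313}, {1314, 2014} };
    memset(tbl, 0, sizeof tbl); memset(&h, 0, sizeof h);
    for (int i = 0; i < 3; i++) {
        guid_from_str(types[i], tbl[i].type); tbl[i].uniq[0] = (uint8_t)(i + 1);
        tbl[i].start = lba[i][0]; tbl[i].end = lba[i][1];
    }
    h.sig = GPT_SIG; h.revision = 0x00010000; h.hdr_size = sizeof h; h.my_lba = 1;
    h.alt_lba = DISK_LBAS - 1; h.first_usable = 34; h.last_usable = DISK_LBAS - 34;
    h.disk_guid[0] = 0xAA; h.part_lba = 2; h.part_count = 128; h.part_size = sizeof(struct gpt_ent);
    h.part_crc = crc32_ieee(tbl, sizeof tbl);
    h.hdr_crc = crc32_ieee(&h, sizeof h);                   /* hdr_crc is still zero here */
    memcpy(img + SECTOR, &h, sizeof h); memcpy(img + 2 * SECTOR, tbl, sizeof tbl);
    return img;
}
struct found { int n; char type[8][37]; uint64_t start[8]; };
static void collect(const struct gpt_ent *e, void *arg) {
    struct found *f = arg;
    if (f->n < 8) { guid_to_str(e->type, f->type[f->n]); f->start[f->n] = e->start; f->n++; }
}
/* Build the sample disk, flip one byte at off (if >= 0), walk it and return the result code. */
static int check_image(long off, struct found *f) {
    size_t len; uint8_t *img = build_image(&len);
    if (off >= 0) img[off] ^= 1;
    memset(f, 0, sizeof *f);
    int rc = gpt_walk(img, len, DISK_LBAS, collect, f);
    free(img); return rc;
}
int main(void) {
    struct found f; int rc = check_image(-1, &f);
    printf("rc=%d, %d partitions\n", rc, f.n);
    for (int i = 0; i < f.n; i++) printf("  %s @ LBA %llu\n", f.type[i], (unsigned long long)f.start[i]);
    printf("corrupt header: rc=%d, corrupt table: rc=%d\n",
           check_image(SECTOR + 40, &f), check_image(2 * SECTOR + 32, &f));
    return 0;
}
```

The two corruption cases in `main` flip one bit in the header's `first_usable` field (offset 40 of LBA 1) and one bit in entry 0's `start` field (offset 32 of LBA 2); the first is rejected by the header CRC, the second by the partition-array CRC, so neither bad LBA ever reaches the caller. In a real boot block the backup header at `alt_lba` would be tried when the primary fails, and, for the layout Allan describes, these checks run on the plaintext table before any GELI work starts, since only the OS partition itself is encrypted.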