I have some questions for setting up a system using UEFI, encrypted zfs, and bectl:
- Is there a way to make loader.efi directly decrypt a geli partition and find the zpool in it?
- Is there a way to make loader.efi look for /boot in a child zfs of the boot pool (e.g., in <bootpool>/<path>/boot, where boot is itself a zfs dataset)?
- When using bectl(8), is there a way to switch multiple zfs datasets simultaneously?
- It seems that when having only /boot unencrypted on its own zpool, the loader variable vfs.root.mountfrom must be set to point to the encrypted pool holding the root filesystem. This seems to contradict the requirements of bectl(8). How could this be solved?
My goal is to set up the following system:
- FreeBSD 14
- UEFI GPT boot using /boot/loader.efi in an efi partition
- Most (the goal would be all) of the zpools should be encrypted using geli
- It should be possible to use boot environments with bectl(8)
- Roll back /usr/local (together with /var/db/pkg, later maybe also /boot/modules) independently of the rest of the system
canmount=off, and the <backup set number> additionally has mountpoint=/. Additional zfs filesystems underneath also have canmount=off, with the exception of the leaves. For example, this gives (both pools mounted with -R /mnt)
Code:
[0]# zfs list -o name,used,canmount,mountpoint
NAME USED CANMOUNT MOUNTPOINT
v922.1 6.97G off /mnt/zmnt/v922.1
v922.1/10 853M off /mnt/zmnt/v922.1/10
v922.1/10/default 853M noauto /mnt
v922.1/11 1.16M off /mnt
v922.1/11/usr 192K off /mnt/usr
v922.1/11/usr/tmp 96K on /mnt/usr/tmp
v922.1/11/var 900K off /mnt/var
v922.1/11/var/audit 96K on /mnt/var/audit
v922.1/11/var/crash 96K on /mnt/var/crash
v922.1/11/var/log 396K on /mnt/var/log
v922.1/11/var/mail 120K on /mnt/var/mail
v922.1/11/var/tmp 96K on /mnt/var/tmp
v922.1/12 6.13G off /mnt
v922.1/12/usr 6.10G off /mnt/usr
v922.1/12/usr/local 6.10G on /mnt/usr/local
v922.1/12/var 32.6M off /mnt/var
v922.1/12/var/db 32.5M off /mnt/var/db
v922.1/12/var/db/pkg 32.4M on /mnt/var/db/pkg
v922.2 389M on /mnt/zmnt/v922.2
v922.2/10 194M off /mnt
v922.2/10/boot.XXX 194M on /mnt/boot.XXX
[0]# df | grep /mnt | sort -k6,6
v922.1/10/default 6262848 873800 5389048 14% /mnt
v922.2/10/boot.XXX 1635672 198636 1437036 12% /mnt/boot.XXX
v922.1/12/usr/local 11787532 6398484 5389048 54% /mnt/usr/local
v922.1/11/usr/tmp 5389144 96 5389048 0% /mnt/usr/tmp
v922.1/11/var/audit 5389144 96 5389048 0% /mnt/var/audit
v922.1/11/var/crash 5389144 96 5389048 0% /mnt/var/crash
v922.1/12/var/db/pkg 5422220 33172 5389048 1% /mnt/var/db/pkg
v922.1/11/var/log 5389444 396 5389048 0% /mnt/var/log
v922.1/11/var/mail 5389168 120 5389048 0% /mnt/var/mail
v922.1/11/var/tmp 5389144 96 5389048 0% /mnt/var/tmp
v922.2 1635664 198628 1437036 12% /mnt/zmnt/v922.2
/dev/gpt/v922.EFI 1032428 4820 1027608 0% /mnt/zmnt/v922.2/boot/efi
[0]# ll /mnt/boot
lrwxr-xr-x 1 root wheel 16 Apr 20 16:53 /mnt/boot -> zmnt/v922.2/boot
[0]# gpart backup da1
GPT 128
1 efi 64 2097152 v922.EFI
2 freebsd-zfs 2097216 4194304 v922.2
3 freebsd-zfs 6291520 27262848 v922.1
[0]#
What I found out so far, plus questions:
- At least /boot must be unencrypted because loader.efi does not seem to be capable of doing the geli decryption itself (like loader.lua). Or can it be done?
- Therefore, it is necessary to create a GPT scheme with one efi and two freebsd-zfs partitions.
- /boot/loader.efi gets copied to /EFI/BOOT/BOOTX64.EFI on the efi partition.
- v922.1 is encrypted in the usual manner, with a key in /boot/keys and an additional passphrase. loader.conf is set up accordingly.
- v922.2 is unencrypted and holds /boot. It is not possible to create a child zfs on it because loader.efi only looks in the root zfs (this is the reason for the boot.XXX above - its contents have been copied into v922.2 directly). Is there a possibility to have loader.efi find v922.2/10/boot?
- For bectl(8) to work I need to introduce an additional level, in this case "default". bectl(8) only manipulates the zfs filesystem designated as bootfs. For the setup above, can it be configured to also manipulate v922.1/12 and v922.2/10 (if I extend them to also have the additional "default" level)?
- The setup above currently cannot find v922.1 even though loader.lua asks for the passphrase. I can most likely solve this myself.
-- Martin
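As an added example (not part of Martin's post or of FreeBSD), a small sh/awk check for the canmount=off layout shown above: it parses the four columns of `zfs list -o name,used,canmount,mountpoint` and reports any mountpoint claimed by more than one dataset that would actually mount (canmount=on or noauto), which is what happens when two backup-set levels both leave the same leaf mountable and one silently shadows the other. The function names are my own, and the sample input is constructed from the listing in the post plus one deliberately faulty extra line.

```shell
#!/bin/sh
# Added example, not from the post. Input format: the columns of
#   zfs list -H -o name,used,canmount,mountpoint
# (whitespace-separated; a header row has canmount "CANMOUNT" and is ignored).

# Constructed sample, copied from the post's listing: canmount=off datasets are
# only inheritance anchors, the leaves are "on", and the root BE is "noauto".
SAMPLE='v922.1 6.97G off /mnt/zmnt/v922.1
v922.1/10 853M off /mnt/zmnt/v922.1/10
v922.1/10/default 853M noauto /mnt
v922.1/11 1.16M off /mnt
v922.1/11/usr 192K off /mnt/usr
v922.1/11/usr/tmp 96K on /mnt/usr/tmp
v922.1/12 6.13G off /mnt
v922.1/12/usr 6.10G off /mnt/usr
v922.1/12/usr/local 6.10G on /mnt/usr/local
v922.2/10/boot.XXX 194M on /mnt/boot.XXX'

# Constructed faulty variant: backup sets 11 and 12 both leave usr/local
# mountable, so whichever is mounted last shadows the other.
CONFLICT="$SAMPLE
v922.1/11/usr/local 1.2G on /mnt/usr/local"

# Print "mountpoint name" for every dataset that can actually be mounted
# (canmount=on or noauto); canmount=off rows and the header are dropped.
mountable_datasets() {
    awk '$3 == "on" || $3 == "noauto" { print $4, $1 }'
}

# Print "mountpoint: name name..." for every mountpoint claimed more than
# once, sorted by mountpoint. Empty output means no shadowed mounts.
mountpoint_conflicts() {
    mountable_datasets | awk '
        { seen[$1] = seen[$1] " " $2; n[$1]++ }
        END { for (m in n) if (n[m] > 1) print m ":" seen[m] }' | sort
}

# Number of conflicting mountpoints in a listing passed as a string.
conflict_count() {
    printf '%s\n' "$1" | mountpoint_conflicts | wc -l | tr -d ' '
}

printf 'post layout: %s conflict(s)\n' "$(conflict_count "$SAMPLE")"
printf 'faulty layout: %s conflict(s)\n' "$(conflict_count "$CONFLICT")"
printf '%s\n' "$CONFLICT" | mountpoint_conflicts
```

On a live system, `zfs list -H -o name,used,canmount,mountpoint | mountpoint_conflicts` runs the same check before switching backup-set levels.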