uefi, geli, zfs, bectl - UEFI encrypted boot with boot environments

I have some questions for setting up a system using UEFI, encrypted zfs, and bectl:
  • Is there a way to make loader.efi directly decrypt a geli partition and find the zpool in it?
  • Is there a way to make loader.efi look for /boot in a child zfs of the boot pool? (e.g., in <bootpool>/<path>/boot, where boot is itself a zfs dataset)?
  • When using bectl(8), is there a way to switch multiple zfs datasets simultaneously?
  • It seems that when only /boot is unencrypted on its own zpool, the loader variable vfs.root.mountfrom must be set to point to the encrypted pool holding the root filesystem. This seems to contradict the requirements of bectl(8). How could this be solved?
Details below.

My goal is to set up the following system:
  • FreeBSD 14
  • UEFI GPT boot using /boot/loader.efi in an efi partition
  • Most (the goal would be all) of the zpools should be encrypted using geli
  • It should be possible to use boot environments with bectl(8)
  • Roll back /usr/local (together with /var/db/pkg, later maybe also /boot/modules) independently of the rest of the system
All my systems are set up using a scheme of <pool name>/<backup set number>/<filesystem path>. The root zfs and the <backup set number> have canmount=off, and the <backup set number> additionally has mountpoint=/. Additional zfs filesystems underneath also have canmount=off, with the exception of the leaves. For example, this gives (both pools mounted with -R /mnt):
Code:
[0]# zfs list -o name,used,canmount,mountpoint
NAME                   USED  CANMOUNT  MOUNTPOINT
v922.1                6.97G  off       /mnt/zmnt/v922.1
v922.1/10              853M  off       /mnt/zmnt/v922.1/10
v922.1/10/default      853M  noauto    /mnt
v922.1/11             1.16M  off       /mnt
v922.1/11/usr          192K  off       /mnt/usr
v922.1/11/usr/tmp       96K  on        /mnt/usr/tmp
v922.1/11/var          900K  off       /mnt/var
v922.1/11/var/audit     96K  on        /mnt/var/audit
v922.1/11/var/crash     96K  on        /mnt/var/crash
v922.1/11/var/log      396K  on        /mnt/var/log
v922.1/11/var/mail     120K  on        /mnt/var/mail
v922.1/11/var/tmp       96K  on        /mnt/var/tmp
v922.1/12             6.13G  off       /mnt
v922.1/12/usr         6.10G  off       /mnt/usr
v922.1/12/usr/local   6.10G  on        /mnt/usr/local
v922.1/12/var         32.6M  off       /mnt/var
v922.1/12/var/db      32.5M  off       /mnt/var/db
v922.1/12/var/db/pkg  32.4M  on        /mnt/var/db/pkg
v922.2                 389M  on        /mnt/zmnt/v922.2
v922.2/10              194M  off       /mnt
v922.2/10/boot.XXX     194M  on        /mnt/boot.XXX
[0]# df | grep /mnt | sort -k6,6
v922.1/10/default      6262848   873800  5389048    14%    /mnt
v922.2/10/boot.XXX     1635672   198636  1437036    12%    /mnt/boot.XXX
v922.1/12/usr/local   11787532  6398484  5389048    54%    /mnt/usr/local
v922.1/11/usr/tmp      5389144       96  5389048     0%    /mnt/usr/tmp
v922.1/11/var/audit    5389144       96  5389048     0%    /mnt/var/audit
v922.1/11/var/crash    5389144       96  5389048     0%    /mnt/var/crash
v922.1/12/var/db/pkg   5422220    33172  5389048     1%    /mnt/var/db/pkg
v922.1/11/var/log      5389444      396  5389048     0%    /mnt/var/log
v922.1/11/var/mail     5389168      120  5389048     0%    /mnt/var/mail
v922.1/11/var/tmp      5389144       96  5389048     0%    /mnt/var/tmp
v922.2                 1635664   198628  1437036    12%    /mnt/zmnt/v922.2
/dev/gpt/v922.EFI      1032428     4820  1027608     0%    /mnt/zmnt/v922.2/boot/efi
[0]# ll /mnt/boot
lrwxr-xr-x  1 root wheel 16 Apr 20 16:53 /mnt/boot -> zmnt/v922.2/boot
[0]# gpart backup da1
GPT 128
1           efi       64  2097152 v922.EFI
2   freebsd-zfs  2097216  4194304 v922.2
3   freebsd-zfs  6291520 27262848 v922.1
[0]#

What I found out so far, plus questions:
  • At least /boot must be unencrypted because loader.efi does not seem to be capable of doing the geli decryption itself (like loader.lua). Or can it be done?
  • Therefore, it is necessary to create a GPT scheme with one efi and two freebsd-zfs partitions.
  • /boot/loader.efi gets copied to /EFI/BOOT/BOOTX64.EFI on the efi partition.
  • v922.1 is encrypted in the usual manner, with a key in /boot/keys and an additional passphrase. loader.conf is set up accordingly.
  • v922.2 is unencrypted and holds /boot. It is not possible to create a child zfs on it because loader.efi only looks in the root zfs (this is the reason for the boot.XXX above - its contents have been copied into v922.2 directly). Is there a possibility to have loader.efi find v922.2/10/boot?
  • For bectl(8) to work I need to introduce an additional level, in this case "default".
  • bectl(8) only manipulates the zfs filesystem designated as bootfs. For the setup above, can it be configured to also manipulate v922.1/12 and v922.2/10 (if I extend them to also have the additional "default" level)?
  • The setup above currently cannot find v922.1 even though loader.lua asks for the passphrase. I can most likely solve this myself.

-- Martin
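As an added example that is not part of Martin's post: a small Python check over the `zfs list -o name,used,canmount,mountpoint` output above. The listing is embedded verbatim as a constructed sample, and the altroot is assumed to be /mnt as in the post. It verifies the invariants the <pool>/<set>/<path> scheme depends on (intermediate datasets are canmount=off, exactly one canmount=noauto root sits at the altroot, no two mountable datasets share a mountpoint) and prints the order in which the mountable datasets stack, so the layout can be re-checked after every zfs create / zfs set instead of being eyeballed.

```python
"""Check a <pool>/<set>/<path> ZFS layout from `zfs list` output.

Added example, not part of the original forum post.  Parses
`zfs list -o name,used,canmount,mountpoint` and checks the invariants the
layout scheme relies on.  Assumes the pools were imported with -R <altroot>.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the listing from the post (both pools imported with -R /mnt).
SAMPLE = """\
NAME                   USED  CANMOUNT  MOUNTPOINT
v922.1                6.97G  off       /mnt/zmnt/v922.1
v922.1/10              853M  off       /mnt/zmnt/v922.1/10
v922.1/10/default      853M  noauto    /mnt
v922.1/11             1.16M  off       /mnt
v922.1/11/usr          192K  off       /mnt/usr
v922.1/11/usr/tmp       96K  on        /mnt/usr/tmp
v922.1/11/var          900K  off       /mnt/var
v922.1/11/var/audit     96K  on        /mnt/var/audit
v922.1/11/var/crash     96K  on        /mnt/var/crash
v922.1/11/var/log      396K  on        /mnt/var/log
v922.1/11/var/mail     120K  on        /mnt/var/mail
v922.1/11/var/tmp       96K  on        /mnt/var/tmp
v922.1/12             6.13G  off       /mnt
v922.1/12/usr         6.10G  off       /mnt/usr
v922.1/12/usr/local   6.10G  on        /mnt/usr/local
v922.1/12/var         32.6M  off       /mnt/var
v922.1/12/var/db      32.5M  off       /mnt/var/db
v922.1/12/var/db/pkg  32.4M  on        /mnt/var/db/pkg
v922.2                 389M  on        /mnt/zmnt/v922.2
v922.2/10              194M  off       /mnt
v922.2/10/boot.XXX     194M  on        /mnt/boot.XXX
"""


@dataclass(frozen=True)
class Dataset:
    name: str
    used: str
    canmount: str   # on | off | noauto
    mountpoint: str


def parse_zfs_list(text: str) -> list[Dataset]:
    """Parse `zfs list -o name,used,canmount,mountpoint` output, header line included."""
    datasets = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"unexpected zfs list line: {line!r}")
        datasets.append(Dataset(*fields))
    return datasets


def mountable(ds: Dataset) -> bool:
    # on mounts automatically, noauto mounts on request (the BE root);
    # off never mounts, its mountpoint exists only so children can inherit it.
    return ds.canmount in ("on", "noauto")


def boot_roots(datasets: list[Dataset], altroot: str = "/") -> list[Dataset]:
    """Datasets shaped like a boot environment root: canmount=noauto mounted at the altroot."""
    return [d for d in datasets if d.canmount == "noauto" and d.mountpoint == altroot]


def check_layout(datasets: list[Dataset], altroot: str = "/") -> list[str]:
    """Return human-readable problems; an empty list means the layout is clean."""
    problems = []
    names = [d.name for d in datasets]
    # 1. A dataset with children is an intermediate level and must be canmount=off.
    for d in datasets:
        if any(n.startswith(d.name + "/") for n in names) and d.canmount != "off":
            problems.append(f"{d.name}: has children but canmount={d.canmount} (expected off)")
    # 2. Exactly one boot environment root at the altroot.
    roots = boot_roots(datasets, altroot)
    if len(roots) != 1:
        problems.append(f"expected exactly 1 noauto root at {altroot}, found {len(roots)}")
    # 3. No two mountable datasets may claim the same mountpoint.
    owner: dict[str, str] = {}
    for d in datasets:
        if not mountable(d):
            continue
        if d.mountpoint in owner:
            problems.append(f"{d.name}: mountpoint {d.mountpoint} already used by {owner[d.mountpoint]}")
        else:
            owner[d.mountpoint] = d.name
    return problems


def mount_order(datasets: list[Dataset]) -> list[tuple[str, str]]:
    """(mountpoint, dataset) pairs ordered parents-before-children, as the mounts must stack."""
    pairs = [(d.mountpoint, d.name) for d in datasets if mountable(d)]
    return sorted(pairs, key=lambda p: (len(p[0].rstrip("/").split("/")), p[0]))


if __name__ == "__main__":
    ds = parse_zfs_list(SAMPLE)
    for mp, name in mount_order(ds):
        print(f"{name:24s} -> {mp}")
    for p in check_layout(ds, altroot="/mnt"):
        print("PROBLEM:", p)
```

Run against the post's listing, the check finds the single noauto root v922.1/10/default at /mnt (the extra "default" level introduced for bectl) and reports one deviation from the scheme: v922.2 has children but is canmount=on, because the boot pool's root dataset is mounted directly, which is exactly the boot.XXX workaround the post describes. On a live system, replace SAMPLE with the real `zfs list` output and the altroot with "/".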