Solved loader.efi cannot boot native encrypted ZFS root

Hello FreeBSD community,

with the availability of native zfs(8) encryption in the upcoming FreeBSD 13.0-RELEASE I was wondering if we can boot a native encrypted zfs(8) root on uefi(8). I couldn't find the answer on the interwebs. So I grabbed the FreeBSD-13.0-RC2-amd64-disc1.iso, started it with emulators/virtualbox-ose, switched to Live CD, logged in as root and made a simple manual installation:
Code:
# partition disk

gpart create -s gpt ada0
gpart add -t efi -a 1m -s 256m -l efi ada0
gpart add -t freebsd-zfs -a 1m -l zroot ada0

# format partitions

newfs_msdos /dev/gpt/efi
zpool create -m / \
    -o ashift=12 \
    -o autotrim=on \
    -O atime=off \
    -O canmount=noauto \
    -O compression=on \
    -O encryption=on \
    -O keyformat=passphrase \
    -R /mnt \
    zroot /dev/gpt/zroot

# mount filesystems (zroot already mounted at /mnt)

mkdir /tmp/efi
mount -t msdosfs /dev/gpt/efi /tmp/efi

# install base system

tar -xf /usr/freebsd-dist/base.txz -C /mnt
tar -xf /usr/freebsd-dist/kernel.txz -C /mnt
echo 'zfs_load="YES"' >> /mnt/boot/loader.conf

# install bootloader

mkdir -p /tmp/efi/efi/boot
cp -a /mnt/boot/loader.efi /tmp/efi/efi/boot/bootx64.efi

# set bootfs property

zpool set bootfs=zroot zroot

# unmount and reboot

umount /tmp/efi
zpool export zroot
reboot
Unfortunately the loader responds with:
Code:
Setting currdev to zfs:zroot:
zio_read error: 5
zio_read error: 5
ZFS: i/o error - all block copies unavailable
Failed to find bootable partition
Now back to geli(8)? No problem with that. Will booting a native encrypted zfs(8) root be supported in the future?
 
This article gives a good advice about encrypted pools. It's related to ZoL, but that's what FreeBSD is using now, isn't it.
But for UEFI I also use vfs.root.mountfrom="zfs:mypool/root" in my /boot/loader.conf. Without it my EFI loader pretended not to see my zfs root... though my pool has encryption "enabled", not "on".
 
Thanks for your suggestion and the linked article. Unfortunately vfs.root.mountfrom="zfs:zroot" didn't help. I assume that loader.efi just doesn't know what to do with a zfs(8) encrypted root. As far as I know, it contains a standalone copy of the zfs(8) code just enough to get an (unencrypted) dataset to boot.
 
Booting from encrypted zfs datasets is not supported, indeed. I personally don't really see the usecase (encrypting zfs datasets makes much more sense for e.g. home directories, IMHO), but that doesn't mean it won't be added eventually.
 
Thanks for your suggestion and the linked article. Unfortunately vfs.root.mountfrom="zfs:zroot" didn't help. I assume that loader.efi just doesn't know what to do with a zfs(8) encrypted root. As far as I know, it contains a standalone copy of the zfs(8) code just enough to get an (unencrypted) dataset to boot.
Well in that case maybe try this.
Create a small UFS partition and place /boot/kernel/{kernel zfs.ko opensolaris.ko linux.ko & other modules you use } along with /boot/{ loader zfsloader & other loader stuff } in there. Among them /boot/loader.conf with that line about vfs.root.mountfrom.
Because whatever you need to mount root from encrypted zpool (kernel + zfs modules) will all be there in that unencrypted UFS partition.

...Finally, use freebsd-boot partition and legacy loader to boot stuff from your UFS partition. Which will proceed to mount root from your encrypted zpool. Good old method.
EDIT: (1) for that matter, even EFI loader can be used to boot stuff from that UFS partition pretty much the same way, I guess. (2) opensolaris.ko doesn't seem to be needed any more. At least, my kldstat doesn't show it loaded , only zfs.ko .
 
I might be saying something stupid but grub also knows:
set kFreeBSD.vfs.root.mountfrom=
I actually use grub. But since nobody else seems to be using it... Besides, grub cannot see (and boot) files from a zpool with encryption "enabled". So I had to use a separate partition for it.

I must also add that the only module one will need to load to proceed with the pool is just zfs.ko. No opensolaris.ko nor any other dependencies.
 
Thanks again free-and-bsd. I haven't tried it, but I'm sure something like this might work. But this solution seems more complicated than to just use geli(8) for an encrypted root.
"More complicated" depending on which is more important to you.
And YES, it definitely IS more complicated than just using bsdinstall start to end. Most certainly and beyond questioning. And so are many other solutions to non-standard situations described on this forum :) :) :).
 
Back
Top