Hello All, I am working on /usr/src/stand/efi/loader to enable reading a GELI passphrase from TPM2. I am almost there TPM2-wise, however in order to make the automatic boot secure I need to make sure that, whatever is booted next, cannot retrieve the kern.geom.eli.passphrase kernel environment variable UNLESS the kernel, modules and the root filesystem are placed on the GELI device decrypted using that passphrase.

I do not suspect that receiving an answer on the forums is possible, but could you please recommend the appropriate mailing list to reach out to the developers with the best chance of having the required know-how? Thank you in advance.

My question would be: what is the best way to architect this solution? Is there a single point in the bootloader where one can ensure that the kernel, modules and root filesystem are placed on the appropriate GELI device and unset the kern.geom.eli.passphrase otherwise?