Boot Process with GELI+ZFSonRoot on UEFI

Hi,

I want to learn how exactly the boot process of FreeBSD 13.1 with GELI + ZFS on root on UEFI works. I read about loader(), UEFI(), geli() and still I cannot understand it.
I also have some more specific questions:
  1. I have two partitions, EFI and ZFS. The whole root filesystem is in the ZFS partition, which is encrypted by GELI. AFAIK, loader.conf and the kernel modules are in the /boot directory and it's encrypted. How does the loader find out which keys the ZFS needs to be decrypted with?
  2. In the handbook the booting process consists of three stages. I think by using UEFI we are merging the first and second stages into a single one. The loader is the final stage of the three-stage bootstrap process. It is located on the file system, usually as /boot/loader. But our /boot directory is in the ZFS partition, which is encrypted by GELI. How does it load?
Thank you
 
At first the bootloader will try to find out what it needs to open (3 options: ZFS, UFS or GELI), so it will unlock GELI and then find out what the filesystem is. If there's no GELI, it'll skip this step and search for /boot inside the ZFS or UFS. Which root should be read is in the EFI entry (the efibootmgr command can show you that).

> How does the loader find out which keys the ZFS needs to be decrypted with?
It asks you for a password at boot, doesn't it?
 
> At first the bootloader will try to find out what it needs to open (3 options: ZFS, UFS or GELI), so it will unlock GELI and then find out what the filesystem is. If there's no GELI, it'll skip this step and search for /boot inside the ZFS or UFS. Which root should be read is in the EFI entry (the efibootmgr command can show you that).
>
> It asks you for a password at boot, doesn't it?
Are we talking about the loader program?
The manual of geli() says that the GEOM_ELI module will be loaded by the loader program.
Also the manual of loader says that loader() itself is located at /boot/loader, which is encrypted by GELI and also located in ZFS.
How can our loader start without knowing about GELI or ZFS?
 
> Hi,
>
> I want to learn how exactly the boot process of FreeBSD 13.1 with GELI + ZFS on root on UEFI works. I read about loader(), UEFI(), geli() and still I cannot understand it.
> I also have some more specific questions:
>   1. I have two partitions, EFI and ZFS. The whole root filesystem is in the ZFS partition, which is encrypted by GELI. AFAIK, loader.conf and the kernel modules are in the /boot directory and it's encrypted. How does the loader find out which keys the ZFS needs to be decrypted with?
>   2. In the handbook the booting process consists of three stages. I think by using UEFI we are merging the first and second stages into a single one. The loader is the final stage of the three-stage bootstrap process. It is located on the file system, usually as /boot/loader. But our /boot directory is in the ZFS partition, which is encrypted by GELI. How does it load?
> Thank you

This can help: https://klarasystems.com/articles/the-freebsd-boot-process/
 
> Are we talking about the loader program?
> The manual of geli() says that the GEOM_ELI module will be loaded by the loader program.
> Also the manual of loader says that loader() itself is located at /boot/loader, which is encrypted by GELI and also located in ZFS.
> How can our loader start without knowing about GELI or ZFS?
You have loader.efi in your ESP partition that does that; loader.efi will try to open your encrypted partition and then read the contents of /boot.
Grub can do the same thing without even touching /boot/grub in the Linux world.
 
> You have loader.efi in your ESP partition that does that; loader.efi will try to open your encrypted partition and then read the contents of /boot.
> Grub can do the same thing without even touching /boot/grub in the Linux world.
Thank you for your reply.

So how can I configure loader.efi like I was doing before in /boot/loader.conf?

For example, I want to set another keyfile location for geli in loader.efi instead of the password prompt.
 
> Thank you for your reply.
>
> So how can I configure loader.efi like I was doing before in /boot/loader.conf?
>
> For example, I want to set another keyfile location for geli in loader.efi instead of the password prompt.
I don't get it, you want to add a key to unlock without a password? Doesn't that make the encryption pointless?
 
On a separate USB drive, obviously.
At the end, it will become something like:

As far as I understand it... If you use the '-g' flag on GELI partition creation, then you have no option to use keys, just a password. If you use an unencrypted /boot partition ('-b' flag), then you get the option to use key files. I myself am looking for a way to use a separate drive for key storage, but with no success. It's a pity :(
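As an added illustration, not taken from any of the posts above, this is what the key-file mechanism the previous reply refers to looks like when /boot lives on an unencrypted boot partition. The loader.conf variables are the ones documented in geli(8): the loader preloads the key file as a named module of type "<provider>:geli_keyfile<N>" together with geom_eli.ko, and the kernel, which attaches providers initialised with the -b flag before mounting root, picks the key up without prompting. The provider name da0p3, the pool/dataset zroot/ROOT/default and the key path are placeholders assumed for the example.

```conf
# /boot/loader.conf on the unencrypted boot partition (example, not from the thread)
# Load the GELI class so the kernel can taste and attach providers at boot.
geom_eli_load="YES"

# Preload the key file for provider da0p3 (placeholder names).
# The type must be "<provider>:geli_keyfile<N>" so g_eli matches it to the provider.
geli_da0p3_keyfile0_load="YES"
geli_da0p3_keyfile0_type="da0p3:geli_keyfile0"
geli_da0p3_keyfile0_name="/boot/keys/da0p3.key"

# The root pool sits on the decrypted device da0p3.eli.
vfs.root.mountfrom="zfs:zroot/ROOT/default"
zfs_load="YES"
```

The risk to keep in view: the key file is stored in plaintext on the unencrypted medium the loader reads it from, so it only protects the data if that medium (the USB stick in the poster's plan) is kept apart from the machine; if the GELI provider was also given a passphrase component, the kernel will still prompt for it at boot.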
 