Full Disk Encryption + SD Card for booting purposes

[Juh924]

Hello everybody,

I'm trying to reinstall FreeBSD on a Thinkpad T420 (I'm not planning on using GPT since it doesn't work on this Laptop), with full disk encryption + a 32GB mmcsd Card (for the moment, until I get my 1gb SD card) with the /boot partition.

I used those 2 "tutorials":

1) HOWTO: Quick GELI encryption guide ==> Using MBR but not a separate key to boot from
2) Help on installing with UFS+J, GELI, GPT, and boot from USB ===> Usin separate key to boot BUT with GPT solution.

Here is what i'm planning to do:
* Start FreeBSD Live CD

mount -u -o rw /
kldload sdhci mmc mmcsd

* Destroy previous partitionning (when i get the correct method, I'll use /dev/urandom)

dd if=/dev/zero of=/dev/ada0 bs=1m count=1
dd if=/dev/zero of=/dev/mmcsd0 bs=1m count=1

* Prepare and mount MMC/SD card (will have /boot partition)
(I've read somewhere that 768MB would be more than enough)

gpart create -s mbr mmcsd0
gpart add -t freebsd -a 4k -s 768m mmcsd0

===> I'm getting this message:

mmcsd0s1 added, but partition is not aligned on 4194304 bytes

I can't find a way to avoid this alignement error. Do you have any idea about how I could fix this?
Answer: Can be disregarded

gpart create -s bsd mmcsd0s1
gpart add -t freebsd-ufs -a 4k mmcsd0s1
gpart bootcode -b /boot/mbr mmcsd0
gpart bootcode -b /boot/boot mmcsd0s1
gpart set -a active -i 1 mmcsd0
newfs -L sdboot /dev/mmcsd0s1a

* Create the encrypted slice (using the whole HDD) + label it

gpart create -s mbr ada0
gpart add -t freebsd -a 4k ada0
glabel label -v thinkpad /dev/ada0s1

* Create the 256-bit key.

mkdir /mnt/sd
mount /dev/mmcsd0 /mnt/sd
mkdir -p /mnt/sd/boot/keys
dd if=/dev/urandom of=/mnt/sd/boot/keys/label_thinkpad.key bs=256k count=1

* Encrypt entire HDD using GELI with key file and password

kldload geom_eli
geli init -b -s 4096 -l256 -K /mnt/sd/boot/keys/label_thinkpad.key /dev/label/thinkpad
geli attach -k /mnt/sd/boot/keys/label_thinkpad.key /dev/label/thinkpad

* Partition the encrypted HDD (/tmp will be created using tmpfs in /etc/rc.conf)

gpart create -s bsd /dev/label/thinkpad.eli 
gpart add -t freebsd-ufs -s 2G /dev/label/thinkpad.eli      // /
gpart add -t freebsd-swap -s 4G /dev/label/thinkpad.eli      // swap
gpart add -t freebsd-ufs -s 6G /dev/label/thinkpad.eli      // /var
gpart add -t freebsd-ufs -s 35G /dev/label/thinkpad.eli     // /usr 
gpart add -t freebsd-ufs /dev/label/thinkpad.eli            // /home

* Newfs Everything except swap

glabel label -v swapfs /dev/label/thinkpad.elib
newfs -L rootfs -U -j /dev/label/thinkpad.elia
newfs -L varfs -U -j /dev/label/thinkpad.elid
newfs -L usrfs - U -j /dev/label/thinkpad.elie
newfs -L homefs -U -j /dev/label/thinkpad.elif

* Mount base system on /mnt/inst

mkdir /mnt/inst
mount /dev/ufs/rootfs /mnt/inst
mkdir /mnt/inst/var
mount /dev/ufs/varfs /mnt/inst/var
mkdir /mnt/inst/usr
mount /dev/ufs/usrfs /mnt/inst/usr
mkdir /mnt/inst/home
mount /dev/ufs/homefs /mnt/inst/home
mkdir /mnt/inst/boot

* Install FreeBSD

cd /usr/freebsd-dist
sh
for file in base.txz kernel.txz; do tar --unlink -xpvJf ${file} -C /mnt/inst done

* Add those lines to /mnt/inst/boot/loader.conf

# Delay boot to be sure the MMC/SD card is detected in order to boot
kern.cam.boot_delay = "10000"
# Encryption 
geom_eli_load = "YES"
geli_label_thinkpad_keyfile0_load="YES"
geli_label_thinkpad_keyfile0_type="label/thinkpad:geli_keyfile0"
geli_label_thinkpad_keyfile0_name="/boot/keys/label_thinkpad.key"
vfs.root.mountfrom="ufs:/dev/ufs/rootfs"

* Add those lines to /mnt/inst/etc/rc.conf (I'm not sure if there is enough space for /tmp though, could you help me?)

tmpmfs="YES"
tmpsize="500M"

* Add those lines to /mnt/inst/etc/fstab

/dev/ufs/rootfs      /         ufs    rw               1 1
/dev/label/swapfs    none      swap   sw               0 0
/dev/ufs/varfs       /var      ufs    rw               2 2
/dev/ufs/usrfs       /usr      ufs    rw               2 2
/dev/ufs/homefs      /home     ufs    rw               2 2

* Copy /mnt/inst/boot to /mnt/sd/boot

mount /dev/ufs/sdboot /mnt/sd
cp -Rvp /mnt/inst/boot /mnt/sd

Reboot and I think that's it.

Could you please check the whole thing and tell me what I'm doing wrong?

I tried with a USB instead of a MMCSD card: The laptop booted on thanks to the USB as planned but stopped with a "mountfrom" error. I haven't tried it again with a different "vfs entry" as I'm trying to get this to work with a SD Card. I won't be able to go forward until I solve the alignment issue.

Thank you very much!

 

[xibo]

I would recommend using labels instead of device names, and also using FFS labels instead of GEOM ones, both in loader.conf and fstab.

I don't know about the Thinkpad T420, but of all systems with SD card readers I have, none can boot from the SD card reader. And about the alignment error, just ignore it (4k alignment is used to improve performance on some HDDs)

 

[Juh924]

Thank you very much.

For the SD Card, I thought there was a way to get them bootable but if there isn't, I'll stay with my USB.
I'm still very new to freebsd and I'm not sure I understand what you mean by "using FFS labels instead of GEOM ones".


By the way, I just tried again this method with a USB key and here is the error I got, just after entering the passphrase:

Trying to mount root from ufs:/dev/ada0s1.elia []...
mountroot: waiting for device /dev/ada0s1.elia ...
Mounting from ufs:/dev/ada0s1.elia failed with error 19.

Loader variables:
  vfs.root.mountfrom=ufs:/dev/ada0s1.elia

mountroot>

I tried with

vfs.root.mountfrom="ufs:/dev/label/thinkpad.elia"

in /boot/loader.conf but I have the same error.

Thank you very much for your help

 

[wblock@]

SD cards can set up to boot like a hard drive, but not all computers are able to boot from their SD card readers.

FFS labels (really UFS labels) are a type of GEOM label. Read glabel(8). It lists a bunch of types of labels that are automatically detected and show up in various directories in /dev/. UFS labels show up in /dev/ufs/, GPT labels show up in /dev/gpt/, and so on.

 

[fonz]

I'll have a look at this later when I have more time. But as a preliminary note, I'd like to remark that the ability to boot from SD cards depends mostly on the machine itself. If your laptop supports booting from the card reader, then usually so does FreeBSD.

 

[xibo]

Have you copied the keyfiles to the USB flash, too?

You can specify

kern.geom.eli.debug=3

in loader.conf to have geli generate more information output (although the generated information might mostly not be too useful).

UFS labels differ from GEOM labels by the fact that GEOM is FreeBSD's block storage interface while UFS is a filesystem. GEOM labels are assigned with glabel() while UFS labels are assigned either at filesystem creation time with the -L option to newfs() or on an unmounted filesystem with tunefs().

The input prompt that appears when mountroot fails allows listing all present storage devices (I think it's done by inputing ``?''). Maybe that list can be helpful (especially if the devices names got messed up).

 

[Juh924]

Thanks a lot.

I had a typo in the "vfs entry". (/dev/thinkpad.elia instead of /dev/label/thinkpad.elia) Now, it works with a USB key. I'm still trying on getting the SD card to work. I think my thinkpad doesn't support that feature but my other computer does so ... still working on it.

I'll try newfs now.

 

[Juh924]

Hello again,

With the newfs labels, it doesn't seem to work anymore, when using a USB key. I got the same error as before with

mountroot>

and when I type ?, partitions as /dev/ufs/{rootfs, varfs, usrfs or homefs} aren't shown.

Could you help me find why?

Also, why not use newfs but glabel for swap partition and freebsd slice (ada0s1 for example)?

Thanks a lot.

 

[Saeediranzad]

Hi!

I am a newbie here. I used a flash memory as the installing CD and then installed FreeBSD on an 16 GB SD card.

1. I can boot from SD, but it needs flash too. It gives an error about mounting.
2. I installed GNOME and can launch it, but it's very slow!
   I thought an SD slot should be faster than USB, isn't it?
3. FreeBSD recognizes and finds NTFS drives easily, but not EXT4 (Linux); why?

 

[xibo]

Hi!
I am a newbie here.
I used a flash memory as the installing CD and then installed FreeBSD on an 16GB SD card.
1-I can boot from SD, but it needs flash too. It gives an error about mounting.

The OP poster has used

Here is what i'm planning to do:

• Start FreeBSD Live CD
  

  mount -u -o rw /
  kldload sdhci mmc mmcsd

Assuming this was indeed required to do, you will need to modify loader.conf accordingly to indicate the requirement to load the referred three kernel modules.

mmc_load="YES"
mmcsd_load="YES"
sdhci_load="YES"

2- I installed Gnome and can launch it, but it's very slow!
I thought SD slot should be faster than USB, isn't it?

I don't know about bulk transfer rates, but all MMC cards I had so far had considerably large physical block sizes, which means you will end up writing a high amount of unmodified data, that on top of this also needs to be read previously. You could consider increasing the UFS logical block size, which is 32 KiB by default, to at least the physical block size, which is more than 1 MiB for most MMCs I had, however that requires formatting the partition.

Specifying noatime which was not done by the OP is considered a good point to start filesystem performance tuning independent of the specifics, which reduces the amount of writes done in background at the expense of not being able to track read access timestamps of files (most people are interested in modification access timestamps only).

There's a man page on common performance exploitabilities called tuning(7).

3-FreeBSD recognizes and finds NTFS drives easily, but not EXT4 (Linux); why?

The only reason that would get in mind to me is that the partition table is corrupt. Otherwise FreeBSD can not access ext4 partitions (unless it is an ext2 partition that was handled by the Linux' ext4 module in compatibility mode), but it can see their presence on the storage media nevertheless.

There is also a userspace driver for ext4fs in ports: sysutils/fusefs-ext4fuse, however the disk geometry/partition subsystem is required to provide access to the ext4 device nevertheless.

 

[Saeediranzad]

Thank you Xibo!

1. I said I used flash memory as Live CD and then installed on an SD card. Now I want to boot from SD without the help of flash memory. Sorry if I didn't get the point.
2. Block size is 64 KiB right now. Then it should be 1 Mib. How to do that when I format it?
3. This a problem. So if I decide to install FreeBSD on a separate partition of the HDD, can I see it on the boot loader of Linux (GRUB)? Right now I have three systems on the HDD (Windows 8.1, Mint, Manjaro).