Solved Is Geli A Part Of The Bootloader?

Hi,

is geli part of the boot loader since you have to enter the password before the kernel is being loaded?
 
Without having looked at the source code, boot(8) will tell you that the bootloader is actually three stages that end in loader(8).

Now, if you encrypt your root disk, you'll be asked for a secret way before loader appears. Also, geli(8) gives you a "-g" option:

Enable booting from this encrypted root filesystem. The boot loader prompts for the passphrase and loads loader(8) from the encrypted partition.

This leads me to believe that the bootloader before loader at least has some decryption capabilities built in.

I hope someone who's actually read or knows the code will correct me, if I'm wrong...
 
A geli encrypted disk actually boots from a non-encrypted boot. That loads the kernel (and geli(8)) which is then able to unlock the encrypted part of the disk.
 
A geli encrypted disk actually boots from a non-encrypted boot. That loads the kernel (and geli(8)) which is then able to unlock the encrypted part of the disk.
Yeah, but before loading the kernel you will be asked for a password and it will also be verified (and it will even be used to decrypt the system boot disk later).

I guess this is the part of geli that is compiled into the kernel to support booting from an encrypted drive, right?
 
The kernel (and loader(8)) is on the non-encrypted boot pool/partition. Basically /boot is unencrypted and used to load and start the kernel. This is then able to decrypt the root filesystem (or pool) and then continues to boot from that.
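The two boot models described in this thread (the "-g" option quoted from geli(8) above, where the boot code itself prompts and loads loader(8) from the encrypted partition, versus an unencrypted /boot that loads the kernel and geli before the root provider is attached) can be told apart on a running system from the flags `geli list` prints. The script below is an added example, not code from the thread; it assumes the flag names GELIBOOT (set by `geli init -g`) and BOOT (set by `geli init -b`) as printed by `geli list` on current FreeBSD, and reads that output from stdin so it also works on a saved copy.

```shell
#!/bin/sh
# Added example: classify each GELI provider by the flags in `geli list` output.
#   GELIBOOT (geli init -g): boot code prompts for the passphrase and reads
#                            loader(8)/kernel from the encrypted partition
#   BOOT     (geli init -b): kernel + geli come from an unencrypted /boot and
#                            attach the provider before root is mounted
#   neither                : provider is only attached by hand after boot
# Flag names are assumed from geli(8); verify them against your release.

classify_geli_boot() {
    awk '
        /^Geom name:/ { name = $3 }
        /^Flags:/ {
            model = "manual-attach"
            # check GELIBOOT first: the plain /BOOT/ pattern also matches it
            if ($0 ~ /GELIBOOT/) model = "bootcode-decrypts (geli -g)"
            else if ($0 ~ /BOOT/) model = "unencrypted-/boot (geli -b)"
            print name, model
        }
    '
}

# Constructed sample in the shape of `geli list` output (not a real host).
# On a FreeBSD box run:  geli list | classify_geli_boot
SAMPLE='Geom name: ada0p2.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: GELIBOOT
Geom name: ada0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Flags: BOOT
Geom name: da1.eli
State: ACTIVE
Flags: NONE'

printf '%s\n' "$SAMPLE" | classify_geli_boot
```

A provider reported as "unencrypted-/boot" means the loader, kernel and geli module sit on a cleartext partition, so its integrity is not protected by the encryption and should be covered by something else (for example a trusted boot chain).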
 
The following links give a technical view of the design and implementation of FreeBSD (EFI) GELI support. I can't tell whether there have been changes since then or whether they are still valid:
 