Solved WinBSD - Encrypted Dualboot - GELI - Need assistance

Merry Christmas. Merry Pagan Holidays. Merry whatever you wish to be merry about. Happy Holidays!!

I installed Windows10 on a laptop - allocated 97 GB to C: :-P
I'll enable BitLocker later.

Now I have around 140 GB of free space remaining. With limited amount of RAM, I intend to skip ZFS this time and resort to UFS(2).
Would appreciate your help to get FreeBSD onto the free space with GELI

The automated FDE via the setup is only available for the entire disk, not for remaining amount of free space.
So here we are:

Trying to get Windows and FreeBSD 15 Dual boot - with GELI encryption:
Partition table as of now:

ada0 GPT
ada0p1 100 M type efi
ada0p2 16 M type ms-reserved
ada0p3 97 G type ms-basic-data
ada0p4 663M ms-recovery
I have created
ada0p5 type freebsd-ufs 136 GB
and
ada0p6 type freebsd-swap 4 GB
ada0p7 type freebsd-ufs 438 MB
#Do I need this for /boot ?

I have done a geli init on ada0p5 and it attaches and detaches successfully.

How do I proceed now? I take it I will need to manually decompress some base and other tgz files.
What then, where does /boot go?

LLMs are useless. They say "now proceed with your FreeBSD installation". Please guide if possible.
Help appreciated. Thank you kind person O:‑)
 
The first question is not will you use encryption or not.
The first question is which boot loader will you use ?
And how will you on boot switch between Windows & FreeBSD ?
Many, many setups are possible, so neither an LLM nor I can answer.

As far as I know, GRUB is unaware of encryption.
Maybe by pressing a key at boot you can choose.
There are also specific Windows bootloader applications.
If they find the freebsd boot partition it will work.
-----------------------------------------------------------------------
Fyi,

In the traditional FreeBSD BIOS/MBR boot sequence,
boot0 and boot1 represent the first two stages of the bootstrap process.

boot0 (Stage 0: The Boot Manager)

  • Location: Resides in the Master Boot Record (MBR), the very first 512-byte sector of the hard drive.
  • Function: It is a minimal boot manager. Its primary task is to scan the partition table and let the user select which "slice" (partition) to boot from.
  • Interaction: If installed, it displays a simple menu (e.g., F1 Win, F2 FreeBSD).
  • Size: Restricted to roughly 446 bytes of code because it must share the 512-byte MBR sector with the drive's partition table.
  • Configuration: Managed using the boot0cfg(8) utility.

boot1 (Stage 1: The Partition Boot Sector)

  • Location: Resides in the first sector of the FreeBSD slice (partition) chosen by boot0.
  • Function: It is the first stage of FreeBSD-specific code. Because it is also limited to 512 bytes, it lacks a filesystem driver. Its sole purpose is to locate and load the more complex boot2 from the next few sectors of the disk.
  • Interaction: Entirely automated; users typically do not see or interact with it.
  • Relationship to boot2: On disk, boot1 and boot2 are often stored as a single concatenated file called /boot/boot, which the FreeBSD installer writes to the beginning of the FreeBSD slice.

Summary of the Sequence

  1. BIOS loads boot0 (Stage 0) from the MBR.
  2. boot0 allows the user to select a slice and then loads boot1 (Stage 1) from the first sector of that slice.
  3. boot1 loads boot2 (Stage 2), which has enough intelligence to find and execute the final loader (Stage 3) from the actual filesystem.

Note: For modern systems using UEFI instead of BIOS, this legacy MBR-based system is replaced by boot1.efi and the loader.efi binary located on an EFI System Partition (ESP).
 
@Alain De Vos Thank you for your quick response.
Can't I place boot1.efi and the loader.efi binary on ada0p1 100 M type efi ??
I will manage the boot part. Could you guide me as to how do I get the OS onto ada0p5 ?
 
You said you wanted to get the OS onto ada0p5. This mfsbsd contains what you need to get the OS installed onto ada0p5.

All you need to do is extract the two files I mentioned.
 
ada0p7 type freebsd-ufs 438 MB #Do I need this for /boot ?
It depends how you want the setup.
  1. Whole Root-on-UFS encrypted
  2. Separate /boot unencrypted, rest of the OS encrypted
  3. OS on separate partition unencrypted, important data partition encrypted
1. Can be geli(8) initialized with the -g option. For decryption, this will ask on machine power up every time for the passphrase, regardless if FreeBSD or Windows is booted. This can be inconvenient.

2. requires additional configuration to link /boot

3. Not much to comment, self explanatory

I have done a geli init on ada0p5 and it attaches and detaches successfully.

How do I proceed now? I take it I will need to manually decompress some base and other tgz files.
With version 15 you need to decide if you want to use pkgbase (Technical Preview) or former distfiles (kernel.txz, base.txz).

Pkgbase can be installed from the installer media (pkg-install(8) from the local repository, if disc1.iso, dvd1.iso, memstick.img), distfiles must be fetched and extracted (tar(1)).

To get the distfiles, no need to install additional 3rd party applications, fetch(1) will do. There is not enough space on the installer media to store them; they can be saved on an external device or on the newly created file system, where the OS goes.

Can't I place boot1.efi and the loader.efi binary on ada0p1 100 M type efi ??
Sure, this is possible. Create on the ESP /efi/freebsd directory and copy /boot/loader.efi into it. boot1.efi(8) is deprecated, you don't need it to boot the system.

From FreeBSD, you can create a UEFI menu entry, which can be chosen from the UEFI boot menu (see efibootmgr(8)).
 
Thank you everyone for your response. As always, such a great community!

Now for the unpleasant stuff.

balanga Yes indeed we can use wget and curl to download verified files from freebsd.org. What makes mfsbsd so special? Especially when it is neither mentioned nor promoted as safe on FreeBSD's website. I asked but the question was dodged and instead I got the response - You wanted X, this does X!

Alain De Vos T-Daemon
Anyways, I already managed to copy the base kernel dist etc etc files. I copied it from another FBSD 15 instance. I even added loader.efi in my UEFI and pointed it to the partition with the boot files. It starts and shows the FreeBSD text beastie splash image, does its thing BUT it fails ultimately because my ada0p5 is not decrypted.

I have set
aesni_load and geom_eli_load
to YES in loader.conf. What else do I need to do?
fstab points /dev/ada0p5.eli to / rw

The boot loader should ideally ask me the password to unlock /dev/ada0p5 but it does not and directly goes to the splash screen and fails when it finally tries /dev/ada0p5 :(

Random LLM says:
Add this to loader.rc
Code:
set currdev=ad0p5
geli attach ad0p5
Is it hallucinating again? Perhaps it meant ada0p5, and even if it did, does it make sense?


Any clue?
 
I entered the following inside /boot/loader.conf
Code:
aesni_load="YES"
# ensures the GELI module is available
geom_eli_load="YES"
geli_ada0p5_keyfile0_load="YES"
geli_ada0p5_keyfile0_type="ada0p5:geli_keyfile0"
geli_ada0p5_keyfile0_name="/boot/gelikeyfile"
Didn't help. Please note that /boot/gelikeyfile was created using the geli backup command.

Also escaped to the boot prompt by pressing 3 and did these:
Code:
load /boot/kernel/kernel
load /boot/kernel/geom_eli.ko
load /boot/kernel/aesni.ko
load_geli ada0p5.eli /boot/gelikeyfile
boot

Still it gets stuck at mountroot> and says press? List valid disk boot devices blah blah .. :(

P.S. Do I even need the gelikeyfile? I know the password to the partition.
 
Thank you everyone for your response. As always, such a great community!

Now for the unpleasant stuff.

balanga Yes indeed we can use wget and curl to download verified files from freebsd.org. What makes mfsbsd so special? Especially when it is neither mentioned nor promoted as safe on FreeBSD's website. I asked but the question was dodged and instead I got the response - You wanted X, this does X!
I'm just saying that FreeBSD provides a built-in utility, fetch, so you don't need to get wget or curl.

As for mfsbsd, it is built from FreeBSD source code. I only offered some advice. You are perfectly free to reject it. Many people on this forum find it to be an excellent tool when it comes to installing or repairing FreeBSD. You too may appreciate it one day.
 
I'm just saying that FreeBSD provides a built-in utility, fetch, so you don't need to get wget or curl.

As for mfsbsd, it is built from FreeBSD source code. I only offered some advice. You are perfectly free to reject it. Many people on this forum find it to be an excellent tool when it comes to installing or repairing FreeBSD. You too may appreciate it one day.

I booted using a live media and already had the files, so I would not need any other iso/img. I would have gladly used mfsbsd had you answered why one should prefer it over legit FreeBSD resources (which offer the v15 kernel whereas mfsbsd still doesn't) if one just wants base and kernel. Thanks anyways.
 
1. Can be geli(8) initialized with the -g option. For decryption, this will ask on machine power up every time for the passphrase, regardless if FreeBSD or Windows is booted. This can be inconvenient.

2. requires additional configuration to link /boot
So I guess I am missing the '-g' param. Does this mean I need to reinit the whole fs :(
 
So I guess I am missing the '-g' param. Does this mean I need to reinit the whole fs
No, you don't need to reinit the provider.

Boot up installer media, drop to "Live System", attach the provider, mount the file system, remove what you added in local.rc and /boot/loader.conf, and configure the provider to boot from the root file system: geli configure -g ada0p5

Afterwards, you can check the provider's flags by calling geli list | grep -e name -e Flags. It will show the "GELIBOOT" flag set by the "-g" option for ada0p5 (besides other flags, automatically set, or that you might have set during initialization).
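The steps in the reply above (attach, mount, strip the keyfile entries from loader.conf, geli configure -g, check for the GELIBOOT flag), as an added shell example that is not part of the thread; it assumes provider ada0p5 and mount point /mnt, and the geli list sample used to exercise the check is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the thread: switch an already initialised GELI
# provider to GELIBOOT from a FreeBSD "Live System" shell and verify it.
# Assumed names: provider ada0p5 (from the thread), mount point /mnt.

# Report whether PROVIDER carries FLAG in `geli list` output read from stdin.
# Exit status 0 = flag present, 1 = absent (or provider not listed).
has_geli_flag() {
    awk -v prov="$1" -v flag="$2" '
        /^Geom name:/ { cur = $3; sub(/\.eli$/, "", cur) }
        /^Flags:/ && cur == prov {
            for (i = 2; i <= NF; i++) { f = $i; gsub(/,/, "", f); if (f == flag) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# The recovery steps from the reply above, as one function. Needs root and
# a FreeBSD host; it is defined here but not run at load time.
enable_geliboot() {
    prov="$1"; mnt="${2:-/mnt}"
    geli attach "$prov"                       # prompts for the passphrase
    mount "/dev/${prov}.eli" "$mnt"
    # Drop the keyfile entries added earlier; with GELIBOOT the loader
    # prompts for the passphrase itself. geom_eli_load/aesni_load may stay.
    sed -i '' "/^geli_${prov}_keyfile0_/d" "$mnt/boot/loader.conf"
    geli configure -g "$prov"
    if ! geli list "${prov}.eli" | has_geli_flag "$prov" GELIBOOT; then
        echo "GELIBOOT flag not set on $prov" >&2
        umount "$mnt"; geli detach "$prov"; return 1
    fi
    umount "$mnt"; geli detach "$prov"
}

# Constructed sample of `geli list` output (not captured from a real system)
# so has_geli_flag can be exercised offline.
sample_geliboot() {
    printf '%s\n' 'Geom name: ada0p5.eli' 'State: ACTIVE' \
        'EncryptionAlgorithm: AES-XTS' 'KeyLength: 256' 'Crypto: hardware' \
        'Version: 7' 'UsedKey: 0' 'Flags: GELIBOOT' 'KeysAllocated: 32' \
        'KeysTotal: 32' 'Providers:' '1. Name: ada0p5.eli' \
        '   Mediasize: 146028888064 (136G)' 'Consumers:' '1. Name: ada0p5'
}
sample_noflags() { sample_geliboot | sed 's/^Flags: GELIBOOT$/Flags: NONE/'; }
```

Run enable_geliboot ada0p5 from the live shell as root; the has_geli_flag check is the same one the reply suggests doing by eye with grep.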
 
Hello T-Daemon. Thank you for solving this. Everything is working now!
I now get the prompt to decrypt the partition. I also removed the entries from loader.rc and loader.conf AND corrected the fstype in fstab for the boot partition. It was mislabeled as msdosfs, changed it to ufs, which it actually is.

I learned that /boot is different than the boot partition. Does the boot partition only need /boot/efi/efi/loader.efi and a few other efi files... is that it?
If I am using the EFI option and have already provided the loader.efi file to it, do I still need a separate boot partition?
 
Got a Thinkpad x390 with Win11, Fedora and FreeBSD with bitlocker, LUKS and Geli.
If I remember right, I first installed Windows and partitioned, then Fedora, then FreeBSD 14 with UFS on Geli.
 
I learned that /boot is different than the boot partition. Does the boot partition only need /boot/efi/efi/loader.efi and a few other efi files... is that it?
If I am using the EFI option and have already provided the loader.efi file to it, do I still need a separate boot partition?
The term "boot partition" may be misleading; a more accurate term is ESP (EFI system partition). Only the EFI FreeBSD loader (loader.efi(8)) is needed in the ESP to boot FreeBSD (/efi/freebsd/loader.efi in this case), no other files, and no separate ESP (boot partition) is required; the existing ESP can be used.
 
The term "boot partition" may be misleading; a more accurate term is ESP (EFI system partition). Only the EFI FreeBSD loader (loader.efi(8)) is needed in the ESP to boot FreeBSD (/efi/freebsd/loader.efi in this case), no other files, and no separate ESP (boot partition) is required; the existing ESP can be used.
Thank you. LOL I assigned 1 GB for this file. Will keep what you mentioned in mind for the next time.