diff options
author | Dru Lavigne <dru@FreeBSD.org> | 2016-07-01 14:29:08 +0000 |
---|---|---|
committer | Dru Lavigne <dru@FreeBSD.org> | 2016-07-01 14:29:08 +0000 |
commit | f1910e8d1668d59db179025aaa9df77372713c8f (patch) | |
tree | aeeef75df101d1a07e7972747a2390aa7db6d3d0 | |
parent | e9d26975258bb6fc13e744e6e54a2137e92a8a51 (diff) | |
download | doc-f1910e8d1668d59db179025aaa9df77372713c8f.tar.gz doc-f1910e8d1668d59db179025aaa9df77372713c8f.zip |
Add EFI refactoring GELI support report from eric@metricspace.net.
While here, fix a typo.
Reviewed by: wblock@freebsd.org
Sponsored by: iXsystems
Notes
Notes:
svn path=/head/; revision=49024
-rw-r--r-- | en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml | 127 |
1 files changed, 126 insertions, 1 deletions
diff --git a/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml b/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml index c389fe0b6d..ed601362ca 100644 --- a/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml +++ b/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml @@ -102,7 +102,7 @@ final release.</p> <p>The &os; 11.0-RELEASE cycle started late May, one month - behind the orignal schedule. The schedule slip was primarily + behind the original schedule. The schedule slip was primarily to accommodate for packaging the &os; base system with the <tt>pkg(8)</tt> utility. However, as work on this progressed, it became apparent that there were too many outstanding @@ -326,4 +326,129 @@ report issues.</task> </help> </project> + + <project cat='proj'> + <title>EFI Refactoring, GELI Support</title> + + <contact> + <person> + <name> + <given>Eric</given> + <common>McCorkle</common> + </name> + <email>eric@metricspace.net</email> + </person> + </contact> + + <links> + <url href="https://github.com/emc2/freebsd/tree/geli_efi">GELI Support Branch</url> + <url href="https://github.com/emc2/freebsd/tree/efize">EFI Refactoring Branch</url> + </links> + + <body> + <p>The EFI bootloader has undergone considerable refactoring to + make more use of the EFI API. The filesystem code in + <tt>boot1</tt> has been eliminated, and a single codebase for + filesystems now serves both <tt>boot1</tt> and + <tt>loader</tt>. This codebase is organized around the EFI + driver model and it should be possible to export any + filesystem implementation as a standalone EFI driver without + too much effort.</p> + + <p>Both <tt>boot1</tt> and <tt>loader</tt> have been refactored + to talk through the <tt>EFI_SIMPLE_FILE_SYSTEM</tt> interface. + In <tt>loader</tt>, this is accomplished with a dummy + filesystem driver that is just a translation layer between the + <tt>loader</tt> filesystem interface and + <tt>EFI_SIMPLE_FILE_SYSTEM</tt>. A reverse translation layer + allows the existing filesystem drivers to function as EFI + drivers.</p> + + <p>The EFI refactoring by itself exists in + <a href="https://github.com/emc2/freebsd/tree/efize">this branch</a>.</p> + + <p>Additionally, GELI support has been added using the EFI + refactoring. This allows booting from a GELI-encrypted + filesystem. Note that the EFI system partition, which + contains <tt>boot1</tt>, must be a plaintext msdosfs + partition. This patch adds an intake buffer to the crypto + framework, which allows injection of keys directly into a + loaded kernel, without the need to pass them through + arguments or environment variables. This patch only uses the + intake buffer for EFI GELI support as legacy BIOS GELI support + still uses environment variables.</p> + + <p>EFI GELI support depends on the + <a href="https://github.com/emc2/freebsd/tree/geli_efi">efize branch</a>.</p> + + <p>These patches have been tested and used and should be able + to handle use by early adopters. Note that the + <tt>LOADER_PATH</tt> variable has been changed to + <tt>/boot/loader.tst</tt>, to facilitate safe testing.</p> + + <strong>IMPORTANT:</strong> + + <p>As this is an encrypted filesystem patch, an error can + potentially leave data inaccessible. It is + <em>strongly</em> recommended to use the following procedure + for testing:</p> + + <ol> + <li> + <p>Back up your data!</p> + </li> + + <li> + <p>Do not forget to back up your data!</p> + </li> + + <li> + <p>Install an EFI shell on the ESP.</p> + </li> + + <li> + <p>Install the patched <tt>boot1</tt> on the ESP to + something like <tt>/boot/efi/BOOTX64.TST</tt>.</p> + </li> + + <li> + <p>Install the patched loader to <tt>/boot/loader.tst</tt> + on your machine.</p> + </li> + + <li> + <p>Create a GELI partition outside of the normal boot + partition.</p> + </li> + + <li> + <p>First, try booting <tt>/boot/efi/BOOTX64.TST</tt> and + make sure it properly handles the encrypted partition.</p> + </li> + + <li> + <p>Copy a boot environment, including the patched loader, to + the encrypted partition.</p> + </li> + + <li> + <p>Use the loader prompt to load a kernel from the encrypted + partition.</p> + </li> + + <li> + <p>Try switching over to an encrypted main partition once + everything else has worked.</p> + </li> + </ol> + </body> + + <help> + <task>Testing is needed.</task> + + <task>Code will need review and some <tt>style(9)</tt> + normalization must occur before this code goes into + FreeBSD.</task> + </help> + </project> </report> |