grub-devel.gnu.org archive mirror
* Integrating a FreeBSD/GELI change
From: Eric McCorkle @ 2017-04-01 12:57 UTC
  To: grub-devel



Hello,

I've been working on a series of changes designed to expand FreeBSD's
full-disk encryption support via GELI (its preferred disk encryption
mechanism).  One of the important parts of this landed in HEAD last night:

https://github.com/freebsd/freebsd/commit/6a205a32527153697eb4df4114ff0cd3c7cd6fd8

This adds a general mechanism for passing keys into the FreeBSD kernel
at boot.  At present, this is used exclusively by the GELI subsystem.

FreeBSD currently supports full-disk encryption for i386 BIOS.  I am
actively working on EFI support and would like to make sure that GRUB
also supports full-disk encryption as well (as GRUB is our best option
for a coreboot setup).


Basically, to add support for this, I'd need to do two things:

1) Ensure that GRUB can handle an entirely GELI-encrypted disk hosting a
FreeBSD system (I suspect it can, but I've never done a GRUB/GELI setup
before)

2) An additional metadata item needs to get generated when booting the
FreeBSD kernel that contains all the GELI keys.  (For those who don't
know, FreeBSD has a kernel metadata mechanism that is used to pass some
information into the kernel: for example, the EFI console on EFI, some
BIOS information on i386 BIOS, and so on)


I've never submitted a patch to GRUB before, so I'm interested in 1) how
hard would this be, 2) where should I look in the source code, and 3)
what is the procedure for submitting patches like this?


Best,
Eric



* Re: Integrating a FreeBSD/GELI change
From: Andrei Borzenkov @ 2017-04-01 13:57 UTC
  To: The development of GNU GRUB



On 01.04.2017 15:57, Eric McCorkle wrote:
> Hello,
> 
> I've been working on a series of changes designed to expand FreeBSD's
> full-disk encryption support via GELI (its preferred disk encryption
> mechanism).  One of the important parts of this landed in HEAD last night:
> 
> https://github.com/freebsd/freebsd/commit/6a205a32527153697eb4df4114ff0cd3c7cd6fd8
> 
> This adds a general mechanism for passing keys into the FreeBSD kernel
> at boot.  At present, this is used exclusively by the GELI subsystem.
> 
> FreeBSD currently supports full-disk encryption for i386 BIOS.  I am
> actively working on EFI support and would like to make sure that GRUB
> also supports full-disk encryption as well (as GRUB is our best option
> for a coreboot setup).
> 
> 
> Basically, to add support for this, I'd need to do two things:
> 
> 1) Ensure that GRUB can handle an entirely GELI-encrypted disk hosting a
> FreeBSD system (I suspect it can, but I've never done a GRUB/GELI setup
> before)
> 
> 2) An additional metadata item needs to get generated when booting the
> FreeBSD kernel that contains all the GELI keys.  (For those who don't
> know, FreeBSD has a kernel metadata mechanism that is used to pass some
> information into the kernel: for example, the EFI console on EFI, some
> BIOS information on i386 BIOS, and so on)
> 
> 
> I've never submitted a patch to GRUB before, so I'm interested in 1) how
> hard would this be,

I suppose like with any other software project of reasonable size.

> 2) where should I look in the source code, and

GELI is in grub-core/disk/geli.c, generic framework for device
encryption (which GELI plugs in) in grub-core/disk/cryptodisk.c and
FreeBSD loader in grub-core/loader/i386/bsd*.

There was a proposed patch that stored the secret in an environment
variable that was later used by the loader (I think; I am not sure whether
the loader part was actually implemented). Search this list for the subject

Patch to support GELI passphrase passthrough

from Kris Moore (October 2014)

> 3) what is the procedure for submitting patches like this?
>

Just send patches to this list, preferably inline using git send-email, to
make it easier to comment.
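The "additional metadata item" Eric describes in his first message, and the loader files Andrei points at (grub-core/loader/i386/bsd*), both revolve around the FreeBSD loader metadata list: a sequence of (uint32 type, uint32 size, payload padded to the word size) records terminated by MODINFO_END, with kernel metadata records tagged MODINFO_METADATA | MODINFOMD_*. The following is an added example, not GRUB's or FreeBSD's code and not taken from the linked commit: it builds such a list with one key record on the loader side, walks it on the kernel side, and scrubs the key afterwards. MODINFO_END and MODINFO_METADATA are the real <sys/linker.h> values; the key record tag (MD_KEYBUF_ASSUMED), the key-buffer layout, the size limits and every function name are assumptions made for illustration.

```c
/* Added example, not GRUB or FreeBSD code.  MODINFO_END / MODINFO_METADATA
 * match <sys/linker.h>; the key record tag, the key-buffer layout and the
 * function names are ASSUMED for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODINFO_END       0x0000u
#define MODINFO_METADATA  0x8000u
#define MD_KEYBUF_ASSUMED 0x00ffu  /* hypothetical MODINFOMD_* value */
#define META_ALIGN        8u       /* 64-bit kernel: records padded to sizeof(u_long) */
#define KEY_MAX           64u      /* hypothetical per-key limit */
#define KEYBUF_LEN        (4u + 8u + KEY_MAX)  /* nents + one (type, len, data) entry */

static size_t align_up(size_t n) { return (n + META_ALIGN - 1) & ~(size_t)(META_ALIGN - 1); }

/* Scrub secrets through a volatile pointer so the store is not optimised away. */
void wipe(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }

/* Append one record; returns the new offset, or 0 if it would not fit. */
size_t meta_add(uint8_t *buf, size_t cap, size_t off, uint32_t type, const void *data, uint32_t len)
{
    size_t need = 8 + align_up(len);
    if (need < len || off + need > cap) return 0;
    memcpy(buf + off, &type, 4);
    memcpy(buf + off + 4, &len, 4);
    memset(buf + off + 8, 0, align_up(len));
    if (len) memcpy(buf + off + 8, data, len);
    return off + need;
}

/* Find the first record of `type`; NULL if absent, at MODINFO_END, or truncated. */
const uint8_t *meta_find(const uint8_t *buf, size_t cap, uint32_t type, uint32_t *len)
{
    size_t off = 0;
    while (off + 8 <= cap) {
        uint32_t t, l;
        memcpy(&t, buf + off, 4);
        memcpy(&l, buf + off + 4, 4);
        if (t == MODINFO_END) break;
        if (l > cap || off + 8 + align_up(l) > cap) break; /* record runs past the blob */
        if (t == type) { *len = l; return buf + off + 8; }
        off += 8 + align_up(l);
    }
    return NULL;
}

/* Loader side: emit a metadata list carrying one key. Returns total length, or 0. */
size_t build_boot_metadata(uint8_t *out, size_t cap, uint32_t keytype, const uint8_t *key, uint32_t keylen)
{
    uint8_t kb[KEYBUF_LEN] = {0};
    uint32_t nents = 1;
    if (keylen > KEY_MAX) return 0;
    memcpy(kb, &nents, 4);
    memcpy(kb + 4, &keytype, 4);
    memcpy(kb + 8, &keylen, 4);
    memcpy(kb + 12, key, keylen);
    size_t off = meta_add(out, cap, 0, MODINFO_METADATA | MD_KEYBUF_ASSUMED, kb, KEYBUF_LEN);
    wipe(kb, sizeof kb);                       /* the stack copy is no longer needed */
    if (!off) return 0;
    return meta_add(out, cap, off, MODINFO_END, NULL, 0);
}

/* Kernel side: copy the key out, then scrub the whole metadata blob so the key
 * does not linger in loader-reserved memory. Returns key length, or -1. */
int consume_boot_key(uint8_t *meta, size_t metalen, uint32_t want_type, uint8_t *key_out, size_t key_cap)
{
    uint32_t len, nents, ktype, klen;
    const uint8_t *kb = meta_find(meta, metalen, MODINFO_METADATA | MD_KEYBUF_ASSUMED, &len);
    if (!kb || len != KEYBUF_LEN) return -1;
    memcpy(&nents, kb, 4); memcpy(&ktype, kb + 4, 4); memcpy(&klen, kb + 8, 4);
    if (nents != 1 || ktype != want_type || klen > KEY_MAX || klen > key_cap) return -1;
    memcpy(key_out, kb + 12, klen);
    wipe(meta, metalen);                       /* first type field becomes MODINFO_END */
    return (int)klen;
}

/* Build a list for a constructed 16-byte key into a buffer of `cap` bytes. */
size_t demo_build_len(size_t cap)
{
    uint8_t meta[256], key[16] = {0x42};       /* constructed sample key */
    if (cap > sizeof meta) cap = sizeof meta;
    return build_boot_metadata(meta, cap, 1 /* assumed: GELI */, key, sizeof key);
}

/* Constructed round trip: 1 if the key survives the trip and is then gone. */
int demo_roundtrip(void)
{
    uint8_t meta[256], key[32], got[KEY_MAX];
    uint32_t dummy;
    memset(key, 0xA5, sizeof key);             /* constructed sample key, not a real GELI key */
    size_t n = build_boot_metadata(meta, sizeof meta, 1, key, sizeof key);
    if (n == 0) return 0;
    int got_len = consume_boot_key(meta, n, 1, got, sizeof got);
    if (got_len != (int)sizeof key || memcmp(got, key, sizeof key) != 0) return 0;
    return meta_find(meta, n, MODINFO_METADATA | MD_KEYBUF_ASSUMED, &dummy) == NULL;
}
```

The two checks worth carrying into a real implementation are the ones in meta_find and consume_boot_key: a record whose declared size runs past the end of the blob is rejected rather than read, and the consumer wipes both its scratch copy and the metadata region once the key is in kernel-owned memory, since whatever the loader left behind in that region is otherwise readable by anything that later maps it.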



* Re: Integrating a FreeBSD/GELI change
From: Eric McCorkle @ 2017-04-01 16:32 UTC
  To: grub-devel



On 04/01/2017 09:57, Andrei Borzenkov wrote:

> 
> There was proposed patch that stored secret in environment variable that
> was later used by loader (I think; I am not sure whether loader part was
> actually implemented). Search this list for subject
> 
> Patch to support GELI passphrase passthrough
> 
> from Kris Moore (October 2014)

That was the old method, which was replaced by the new key intake
metadata.  The old way is still supported for the time being, but may be
phased out eventually.

