Re: Integrating a FreeBSD/GELI change
On 04/01/2017 09:57, Andrei Borzenkov wrote:
>
> There was proposed patch that stored secret in environment variable that
> was later used by loader (I think; I am not sure whether loader part was
> actually implemented). Search this list for subject
>
> Patch to support GELI passphrase passthrough
>
> from Kris Moore (October 2014)

That was the old method, which was replaced by the new key intake
metadata. The old way is still supported for the time being, but may be
phased out eventually.

___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Re: Integrating a FreeBSD/GELI change
01.04.2017 15:57, Eric McCorkle wrote:
> Hello,
>
> I've been working on a series of changes designed to expand FreeBSD's
> full-disk encryption support via GELI (its preferred disk encryption
> mechanism). One of the important parts of this landed in HEAD last night:
>
> https://github.com/freebsd/freebsd/commit/6a205a32527153697eb4df4114ff0cd3c7cd6fd8
>
> This adds a general mechanism for passing keys into the FreeBSD kernel
> at boot. At present, this is used exclusively by the GELI subsystem.
>
> FreeBSD currently supports full-disk encryption for i386 BIOS. I am
> actively working on EFI support and would like to make sure that GRUB
> also supports full-disk encryption as well (as GRUB is our best option
> for a coreboot setup).
>
>
> Basically, to add support for this, I'd need to do two things:
>
> 1) Ensure that GRUB can handle an entirely GELI-encrypted disk hosting a
> FreeBSD system (I suspect it can, but I've never done a GRUB/GELI setup
> before)
>
> 2) An additional metadata item needs to get generated when booting the
> FreeBSD kernel that contains all the GELI keys. (For those who don't
> know, FreeBSD has a kernel metadata mechanism that is used to pass some
> information into the kernel: for example, the EFI console on EFI, some
> BIOS information on i386 BIOS, and so on)
>
>
> I've never submitted a patch to GRUB before, so I'm interested in 1) how
> hard would this be,

I suppose like with any other software project of reasonable size.

> 2) where should I look in the source code, and

GELI is in grub-core/disk/geli.c, generic framework for device
encryption (which GELI plugs in) in grub-core/disk/cryptodisk.c and
FreeBSD loader in grub-core/loader/i386/bsd*.

There was proposed patch that stored secret in environment variable that
was later used by loader (I think; I am not sure whether loader part was
actually implemented). Search this list for subject

Patch to support GELI passphrase passthrough

from Kris Moore (October 2014)

> 3) what is the procedure for submitting patches like this?
>

Just send patches to this list. Better inline using git send-email to
make it easier to comment.

Integrating a FreeBSD/GELI change
Hello,

I've been working on a series of changes designed to expand FreeBSD's
full-disk encryption support via GELI (its preferred disk encryption
mechanism). One of the important parts of this landed in HEAD last night:

https://github.com/freebsd/freebsd/commit/6a205a32527153697eb4df4114ff0cd3c7cd6fd8

This adds a general mechanism for passing keys into the FreeBSD kernel
at boot. At present, this is used exclusively by the GELI subsystem.

FreeBSD currently supports full-disk encryption for i386 BIOS. I am
actively working on EFI support and would like to make sure that GRUB
also supports full-disk encryption as well (as GRUB is our best option
for a coreboot setup).

Basically, to add support for this, I'd need to do two things:

1) Ensure that GRUB can handle an entirely GELI-encrypted disk hosting a
FreeBSD system (I suspect it can, but I've never done a GRUB/GELI setup
before)

2) An additional metadata item needs to get generated when booting the
FreeBSD kernel that contains all the GELI keys. (For those who don't
know, FreeBSD has a kernel metadata mechanism that is used to pass some
information into the kernel: for example, the EFI console on EFI, some
BIOS information on i386 BIOS, and so on)

I've never submitted a patch to GRUB before, so I'm interested in 1) how
hard would this be, 2) where should I look in the source code, and 3)
what is the procedure for submitting patches like this?

Best,
Eric