Solved Can't boot from encrypted partition.

N

natharan

Hello, FreeBSD community.

I need help with booting from an encrypted partition. Until now, my EFI machine booted from an unencrypted ZFS, while the rest of the system resided on an encrypted ZFS. The layout was like this:
Code: 
/dev/ada0
     |- /dev/ada0p1 (efi, 800k)
     |- /dev/ada0p2 (freebsd-zfs, 1G)
     |- /dev/ada0p3 (freebsd-zfs, geli-encrypted, 931G)

That worked OK. Since FreeBSD >= 11.0 should be able to boot an entirely encrypted system (let alone the EFI loader, of course), I'd like to get to that point (installing 11.1-RELEASE on amd64). So I create my layout like this:
Code: 
gpart create -s gpt /dev/ada0
gpart add -t efi -l efi -s 800k /dev/ada0
gpart add -t freebsd-zfs -l system /dev/ada0
dd if=/boot/boot1.efifat of=/dev/ada0p1
geli init -g -l 256 -s 4096 /dev/ada0p2

So the only difference is that there is no separate partition for /boot and the ZFS partition is encrypted with geli init -g rather than geli init -b.

The new layout is then:
Code: 
/dev/ada0
  |- /dev/ada0p1 (efi, 800k)
  |- /dev/ada0p2 (freebsd-zfs, geli-encrypted, 931G)

After that, I install the system as usual, in the way it's always worked.

geli() says:
geli said:
-g
Enable booting from this encrypted root
filesystem. The boot loader prompts for the
passphrase and loads loader() from the
encrypted partition.
Click to expand...

The problem is, that it doesn't. When the EFI loader starts, it says it can't find any UFS or ZFS partitions, thus no /boot/loader.efi and ends with:
BOOTX64.EFI said:
panic: No bootable partitions found
Click to expand...

I have no idea what steps I missed.

Thank you for any advice.
 
OK, I experimented a little and now I can reply to myself :).

The EFI bootloader (meaning the BOOTX64.EFI) is not yet capable of unlocking an encrypted device. Either that or the function is not implemented correctly.

I went through the steps I described in post #1 while temporarily switching my motherboard to CSM mode. The only other difference being:
Code: 
/dev/ada0
  |- /dev/ada0p1 (freebsd-boot, 128K)
and a bootcode written to the device.

The bootloader asked for the password, unlocked the second partition, loaded loader() and the machine booted OK. So it's definitely the EFI bootloader.

One other thing is weird, though. The geli() states:
Code: 
geli init [-bgPTv] ...
However, both -b AND -g options can and probably even have to be given at the same time. I created the geli container with -g only and the boot process crashed when looking for the ZFS pool "root", stating there is none. After adding the -b via geli configure -b /dev/ada0p2 it works OK. The bootloader gives some strange error (didn't catch it, sorry) but succeeds in unlocking the partition anyway. So it should probably be corrected to
Code: 
geli init [-bPTv][-g] ...

Does anybody know whether it works for EFI in 11.1-STABLE?
 
Hi again,

just to make the information here complete, I attach a reply I got from the freebsd-questions mailing list:

Kyle Evans kevans at freebsd.org said:
I can't speak to the rest of your observations, but indeed this isn't
supported with the EFI loader at the moment- there's work in progress
on head towards a model where this can work, but unfortunately we're
still not there yet.
Click to expand...
 
You must log in or register to reply here.
Back
Top