Pre-boot authentication / geli-aware bootcode

Robert Simmons rsimmons0 at gmail.com
Fri Jun 15 20:41:41 UTC 2012


On Fri, Jun 15, 2012 at 4:24 PM, Pawel Jakub Dawidek <pjd at freebsd.org> wrote:
> On Fri, Jun 15, 2012 at 04:22:18PM -0400, Robert Simmons wrote:
>> On Fri, Jun 15, 2012 at 5:31 AM, Alaksiej Carniajeu <ac at belngo.info> wrote:
>> > Hi,
>> >
>> > It's not possible. But, you could have your /boot on a bootable
>> > USB stick, together with some keyfiles, and start from it. From a
>> > security point of view, it is even better than the whole drive
>> > encryption TrueCrypt offers, because the former relies on password
>> > only.
>>
>> This is what I thought.  Now, if I wanted to add this functionality, I
>> would need to modify:
>> /head/sys/boot/i386/pmbr/pmbr.s
>> and
>> /head/sys/boot/i386/gptboot/gptboot.c
>
> I'd leave pmbr.s alone, it is definitely too early to play with
> decryption. You need to modify gptboot and loader for UFS or gptzfsboot
> and zfsloader for ZFS.

All of the decryption work is handled by the geom_eli kernel module,
correct?  I would assume that looking at the code in
/head/sys/geom/eli
and seeing how it's done there would be a good place to start.
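As an added example (not part of this thread and not FreeBSD's own code), the following script builds the pieces of the "/boot on a removable stick plus keyfile" layout that the earlier reply describes: it creates a root-only keyfile, emits the loader.conf(5) lines that make the loader preload that keyfile for the encrypted provider, and checks that the keyfile's permissions do not leak it. The device name ada0p2, the paths and the 64-byte key size are assumptions; the geom_eli_load and geli_<dev>_keyfile0_* variable names are the ones documented in geli(8). The geli init command is printed, not run, so the script can be read and tested without touching a real disk.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeBSD tree.
# Assumed names: provider ada0p2, keyfile /boot/keys/ada0p2.key.
set -eu

# gen_keyfile DEST: create a 64-byte random keyfile readable only by its owner.
gen_keyfile() {
    dest=$1
    umask 077
    dd if=/dev/random of="$dest" bs=64 count=1 2>/dev/null
    chmod 0400 "$dest"
}

# gen_loader_conf DEV KEYPATH: print the loader.conf(5) lines that load
# geom_eli and preload the keyfile for DEV so the kernel can attach it.
gen_loader_conf() {
    dev=$1
    key=$2
    printf 'geom_eli_load="YES"\n'
    printf 'geli_%s_keyfile0_load="YES"\n' "$dev"
    printf 'geli_%s_keyfile0_type="%s:geli_keyfile0"\n' "$dev" "$dev"
    printf 'geli_%s_keyfile0_name="%s"\n' "$dev" "$key"
}

# check_keyfile PATH: print "ok" when the keyfile exists, is non-empty and
# has no group/other permission bits; otherwise print why it fails.
# Uses ls(1) so it works on both FreeBSD and Linux.
check_keyfile() {
    f=$1
    [ -s "$f" ] || { echo "missing"; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo "ok"
        return 0
    fi
    echo "too-open"
    return 1
}

# geli_init_cmd DEV KEYPATH: the geli(8) command that would initialise DEV
# with a 256-bit key derived from the keyfile (printed only, never run here).
geli_init_cmd() {
    printf 'geli init -B none -K %s -l 256 /dev/%s\n' "$2" "$1"
}

# Demo run in a scratch directory standing in for the stick's /boot.
stick=$(mktemp -d)
mkdir -p "$stick/keys"
gen_keyfile "$stick/keys/ada0p2.key"
echo "keyfile check: $(check_keyfile "$stick/keys/ada0p2.key")"
gen_loader_conf ada0p2 /boot/keys/ada0p2.key > "$stick/loader.conf"
cat "$stick/loader.conf"
echo "next step (run by hand on the real machine):"
geli_init_cmd ada0p2 /boot/keys/ada0p2.key
rm -rf "$stick"
```

The point of the check_keyfile step is that a keyfile on the stick is only as strong as its file permissions and the physical custody of the stick; the loader variables tell the kernel where the key lives, they do not protect it.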

