ZFS and GPT boot - size issue bootblock v.s. default of sysinstall
Dirk-Willem van Gulik
dirkx at webweaving.org
Fri Dec 30 18:36:40 UTC 2016

> On 30 Dec 2016, at 19:25, Allan Jude <allanjude at freebsd.org> wrote:
>> 
>>> The other option is to rebuild gptzfsboot without GELI support, and then
>>> it will be under 64 KB.
>> 
>> Unfortunately - we rather rely on GELI and PKCS#11.
> 
> This would only apply to gptzfsboot, the new feature I introduced in
> 11.0 that allows you to have even the /boot directory encrypted (rather
> than having an unencrypted ufs partition, or a 2nd zpool that is not
> encrypted).
> 
> If you are upgrading from 10.x or earlier, you can use gptzfsboot
> without GELI, since it didn't exist before.
Ah - good to know. Thanks for that!

We’re not quite there yet - as we need a modicum of PKCS#11 to negotiate with the TPM (or, on low-end archive machines, a USB smartcard/token) - i.e. a tad beyond geli_passphrase().

Dw.