Can't boot from encrypted partition

Petr Hejl petr.hejl at freedev.cz
Thu Mar 15 23:20:59 UTC 2018


OK, I experimented a little and now I can reply to myself :).

The EFI bootloader (meaning the BOOTX64.EFI) is not yet capable of
unlocking an encrypted device. Either that or the function is not
implemented correctly.

I went through the steps I described earlier while temporarily switching
my motherboard to CSM mode. The only other difference being:

/dev/ada0
  |- /dev/ada0p1 (freebsd-boot, 128K)

and a bootcode written to the device.

The bootloader asked for the password, unlocked the second partition,
loaded the loader and the machine booted OK. So it's definitely the EFI
bootloader.

One other thing is weird, though. The geli manpage states:

geli init [-bgPTv] ...

However, both -b AND -g options can and probably even have to be given
at the same time. I created the geli container with '-g' only and the
boot process crashed when looking for the ZFS pool "root", stating there
is none. After adding the '-b' via

geli configure -b /dev/ada0p2

it works OK. The bootloader gives some strange error (didn't catch it,
sorry) but succeeds in unlocking the partition anyway. So I'm guessing
it should probably be corrected to

geli init [-bPTv][-g] ...

Does anybody know whether it works for EFI in 11.1-STABLE?

Thank you.

> Hello, FreeBSD community.
> 
> I need help with booting from an encrypted partition. Until now, my EFI
> machine booted from an unencrypted ZFS, while the rest of the system
> resided on an encrypted ZFS. The layout was like this:
> 
> /dev/ada0
>   |- /dev/ada0p1 (efi, 800k)
>   |- /dev/ada0p2 (freebsd-zfs, 1G)
>   |- /dev/ada0p3 (freebsd-zfs, geli-encrypted, 931G)
> 
> That worked OK. Since FreeBSD >= 11.0 should be able to boot an entirely
> encrypted system (let alone the EFI loader, of course), I'd like to get
> to that point (installing 11.1-RELEASE on amd64). So I create my layout
> like this:
> 
> gpart create -s gpt /dev/ada0
> gpart add -t efi -l efi -s 800k /dev/ada0
> gpart add -t freebsd-zfs -l system /dev/ada0
> dd if=/boot/boot1.efifat of=/dev/ada0p1
> geli init -g -l 256 -s 4096 /dev/ada0p2
> 
> So the only difference is that there is no separate partition for /boot
> and the ZFS partition is encrypted with 'geli init -g' rather than 'geli
> init -b'.
> 
> The new layout is then:
> 
> /dev/ada0
>   |- /dev/ada0p1 (efi, 800k)
>   |- /dev/ada0p2 (freebsd-zfs, geli-encrypted, 931G)
> 
> After that, I install the system as usual, in the way it's always worked.
> 
> geli manpage says:
> 
> " ...
> -g Enable booting from this encrypted root
> filesystem.  The boot loader prompts for the
> passphrase and loads loader from the
> encrypted partition.
> ..."
> 
> The problem is that it doesn't. When the EFI loader starts, it says it
> can't find any UFS or ZFS partitions, thus no /boot/loader.efi and ends
> with:
> 
> panic: No bootable partitions found
> 
> I have no idea what's wrong.
> 
> Thank you for any advice.
> 
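The following is an added example, not part of the thread and not FreeBSD's own tooling. It captures the two layouts discussed above (the EFI layout from the original post and the CSM/freebsd-boot layout from the reply) as a command generator, using `geli init -b -g` as the reply found necessary, and adds the check a practitioner would run afterwards: inspecting the `geli list` dump for both the BOOT (-b) and GELIBOOT (-g) flags. It assumes that `geli list` reports those flags on a `Flags:` line with exactly those names; the two dumps in the block are constructed samples, not captured output. The provisioning commands are printed, never executed, because they wipe the target disk.

```shell
#!/bin/sh
# Added example for the FreeBSD GELI boot thread. Emits the provisioning
# commands for an encrypted ZFS root in either layout and checks a
# "geli list" dump for the BOOT and GELIBOOT flags. Assumed, not taken
# from the thread: the "Flags:" line format and the flag names.

# Print (do not run) the layout commands. usage: layout_cmds efi|csm ada0
layout_cmds() {
    mode=$1
    disk=$2
    echo "gpart create -s gpt /dev/$disk"
    case "$mode" in
        efi)
            # EFI system partition carrying boot1.efifat (original post)
            echo "gpart add -t efi -l efi -s 800k /dev/$disk"
            echo "dd if=/boot/boot1.efifat of=/dev/${disk}p1"
            ;;
        csm)
            # legacy boot: freebsd-boot partition plus gptzfsboot (the reply)
            echo "gpart add -t freebsd-boot -l boot -s 128k /dev/$disk"
            echo "gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 /dev/$disk"
            ;;
        *)
            echo "usage: layout_cmds efi|csm disk" >&2
            return 1
            ;;
    esac
    echo "gpart add -t freebsd-zfs -l system /dev/$disk"
    # -b AND -g together, which is what the reply found to work
    echo "geli init -b -g -l 256 -s 4096 /dev/${disk}p2"
}

# Read a "geli list" dump on stdin; succeed only if the Flags: line
# lists both BOOT (-b) and GELIBOOT (-g).
geli_flags_ok() {
    flags=$(sed -n 's/^[[:space:]]*Flags:[[:space:]]*//p' | tr -d ' ')
    case ",$flags," in
        *,BOOT,*) ;;
        *) return 1 ;;
    esac
    case ",$flags," in
        *,GELIBOOT,*) return 0 ;;
    esac
    return 1
}

# Constructed sample dumps (assumed format) for a container created with
# "geli init -g" alone and for one with "-b -g".
SAMPLE_G_ONLY='Geom name: ada0p2.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: software
Version: 7
UsedKey: 0
Flags: GELIBOOT
KeysAllocated: 1
KeysTotal: 1'

SAMPLE_BOTH='Geom name: ada0p2.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: software
Version: 7
UsedKey: 0
Flags: BOOT, GELIBOOT
KeysAllocated: 1
KeysTotal: 1'

# Stand-alone run: show both command sets and check the two samples.
if [ "${0##*/}" != "sh" ] && [ -z "$GELI_EXAMPLE_NO_MAIN" ]; then
    layout_cmds efi ada0
    echo
    layout_cmds csm ada0
    echo
    printf '%s\n' "$SAMPLE_G_ONLY" | geli_flags_ok || echo "-g only: missing BOOT flag"
    printf '%s\n' "$SAMPLE_BOTH" | geli_flags_ok && echo "-b -g: flags OK"
fi
```

On a live system the check is `geli list ada0p2.eli | geli_flags_ok`; a missing flag is fixed in place with `geli configure -b /dev/ada0p2` or `geli configure -g /dev/ada0p2`, as the reply did, without re-encrypting.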
