Add EFI refactoring GELI support report from eric@metricspace.net.

While here, fix a typo. Reviewed by: wblock@freebsd.org Sponsored by: iXsystems
svn path=/head/; revision=49024
2016-07-01 14:29:08 +00:00 · 2016-07-01 14:29:08 +00:00 · f1910e8d16 · 2020-12-08 03:00:23 +00:00
commit f1910e8d16
parent e9d2697525
1 changed files with 126 additions and 1 deletions
--- a/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml
+++ b/en_US.ISO8859-1/htdocs/news/status/report-2016-04-2016-06.xml
@ -102,7 +102,7 @@
 	final release.</p>

      <p>The &os;&nbsp;11.0-RELEASE cycle started late May, one month
-	behind the orignal schedule.  The schedule slip was primarily
+	behind the original schedule.  The schedule slip was primarily
 	to accommodate for packaging the &os; base system with the
 	<tt>pkg(8)</tt> utility.  However, as work on this progressed,
 	it became apparent that there were too many outstanding
@ -326,4 +326,129 @@
 	report issues.</task>
    </help>
  </project>
+
+  <project cat='proj'>
+    <title>EFI Refactoring, GELI Support</title>
+
+    <contact>
+      <person>
+	<name>
+	  <given>Eric</given>
+	  <common>McCorkle</common>
+	</name>
+	<email>eric@metricspace.net</email>
+      </person>
+    </contact>
+
+    <links>
+      <url href="https://github.com/emc2/freebsd/tree/geli_efi">GELI Support Branch</url>
+      <url href="https://github.com/emc2/freebsd/tree/efize">EFI Refactoring Branch</url>
+    </links>
+
+    <body>
+      <p>The EFI bootloader has undergone considerable refactoring to
+	make more use of the EFI API.  The filesystem code in
+	<tt>boot1</tt> has been eliminated, and a single codebase for
+	filesystems now serves both <tt>boot1</tt> and
+	<tt>loader</tt>.  This codebase is organized around the EFI
+	driver model and it should be possible to export any
+	filesystem implementation as a standalone EFI driver without
+	too much effort.</p>
+
+      <p>Both <tt>boot1</tt> and <tt>loader</tt> have been refactored
+	to talk through the <tt>EFI_SIMPLE_FILE_SYSTEM</tt> interface.
+	In <tt>loader</tt>, this is accomplished with a dummy
+	filesystem driver that is just a translation layer between the
+	<tt>loader</tt> filesystem interface and
+	<tt>EFI_SIMPLE_FILE_SYSTEM</tt>.  A reverse translation layer
+	allows the existing filesystem drivers to function as EFI
+	drivers.</p>
+
+      <p>The EFI refactoring by itself exists in
+	<a href="https://github.com/emc2/freebsd/tree/efize">this branch</a>.</p>
+
+      <p>Additionally, GELI support has been added using the EFI
+	refactoring.  This allows booting from a GELI-encrypted
+	filesystem.  Note that the EFI system partition, which
+	contains <tt>boot1</tt>, must be a plaintext msdosfs
+	partition.  This patch adds an intake buffer to the crypto
+	framework, which allows injection of keys directly into a
+	loaded kernel, without the need to pass them through
+	arguments or environment variables.  This patch only uses the
+	intake buffer for EFI GELI support as legacy BIOS GELI support
+	still uses environment variables.</p>
+
+      <p>EFI GELI support depends on the
+	<a href="https://github.com/emc2/freebsd/tree/geli_efi">efize branch</a>.</p>
+
+      <p>These patches have been tested and used and should be able
+	to handle use by early adopters.  Note that the
+	<tt>LOADER_PATH</tt> variable has been changed to
+	<tt>/boot/loader.tst</tt>, to facilitate safe testing.</p>
+
+      <strong>IMPORTANT:</strong>
+
+      <p>As this is an encrypted filesystem patch, an error can
+	potentially leave data inaccessible.  It is
+	<em>strongly</em> recommended to use the following procedure
+	for testing:</p>
+
+      <ol>
+	<li>
+	  <p>Back up your data!</p>
+	</li>
+
+	<li>
+	  <p>Do not forget to back up your data!</p>
+	</li>
+
+	<li>
+	  <p>Install an EFI shell on the ESP.</p>
+	</li>
+
+	<li>
+	  <p>Install the patched <tt>boot1</tt> on the ESP to
+	    something like <tt>/boot/efi/BOOTX64.TST</tt>.</p>
+	</li>
+
+	<li>
+	  <p>Install the patched loader to <tt>/boot/loader.tst</tt>
+	    on your machine.</p>
+	</li>
+
+	<li>
+	  <p>Create a GELI partition outside of the normal boot
+	    partition.</p>
+	</li>
+
+	<li>
+	  <p>First, try booting <tt>/boot/efi/BOOTX64.TST</tt> and
+	    make sure it properly handles the encrypted partition.</p>
+	</li>
+
+	<li>
+	  <p>Copy a boot environment, including the patched loader, to
+	    the encrypted partition.</p>
+	</li>
+
+	<li>
+	  <p>Use the loader prompt to load a kernel from the encrypted
+	    partition.</p>
+	</li>
+
+	<li>
+	  <p>Try switching over to an encrypted main partition once
+	    everything else has worked.</p>
+	</li>
+      </ol>
+    </body>
+
+    <help>
+      <task>Testing is needed.</task>
+
+      <task>Code will need review and some <tt>style(9)</tt>
+	normalization must occur before this code goes into
+	FreeBSD.</task>
+    </help>
+  </project>
 </report>