BSDCan 2016
The Technical BSD Conference
Speakers | |
---|---|
Allan Jude | |

Schedule | |
---|---|
Day | Talks #2 - 11 June - 2016-06-11 |
Room | DMS 1120 |
Start time | 11:15 |
Duration | 01:00 |

Info | |
---|---|
ID | 674 |
Event type | Lecture |
Track | Security |
Language used for presentation | English |

Booting from Encrypted Disks on FreeBSD
GELI in the boot code
FreeBSD has supported disk encryption with GBDE and GELI since 2002 and 2005 respectively. However, booting the system required storing the loader and kernel unencrypted so that the requisite GEOM module could be loaded to handle decryption. This became a significantly larger stumbling block with the introduction of ZFS, as having multiple separate partitions detracts from the advantages of ZFS and also causes headaches when upgrading the operating system. With the growing popularity of ZFS Boot Environments, a solution was needed that allowed the kernel and loader to remain part of the primary file system, even if it was encrypted. This paper provides an overview of the design of the GELI-enabled boot code and loader, as well as the numerous challenges encountered during their development.
A walk through the tale of woe that was implementing support for GELI in the FreeBSD bootcode and loader. Hear the story of a very junior developer persisting through countless complications and roadblocks to finally arrive at working code. Learn just how complicated it is to boot a computer, and how much worse it can get. In the end, we are left with working ZFS Boot Environments, even with fully encrypted pools.
Overview:
The x86 boot process
MBR
GPT
Investigation Stage
Initial Implementation
Roadblocks
Dealing with UFS
Overcoming Limits
Adding More Encryption
Password Caching