NetBSD-Users archive


Re: installation on UEFI system w/ encrypted filesystem



Tiago Seco wrote:
> Hello,
> 
> I've been trying to install NetBSD on a UEFI system with encrypted root.
> ...
> When booting the system, it is not trying to boot from hd0c, but from hd0a.

If you intend to use cgdroot.kmod, the system should create an md(4)
disk and boot from it rather than hd0. When loaded, cgdroot.kmod
should take care of it.

> As far as I can tell, this is the first indication that I did something wrong,
> since I specified in /EFI/boot/boot.cfg that it should load netbsd from hd0c.
> 
> I can specify:
> > load hd0c:/EFI/boot/cgdroot.kmod
> > boot hd0c:/EFI/boot/netbsd

Are you on amd64 or aarch64? IIRC, the load command doesn't work on
aarch64 in efi boot.

> The system does try to boot, but fails trying to exec /sbin/init.

The system should load an image which contains /sbin/init and other
tools required to decrypt a real root.

> gpt destroy wd0
> gpt create wd0
> gpt add -a 2m -l "netbsd-cgd" -t ffs -s 236g wd0
> gpt add -a 2m -l "swap" -t swap -s 2g wd0
> gpt add -a 2m -l "EFI system" -t efi wd0
> 
> EFI=`dkctl wd0 listwedges | grep msdos| cut -d':' -f1`
> CGD=`dkctl wd0 listwedges | grep 'netbsd-cgd'| cut -d':' -f1`
> SWAP=`dkctl wd0 listwedges | grep 'swap'| cut -d':' -f1`
> 
> newfs_msdos -F 16 /dev/r$EFI
> mount -t msdos /dev/$EFI /mnt
> mkdir -p /mnt/EFI/boot
> cp /usr/mdec/*.efi /mnt/EFI/boot
> 
> cgdconfig -g -V disklabel -o /mnt/EFI/boot/cgd.cfg aes-cbc 256
> cgdconfig -V re-enter cgd0 /dev/$CGD /mnt/EFI/boot/cgd.cfg

cgdroot.kmod looks for a gpt label "cgd.conf" and it expects
to find a file "cgd.conf" in its root.

In your case, you can rename "EFI system" to "cgd.conf" and copy
cgd.conf to /mnt.

-- 
Alex
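
A preflight check for the layout described in the reply above, as an added example that is not part of the original message or of NetBSD. The function names and the sample wedge listing are constructed, and the `dkctl listwedges` line format is an assumption stated in the comments.

```sh
#!/bin/sh
# Assumption: `dkctl <disk> listwedges` prints one line per wedge of the form
#   dkN: <label>, <n> blocks at <offset>, type: <type>

# Print the dk device whose GPT label equals $1 exactly (listwedges text on stdin).
# Exact matching matters here: grep 'cgd' would hit both "netbsd-cgd" and "cgd.conf".
wedge_by_label() {
    awk -v want="$1" '
        /^dk[0-9]+: / {
            dev = $1; sub(/:$/, "", dev)
            label = $0
            sub(/^dk[0-9]+: /, "", label)
            sub(/, [0-9]+ blocks at .*$/, "", label)
            if (label == want) { print dev; found = 1; exit }
        }
        END { exit !found }'
}

# $1 = captured listwedges text, $2 = directory where the "cgd.conf" wedge is mounted.
# Returns 0 and prints the wedge device when both conditions from the reply hold.
check_cgdroot_layout() {
    dev=$(printf '%s\n' "$1" | wedge_by_label cgd.conf) || {
        echo "no wedge labelled cgd.conf" >&2; return 1; }
    [ -s "$2/cgd.conf" ] || {
        echo "$dev mounted at $2 has no cgd.conf in its root" >&2; return 2; }
    echo "$dev"
}

# Constructed sample listings (sizes invented): before and after renaming the
# "EFI system" wedge to "cgd.conf".
SAMPLE_BEFORE='/dev/rwd0: 3 wedges:
dk0: netbsd-cgd, 494927872 blocks at 4096, type: ffs
dk1: swap, 4194304 blocks at 494931968, type: swap
dk2: EFI system, 1155072 blocks at 499126272, type: msdos'
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/^dk2: EFI system,/dk2: cgd.conf,/')
```

On a live system the first argument would be the output of `dkctl wd0 listwedges` and the second the mount point of the renamed wedge (`/mnt` in the quoted commands).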

