NetBSD-Users archive


Re: installation on UEFI system w/ encrypted filesystem



Hello,

I've been trying to re-install with some of the instructions provided, but sadly
to no avail.

> Are you on amd64 or aarch64? IIRC, load command doesn't work on
> aarch64 in efi boot.

I'm on amd64.

> In your case, you can rename "EFI system" to "cgd.conf" and copy
> cgd.conf to /mnt.

I've tried to accommodate for this in my new attempts.

What I'm trying to do now is have a separate boot partition, as can be seen
from the commands below, however I now get a 'loading hd0c:cgdroot.kmod FAILED'
error.
In addition to this, I am now using both cgd.conf and wd0a.conf files for
cgd configuration.

If I uncompress the sets to $BOOT, I do end up with a bootable system, so I
believe the problem lies in the cgd configuration, and/or cgdroot.kmod (since
I'm not even prompted for a password ever, and not so much on the EFI part of
the setup).

If anyone can shed any light on what I'm doing wrong it would be greatly
appreciated.

Please note, with regard to the boot.cfg file, I also tried:
* load /cgdroot.kmod
* load hd0c:/cgdroot.kmod
* load hd0c:cgdroot.kmod

Following are the instructions I'm following:
---

gpt destroy wd0
gpt create wd0
gpt add -a 2m -l "netbsd-cgd" -t ffs -s 234g wd0
gpt add -a 2m -l "swap" -t swap -s 2g wd0
gpt add -a 2m -l "cgd.conf" -t ffs -s 2g wd0
gpt add -a 2m -l "EFI system" -t efi wd0

EFI=`dkctl wd0 listwedges | grep msdos| cut -d':' -f1`
CGD=`dkctl wd0 listwedges | grep 'netbsd-cgd'| cut -d':' -f1`
BOOT=`dkctl wd0 listwedges | grep 'cgd.conf'| cut -d':' -f1`
SWAP=`dkctl wd0 listwedges | grep 'swap'| cut -d':' -f1`

newfs_msdos -F 16 /dev/r$EFI
mount -t msdos /dev/$EFI /mnt
mkdir -p /mnt/EFI/boot
cp /usr/mdec/*.efi /mnt/EFI/boot

newfs -O 2  $BOOT

mkdir /mnt_boot
mount /dev/$BOOT /mnt_boot
mkdir -p /mnt_boot/etc/cgd/
mkdir /mnt_root/altroot
touch /mnt_boot/etc/entropy-file

cgdconfig -g -V disklabel -o /mnt_boot/etc/cgd/wd0a.conf aes-cbc 256
cgdconfig -V re-enter cgd0 /dev/$CGD /mnt_boot/etc/cgd/wd0a.conf
echo 'cgd wd0a' > /mnt_boot/etc/cgd/cgd.conf

# since I'm unsure where cgd.conf should reside, I'm copying it to the root
cp /mnt_boot/etc/cgd.conf /mnt_boot #unsure where cgd.conf should reside
newfs /dev/rcgd0a

cp /amd64/installation/miniroot/cgdroot.kmod /mnt_boot
cp /usr/mdec/boot /mnt_boot

swapon /dev/$SWAP
mount /dev/cgd0a /mnt2
for D in var usr home; do mkdir /mnt2/$D; done
cd /mnt2
for set in kern-GENERIC base comp etc games man misc modules tests text xbase xcomp xetc xfont xserver; do
tar -xzpf /amd64/binary/sets/$set.tar.xz
done

cd /mnt_boot
for set in kern-GENERIC; do
tar -xzpf /amd64/binary/sets/$set.tar.xz
done


cat > /mnt_boot/boot.cfg << EOF
menu=Boot normally:rndseed /etc/entropy-file;load /cgdroot.kmod;boot /netbsd
EOF

installboot -vf /dev/r$BOOT /mnt2/usr/mdec/bootxx_ffsv2

cd /mnt2/dev
sh MAKEDEV all

cd /mnt2
mkdir kern
mkdir proc
mount_kernfs  kernfs   /mnt2/kern
mount_procfs  procfs   /mnt2/proc
mount_tmpfs  tmpfs   /mnt2/var/shm
mount_ptyfs  ptyfs   /mnt2/dev/pts
chroot  /mnt2 su -

cat > /etc/fstab << EOF
/dev/cgd0a              /       ffs     rw               1 1
/dev/wd0b               none    swap    sw,dp            0 0
kernfs                  /kern   kernfs  rw
ptyfs                   /dev/pts        ptyfs   rw
procfs                  /proc   procfs  rw
tmpfs                   /var/shm        tmpfs   rw,-m1777,-sram%25
EOF

echo "export LANG=\"en_US.UTF-8\"" >> /etc/profile
echo "export LC_CTYPE=\"en_US.UTF-8\"" >> /etc/profile
echo "export LC_ALL=\"\"" >> /etc/profile

echo 'cgd=YES' > /etc/rc.conf

exit
reboot

---

/ts


On Sun, May 19, 2019, at 1:51 PM, Alexander Nasonov wrote:
> Tiago Seco wrote:
> > Hello,
> > 
> > I've been trying to install NetBSD on a UEFI system with encrypted root.
> > ...
> > When booting the system, it is not trying to boot from hd0c, but from hd0a.
> 
> If you intend to use cgdroot.kmod, the system should create a md(4)
> disk and boot from it rather than hd0. When loaded, cgdroot.kmod
> should take care of it.
> 
> > As far as I can tell, this is the first indication that I did something wrong,
> > since I specified in /EFI/boot/boot.cfg that it should load netbsd from hd0c.
> > 
> > I can specify:
> > > load hd0c:/EFI/boot/cgdroot.kmod
> > > boot hd0c:/EFI/boot/netbsd
> 
> Are you on amd64 or aarch64? IIRC, load command doesn't work on
> aarch64 in efi boot.
> 
> > The system does try to boot, but fails trying to exec /sbin/init.
> 
> The system should load an image which contains /sbin/init and other
> tools required to decrypt a real root.
> 
> > gpt destroy wd0
> > gpt create wd0
> > gpt add -a 2m -l "netbsd-cgd" -t ffs -s 236g wd0
> > gpt add -a 2m -l "swap" -t swap -s 2g wd0
> > gpt add -a 2m -l "EFI system" -t efi wd0
> > 
> > EFI=`dkctl wd0 listwedges | grep msdos| cut -d':' -f1`
> > CGD=`dkctl wd0 listwedges | grep 'netbsd-cgd'| cut -d':' -f1`
> > SWAP=`dkctl wd0 listwedges | grep 'swap'| cut -d':' -f1`
> > 
> > newfs_msdos -F 16 /dev/r$EFI
> > mount -t msdos /dev/$EFI /mnt
> > mkdir -p /mnt/EFI/boot
> > cp /usr/mdec/*.efi /mnt/EFI/boot
> > 
> > cgdconfig -g -V disklabel -o /mnt/EFI/boot/cgd.cfg aes-cbc 256
> > cgdconfig -V re-enter cgd0 /dev/$CGD /mnt/EFI/boot/cgd.cfg
> 
> cgdroot.kmod looks for a gpt label "cgd.conf" and it expects
> to find a file "cgd.conf" in its root.
> 
> In your case, you can rename "EFI system" to "cgd.conf" and copy
> cgd.conf to /mnt.
> 
> -- 
> Alex
>
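
A pre-reboot check for the two conditions stated in the quoted reply (a GPT label "cgd.conf", and a file "cgd.conf" in the root of that partition), as an added example that is not part of the original thread. The function names and the sample `dkctl wd0 listwedges` output are constructed, and the output layout (`dkN: label, N blocks at N, type: T`) is an assumption.

```shell
# Constructed sample of `dkctl wd0 listwedges` output (not from the thread).
sample_wedges() {
cat <<'EOF'
/dev/rwd0: 4 wedges:
dk0: netbsd-cgd, 490733568 blocks at 4096, type: ffs
dk1: swap, 4194304 blocks at 490737664, type: swap
dk2: cgd.conf, 4194304 blocks at 494931968, type: ffs
dk3: EFI system, 5230592 blocks at 499126272, type: msdos
EOF
}

# wedge_by_label LABEL: read listwedges output on stdin and print the dkN
# whose label equals LABEL exactly. A plain grep also matches substrings
# and the "type:" column, so labels are compared as whole strings here.
wedge_by_label() {
    awk -v want="$1" '
        /^dk[0-9]+: / {
            dev = $0;   sub(/:.*/, "", dev)
            label = $0; sub(/^dk[0-9]+: /, "", label)
            sub(/, [0-9]+ blocks at [0-9]+, type: .*$/, "", label)
            if (label == want) { print dev; found = 1; exit }
        }
        END { exit !found }'
}

# check_cgdroot_layout MOUNTPOINT: listwedges output on stdin; MOUNTPOINT is
# where the partition labelled "cgd.conf" is mounted. Prints the wedge name
# on success; returns 1 if the label is missing, 2 if the file is not in
# the partition root (and lists any copies found deeper in the tree).
check_cgdroot_layout() {
    dev=$(wedge_by_label "cgd.conf") || {
        echo "no wedge labelled cgd.conf" >&2; return 1; }
    if [ ! -s "$1/cgd.conf" ]; then
        echo "$dev: no cgd.conf in the root of $1" >&2
        find "$1" -mindepth 2 -name cgd.conf -exec echo "  found instead: {}" \; >&2
        return 2
    fi
    echo "$dev"
}

# On the install system: dkctl wd0 listwedges | check_cgdroot_layout /mnt_boot
sample_wedges | wedge_by_label "EFI system"
```
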

