Nevermind! I set the "-g" flag on the provider and.... voila. Up she comes; the loader figured out that it had to prompt for the password and it was immediately good.
Now THAT'S easy compared with the convoluted BS I had to do (two partitions, fully "by-hand" install, etc.) for 11 on my X220.

Off to the races I go; now I have to figure out what I have to set in Windows group policy so Bitlocker doesn't throw up every time I boot FreeBSD (this took a bit with my X220 since the boot manager tickled something that Bitlocker interpreted as "someone tampered with the system.") Maybe this will be a nothingburger too (which would be great if true.)

I'm going to write this one up when I've got it all solid and post it on my blog; hopefully it will help others.

On 1/26/2019 14:26, Karl Denninger wrote:
> 1/26/2019 14:10, Warner Losh wrote:
>>
>> On Sat, Jan 26, 2019 at 1:01 PM Karl Denninger <[email protected]> wrote:
>>
>>     Further question.... does boot1.efi (which I assume has to be placed on
>>     the EFI partition and then something like rEFInd can select it) know how
>>     to handle a geli-encrypted primary partition (e.g. for root/boot so I
>>     don't need an unencrypted /boot partition), and if so how do I tell it
>>     that's the case and to prompt for the password?
>>
>> Not really. The whole reason we ditched boot1.efi is because it is
>> quite limited in what it can do. You must use loader.efi for that.
>>
>>     (If not I know how to set up for geli-encryption using a non-encrypted
>>     /boot partition, but my understanding is that for 12 the loader was
>>     taught how to handle geli internally and thus you can now install 12 --
>>     at least for ZFS -- with encryption on root. However, that wipes the
>>     disk if you try to select it in the installer, so that's no good -- and
>>     besides, on a laptop zfs is overkill.)
>>
>> For MBR stuff, yes. For loader.efi, yes. For boot1.efi, no: it did not
>> and will not grow that functionality.
>>
>> Warner
>
> Ok, next dumb question -- can I put loader.efi in the EFI partition
> under EFI/FreeBSD as "bootx64.efi" there (from reading mailing list
> archives that appears to be yes -- just copy it in) and, if yes, how do
> I "tell" it that when it finds the freebsd-ufs partition on the disk it
> was started from (which, if I'm reading correctly, it will scan and look
> for) that it needs to geli attach the partition before it digs into there
> and finds the rest of what it needs to boot?
>
> That SHOULD allow me to use an EFI boot manager to come up on initial
> boot, select FreeBSD and the loader.efi (named as bootx64.efi in
> EFI/FreeBSD) code will then boot the system.
>
> I've looked at the 12-RELEASE man page(s) and it's not obvious how you
> tell the loader to look for the partition and then attach it via GELI
> (prompting for the password of course) before attempting to boot it;
> obviously a "load" directive (e.g. geom_eli_load="YES") makes no sense
> as the thing you'd "load" is on the disk you'd be loading it from and
> it's encrypted... never mind that loader.conf violates the 8.3 filename
> rules for a DOS filesystem.
>
> Thanks!
>
> --
> Karl Denninger
> [email protected]
> /The Market Ticker/
> /[S/MIME encrypted email preferred]/
