Here's a write-up on it -- it was /much /simpler than I expected and unlike my X220 didn't require screwing with group policy for Bitlocker to coexist with a dual-boot environment.
https://market-ticker.org/akcs-www?post=234936 Feel free to grab/reproduce/link to/whatever; hope this helps others. It runs very nicely on 12-RELEASE -- the only thing I've noted thus far is the expected lack of 5g WiFi support. On 1/26/2019 15:04, Karl Denninger wrote: > Nevermind! > > I set the "-g" flag on the provider and.... voila. Up she comes; the > loader figured out that it had to prompt for the password and it was > immediately good. > > Now THAT'S easy compared with the convoluted BS I had to do (two > partitions, fully "by-hand" install, etc) for 11 on my X220. > > Off to the races I go; now I have to figure out what I have to set in > Windows group policy so Bitlocker doesn't throw up every time I boot > FreeBSD (this took a bit with my X220 since the boot manager tickled > something that Bitlocker interpreted as "someone tampered with the > system.") Maybe this will be a nothingburger too (which would be great > if true.) > > I'm going to write this one up when I've got it all solid and post it on > my blog; hopefully it will help others. > > On 1/26/2019 14:26, Karl Denninger wrote: >> 1/26/2019 14:10, Warner Losh wrote: >>> On Sat, Jan 26, 2019 at 1:01 PM Karl Denninger <[email protected] >>> <mailto:[email protected]>> wrote: >>> >>> Further question.... does boot1.efi (which I assume has to be >>> placed on >>> the EFI partition and then something like rEFInd can select it) >>> know how >>> to handle a geli-encrypted primary partition (e.g. for root/boot so I >>> don't need an unencrypted /boot partition), and if so how do I tell it >>> that's the case and to prompt for the password? >>> >>> >>> Not really. The whole reason we ditched boot1.efi is because it is >>> quite limited in what it can do. You must loader.efi for that. >>> >>> >>> (If not I know how to set up for geli-encryption using a non-encrypted >>> /boot partition, but my understanding is that for 12 the loader was >>> taught how to handle geli internally and thus you can now install >>> 12 -- >>> at least for ZFS -- with encryption on root. However, that wipes the >>> disk if you try to select it in the installer, so that's no good >>> -- and >>> besides, on a laptop zfs is overkill.) >>> >>> >>> For MBR stuff, yes. For loader.efi, yes. For boot1.efi, no: it did not >>> and will not grow that functionality. >>> >>> Warner >>> >> Ok, next dumb question -- can I put loader.efi in the EFI partition >> under EFI/FreeBSD as "bootx64.efi" there (from reading mailing list >> archives that appears to be yes -- just copy it in) and, if yes, how do >> I "tell" it that when it finds the freebsd-ufs partition on the disk it >> was started from (which, if I'm reading correctly, it will scan and look >> for) that it needs to geli attach the partition before it dig into there >> and find the rest of what it needs to boot? >> >> That SHOULD allow me to use an EFI boot manager to come up on initial >> boot, select FreeBSD and the loader.efi (named as bootx64.efi in >> EFI/FreeBSD) code will then boot the system. >> >> I've looked as the 12-RELEASE man page(s) and it's not obvious how you >> tell the loader to look for the partition and then attach it via GELI >> (prompting for the password of course) before attempting to boot it; >> obviously a "load" directive (e.g. geom_eli_load ="YES") makes no sense >> as the thing you'd "load" is on the disk you'd be loading it from and >> its encrypted.. .never mind that loader.conf violates the 8.3 filename >> rules for a DOS filesystem. >> >> Thanks! >> -- Karl Denninger [email protected] <mailto:[email protected]> /The Market Ticker/ /[S/MIME encrypted email preferred]/
smime.p7s
Description: S/MIME Cryptographic Signature
