I followed a guide [1] inspired by the wiki [2] with small deviations
[3] to set up cgd-on-root on 9.2_STABLE.  It seems to work well, with
the minor annoyance that a root filesystem check is triggered after
each (re)boot.  

Looking at /var/log/messages I can guess why: the cgd device is
destroyed before the root fs is (forcefully) unmounted:

        $ cat /var/log/messages
        ...
        ... dk4 at cgd0 (cgdroot) deleted
        ... cgd0: detached
        ...
        ... forcefully unmounted /dev/dk4 on /altroot/ type ffs
        ... forcefully unmounted root_device on / type ffs
        ... rebooting...
        ...
        $ uname -v
        NetBSD 9.2_STABLE (GENERIC) #0: Thu Sep 23 10:13:28 UTC 2021  [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC

I wonder if my Frankenstein setup [3] might be the reason.

[1] <https://www.unitedbsd.com/d/461-netbsd-full-disk-encryption-with-cgd>

[2] <https://wiki.netbsd.org/security/cgdroot/>

[3] Where I went off track was to use gpt on cgd on gpt (rather than
disklabel on cgd on gpt). For cgdroot to be able to mount root from
gpt, I then pulled the unlock script from -current and recompiled the
ramdisk/cgdroot.kmod with the updated script:

<http://cvsweb.netbsd.org/bsdweb.cgi/src/distrib/common/cgdroot.rc?rev=1.5>
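An added diagnostic, not part of the original post: a POSIX sh/awk check that scans syslog lines for exactly the ordering seen above, a dk wedge reported deleted from its cgd before the filesystem on it was unmounted. The log lines are constructed to mirror the ones in the post, and the function name is my own.

```shell
#!/bin/sh
# Constructed sample mirroring the shutdown sequence in the post (not a real log).
BAD_LOG=$(cat <<'EOF'
Sep 23 12:00:01 host /netbsd: dk4 at cgd0 (cgdroot) deleted
Sep 23 12:00:01 host /netbsd: cgd0: detached
Sep 23 12:00:02 host /netbsd: forcefully unmounted /dev/dk4 on /altroot/ type ffs
Sep 23 12:00:02 host /netbsd: forcefully unmounted root_device on / type ffs
Sep 23 12:00:02 host /netbsd: rebooting...
EOF
)

# Constructed sample of the order one would want: wedge unmounted, then cgd torn down.
GOOD_LOG=$(cat <<'EOF'
Sep 23 12:00:01 host /netbsd: unmounted /dev/dk4 on /altroot/ type ffs
Sep 23 12:00:02 host /netbsd: dk4 at cgd0 (cgdroot) deleted
Sep 23 12:00:02 host /netbsd: cgd0: detached
Sep 23 12:00:02 host /netbsd: rebooting...
EOF
)

# check_cgd_shutdown_order: read syslog lines on stdin; print "BAD <wedge>" and exit 1
# for every dk wedge deleted from its cgd before (or without) being unmounted,
# otherwise print "OK" and exit 0.  A filesystem on such a wedge is still marked
# dirty, which is what triggers the root fs check on the next boot.
check_cgd_shutdown_order() {
    awk '
        # "dkN at cgdM (...) deleted": record the line at which the wedge disappeared
        / dk[0-9]+ at cgd[0-9]+ .*deleted$/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^dk[0-9]+$/) deleted[$i] = NR
        }
        # "[forcefully] unmounted /dev/dkN on ...": record the line at which it was unmounted
        /unmounted \/dev\/dk[0-9]+ on / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\/dev\/dk[0-9]+$/) { w = $i; sub("/dev/", "", w); unmounted[w] = NR }
        }
        END {
            bad = 0
            for (w in deleted)
                if (!(w in unmounted) || deleted[w] < unmounted[w]) { print "BAD " w; bad = 1 }
            if (!bad) print "OK"
            exit bad
        }'
}

# Stand-alone demo: the constructed bad log is flagged, the good one passes.
for log in "$BAD_LOG" "$GOOD_LOG"; do
    printf '%s\n' "$log" | check_cgd_shutdown_order || echo "(exit status $?)"
done
```

On a real system run it as `check_cgd_shutdown_order < /var/log/messages`; a wedge that is never reported unmounted is also flagged, since its filesystem cannot have been marked clean.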
