Re: Crypto softraid is supported on GPT/UEFI boot and not just on BIOS/MBR boot, right?

2017-09-28 Thread Nick Holland
On 09/28/17 05:58, ti...@openmailbox.org wrote:
>> On Wed, Sep 27, 2017 at 05:02:06PM -, ti...@openmailbox.org
>> wrote:
> ..
>>> What am I doing wrong, are there actually any installboot
>>> arguments that could help me make it work?
>> 
>> It looks like you're using GPT on both the physical and the 
>> softraid disk, correct?
>> 
>> In my setup, I have GPT on the physical disk (sd0) but an MBR on
>> the softraid volume. So perhaps try using an MBR on sd1 and see if
>> that helps? I am poking in the dark here. No idea if that will work
>> for you.
> 
> An MBR has a max of 2TB so over time the whole MBR thing needs to be
> discontinued, right, however this is a smaller disk so having MBR
> inside the softraid would work indeed.

By that logic, we should have quit using cheap disks when they went over
32MB.  Or 120MB.  Or 504MB.  Or 128GB.  Or ...
I have MBRs on 4TB SoftRaid volumes, works fine.

fdisk, make the "entire" disk (well, the first 2TB) OpenBSD.
disklabel, change the boundaries of the OpenBSD part to be the entire
disk.  Done.

Nick.



Re: Can I rotate the framebuffer (e.g. using wsdisplay) in OpenBSD?

2017-09-28 Thread Stéphane Aulery

On 28/09/2017 at 10:13, Stefan Sperling wrote:

> On Thu, Sep 28, 2017 at 12:55:41AM +0200, Stéphane Aulery wrote:
>
>> On 27/09/2017 at 17:24, Stefan Sperling wrote:
>>
>>> On Wed, Sep 27, 2017 at 04:11:45PM +0200, Kamil Cholewiński wrote:
>>>
>>>> On Wed, 27 Sep 2017, Francois Pussault wrote:
>>>>
>>>>> maybe installing a tool like xrandr ?
>>>>
>>>> Xrandr works only for X. I've skimmed wscons(4), wsdisplay(4),
>>>> wsconscfg(8), wsconsctl(8), nothing about rotation...
>>>
>>> In -current, the console is rotated counter-clockwise if the display
>>> isn't already upright:
>>> https://marc.info/?l=openbsd-cvs=150266331224832=2
>>> https://marc.info/?l=openbsd-cvs=150300131911666=2
>>>
>>> This behaviour is hard-coded and cannot be configured. It helps machines which
>>> need counter-clockwise rotation, but is not ideal because some machines need
>>> clockwise rotation instead. There are plans to auto-detect and use the correct
>>> rotation required in the future.
>>
>> And if I use a monitor in portrait orientation ?
>
> I have been using a monitor in portrait for many years and was never
> bothered by the console being the wrong way (X is rotated of course).
>
> In a rare situation where I need the console, I can make use of the
> laws of physics and turn the monitor upright with my hands and arms.
> This approach seems to work very reliably. I've never seen it fail.

It is not the game if you involve the invisible hand!

--
Stéphane Aulery



Re: regarding the default path for pkg_add in -current

2017-09-28 Thread Marc Espie
On Wed, Sep 27, 2017 at 08:57:10PM -0600, and...@quickstick.net wrote:
> Hello Folks !!
> 
> Regarding GENERIC.MP #115
> 
> I have a feeling you are about to roll into 6.2, however I just want to
> bring the following to your attention in case it matters.
> 
> I just did a clean install of -current using the bsd.rd dated 2017-09-27.
> Within the install sequence of questions, the default download path has been
> hardcoded to ../6.2/... as opposed to ../snapshots/..
> 
> I manually changed it to ../snapshots/ and it installed as expected.
> 
> Also, after login, pkg_add is very determined to use to the same ../6.2/..
> directory path. For the benefit of others who might find themselves in the
> same spot, the workaround is to use the full path while using pkg_add. In my
> case, it is:
> 
> $ doas pkg_add \
> https://ftp3.usa.openbsd.org/pub/OpenBSD/snapshots/amd64/pkgname

Unless you have good reasons to care about confidentiality, I'd advise
against https for pkg_add right now for performance reasons.



Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread Darren Tucker
On 28 September 2017 at 06:32, mabi  wrote:
> Thanks for the pointer regarding SNI not being supported in relayd. I will go 
> on and find another solution, probably HAproxy.

For a small number of domains it would probably be feasible to get a
single certificate with multiple SANs.  Letsencrypt at least supports
this as long as all of the domains map (or can be made to map) to the
place requesting the certificate.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: Maintaining process clarification

2017-09-28 Thread Zbyszek Żółkiewski
Hi Ingo,

thanks for the note, please find my notes below,


>> Example: In 6.1
> 
> I assume that means you are using -stable.
> 
>> there is package openvpn-2.4.1, how updates to the package are
>> handled? If there is critical issue with the package, then
>> "openvpn-2.4.1" is updated or it get new version numbering?
> 

yes, that is stable

> It gets a new version number, typically openvpn-2.4.1p0.
> If the fix is done via a new upstream release, the number
> may look something like openvpn-2.4.2.
> 
> In this particular case, it actually is openvpn-2.4.3p1 in both
> -stable and -current.
> 

actually in -stable I see only 2.4.1; 2.4.3 is in snapshot


>> And yes - i know i can recompile by myself and i do not mind doing
>> that, but i would avoid recompiling almost all all the time if there
>> is already process 
> 
> Using -stable, you will have to compile port updates yourself:
> 
>  https://www.openbsd.org/faq/faq15.html#PortsSecurity

so to get the latest updates (binary) from the packages I should run -current?

> 
> Or use the third-party, but IMHO trustworthy third-party precompiled
> stable packages from MTier:
> 
>  https://stable.mtier.org/

thanks, I will check that out

> That said, use the manual pages and the FAQ before asking questions,
> and do not use web search engines to search for answers to questions
> regarding OpenBSD.  Unlike in Linux, almost everything is documented
> precisely and concisely in the canonical places in the manual pages
> or FAQ, and documentation is almost always up to date.

yes, documentation quality is great; I need clarification on the update process as
it is very different from Linux distributions.

_
Zbyszek Żółkiewski



Re: Strange sed substitution removes text

2017-09-28 Thread kshe
On Mon, 25 Sep 2017 18:16:15 +, Martijn van Duren wrote:
> Lets just wait until Ingo has time to look into it. He's still on
> holiday in Paris, so it might be a few days.

Hi,

I already reported this issue three months ago, along with other related
and unrelated bugs; see my second message in this thread:

https://marc.info/?t=14969951951

As one can infer from reading any of these messages, this is far from
being the only unresolved problem with OpenBSD's sed, so I doubt it is
worth asking anyone to look particularly into this one more deeply; in
fact, the whole substitute() function is flawed in multiple other
aspects and, together with the rest of the program, which is likewise
either plain wrong or embarrassingly suboptimal in almost every possible
way, disserves no more than to be thrown away and rewritten.  Because of
my personal need for a correct and elegant implementation, this is
exactly what I did in my local tree.  Nevertheless, I have not been too
impatient to share my code here as no one seemed to care when I
mentioned it to tech@, but perhaps this freshly posted report could make
someone interested after all.  (If so, however, I would still need to
take the time to write a fully fledged supporting justification before
submitting it, because, as I reckon, one does not simply reimplement sed
without explaining in depth why and how this had to be done.)

Regards,

kshe



Re: Maintaining process clarification

2017-09-28 Thread Ingo Schwarze
Hi Zbyszek,

Zbyszek wrote on Thu, Sep 28, 2017 at 11:43:35AM +0200:

> I am new to OpenBSD

Welcome.

> Example: In 6.1

I assume that means you are using -stable.

> there is package openvpn-2.4.1, how updates to the package are
> handled? If there is critical issue with the package, then
> "openvpn-2.4.1" is updated or it get new version numbering?

It gets a new version number, typically openvpn-2.4.1p0.
If the fix is done via a new upstream release, the number
may look something like openvpn-2.4.2.

In this particular case, it actually is openvpn-2.4.3p1 in both
-stable and -current.

> And yes - i know i can recompile by myself and i do not mind doing
> that, but i would avoid recompiling almost all all the time if there
> is already process 

Using -stable, you will have to compile port updates yourself:

  https://www.openbsd.org/faq/faq15.html#PortsSecurity

Or use the third-party, but IMHO trustworthy third-party precompiled
stable packages from MTier:

  https://stable.mtier.org/

If you use -current instead of stable, just updating to a newer
snapshot is sufficient:

  https://www.openbsd.org/faq/faq5.html#Flavors


That said, use the manual pages and the FAQ before asking questions,
and do not use web search engines to search for answers to questions
regarding OpenBSD.  Unlike in Linux, almost everything is documented
precisely and concisely in the canonical places in the manual pages
or FAQ, and documentation is almost always up to date.

Yours,
  Ingo
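The version scheme Ingo describes (a port-level fix appends pN, a new upstream release changes the version) can be checked mechanically. The following POSIX sh functions are an added example, not code from the thread or from the OpenBSD package tools: they split a name of the form stem-version[pN] into its parts and pick the newer of two builds. Package flavors (a "-flavor" suffix) and the vN epoch marker are assumed absent, since the thread only shows plain pN names.

```shell
#!/bin/sh
# Added example (not from the thread): parse OpenBSD package names such as
# openvpn-2.4.1, openvpn-2.4.1p0 or openvpn-2.4.3p1 and decide which is newer.
# Assumes names of the form stem-version[pN] with no flavor suffix.

# "openvpn-2.4.3p1" -> "openvpn"
pkg_stem() {
    printf '%s\n' "$1" | sed 's/-[0-9][^-]*$//'
}

# "openvpn-2.4.3p1" -> "2.4.3"  (upstream version with the pN suffix removed)
pkg_version() {
    printf '%s\n' "$1" | sed 's/^.*-\([0-9][^-]*\)$/\1/; s/p[0-9][0-9]*$//'
}

# "openvpn-2.4.3p1" -> "1"; a name without any pN prints "-1" (no port revision yet)
pkg_revision() {
    rev=$(printf '%s\n' "$1" | sed -n 's/^.*p\([0-9][0-9]*\)$/\1/p')
    printf '%s\n' "${rev:--1}"
}

# Compare two dotted version strings component by component; prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = x[i] + 0; q = y[i] + 0      # missing components count as 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# Print the newer of two package names that share a stem (the first one on a tie).
# A newer upstream version always wins; on the same version the higher pN wins.
pkg_newer() {
    [ "$(pkg_stem "$1")" = "$(pkg_stem "$2")" ] || { echo "stem mismatch" >&2; return 1; }
    case $(vercmp "$(pkg_version "$1")" "$(pkg_version "$2")") in
        1)  printf '%s\n' "$1" ;;
        -1) printf '%s\n' "$2" ;;
        0)  if [ "$(pkg_revision "$2")" -gt "$(pkg_revision "$1")" ]; then
                printf '%s\n' "$2"
            else
                printf '%s\n' "$1"
            fi ;;
    esac
}

pkg_newer openvpn-2.4.1 openvpn-2.4.1p0     # openvpn-2.4.1p0
pkg_newer openvpn-2.4.1p0 openvpn-2.4.3p1   # openvpn-2.4.3p1
```

The ordering this encodes is the one Ingo states: openvpn-2.4.1 < openvpn-2.4.1p0 < openvpn-2.4.2 < openvpn-2.4.3p1, so a -stable user comparing an installed name against the one in a newer package set can tell a port-level fix from an upstream update.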



Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread mabi
Thanks for the pointer regarding SNI not being supported in relayd. I will go 
on and find another solution, probably HAproxy.

>  Original Message 
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 3:02 PM
> UTC Time: September 28, 2017 1:02 PM
> From: mcmer-open...@tor.at
> To: mabi 
> openbsd-misc 
>
> m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
>> I was wondering if it is possible to use relayd as load balancer with
>> TLS termination for multiple different websites residing on different
>> server.
>
> With a public IP per website: yes. Else: no.
>
> reyk@, 2014-07-24, "no SNI yet"
> https://marc.info/?l=openbsd-misc=140621533620964
>
> recent thread:
> https://marc.info/?l=openbsd-misc=150599591326006
>
> Marcus
>
> btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
> from seeing these messages.

Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread Marcus MERIGHI
m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
> I was wondering if it is possible to use relayd as load balancer with
> TLS termination for multiple different websites residing on different
> server.

With a public IP per website: yes. Else: no. 

reyk@, 2014-07-24, "no SNI yet"
https://marc.info/?l=openbsd-misc=140621533620964

recent thread:
https://marc.info/?l=openbsd-misc=150599591326006

Marcus

btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
from seeing these messages.



Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread mabi
Thanks Bryan for your example.

I saw in your example you only use the example.com domain. I would be using 
multiple domains such as example1.com, example2.com, exampleX.com, and so on. 
Would it also work in that case? Again I suppose here that I need to have all 
these different domains in one single SSL certificate file, right?

On the relayd.conf man page I read that the second "forward to" config 
parameter in a "relay" entity is used as backup in case the first "forward to" 
table is down. So one could think in your config that your second "forward to" 
would be used as your backup table.

Finally what is the purpose of setting the Connection HTTP header to close as 
you have here below?

match request header set "Connection" value "close"

>  Original Message 
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 2:21 PM
> UTC Time: September 28, 2017 12:21 PM
> From: bryanlhar...@gmail.com
> To: mabi 
> openbsd-misc 
>
> Here is what I did, which I learned from the httpd & relayd book by Michael W 
> Lucas (I recommend).  I cannot remember why I set the top header options, I 
> must have been trying to learn about them.  The host ones are to figure out 
> the site and send the connection to the table above.
>
> ext_addr="..."
> int_addr="127.0.0.1"
> vm1_addr="192.0.2.11"
> vm2_addr="192.0.2.12"
> vm3_addr="192.0.2.13"
> vm4_addr="192.0.2.14"
>
> table  { $int_addr }
> table  {
>   $vm1_addr
>   $vm2_addr
>   $vm3_addr
>   $vm4_addr
> }
>
> # Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
> http protocol https {
>   # playing with these options
>   match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>   match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
>   match request header set "Keep-Alive" value "$TIMEOUT"
>   match request header set "Connection" value "close"
>
>   match request header "Host" value "website.example.com" forward to 
>   match request header "Host" value "example.com" forward to 
>   match request header "Host" value "www.example.com" forward to 
>
> }
>
> relay wwwtls {
>   # Run as a SSL/TLS accelerator
>   listen on $ext_addr port 443 tls
>   protocol https
>
>   forward to  port 80 check tcp
>   forward to  port 80 mode loadbalance check tcp
> }
>
> V/r,
> Bryan
>
> On Thu, Sep 28, 2017 at 7:32 AM, mabi  wrote:
>
>> Hi,
>>
>> I was wondering if it is possible to use relayd as load balancer with TLS 
>> termination for multiple different websites residing on different server.
>>
>> From reading the man page I understand that for this purpose I will need to 
>> use one "relay" entity per website which will then have its own "http 
>> protocol" entity. If this is correct, this means I will require one public 
>> IP address per website which seems to me a bit a waste hence my asking.
>>
>> The alternative would be to have one "relay" entity but this means I can 
>> only have one "http protocol" entity assigned to it from my understanding. 
>> This also means that I would have to have to use one single SSL certificate 
>> file which includes every CN for each of my website. My feeling tells me 
>> that this does not sound good practice. Then how would relayd know that 
>> website www.website1.com has to be forwarded to the hosts in  and 
>> that website www.website2.com has to be forwarded to the hosts in ? 
>> Would you in the "http protocol" entity filter using the HTTP "Host" header 
>> (such as SNI)?
>>
>> Sorry for all these questions but I am trying to find out the best way/good 
>> practice to setup a relayd TLS load balancer for a different 
>> websites/webapps/domains and can't find much documentation about this 
>> specific case.
>>
>> Note here that I will be using the acme-client for all of the domains.
>>
>> Thanks for your input.
>>
>> Best,
>> Mabi

Re: FF vs. Chrome/Chromium

2017-09-28 Thread Boudewijn Dijkstra
On Wed, 27 Sep 2017 16:44:01 +0200, Theo de Raadt wrote:

>> Firefox has W^X compliance and so runs with the secure defaults.
>
> it uses page aliasing, which is a shitty way of being compliant

Do you mean dual-mapping a.k.a. double-mapping?  I found some old patches  
using a temporary file and mmap w/ fd to achieve this, but they never  
went in.


This blog:
https://jandemooij.nl/blog/2015/12/29/wx-jit-code-enabled-in-firefox/
suggests that it is simply switching between RW and RX using mprotect.

Can you please elaborate?


--
Made with Opera's e-mail program: http://www.opera.com/mail/



Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread Bryan Harris
Here is what I did, which I learned from the httpd & relayd book by Michael
W Lucas (I recommend).  I cannot remember why I set the top header options,
I must have been trying to learn about them.  The host ones are to figure
out the site and send the connection to the table above.

ext_addr="..."
int_addr="127.0.0.1"
vm1_addr="192.0.2.11"
vm2_addr="192.0.2.12"
vm3_addr="192.0.2.13"
vm4_addr="192.0.2.14"

table  { $int_addr }
table  {
  $vm1_addr
  $vm2_addr
  $vm3_addr
  $vm4_addr
}

# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
http protocol https {
  # playing with these options
  match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
  match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
  match request header set "Keep-Alive" value "$TIMEOUT"
  match request header set "Connection" value "close"

  match request header "Host" value "website.example.com" forward to 
  match request header "Host" value "example.com" forward to 
  match request header "Host" value "www.example.com" forward to 

}

relay wwwtls {
  # Run as a SSL/TLS accelerator
  listen on $ext_addr port 443 tls
  protocol https

  forward to  port 80 check tcp
  forward to  port 80 mode loadbalance check tcp
}

V/r,
Bryan

On Thu, Sep 28, 2017 at 7:32 AM, mabi  wrote:

> Hi,
>
> I was wondering if it is possible to use relayd as load balancer with TLS
> termination for multiple different websites residing on different server.
>
> From reading the man page I understand that for this purpose I will need
> to use one "relay" entity per website which will then have its own "http
> protocol" entity. If this is correct, this means I will require one public
> IP address per website which seems to me a bit a waste hence my asking.
>
> The alternative would be to have one "relay" entity but this means I can
> only have one "http protocol" entity assigned to it from my understanding.
> This also means that I would have to have to use one single SSL certificate
> file which includes every CN for each of my website. My feeling tells me
> that this does not sound good practice. Then how would relayd know that
> website www.website1.com has to be forwarded to the hosts in  and
> that website www.website2.com has to be forwarded to the hosts in
> ? Would you in the "http protocol" entity filter using the HTTP
> "Host" header (such as SNI)?
>
> Sorry for all these questions but I am trying to find out the best
> way/good practice to setup a relayd TLS load balancer for a different
> websites/webapps/domains and can't find much documentation about this
> specific case.
>
> Note here that I will be using the acme-client for all of the domains.
>
> Thanks for your input.
>
> Best,
> Mabi
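Bryan's config routes on the HTTP Host header, and mabi's question was how relayd knows which backend each of several domains belongs to. The check below is an added example written for this digest, not Bryan's file or anything from the relayd project: it pulls every Host value that has its own "forward to" rule out of a relayd.conf fragment and reports the domains on your certificate that have none. The table names (<default>, <web>), addresses and the config text are constructed for the example, and it assumes, as I read relayd.conf(5), that a request whose Host matches no rule is handed to the relay's first "forward to" table. Since Host is chosen by the client, that default table is where any unlisted name (and any bogus Host) lands, so it is worth knowing which domains fall through.

```shell
#!/bin/sh
# Added example, not from the thread: audit which Host values a relayd.conf
# fragment routes explicitly. Assumption: a Host with no matching rule falls
# through to the relay's first "forward to" table (<default> here).
# The config text below is constructed for this example.

RELAYD_CONF='
table <default> { 127.0.0.1 }
table <web> { 192.0.2.11 192.0.2.12 }

http protocol https {
  match request header "Host" value "example1.com" forward to <web>
  match request header "Host" value "www.example1.com" forward to <web>
  match request header "Host" value "example2.com" forward to <web>
}

relay wwwtls {
  listen on 203.0.113.10 port 443 tls
  protocol https
  forward to <default> port 80 check tcp
  forward to <web> port 80 mode loadbalance check tcp
}
'

# Print every Host value that has its own "forward to" rule, one per line.
routed_hosts() {
    printf '%s\n' "$1" |
      sed -n 's/^[[:space:]]*match request header "Host" value "\([^"]*\)"[[:space:]]*forward to.*/\1/p'
}

# Given the config and the domains the certificate is meant to cover, print the
# ones with no explicit rule: requests for them reach the default table.
unrouted_hosts() {
    conf=$1
    shift
    routed=$(routed_hosts "$conf")
    for d in "$@"; do
        printf '%s\n' "$routed" | grep -qxF "$d" || printf '%s\n' "$d"
    done
}

# With the constructed config this prints only www.example2.com.
unrouted_hosts "$RELAYD_CONF" example1.com www.example1.com example2.com www.example2.com
```

Feed it the domain list you hand to acme-client and the live relayd.conf; an empty result means every name on the certificate has a deliberate backend rather than whatever sits behind the default table.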


relayd TLS load balancer for multiple websites

2017-09-28 Thread mabi
Hi,

I was wondering if it is possible to use relayd as load balancer with TLS 
termination for multiple different websites residing on different server.

From reading the man page I understand that for this purpose I will need to use 
one "relay" entity per website which will then have its own "http protocol" 
entity. If this is correct, this means I will require one public IP address per 
website which seems to me a bit a waste hence my asking.

The alternative would be to have one "relay" entity but this means I can only 
have one "http protocol" entity assigned to it from my understanding. This also 
means that I would have to have to use one single SSL certificate file which 
includes every CN for each of my website. My feeling tells me that this does 
not sound good practice. Then how would relayd know that website 
www.website1.com has to be forwarded to the hosts in  and that website 
www.website2.com has to be forwarded to the hosts in ? Would you in the 
"http protocol" entity filter using the HTTP "Host" header (such as SNI)?

Sorry for all these questions but I am trying to find out the best way/good 
practice to setup a relayd TLS load balancer for a different 
websites/webapps/domains and can't find much documentation about this specific 
case.

Note here that I will be using the acme-client for all of the domains.

Thanks for your input.

Best,
Mabi

Re: Mount LUKS and truecrypt external volumes

2017-09-28 Thread Stuart Henderson
On 2017-09-26, x9p  wrote:
> Walking through ports i could not find alternatives to mount Linux LUKS
> encrypted storages and Truecrypt-compatible storages.

There aren't any in ports. It might be worth trying porting FUSE-based
implementations, though FUSE on OpenBSD is missing a few things so
porting might be a bit awkward, and it's not the most reliable thing
in the world ever, but it mostly works (at least it doesn't trigger
panics all that often any more).

If you want high quality FDE on OpenBSD, use softraid(4) crypto.




Re: Crypto softraid is supported on GPT/UEFI boot and not just on BIOS/MBR boot, right?

2017-09-28 Thread tinkr
> On Wed, Sep 27, 2017 at 05:02:06PM -, ti...@openmailbox.org wrote:
..
>> What am I doing wrong, are there actually any installboot arguments that 
>> could help me make it work?
> 
> It looks like you're using GPT on both the physical and the
> softraid disk, correct?
> 
> In my setup, I have GPT on the physical disk (sd0) but an MBR
> on the softraid volume. So perhaps try using an MBR on sd1 and
> see if that helps?
> I am poking in the dark here. No idea if that will work for you.

An MBR has a max of 2TB, so over time the whole MBR thing needs to be 
discontinued, right? However, this is a smaller disk, so having an MBR inside the 
softraid would work indeed.

I mostly chose softraid in the first place for symmetry.

I'll try to make the softraid contain an MBR and let you know.


Indeed I'm on 6.1, so I see that's why I run BOOTX64 3.32 rather than the 
newest BOOTX64 3.33 of -current. As soon as I try -current (or 6.2) I'll retry 
the whole installation and let you know too.

Thanks again,
Tinker

Maintaining process clarification

2017-09-28 Thread Zbyszek Żółkiewski
Hi,

I am new to OpenBSD and after 15 years of work with Linux I find OpenBSD a 
very refreshing experience among bloated server software platforms, so guys 
thanks for that. 

My question is about updating packages using pkg_add -u; I am kind of 
confused about how it works. 
Example: In 6.1 there is package openvpn-2.4.1; how are updates to the package 
handled? If there is a critical issue with the package, is "openvpn-2.4.1" 
updated or does it get new version numbering? I am used to distros adding their own 
numbering like 2.4.1_u1 and so on, to give a clue that the package was 
updated/patched. 

And yes, I know I can recompile by myself and I do not mind doing that, but I 
would avoid recompiling almost all, all the time, if there is already a process 

thanks, 

_
Zbyszek Żółkiewski



Re: FF vs. Chrome/Chromium

2017-09-28 Thread Artur Pedziwilk


> On 27 Sep 2017, at 16:44, Theo de Raadt  wrote:
> 
> you really shouldn't be promising that to anyone.  it might not happen,
> their design might not allow it.
> 
> pledge in giant programs is very rare.  chrome got LUCKY, and there is
> no evidence that firefox will also.

There was also another interesting presentation by Landry Breuil
about "7 years of maintaining firefox "
with "- sandboxing w/ `pledge()` ?"

https://www.openbsd.org/papers/eurobsdcon2017_seven_years_of_maintaining_firefox.md

but not sure if recordings will be available.



Re: Can I rotate the framebuffer (e.g. using wsdisplay) in OpenBSD?

2017-09-28 Thread Stefan Sperling
On Thu, Sep 28, 2017 at 08:48:31AM -, ti...@openmailbox.org wrote:
> In a world where such weird laptop manufacturers exist, OpenBSD
> having framebuffer rotation would fix the whole setup.

Yes, and as was already stated there are developers (not me) who plan to
do that work and might even generously share their results with all of us.
Just be patient, please.



Re: Can I rotate the framebuffer (e.g. using wsdisplay) in OpenBSD?

2017-09-28 Thread tinkr
> On Thu, Sep 28, 2017 at 12:55:41AM +0200, Stéphane Aulery wrote:
..
>> And if I use a monitor in portrait orientation ?
> 
> I have been using a monitor in portrait for many years and was never
> bothered by the console being the wrong way (X is rotated of course).
> 
> In a rare situation where I need the console, I can make use of the
> laws of physics and turn the monitor upright with my hands and arms.
> This approach seems to work very reliably. I've never seen it fail.

If it's a laptop, the angle between the laptop (correctly oriented) and the 
screen (oriented 90 degrees away from you) is 90 degrees, and you would need to 
tilt your head 90 degrees instead (as the screen can't be tilted), or tilt your 
hands 90 degrees while tilting the laptop 90 degrees too, or carry an external 
keyboard with you, in which case the laptop but not me would need to be tilted.

In a world where such weird laptop manufacturers exist, OpenBSD having 
framebuffer rotation would fix the whole setup. But doing it with X is cool too 
of course, at the very least for now.

Re: Can I rotate the framebuffer (e.g. using wsdisplay) in OpenBSD?

2017-09-28 Thread Stefan Sperling
On Thu, Sep 28, 2017 at 12:55:41AM +0200, Stéphane Aulery wrote:
> Le 27/09/2017 à 17:24, Stefan Sperling a écrit :
> > On Wed, Sep 27, 2017 at 04:11:45PM +0200, Kamil Cholewiński wrote:
> > > On Wed, 27 Sep 2017, Francois Pussault  wrote:
> > > > maybe installing a tool like xrandr ?
> > > 
> > > Xrandr works only for X. I've skimmed wscons(4), wsdisplay(4),
> > > wsconscfg(8), wsconsctl(8), nothing about rotation...
> > 
> > In -current, the console is rotated counter-clockwise if the display
> > isn't already upright:
> > https://marc.info/?l=openbsd-cvs=150266331224832=2
> > https://marc.info/?l=openbsd-cvs=150300131911666=2
> > 
> > This behaviour is hard-coded and cannot be configured. It helps machines 
> > which
> > need counter-clockwise rotation, but is not ideal because some machines need
> > clockwise rotation instead. There are plans to auto-detect and use the 
> > correct
> > rotation required in the future.
> 
> And if I use a monitor in portrait orientation ?

I have been using a monitor in portrait for many years and was never
bothered by the console being the wrong way (X is rotated of course).

In a rare situation where I need the console, I can make use of the
laws of physics and turn the monitor upright with my hands and arms.
This approach seems to work very reliably. I've never seen it fail.



Re: Crypto softraid is supported on GPT/UEFI boot and not just on BIOS/MBR boot, right?

2017-09-28 Thread Stefan Sperling
On Wed, Sep 27, 2017 at 05:02:06PM -, ti...@openmailbox.org wrote:
> > On Wed, Sep 27, 2017 at 10:31:22AM -, ti...@openmailbox.org wrote:
> >>  >> OpenBSD/amd64 BOOTX64 3.32

Are you running -current?
(We would already know that if you had included a dmesg -- tsk tsk).

In -current, boot is version "3.33", not "3.32".

> I then booted the machine (by typing "boot sr0a:/bsd" in the boot console 
> again of course) and did "installboot -v sd1", and it gave:
> 
>  Using / as root
>  installing bootstrap on /dev/rsd0c
>  using first-stage /usr/mdec/biosboot, second-stage /usr/mdec/boot
>  sd1: softraid volume with 1 disk(s)
>  sd1: installing boot loader on softraid volume
>  /usr/mdec/boot is 6 blocks x 16384 bytes
>  copying /usr/mdec/BOOTIA32.EFI to 
> /tmp/installboot.1lt1hgtQYa/efi/BOOT/BOOTIA32.EFI
>  copying /usr/mdec/BOOTIX64.EFI to 
> /tmp/installboot.1lt1hgtQYa/efi/BOOT/BOOTIX64.EFI
> 
> Rebooting, that also did not help.

That looks OK, though. Passing the softraid disk is correct.

> I tried with "fdisk -e sd1" and disabling the 1 (EFI) partition by setting 
> its type to 0 (so that installboot would not try to install any EFI files to 
> sd1i) and then doing "installboot sd1", and that did not help too.
> 
> What am I doing wrong, are there actually any installboot arguments that 
> could help me make it work?

It looks like you're using GPT on both the physical and the
softraid disk, correct?

In my setup, I have GPT on the physical disk (sd0) but an MBR
on the softraid volume. So perhaps try using an MBR on sd1 and
see if that helps?
I am poking in the dark here. No idea if that will work for you.



Re: softraid crypto with keydisk and password

2017-09-28 Thread Stefan Sperling
On Thu, Sep 28, 2017 at 04:15:20AM +0200, Erling Westenvik wrote:
> On Thu, Sep 28, 2017 at 09:11:49AM +1000, tomr wrote:
> > I remember seeing a post, I think on undeadly.org, which went through
> > having the bootloader on password-encrypted usb drive, that also
> > contains a keyfile for the main disk. It said something like "I also
> > wanted the laptop to appear broken, and the disk full of random data, if
> > the usb drive wasn't present - rather than stopping at a password prompt"
> 
> Here you go:
> 
> http://www.undeadly.org/cgi?action=article=20110530221728

Hi, I am the author of this undeadly article.
It is now very old and full of outdated information.

Follow this FAQ section instead:
http://www.openbsd.org/faq/faq14.html#softraid