On Mon, Jul 22, 2013 at 10:29:40AM +0300, Andriy Gapon wrote: > I think that this setup (on ZFS level) is quite untypical, although not > impossible on FreeBSD (and perhaps only FreeBSD). > It's untypical because you have separate boot pool (where loader, loader.conf > and kernel are taken from) and root pool (where "/" is mounted from). As I said elsewhere, it is pretty typical when full disk encryption is used. The /boot/ has to be unencrypted and can be stored on eg. USB pendrive which is never left unattended, unlike laptop which can be left in eg. a hotel room, but with entire disk encrypted. > So, I see three ways of resolving the problem that my changes caused for your > configuration. > > 1. [the easiest] Put zpool.cache loading instructions that used to be in > defaults/loader.conf into your loader.conf. This way everything should work as > before -- zpool.cache would be loaded from your boot pool. > > 2. Somehow (I don't want to go into any technical details here) arrange that > your root pool has /boot/zfs/zpool.cache that describes your boot pool. This is > probably hard given that your /boot is a symlink at the moment. This probably > would be easier to achieve if zpool.cache lived in /etc/zfs. > > 3. [my favorite] Remove an artificial difference between your boot and root > pools, so that they are a single root+boot pool (as zfs gods intended). As far > as I understand your setup, you use GELI to protect some sensitive data. > Apparently your kernel is not sensitive data, so I wonder if your /bin/sh or > /sbin/init are really sensitive either. > So perhaps you can arrange your unencrypted pool to hold all of the base system > (boot + root) and put all your truly sensitive filesystems (like e.g. /home or > /var/data or /opt/xyz) onto your encrypted pool. If all you care about is laptop being stolen, then that would work. If you however want to be protected from someone replacing your /sbin/init with something evil then you use encryption or even better integrity verification also supported by GELI. Remember, tools not policies. There is also option number 4 - backing out your commit. When I saw your commit removing those entries from defaults/loader.conf, I thought it is fine, as we now don't require zpool.cache to import the root pool, which was, BTW, very nice and handy improvement. Now that we know it breaks existing installations I'd prefer the commit to be backed out. This is because apart from breaking some existing installations it doesn't gain us anything. > So I understand that my change causes a problem for a setup like yours, but I > believe that the change is correct. The change is clearly incorrect or incomplete as it breaks existing installations and doesn't allow for full disk encryption configuration on ZFS-only systems. BTW. If moving zpool.cache to /etc/zfs/ will work for both cases that's fine by me, although the migration might be tricky. -- Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://mobter.com
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:39 UTC