Re: UEFI firmware and getting FreeBSD recognized by default: who to talk to?

From: Karl Denninger <karl_at_denninger.net>
Date: Sun, 23 Jun 2019 08:52:42 -0500
On 6/23/2019 02:36, Thomas Mueller wrote:
> from Karl Denninger and my previous post:
>
>>> This is scary (Bitlocker), sent me to Wikipedia to look up Bitlocker.
>>>
>>> Can you turn Bitlocker off after turning it on and get your system back?
>> You SHOULD (better have!) kept the recovery key.  If you have it, you
>> can boot with it.  Then turn it off and back on, and it will generate a
>> new key.
>>> Now I am even more scared to ever get a computer with MS-Windows! 
Bitlocker is optional and in fact defaults off.
>>> One thing on my mind is if I need a new motherboard, would it have the undesired Secure Boot?  I guess I'd have to ask the seller and look on the motherboard manufacturer's website (MSI, ASRock, Asus, Gigabyte, or other).
>>> I have no Secure Boot now.
>> Probably.  But you can shut THAT off (and should) provided you wish to
>> dual boot.  The exception is ARM-based systems, many of which are
>> secure-boot ONLY.  For Intel machines I've never run into one that can't
>> have it turned off (and I'd return it immediately if I found one.)
>>> I am trying to set up UEFI to boot my FreeBSD and NetBSD installations, and later, Linux.
>>>
>> Tom
>>
>> Easy.  Refind should do that and allow selection from a menu.
> Can one recover after losing the recovery key?  I think I would want to avoid Bitlocker from the outset (malware!).

No.  You can't recover in FreeBSD if you lose the Geli key either. 
That's the entire point of disk encryption; no key, no data.  End of
discussion.  Bitlocker has TWO keys (one normal one, which can either be
TPM-only if you have one in the machine or TPM + PIN, or, if there is no
TPM, a password) and a recovery key which is a very long set of octal
digit groups.  It will insist you save that recovery key somewhere NOT
on the encrypted volume (e.g. to a USB key, to a network drive, printed,
etc) during setup.  It also (stupidly, in my opinion) allows you to save
it to your "Microsoft account" which is IMHO exactly identical to giving
it to Microsoft, the NSA, and probably China's Communist Party too.  I
recommended against that option, obviously.

Geli has two key slots too, and you can set both, and allows a
"randomization source" (e.g. key file), that plus a password, or just a
password.  But if, in any encrypted disk environment, you lose the keys
for any reason you're screwed -- I hope you have backups! :)  Geli by
default only sets one key; the other has to be set manually.

Oh, Geli also has a "duress" command (I don't know of one for Bitlocker)
that instantly destroys the key blocks on the disk.  If you use that
then it's bye-bye even WITH the key unless you have backed them up to
some sort of other media (it does save the key blocks off during
initialization so you *can* back them up.)

It would be rather pointless to call a disk "encrypted" if, absent the
authentication means, you could manage to get into it.

> I was thinking about AMD Ryzen if I need to replace motherboard.  I would need a new CPU with any new motherboard, Intel or AMD-compatible, would also need new RAM (DDR4, I now have DDR3), and probably a new case.
>
> But I would keep and transfer any hard drives that are still good.
>
> Can rEFInd find and boot FreeBSD, NetBSD, Haiku, etc?
Yes.
> I don't see any refind, however partially capitalized, in FreeBSD base system or ports, or NetBSD base system or pkgsrc.  I find efibootmgr now in FreeBSD, but not NetBSD, base system.
It's not a port or package; the software is not in any way
FreeBSD-specific.
> I would want to label boot options with the partition label (like WD2G18, WD2G19, WD2G20, WD2G21, and others) so I can see on the boot menu.
Refind automatically figures it out -- it "knows" what FreeBSD and
Windows are, for example.
> I also notice it is difficult to choose the root partition when booting UEFI.  I could create a zero-byte or very small file in root directory with the partition label name, like /WD2G18 on partition WD2G18 just to show up with ls.
>
> Tom

That's a function of the actual EFI loader in question for the specific
OS and is beyond the scope of UEFI itself.

In point of fact UEFI BIOS implementations are *supposed* to implement a
reasonable "boot manager" option to select from whatever various UEFI
loaders are installed on the machine.  In actual practice most of them
I've run into on various motherboards bite big ones and either their
alleged "manager" is worthless or nearly so; thus tools like Refind.

-- 
Karl Denninger
karl_at_denninger.net <mailto:karl_at_denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/
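The geli key-slot, backup and kill handling Karl describes above, written out as an added example (this is not code from the thread or from FreeBSD's documentation). The device /dev/ada0p2, the key files under /root and the backup path are placeholders; geli init and geli attach will prompt for the slot-0 passphrase. DRY_RUN=1 prints each geli command instead of executing it, which is also how the sequence can be checked on a non-FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): populate both geli key slots, keep a
# metadata backup off the encrypted volume, and show what "geli kill" followed
# by "geli restore" looks like. Device, key files and backup path are assumed
# placeholders. DRY_RUN=1 prints each command instead of executing it.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# geli_two_keys PROVIDER KEYFILE0 KEYFILE1 BACKUP
# Slot 0 = key file + passphrase (prompted by geli init); slot 1 = a second
# key file alone, so either one unlocks the same master key.
geli_two_keys() {
    prov=$1; key0=$2; key1=$3; backup=$4
    # -B writes the metadata backup somewhere other than the default
    # /var/backups/<prov>.eli; keep that file off the volume being encrypted.
    run geli init -e AES-XTS -l 256 -s 4096 -B "$backup" -K "$key0" "$prov"
    run geli attach -k "$key0" "$prov"
    # With the provider attached, setkey derives slot 1 from the master key
    # already in memory; -P means this slot has no passphrase component.
    run geli setkey -n 1 -P -K "$key1" "$prov"
    # Re-take the backup now that both slots are populated.
    run geli backup "$prov" "$backup"
}

# geli_kill_and_restore PROVIDER BACKUP
# kill wipes the on-disk metadata (both slots); only the backup brings it back.
geli_kill_and_restore() {
    prov=$1; backup=$2
    run geli detach "$prov"
    run geli kill "$prov"
    run geli restore "$backup" "$prov"
}

# Usage (as root on FreeBSD):
#   dd if=/dev/random of=/root/ada0p2.key0 bs=64 count=1
#   dd if=/dev/random of=/root/ada0p2.key1 bs=64 count=1
#   sh geli-two-keys.sh setup /dev/ada0p2 /root/ada0p2.key0 /root/ada0p2.key1 /root/ada0p2.eli
if [ "${1:-}" = setup ]; then
    geli_two_keys "$2" "$3" "$4" "$5"
fi
```

Keep the two key files and the backup file on separate media from the provider itself: after geli kill, neither a correct passphrase nor either key file is of any use without the metadata in the backup file.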

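The rEFInd setup the thread talks around (install it on the ESP, register it with FreeBSD's efibootmgr(8) because the firmware's own boot manager is unreliable, and label the menu entries by partition label), as an added example that is not code from the thread or from the rEFInd project. Assumptions: the ESP is mounted at /boot/efi, the rEFInd binary zip has been unpacked to ./refind-bin, FreeBSD's loader is at \EFI\freebsd\loader.efi and NetBSD's at \EFI\boot\bootx64.efi on their ESPs. DRY_RUN=1 prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread or the rEFInd project): put rEFInd on the
# ESP, register it as a UEFI boot entry with FreeBSD's efibootmgr(8), and give
# each BSD install a manual menu entry keyed on its GPT partition label.
# Assumed: ESP at /boot/efi, rEFInd zip unpacked to ./refind-bin, loader paths
# as shown below. DRY_RUN=1 prints commands instead of running them.
set -eu

ESP=${ESP:-/boot/efi}
REFIND_DIR=$ESP/EFI/refind

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# refind_stanza LABEL NAME LOADER
# rEFInd's "volume" key accepts a partition label, so the label the disk already
# carries (WD2G18 ...) identifies the entry; the title shows it as well.
refind_stanza() {
    label=$1; name=$2; loader=$3
    printf 'menuentry "%s (%s)" {\n    volume   %s\n    loader   %s\n}\n' \
        "$name" "$label" "$label" "$loader"
}

# Whole refind.conf: keep rEFInd's autodetection (internal/external) but add
# explicit stanzas so the BSD root partitions are listed by label.
refind_conf() {
    printf 'timeout 10\nscanfor manual,internal,external\n\n'
    refind_stanza WD2G18 FreeBSD '\EFI\freebsd\loader.efi'
    refind_stanza WD2G19 NetBSD  '\EFI\boot\bootx64.efi'   # assumed NetBSD path
}

install_refind() {
    run mkdir -p "$REFIND_DIR"
    run cp ./refind-bin/refind/refind_x64.efi "$REFIND_DIR/"
    # -c create, -a activate, -L label, -l loader file on the mounted ESP;
    # efibootmgr turns that file path into the EFI device path for the entry.
    run efibootmgr -c -a -L rEFInd -l "$REFIND_DIR/refind_x64.efi"
}

# Usage (as root on FreeBSD, ESP mounted): sh refind-setup.sh install
if [ "${1:-}" = install ]; then
    install_refind
    refind_conf > "$REFIND_DIR/refind.conf"
    efibootmgr -v   # confirm the new entry and its place in BootOrder
fi
```

Run efibootmgr -v afterwards and check that the rEFInd entry is first in BootOrder; if the firmware keeps reordering entries, set the order explicitly with efibootmgr -o rather than relying on the firmware menu.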
Received on Sun Jun 23 2019 - 11:52:46 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:21 UTC