| version 1.13, 2017/02/10 11:08:32 | version 1.15, 2018/01/14 04:12:25 |
|---|---|
| Line 19 The boot partition on disk needs to cont | Line 19 The boot partition on disk needs to cont |
| * a GENERIC kernel | * a GENERIC kernel |
| * the `cgdroot.kmod` kernel module | * the `cgdroot.kmod` kernel module |
| * the configuration file for CGD, `cgd.conf` | * the configuration file for CGD, `cgd.conf` |
| * the encryption key for the volume to start from, named after its partition (like `wd0f`) | * the CGD parameters file for the volume, named after its partition (like `wd0f`), which determines how the encryption key is derived and verified |
| Once loaded, the memory disk mounts the `wd0a` partition onto `/etc/cgd` and asks for the encryption passphrase as usual (with [[!template id=man name="cgdconfig" section="8"]]). If successful, the configured `cgd0a` volume is mounted on `/altroot`, and [[!template id=man name="init" section="8"]] is told via [[!template id=man name="sysctl" section="7"]] to chroot into this volume before actually booting. The system then starts normally. | Once loaded, the memory disk mounts the `wd0a` partition onto `/etc/cgd` and asks for the encryption passphrase as usual (with [[!template id=man name="cgdconfig" section="8"]]). If successful, the configured `cgd0a` volume is mounted on `/altroot`, and [[!template id=man name="init" section="8"]] is told via [[!template id=man name="sysctl" section="7"]] to chroot into this volume before actually booting. The system then starts normally. |
| Line 76 This setup is not entirely safe against | Line 76 This setup is not entirely safe against |
| It is also possible to boot a Xen DOM0 system with root filesystem encryption. However, Xen-enabled NetBSD kernels currently do not support loading modules at boot time. The memory disk has to be placed directly inside the kernel instead (with [[!template id=man name="mdconfig" section="8"]] or a new kernel configuration). | It is also possible to boot a Xen DOM0 system with root filesystem encryption. However, Xen-enabled NetBSD kernels currently do not support loading modules at boot time. The memory disk has to be placed directly inside the kernel instead (with [[!template id=man name="mdconfig" section="8"]] or a new kernel configuration). |
| | It should really be possible to install NetBSD this way with [[!template id=man name="sysinst" section="8"]]. Unfortunately, this is not supported yet. |
| References | References |
| ---------- | ---------- |