NetBSD-Users archive


installation on UEFI system w/ encrypted filesystem



Hello,

I've been trying to install NetBSD on a UEFI system with encrypted root.
I've tried to combine the instructions on
* https://wiki.netbsd.org/Installation_on_UEFI_systems/
* https://wiki.netbsd.org/security/cgdroot/
* https://archive.unitedbsd.com/t/netbsd-desktop-part-1-manual-netbsd-installation-on-gpt-uefi/284
* https://wiki.netbsd.org/users/mlelstv/using-large-disks/#index3h1

without success.

When booting the system, it is not trying to boot from hd0c, but from hd0a.
As far as I can tell, this is the first indication that I did something wrong,
since I specified in /EFI/boot/boot.cfg that it should load netbsd from hd0c.

I can specify:
> load hd0c:/EFI/boot/cgdroot.kmod
> boot hd0c:/EFI/boot/netbsd

The system does try to boot, but fails trying to exec /sbin/init.

Would it be possible for someone to go over the steps I followed and point out
what I'm doing wrong?

For reference, following are the steps I followed:

gpt destroy wd0
gpt create wd0
gpt add -a 2m -l "netbsd-cgd" -t ffs -s 236g wd0
gpt add -a 2m -l "swap" -t swap -s 2g wd0
gpt add -a 2m -l "EFI system" -t efi wd0

EFI=`dkctl wd0 listwedges | grep msdos| cut -d':' -f1`
CGD=`dkctl wd0 listwedges | grep 'netbsd-cgd'| cut -d':' -f1`
SWAP=`dkctl wd0 listwedges | grep 'swap'| cut -d':' -f1`

newfs_msdos -F 16 /dev/r$EFI
mount -t msdos /dev/$EFI /mnt
mkdir -p /mnt/EFI/boot
cp /usr/mdec/*.efi /mnt/EFI/boot

cgdconfig -g -V disklabel -o /mnt/EFI/boot/cgd.cfg aes-cbc 256
cgdconfig -V re-enter cgd0 /dev/$CGD /mnt/EFI/boot/cgd.cfg
newfs /dev/rcgd0a

cp /amd64/installation/miniroot/cgdroot.kmod /mnt/EFI/boot
cp /usr/mdec/boot* /mnt/EFI/boot

swapon /dev/$SWAP
mount /dev/cdg0a /mnt2
for D in var usr home; do mkdir /mnt2/$D; done
cd /mnt2
for set in \
kern-GENERIC base comp etc  games man misc modules\
tests text xbase xcomp xetc xfont xserver; do
tar -xzpf /amd64/binary/sets/$set.tar.xz
done

cp netbsd /mnt/EFI/boot/netbsd

cat > /mnt/EFI/boot/boot.cfg << EOF
menu=Boot normally:rndseed /etc/entropy-file;load hd0c:/EFI/boot/cgdroot.kmod;boot hd0c:/EFI/boot/netbsd
EOF

(it should be noted that I also tried with `load hd0c:cgdroot.kmod`, but it made
no difference)

installboot -vf /dev/r$EFI /mnt/EFI/boot/bootxx_fat16

cd /mnt2/dev
sh MAKEDEV all

cd /mnt2
mkdir kern
mkdir proc
mount_kernfs  kernfs   /mnt2/kern
mount_procfs  procfs   /mnt2/proc
mount_tmpfs  tmpfs   /mnt2/var/shm
mount_ptyfs  ptyfs   /mnt2/dev/pts
chroot  /mnt2 su -

cat > /etc/fstab << EOF
/dev/cgd0a              /       ffs     rw               1 1
/dev/wd0b               none    swap    sw,dp            0 0
kernfs                  /kern   kernfs  rw
ptyfs                   /dev/pts        ptyfs   rw
procfs                  /proc   procfs  rw
tmpfs                   /var/shm        tmpfs   rw,-m1777,-sram%25
EOF

echo "export LANG=\"en_US.UTF-8\"" >> /etc/profile
echo "export LC_CTYPE=\"en_US.UTF-8\"" >> /etc/profile
echo "export LC_ALL=\"\"" >> /etc/profile

exit
reboot

Thank you,

/ts


