If an encrypted install is attempted and fails for any reason, the disk
cannot be erased by the installer because the partition is in use by GELI
At the start of the installation process, all ZFS pools are exported and
all GELI instances are detached, to allow a restarted install to proceed
PR: 210814
Reported by: jonathan
MFC after: 10 days
The pools are exported and reimported in order to write the bootcode
This causes an error when the bootpool is later mounted by common code
The bootpool is now imported with the -N flag to prevent mounting
Reported by: Michael Dexter
MFC after: 5 days
This patch add new 'hardening' file responsible for new bsdinstall
'System Hardening' menu allowing users to set some sane and carefully
picked system security options (like random process id's, hiding
other users/groups processes and others).
All options are OFF by default in this patch due to POLA principle
with intention to turn change some of them to ON by default in future.
Reviewed by: adrian, allanjude, bdrewery, nwhitehorn
Approved by: adrian, allanjude
MFC after: 7 days
Not having the correct date and time makes many PKI based things not work
In 10 and 11, it can mean that Unbound, ntpd, and sshd won't start
Submitted by: des (original patch)
MFC after: 7 days
Apply the LenovoFix (fake partition in pMBR is 2nd rather than 1st)
and GPT Active fix (mark the fake pMBR partition active) to respective
hardware that is confirmed to require such to boot correct.
Submitted by: Sam Fourman Jr. <sfourman@gmail.com> (ThinkPad W520)
Submitted by: Matthias Apitz <guru@unixarea.de> (Latitude E6330)
Approved by: re (gjb)
Sponsored by: ScaleEngine Inc.
A separate bootpool is used when the selected partition type is MBR
or when the disk is GELI encrypted and a UEFI loader is selected.
BIOS avoids the bootpool by using bootcode and loader that support GELI.
bsdinstall did not remount the bootpool after creating the main pool,
which caused an error when mkdir tried to create /boot/zfs
PR: 210717
Approved by: re (gjb)
Sponsored by: ScaleEngine Inc.
A larger EFI file system size will facilitate multi-boot configurations
and the installation other EFI applications like firmware update tools.
200MB matches OS X.
Note that this changes only the partition size, not the file system that
bsdinstall places there. We need to do both, but as the partition size
is difficult to adjust later make this change for now so that at least
systems installed with FreeBSD 11.0 have a partition layout with room
to grow.
Reviewed by: allanjude, imp
Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D6935
Fix an error where vfs.root.mountfrom was not always set as required
when creating a bootpool. After the recent geliboot changes, it was only
set if the main pool was encrypted.
Also resolve an error where the bootpool was unmounted twice causing
bsdinstall to stop with an error message about the failed command.
Approved by: re (gjb)
Sponsored by: BSDCan Hacker Lounge
Allow to setup country and/or regulatory domain before scanning
(since channel list is affected by regulatory restrictions this may
impact scan results).
PR: 182600 (originally)
Differential Revision: https://reviews.freebsd.org/D6325
Do not set canmount=noauto on the boot environment at create time, because
this causes / to not be mounted, and since the chroot is read only, new
mountpoints cannot be created.
The property is set later, when other properties are adjusted
Reported by: HardenedBSD
Sponsored by: ScaleEngine Inc.
In this configuration, a separate bootpool is not required.
This allows ZFS Boot Environments to be used with GELI encrypted ZFS pools.
Support for GPT+EFI+GELI is planned for the future.
Tested by: Joseph Mingrone, HardenedBSD
Relnotes: yes
Sponsored by: ScaleEngine Inc.
Differential Revision: https://reviews.freebsd.org/D5869
The root file system is mounted early via vfs.root.mountfrom.
The canmount=noauto property only affects the zfs rc.d script.
This ensures that the 'default' BE is not mounted overtop of another BE when
one is selected from the beastie menu
Sponsored by: ScaleEngine Inc.
The POSIX version of basename() doesn't use a 'const char *' argument;
the function may overwrite its input buffer. Instead of copying the
input string, let's just simplify this code by using our getprogname()
function that already returns the name of the application in the right
format.
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D6094
Installs both pmbr+gptzfsboot as well as boot1.efifat in separate partitions
The resulting system can be booted with either UEFI or BIOS/CSM.
Preference is controlled by the user's firmware boot settings.
This is now the default for zfsboot installs
PR: 208629
Submitted by: Galael LAPLANCHE <ganael.laplanche@corp.ovh.com> (original version)
If a user requested encrypted swap, but 0 sized, it would still be added to fstab
PR: 208630
Submitted by: Ganael LAPLANCHE <ganael.laplanche@corp.ovh.com>
MFC after: 2 weeks
Sponsored by: ScaleEngine Inc.
If the bootpool does not start at the first sector of the BSD partition
then zfsldr seeks to the wrong offset inside the ZFS vdev label, and is
unable to find zfsboot, so the system does not boot
If 4k alignment is requested, align the BSD partition in the MBR table,
and align the swap and data pool, but the bootpool must start at sector 1
While here, if 4k alignment is requested, disable MBR CHS alignment, as
this results in not-4k aligned partitions.
Reported by: Alex Wilkinson
MFC after: 5 days
Sponsored by: ScaleEngine Inc.
The Dell Precision Tower 5810 fails to boot from GPT in Legacy/BIOS mode
without the Active flag in the Protective MBR. Suggest the workaround
during installation.
Since an increasing number of Dell systems exhibit this behavior,
I imagine all Dells past a certain date will do so. I would like
to suggest the workaround for all Dells with a BIOS date of, say,
2014 or later, but I would need to test a variety of systems before
committing such a change.
Reviewed by: allanjude, dteske
MFC after: 5 days
Relnotes: We should probably suggest using GPT+Active on "recent" Dells.
Sponsored by: Dell Inc.
Differential Revision: https://reviews.freebsd.org/D4075
- Rework MANIFEST generation and parsing via bsdinstall(8).
- Allow selecting debugging distribution sets during install.
- Rework bsdinstall(8) to fetch remote debug distribution sets
when they are not available on the local install medium.
- Allow selecting additional non-GENERIC kernels during install.
At present, GENERIC is still required, and installed by default.
Tested with: head@r293203
Sponsored by: The FreeBSD Foundation