Guide: FreeBSD 10.0 / NAS Intel ss4200 / headless install / "notso" full disc encrypt


elliot.trance2

Occasional Visitor
TAGS: ss4200, intel, serial, console, freebsd

BETA-Phase
OK: I have tested the semi-auto install ([post=150305]read this[/post]).

It works.

However, I'm not totally happy with the result, as I forgot to integrate altering /etc/ttys into my stage2.sh script.


Constructive criticism is appreciated; if you find errors or you dislike certain methods just spit it out, I will not bite, other than that I will thank you. (Unless somebody mixes up rudeness and ranting with criticism.)


Table of Contents:

A.) [post=150279]Install FreeBSD 10.0-RELEASE headless (+ encrypted root optional!)[/post]
B.) [post=150299]prepare a usb thumbdrive (usb stick) with scripts for semi automatic & headless installation[/post]
C.) [post=150300]configure ss4200 & putty to get along[/post]
D.) [post=150301]configure ss4200 to boot from usb-stick[/post]
E.) [post=150305]Using Scripts from Part.C to do Part.A in the blink of an eye (SEMI AUTOMATIC)[/post]



Prerequisites:
- ss4200 is equipped with an RS-232 port and a 9-pin D-sub female interface is connected to it, all data lines connected according to the RS-232 standard
- same goes for the PC side (on the PC, a usb2serial adapter is allowed)

The steps necessary to install those interfaces can be found at (2)

This guide assumes that you have the barebone version of the ss4200 without a D.O.M. or compact flash card with an OS built into the system (see Hint01).

I assume that there is a SATA hard drive connected to the lowest-numbered port (the cables are labeled)

This will also work with other remote-access-enabled systems. But the ss4200 seems to be a bit more of a challenge, as without a PCIe flex cable and a PCIe x1 graphics card it's hard to figure out what's really going on.

Warning:
The scripts and actions will erase all data on the drive "/dev/ada0". Remove all other drives from the system for installation. Make sure that all data is saved from the drive on which you intend to install FreeBSD (not FreeNAS) according to these steps.

SCOPE:
The following step-by-step guide will confront the reader with the commands necessary to install FreeBSD from a USB stick into an encrypted root and utilize an encrypted swap partition (defunct at the moment). The file system used is UFS2 with soft updates. (see Hint04)

Every step is marked with the chapter number and the sub step as a letter, e.g. "5.h)" means the 8th sub step of chapter 5.
If you have corrections or want to discuss certain steps, please refer to these marks.

Those commands are also available in the form of two scripts, "stage1.sh" & "stage2.sh", together with the pre-written config files. It should be possible for a "normal" user to get FreeBSD up and running on a ss4200 using this plug & play manual. I heard from friends in real life that they bought the ss4200 bare bone and gave up. Nowadays the ss4200 is a cheap to buy and cheap to extend NAS, the only problem is finding a way to install a proper OS on the machine.


The terminal emulator in use is putty on Windows.

After the system is installed you will have a bare minimum OS at hand with a running ssh server and an account that can log into the ssh server and "su" to "root". You will also be able to connect to the system using an RS-232 null modem (cross over) cable. Using RS-232 you will be able to log in directly as "root". You then need to configure FreeBSD to act the way you want it (e.g. file server, mail server etc.); this is not covered by this guide, nor will I provide information on that topic.

What's included, what's missing (crypt):
[+] with gpart/gpt
[+] with pass phrase only
[+] with AES-128-XTS
[-] NO HMAC!! .. no data authentication (drawback: will not prevent data tampering), I had performance issues using an HMAC algorithm
[-] without gpart labels
[-] without an additional random encryption key (that would have been stored on your unencrypted /boot anyway)
[-] Your boot loader and kernel will be vulnerable to airport-customs/hotel/evil maid attacks
[-] The effort for infecting a system is lower than with Truecrypt, as in addition to the boot loader the kernel can be rewritten without you knowing(*)
* I view modifying an open source kernel as easier than tinkering all the malicious code into a boot loader

What's included, what's missing (serial):
[+] all commands written down into a script
[+] scripts for semi auto install
[-] no auto encrypt install / I think something like that exists for a ZFS/encrypted root setup

This was "compiled" from the following sources, which actually didn't work that well without the "compiling", so thanks go to:

Tested on:
OS-Type : FreeBSD/amd64
OS-Version : 10.0-Release

Word of caution: the behaviour of FreeBSD differs between 8.X, 9.1, 9.2, 9.3 and 10.0; certain ways will work for a specific version, some won't, when you are using the unaltered .img.
The best way to succeed is to alter the img file by hand (also covered).

Hints:

Hint01: The IDE interface on the ss4200 does not support UDMA modes, a fast ATA/IDE hard drive will be very slow, use a SATA drive to boot from.

Hint02: Whenever posting dmesg output make sure you remove information about the "Serial Number"(s), as those uniquely identify your usb stick or even you.

Hint03: Whenever downloading WinSCP or Filezilla from Sourceforge, download the portable package and not the installer. The Filezilla installer contained/contains adware (5).
I checked the current one, no adware was detected anymore, however putting adware into an installer of open source software is fishy, don't take chances. (Yes, you can unclick five options to prevent this, but if you fail at one .. you have fun.)

Hint04: ZFS on the ss4200 with 1 or 2 GB RAM and an upgraded CPU will be very slow, and UFS does everything I want.

Hint05: How to boot the ss4200 from a usb stick: a usb stick will be enumerated under "Hard Disk Drives", there you need to set your USB stick to the first place, since on the ss4200 the usb stick is not seen as a "removable device". You need to repeat that procedure each time you disconnect the usb stick.

Hint06: AES 128 vs 256 - I chose 128-bit AES because of performance considerations on the ss4200 and due to the essay by Bruce Schneier (6) detailing AES-256 weaknesses. Also, the first point of attack on current crypto systems is the key derivation function PBKDF2 (7,8).

Warning: At the moment I'm not really sure if leaving out the random key component results in removing the salt from the PBKDF2, which would make it possible to pre-generate keys. I will look into that matter and correct the guide or state the facts I found out.


Disclaimer:
You are responsible for your own actions and errors and bear all consequences. Even careful testing of the method statement will not prevent all errors. Use at your own risk.


Acronyms & special terms
"su" - "substitute user identity" - command to change the user and gain its rights FreeBSD/man su(1)

"root" - "root user" - the root user can do everything on the system, but will be prohibited from directly logging in using ssh or an insecure shell Wikipedia/Superuser

"ssh" - Secure SHell - a method to connect to a shell on a system over a network using cryptographically secured communication Wikipedia/SSH

"RS-232" - standardized serial interface Wikipedia/RS-232

"putty/PuTTY" - is a client for ssh Wikipedia/PuTTY

"HMAC" - Hash-based message authentication code - Wikipedia/HMAC

"vi(m)" - simple small text editor included within the basic FreeBSD distribution - Wikipedia/vi


Hashes
sha1 fingerprint of the unaltered img file:
Code:
SHA1 (FreeBSD-10.0-RELEASE-amd64-memstick.img) = abf120c10f51372f7d5aabb04cf5cbaef5dbbabf


Links
(1) https://www.freebsd.org/doc/handbook/mirrors-ftp.html
(2) http://ss4200.pbworks.com/w/page/5122741/Console Access via RS232
(3) http://sourceforge.net/projects/win32diskimager/
(4) WinSCP
(5) SF/Filezilla/Reviews
(6) Bruce Schneier/AES weakness
(7) Wikipedia/PBKDF2
(8) Open Crypto Audit Project TrueCrypt

0.) Before continuing
Before you continue with part A.), please make sure that you have PuTTY up and running and that you see the BIOS POST messages from your ss4200 in your terminal window (if you don't have that level of control, please read part D. on how to gain it). You will also need to make sure that the BIOS will boot from the usb stick first; if it doesn't, follow part E.)
 

1.) "Download File & Installation start"
a.)
Download the following image file FreeBSD-10.0-RELEASE-amd64-memstick.img from (Links/1)
[post=150299]and put it onto a usb stick, see Part.B for the proper procedure.[/post]

b.)
Connect your prepared USB stick to the ss4200, check if the bios will boot from it.

Catch22:
If the stick was disconnected and the system was rebooted, the hard drive will again be the first device to boot from. (see Hint05)

c.)
Turn your ss4200 on (you will first hear the fans running at max speed, they will spin down after 3s)


Just go to substep e.), please; the method I wanted to describe here worked on the 7.X and 8.X releases.

.. this is currently not available, prepare the images beforehand (Part.B.)

d.)
Tell your FreeBSD loader to inform the kernel that you are using a serial console ("comconsole") and that your terminal emulator is configured for "115200" bps

e.)
if everything worked out, you should see this shortly after the talkative kernel & init scripts:

[screenshot]


f.)
enter "xterm" and press enter; vt100 also works, however it will be black & white and some keys on your keyboard might not work the way you expect.

g.)
Choose install:
[screenshot]


h.)
Don't play, just choose the "default"

[screenshot]




 

i.)
Select an appropriate name "SleepyHeadless" or so. It is indeed headless!

[screenshot]



j.)
believe me, this is the best choice (see screenshot); get the current ports later via "portsnap fetch extract". 32-bit compat .. yeah, you might need it.

nwmIkTF.png




Now you will have to make the choice if you want to encrypt your root partition or not.
Option 1.) [post=150282]headless & encrypted [/post]
Option 2.) [post=150285]headless & no encryption [/post]
 
(Option 1) - headless & encrypted



k.)
Choose "shell"

[screenshot]



I have compiled all commands and config files down to scripts, therefore please have a look at [post=150299]Part.B - scripts for semi automatic[/post] if you don't want to enter each and every command yourself. This is "just" the explanatory part, to give more detail on the commands & their parameters in use.

2.) "Partitioning the hard drive/manually"


a.)
This will [F]orcibly destroy a possibly existing partitioning scheme on your hard disk [ada0]

Code:
gpart destroy -F ada0

NOTE: You will get an error message saying "invalid argument" when the drive's partition/GPT table is literally blank/zeroed out. Then continue with step 2.b)

b.)
This will create the gpt scheme partitioning information on your hard disk

Code:
gpart create -s gpt ada0

c.)
This will allocate a partition of [64]k size where the boot loader code will be copied to. (Note that gpart(8) interprets a bare -s value as a number of sectors; append a unit suffix such as k or M if you want to specify the size in bytes.)

Code:
gpart add -s 64 -t freebsd-boot ada0

d.)
This will create a 5 Gbyte sized boot partition.
The filesystem indicator is set to freebsd-ufs.
This filesystem will not be encrypted.
On this filesystem the kernel will reside.

Code:
gpart add -s 5G -t freebsd-ufs ada0

e.)
This will create a 4 Gbyte sized swap partition.
The filesystem indicator is set to freebsd-swap.
This partition will later be encrypted with a one-time key, renewed after every reboot.

Code:
gpart add -s 4G -t freebsd-swap ada0

f.) missing /dev/ada0p4
This will create a root partition of TAKEWHATSLEFT Gbyte, i.e. all remaining space.
This will be your encrypted playground.

Code:
gpart add -t freebsd-ufs ada0


3.) "Installing bootcode and formatting boot partition"

a.)
This will copy the boot loader code to the boot partition mentioned under 2.c

Code:
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0

b.)
This will format the partition created at 2.d.
Both commands will work, choose one, use only one!

Code:
newfs -O 2 -U -m 0 -j /dev/ada0p2

or

Code:
newfs -U /dev/ada0p2

4.) "The Encryption"


a.)
You will create an encrypted container on the partition from 2.f.
After entering the command you will be asked to enter an encryption pass phrase.
This pass phrase is the future key to your data, you have to remember it.
This pass phrase must have a certain length and randomness to be resilient against brute force attacks short of extreme measures (brutal force or a real, real, real big cluster).

A note on randomness, use:
- upper and lower case characters
- special characters
- numbers [0..9]


You will be asked a second time to enter the exact same pass phrase; if you fail to enter the exact pass phrase, you will be asked again for an initial pass phrase, and again and again and ...

This command will initialize /dev/ada0p4 to be encrypted using AES-XTS with a key length of 128 bits, with the option (-b) of being asked for the passphrase at boot.

Code:
geli init -e AES-XTS -bl 128 /dev/ada0p4

b.)
After executing command 4.a successfully, "/dev/ada0p4" will carry geli metadata, so please do not operate on "/dev/ada0p4" directly.

You will now need to attach geli to /dev/ada0p4, and geli will spawn a clear text device named /dev/ada0p4.eli that you need to operate on.

Code:
geli attach /dev/ada0p4

5.) "Formatting and mounting partitions"

a.)
After the command in 4.b is executed:
data written to "/dev/ada0p4.eli" will be encrypted by GELI (AES + passphrase) and written to /dev/ada0p4.

When geli has attached the encrypted ada0p4, the device ada0p4.eli will give you everything in the clear as long as geli is attached.

This means you will need to format the "/dev/ada0p4.eli" partition / soft updates / UFS2

Code:
newfs -O 2 -U /dev/ada0p4.eli

b.)
You will then mount "/dev/ada0p4.eli" to "/mnt"

Code:
mount /dev/ada0p4.eli /mnt

c.)
You will need to MaKe a DIRectory

Code:
mkdir /mnt/bootdir

d.)
you will then need to mount the partition (from 2.d, 3.b)

Code:
mount /dev/ada0p2 /mnt/bootdir

e.)
You will need to MaKe a DIRectory

Code:
mkdir /mnt/bootdir/boot

f.)
You will Change Directory

Code:
cd /mnt

g.)
You will create a symbolic link in your current working directory (pwd)! see 2.f) *HINT possible error*

Code:
ln -fs bootdir/boot

6.) "Let Sysinstall/bsdinstall take over"
a.)
You will need to enter the exit command

Code:
exit

 
only headless installation without encryption




l.)
This will be shortened, for viewers' discretion, assuming that you have an empty hard drive to play with, containing no needed data.

- Choose "manual"
- delete all other partitions on ada0
- select ada0 and choose (a)uto
- proceed: yes
- Commit

Then the installer installs the files

[post=150294]Next Post[/post]
 



- then the screen turns black, here you choose your root password, you need to remember that password! You need to enter the same password two times for confirmation purposes
- then configure your network interface (remember, if you choose DHCP and you want to ssh in, you should have a way to discover that DHCP-assigned IP, a port scanner or local name server/Windows name server for example)
- IPv6 .. that's a philosophical question, I just think 4 billion is enough and IPv6 is "so" old but untested that its implementations have some surprises to offer for network security.
- choose a domain name (example: "devilisland") and your ISP's name server, or any other openly accessible name server
- CMOS clock/time zone: do as you like
- tip: disable dumpdev
- leave sshd enabled

- add users: YES
- choose a username, example "thehoff", and invite him to group "wheel"! etc.. choose the defaults anyway

- Exit
- Manual configuration: YES

keep in mind you are chrooted into your newly installed root

edit /boot/loader.conf and add the following text:

Explanation
This will enable console redirection to serial console(only!) setting the speed to 115200bps, this will redirect all output(kernel & init) but this will not spawn a login!

Code:
boot_serial="YES"
console="comconsole"
comconsole_speed="115200"


edit /etc/ttys and change the following line:

Code:
ttyu0   "/usr/libexec/getty std.9600"   dialup  off secure

to

This line will tell getty to spawn a login on COM1 with 115200.

Code:
ttyu0   "/usr/libexec/getty std.115200"   xterm  on secure

If you write "insecure" your root user will be prohibited from logging in via the serial terminal.
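As an added example (not from the original post or from the FreeBSD project), the loader.conf and /etc/ttys edits above as two reusable sh functions; the function names and the file-path parameter are my own choice, and the functions only touch the file you pass them:

```shell
#!/bin/sh
# Added helpers (not part of the original guide): idempotent versions of
# the two edits above. set_loader_var replaces or appends a NAME="VALUE"
# line in a loader.conf, always with straight ASCII quotes; appending with
# "cat >>" as stage2.sh does would leave duplicate keys on a second run.
# enable_serial_getty rewrites the ttyu0 line of an /etc/ttys copy.
# Both take the file path as a parameter, so they can be run against
# /bootdir/boot/loader.conf and /etc/ttys or against test copies.

# set_loader_var FILE NAME VALUE
set_loader_var() {
    file=$1 name=$2 value=$3
    tmp="${file}.tmp.$$"
    if grep -q "^${name}=" "$file" 2>/dev/null; then
        # escape / and & so the value is safe inside the sed replacement
        esc=$(printf '%s' "$value" | sed 's#[/&]#\\&#g')
        sed "s/^${name}=.*/${name}=\"${esc}\"/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# enable_serial_getty FILE [SPEED] [TERM] [STATUS]
# STATUS is "secure" (root may log in on the serial line, as in the guide)
# or "insecure" (root is refused on ttyu0 and must su(1) from another account).
enable_serial_getty() {
    file=$1 speed=${2:-115200} term=${3:-xterm} status=${4:-secure}
    tmp="${file}.tmp.$$"
    line="ttyu0 \"/usr/libexec/getty std.${speed}\" ${term} on ${status}"
    if grep -q '^ttyu0[[:space:]]' "$file" 2>/dev/null; then
        sed "s|^ttyu0[[:space:]].*|${line}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}
```

Run `enable_serial_getty /etc/ttys` inside the chroot and follow it with `kill -HUP 1` (or a reboot) so init(8) re-reads /etc/ttys.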
 
Final Steps for working encrypted root partition

/bootdir/boot/loader.conf

- telling the kernel to mount from the encrypted device
- enabling crypto accelerators
- loading the geli support
- stating that no keyfile was used

Code:
vfs.root.mountfrom="ufs:/dev/ada0p4.eli"
aesni_load="YES"
geom_eli_load="YES"
geli_ada0p4_keyfile0_load="NO"


/etc/fstab

Code:
/dev/ada0p4.eli /         ufs  rw 0 0
/dev/ada0p2	/bootdir  ufs  rw 1 1
/dev/ada0p3.eli none      swap sw 0 0


/etc/rc.conf - deprecated, don't use - just for information

Code:
geli_swap_flags="-e AES-XTS -l 128 -s 4096 -d"

geli_swap_flags seems not to work on FreeBSD 10.0 anymore; I haven't found a good explanation (like having the swap space transparently encrypted at the swap system level, making it deprecated), but I do the following workaround till I have more information.

/etc/rc.local

Code:
#!/bin/sh
geli onetime -d -e AES-XTS -l 128 ada0p3
swapon /dev/ada0p3.eli

confirming with the command "swapinfo" that swap uses the .eli device:
Code:
Device          1K-blocks     Used    Avail Capacity
/dev/ada0p3.eli   4194304        0  4194304     0%
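An added post-install check, not part of the original guide: given /bootdir/boot/loader.conf, /etc/fstab and the output of swapinfo, it reports the inconsistencies that leave the boot stuck or the swap unencrypted (non-ASCII quotes pasted into loader.conf, loader and fstab naming different root devices, swap not on a .eli provider). Function names are my own; the sample swapinfo text is constructed after the output shown above.

```shell
#!/bin/sh
# Added post-install audit helpers (not part of the original guide).
# Each function takes a file or captured command output as a parameter,
# so they can be run on the real system (/bootdir/boot/loader.conf,
# /etc/fstab, output of "swapinfo") or on copies for testing:
#   audit_crypt_config /bootdir/boot/loader.conf /etc/fstab "$(swapinfo)"

# loader_root_device FILE: device named by vfs.root.mountfrom, e.g. /dev/ada0p4.eli
loader_root_device() {
    sed -n 's/^vfs\.root\.mountfrom="ufs:\([^"]*\)"$/\1/p' "$1"
}

# fstab_root_device FILE: device mounted on "/" according to fstab
fstab_root_device() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$1"
}

# unencrypted_swap SWAPINFO_OUTPUT: prints swap devices that are not .eli providers
unencrypted_swap() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 !~ /\.eli$/ { print $1 }'
}

# audit_crypt_config LOADER_CONF FSTAB SWAPINFO_OUTPUT
# Prints one line per finding; prints nothing when the configuration is consistent.
audit_crypt_config() {
    loader=$1 fstab=$2 swap=$3

    # Bytes outside printable ASCII (typically curly quotes pasted from a
    # web page) make loader(8) ignore the assignment, so root never mounts.
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$loader"; then
        echo "loader.conf: non-ASCII characters present (curly quotes?)"
    fi
    grep -q '^geom_eli_load="YES"$' "$loader" || echo "loader.conf: geom_eli_load=\"YES\" missing"

    lroot=$(loader_root_device "$loader")
    froot=$(fstab_root_device "$fstab")
    case "$lroot" in
        *.eli) ;;
        *) echo "loader.conf: vfs.root.mountfrom does not name a .eli device (got '$lroot')" ;;
    esac
    [ "$lroot" = "$froot" ] || echo "fstab: root device '$froot' differs from loader.conf '$lroot'"

    for dev in $(unencrypted_swap "$swap"); do
        echo "swap: $dev is not an encrypted (.eli) device"
    done
}
```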
 
B.) Prepare a memstick (usb stick) for headless installation + semi automatic using scripts

1.) choosing the right OS image file

Go to (1) and get a "...-memstick.img" file, ISO files won't work that way!
For 10.1 make sure that you don't download the "bootonly" image. Otherwise you would need to configure the network interface so that the installer can download the necessary data from a mirror site (slower).

for example: FreeBSD-10.0-RELEASE-amd64-memstick.img is the "right" choice.

2.) How to write a memstick image file to a usb stick

a.) using Windows
In a Windows environment use software (3); it's your own responsibility to figure out how.
Write the image onto two different memsticks using software (3).

You need one to boot FreeBSD from, and another that you want to alter. There might be ways to do it with only one memstick, but I haven't figured these out yet.

b.) using FreeBSD/Linux
FreeBSD-only
Code:
cp FreeBSD-10.0-RELEASE-amd64-memstick.img /dev/daX

FreeBSD & Linux
Code:
dd if=FreeBSD-10.0-RELEASE-amd64-memstick.img of=/dev/daX bs=16M





3.) Choosing the right option

Boot from one of these sticks, on a "normal" headed computer (with a graphics card, a monitor and a keyboard).

Choose "Shell" at that screen.
[screenshot]


4.) Identifying the memstick you want to reconfigure

Insert the second usb stick.
Wait approx. three seconds, then type in the command dmesg.
The last lines will tell you something like this:

Code:
da2 at umass-sim1 bus 1 scbus8 target 0 lun 0
da2: <Kingston DataTraveler 2.0 PMAP> Removable Direct Access SCSI-0 device
da2: Serial Number XXXXXXXXXXXXXXX
da2: 40.000MB/s transfers
da2: 954MB (1953792 512 byte sectors: 64H 32S/T 954C)
da2: quirks=0x3<NO_SYNC_CACHE,NO_6_BYTE>

Now you would know that the device file for your second memstick is accessible through /dev/da2. Look at the output above and adapt to your own output, this is an example.

see Hint02 about the "Serial Number".

5.) accessing the memstick's file system

Now mount that device under /mnt using the following command:

Code:
mount /dev/da2 /mnt


6.) Editing the configuration files

You will edit this file with "vi".
You will need to know that "vi" has two modes, a command mode and an editor mode; when started you are in command mode first, where no direct typing is possible.

- Press "i" to enter editor mode
- Press "ESC-KEY" to exit editor mode back into command mode
- Enter ":wq" followed by striking the "ENTER-KEY" to write the file and quit the editor when in command mode.
- Enter ":q!" followed by striking the "ENTER-KEY" to NOT write and quit the editor when in command mode.
- BACKSPACE works differently
- USE DEL and COMMAND mode to edit typos

Then enter the boot loader directory of your intended installer memstick

Code:
cd /mnt/boot

Now edit "loader.conf" using "vi"; if you see ASCII garbage it mostly means you forgot to add ".conf": double press ESC, type ":q!" as command to quit vi and redo the step.

Code:
vi loader.conf

Add the following lines using editor mode.

Code:
boot_serial="YES"
console="comconsole"
comconsole_speed="115200"

Then save the file to stick and quit "vi" using the command mode.


7.) Safely unmount the usb stick

Leave the directory /mnt/boot

Code:
cd /

Now you can unmount the memstick.

Code:
umount /mnt

I like to play it safe, and tell the kernel to please "sync", i.e. write all data that has not yet been written.
("remove safely" under Windows)

Code:
sync

Disconnect the memstick, mark it as only to be used for a headless install.

Now you can boot your ss4200 with this memstick, provided PuTTY is configured correctly and the ss4200 is configured to boot from that usb stick.

8.) Adding Semi-auto scripts

If you additionally want to add the scripts for semi-automatic root encryption, please repeat step 5.) and mount the memstick again.

9.) Create scripts and pre config files


a.) the "stage1.sh" script

Code:
mkdir /mnt/root/scripts

create a file named "stage1.sh" (inside the /mnt/root/scripts directory just created; stage1.sh later expects the scripts under /root/scripts of the booted stick)
Code:
echo >> stage1.sh

add the following lines to "stage1.sh"

Code:
gpart destroy -F ada0
gpart create -s gpt ada0
gpart add -s 64 -t freebsd-boot ada0
gpart add -s 5G -t freebsd-ufs ada0
gpart add -s 4G -t freebsd-swap ada0
gpart add -t freebsd-ufs ada0
gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0
newfs -U /dev/ada0p2
geli init -e AES-XTS -bl 128 /dev/ada0p4
geli attach /dev/ada0p4
newfs -O 2 -U /dev/ada0p4.eli
mount /dev/ada0p4.eli /mnt
mkdir /mnt/bootdir
mount /dev/ada0p2 /mnt/bootdir
mkdir /mnt/bootdir/boot
cd /mnt
ln -fs bootdir/boot
mkdir /mnt/bootdir/scripts
cd /root/scripts
cp rc.conf.pre /mnt/bootdir/scripts
cp fstab.pre /mnt/bootdir/scripts
cp loader.conf.pre /mnt/bootdir/scripts
cp loader.conf.serial /mnt/bootdir/scripts
cp stage2.sh /mnt/bootdir/scripts

b.) the "loader.conf.pre" for encrypted root
Code:
echo >> loader.conf.pre

add the following lines to "loader.conf.pre"

Code:
vfs.root.mountfrom="ufs:/dev/ada0p4.eli"
aesni_load="YES"
geom_eli_load="YES"
geli_ada0p4_keyfile0_load="NO"


c.) the "loader.conf.serial" for headless operation
Code:
echo >> loader.conf.serial

add the following lines to "loader.conf.serial"

Code:
boot_serial="YES"
console="vidconsole,comconsole"
comconsole_speed="115200"

d.) the "fstab.pre" based on the result from "stage1.sh"

Code:
echo >> fstab.pre

add the following lines to "fstab.pre"

Code:
/dev/ada0p4.eli /         ufs  rw 0 0
/dev/ada0p2	/bootdir  ufs  rw 1 1
/dev/ada0p3.eli none      swap sw 0 0



e.) the "rc.conf.pre" config file


Code:
echo >> rc.conf.pre

add the following lines to "rc.conf.pre"

Code:
geli_swap_flags="-e AES-XTS -l 128 -s 4096 -d"


f.) the "stage2.sh" script


Code:
echo >> stage2.sh

add the following lines to "stage2.sh"

Code:
cd /bootdir/scripts
cp fstab.pre /etc/fstab
cat rc.conf.pre >> /etc/rc.conf
cat loader.conf.serial loader.conf.pre >> /bootdir/boot/loader.conf
 
C.) configure ss4200 & putty to get along


The first hurdle you need to take when playing with your ss4200 is that you need to figure out what bps the RS-232 is set to by default. Finding that out by trial and error can be a tedious task. But you need to concentrate and "brute force" those combinations, write down the result in PuTTY and reboot the ss4200 again and again and ..

The ss4200 offers 5 speeds for remote console operation over rs232
115200, 57600, 38400, 19200, 9600

My suggestion is that you should save those five different bps rates into five serial profiles for PuTTY and name them accordingly (serial_115200 for example)

[screenshot]



These options should work at one point in time (with the speed exchanged accordingly)
[screenshot]


Even though the flow control settings of my ss4200 and PuTTY differ, it works without problems

ss4200 / no flow control vs. putty / XON-XOFF Software flow control
[screenshot]
 
D.) configure ss4200 to boot from usb-stick


This details Hint05.

This is how you need to set the boot order, in order to boot from a usb stick first:
[screenshot]


If it is not set, just select it from the drop-down menu:
[screenshot]
 
Using Scripts from Part.C to do Part.A in the blink of an eye

Part A.) was intended to be educational going through every command necessary.

This is how to do it quick!

You need to have done [post=150299]Part B.[/post] and that stick must be ready to boot according to [post=150299]Part B.[/post]

Part A.)
Section 1.) will be executed
Sections 2-5.) will not; instead you will execute
Code:
sh stage1.sh

That contains all commands from Sections 2-5.); if you make an error just restart the script!

[post=150294]This is also a must have[/post]
and then you just execute
Code:
sh stage2.sh

You need to tell [post=150294]getty to spawn a console[/post],
this I forgot within the scripts.

[post=150298]This has already been done by stage2.sh[/post]
 
Errors you might experience

Encrypted Root

When you have an encrypted root partition you will need to enter the passphrase each time you boot. That's not a bug that's a feature.

You might not directly see the "Enter passphrase 3 tries" message
because some kernel messages interfere.

Just press enter once, wait 3s, then you will see the message again,
but with only two tries left.

gpt/partition on ss4200

GPTBOOT might mention an alignment error, just ignore it. I don't have a solution; till 9.3 or so there was no such error.

But if anybody has an explanation or a fix, please don't hold back

All metadata for encryption and decryption is on /dev/ada0p4.
Remember that the metadata is at the beginning and at the end of the partition. The one at the end is a backup, and geli can restore its metadata from there.

Code:
GEOM_ELI: Device ada0p4.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: software
GEOM: ada2: the secondary GPT header is not in the last LBA.
GEOM_PART: integrity check failed (ada2, GPT)
GEOM: diskid/DISK-SADJWIIW: the secondary GPT header is not in the last LBA.
GEOM_PART: integrity check failed (diskid/DISK-SADJWIIW, GPT)
Trying to mount root from ufs:/dev/ada0p4.eli []...



ss4200 setup mentions integrated graphics adapter

it has none, OK, we have no VGA connector, but don't disable it, just enable it and give those 8 MB of memory away, you have enough, and it will spare you much trouble with "vidconsole".

on the sanity of sending a passphrase through a serial console

- Serial communication/RS-232 uses voltage differences to transmit signals, the voltage ranges are within the +/-10-15V range
- most serial cross-over cables are not heavily shielded
- the transfer speed is rather low: 115200bps is low, 9600bps is just extremely low

Taking these points into consideration I conclude that an eavesdropping attack is possible with very low effort, and at a remarkably long range.

 