On Mon, Jan 25, 2021 at 08:08:20PM +0100, Jan Stary wrote:
> > I am trying to set up the bootloader on an external
> > USB stick to boot my FDE-encrypted disk:
> Why? You say you can boot from the disk itself.
See the original linked email discussion from my post for the reasons
why. Short answer: if you have your bootloader with you at all times in
your pocket, an evil maid can't tamper with it to recover your FDE
encryption key.
I managed to get the thing not to panic by using
the -a flag, i.e.
boot> boot sr0a:/bsd -a
Unfortunately, when I use the kernel-suggested default devices (root
device on sd1a, swap device sd1b) then I boot the OS on my USB stick,
rather than the OS on the FDE encrypted drive.
If I tell it to boot sd0a (root) / sd0a (swap) then it panics with
"cannot mount root" (probably because sd0 is an encrypted drive).
If I type ? then it gives me the options:
exit em0 sd0[a-p] sd1[a-p]
If I try telling it to boot sr0a as the root device, then it again just
prompts me with the available options given above -- evidently it can't
find sr0a.
It looks to me like -- even though it is prompting me for the FDE
encryption password after I enter the 'boot sr0a:/bsd -a' command -- the
kernel is either not decrypting or not mounting the softraid disk.
Booting with the '-c' option and typing 'list' shows that there is a
softraid entry:
6 softraid0 at root flags 0x0
Attempting to enable it with 'enable 6' returns the message
6 softraid0 already enabled
The kernel does not accept 'softraid0a' as a root device name.
'machine diskinfo' at the boot> prompt reveals that the hard disk is hd1
and the USB stick is hd0. However, the post-probe list of available
disks is
hd0 hd1 sr0*
so I assume there is no point to trying to boot sr1a.
Any ideas why the kernel isn't seeing sr0a as a root device?
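The reason given above for carrying the bootloader on a USB stick is that an evil maid cannot tamper with something that is in your pocket. A complementary defender-side check, added here as an example and not part of the thread or of OpenBSD's own tooling, is to keep a SHA-256 manifest of the stick's boot files somewhere off the stick (for example on the encrypted disk) and re-verify the stick before booting from it. The file names biosboot, boot and bsd used in the demo are constructed sample names; the script hashes whatever regular files it finds under the directory it is given.

```shell
#!/bin/sh
# Added example: record and verify a SHA-256 manifest of the files on a removable
# boot stick. Not from the mailing-list thread; paths in the demo are constructed.

# Use whichever SHA-256 tool the host has: OpenBSD ships sha256(1), Linux sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# make_manifest DIR MANIFEST
# Writes one "hash  relative-path" line per regular file under DIR, sorted by path.
make_manifest() {
    dir=$1; out=$2
    : > "$out"
    ( cd "$dir" && find . -type f | sort ) | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$dir/$f")" "$f" >> "$out"
    done
}

# verify_manifest DIR MANIFEST
# Returns 0 when every manifest entry is present and unchanged and no extra files
# exist under DIR; otherwise prints MISSING/CHANGED/NEW lines and returns 1.
verify_manifest() {
    dir=$1; man=$2; status=0
    # Redirecting the file into the loop (no pipe) keeps $status in this shell.
    while read -r want path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        got=$(sha256_of "$dir/$path")
        if [ "$got" != "$want" ]; then
            echo "CHANGED  $path"; status=1
        fi
    done < "$man"
    # A file that appeared on the stick after the manifest was made is suspicious too.
    # (Word-splitting here assumes boot file names contain no whitespace.)
    for f in $( cd "$dir" && find . -type f ); do
        if ! grep -q "  $f\$" "$man"; then
            echo "NEW      $f"; status=1
        fi
    done
    return $status
}

# Usage:  ./stickcheck.sh make   /mnt/stick ~/stick.manifest
#         ./stickcheck.sh verify /mnt/stick ~/stick.manifest
case "${1:-}" in
    make)   make_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
esac
```

Store the manifest on the encrypted disk or another trusted location, not on the stick itself; a manifest that travels with the files it describes can be rewritten by the same hand that alters them. Run the verify step from the already-booted, decrypted system, since before decryption there is nothing trusted to compare against.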