Thursday, February 01, 2018

OBSD 6.2 AMD64 can't get keydisk crypto softraid boot going neither with UEFI (nor MBR), is it even supported yet?

Hi,

These are experiences from an upgrade from 6.0 to 6.2.

I know MBR USB keydisk boot worked on 6.0. This is an attempt to
upgrade to 6.2 with UEFI.

A potential error source I have is that I'm also switching boot
medium from SATA to NVME. NVME as boot medium does not affect the
OpenBSD installer, so within the scope of the OpenBSD installer, the
switch to NVME is without impact; however, the installer still does
complain, see below.

The issue is that I don't get the machine to boot with a keydisk crypto
softraid boot partition.

Reproduction steps:

* Write install62.fs to a USB memory stick

* Set the machine to UEFI boot mode (machine has no safe boot setting)

* Boot machine from USB memory stick.

OpenBSD kernel boots and the disks are sd0 = NVME SSD, sd1 = boot
USB stick, sd2 = keydisk USB stick

* Go to the shell by using the (S) option.

* Reset sd0 and sd1 by:

    dd if=/dev/random of=/dev/sd0c bs=1M count=100
    dd if=/dev/random of=/dev/sd2c bs=1M count=100
    fdisk -igy -b 960 sd0
    fdisk -igy sd2

* To ensure that any previous BSD disklabel is properly forgotten by
OpenBSD, reboot, and get back in the S option.

* Set up BSD disklabels:

    disklabel -E sd0
    a a (to add an "a" partition)
    (enter for the default offset)
    (enter to occupy all disk)
    RAID (to make a softraid)
    w
    q

    disklabel -E sd2
    a a (to add an "a" partition)
    1024 (to start 512KB into disk)
    1024 (to create a 512KB-sized partition)
    RAID (to create a softraid)
    w
    q

* Set up USB keydisk softraid:

    bioctl -C force -c C -l /dev/sd0a -k /dev/sd2a softraid0

And its output is:

    sd3 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
    sd3: XXXXXXMB, 512 bytes/sector, XXXXXXXXXX sectors

And so sd3 is the softraid.

* Proceed with OpenBSD installer via "/install".

The interaction at the disk-related install steps is done as follows:

    Available disks are: sd0 sd1 sd2 sd3
    Which disk is the root disk? ('?' for details) [sd0] sd3
    No valid MBR or GPT.
    Use (W)hole disk MBR, whole disk (G)PT or (E)dit? [gpt]
    Setting OpenBSD GPT partition to whole sd3...done
    The allocated layout for sd3 is:
    # (SNIP)
    Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] c
    > a a (to add an "a" partition in the softraid)
    offset: [1024] (enter to use default offset)
    size: [XXXXXXXXXXX] (enter to fill all disk)
    FS type: (enter to make it a 4.2BSD filesystem)
    mount point: [none] / (to make it root partition)
    Rounding size to bsize (128 sectors): XXXXXXXXXX
    > w
    > q

* Following through the installer to completion.

Unfortunately at completion the installer outputs this error
message:

    Failed to install boot blocks.
    You will not be able to boot OpenBSD from sd3.

This message is output by the install script when installboot
returns failure.

To fix this, I tried any of the following three:

    installboot -r /mnt sd0

    installboot sd0 /mnt/usr/mdec/biosboot /usr/mdec/boot

    installboot -r /mnt sd0 /mnt/usr/mdec/biosboot /usr/mdec/boot

* On some attempts here, I checked that the UEFI boot partition was
correct by:

    mount /dev/sd0i /mnt2
    ls /mnt2/efi/boot

And indeed bootia32.efi and bootx64.efi are there.

* Sync, reboot.


Problems:

* The problem at reboot is that the BIOS does not acknowledge any
UEFI-bootable disks at all. The BIOS shows this by jumping into the
BIOS menu at boot, and not listing any bootable devices. (This BIOS
only lists prospective bootable devices, which has a quite wide
definition, however I think it does not list any identified disk.)

Also the BIOS' "go into the UEFI shell of the harddrive" menu option
does not work.

If putting the BIOS in MBR ("legacy") mode, it lists the SSD and one
or more (didn't check) USB memory sticks, but the boot attempt leads
to either empty screen, or I think, a boot failure message.


* The OpenBSD installer USB memory stick is UEFI-booted. I tried to
boot from it to try to boot the SSD from the OpenBSD boot console
that way.

I need to re-check this one but the boot loader shows something like
"disk: hd0 hd1* hd2*", and doing any "boot hd1a:/bsd",
"boot hd2a:/bsd", "boot hd1:/bsd", "boot hd2:/bsd".

If I recall right, at one attempt instead it showed
"disk: hd0* hd1 hd2* sr0", however doing "boot sr0a:/bsd", if I
remember right, failed with "unknown KDF type 2" message or maybe
totally.

I would need to re-check this point more to get accurate data.

I tried redoing all this in MBR mode to see if that would work out:

* I'd set the BIOS to UEFI mode at OpenBSD install time, as the
OpenBSD installer USB memory stick is UEFI

* Do the partitioning the same as above but with the fdisk part as
"fdisk -iy sd0", "fdisk -iy sd2" instead.

* Do the installation the same as above but instead of GPT (the
preselected "gpt" option), specify MBR (by "M").

* At installer completion, the same error message is shown as above, i.e.:

    Failed to install boot blocks.
    You will not be able to boot OpenBSD from sd3.

* I tried to fix it with the same installboot steps as above.

* At reboot, change the BIOS to boot from MBR (legacy mode).

The OpenBSD boot loader fails as follows:

    Using drive 0, partition 3.
    Loading......
    probing: pc0 com0 com1 mem[635K 3295M 247M XXXXM a20=on]
    disk: fd0 hd0+ sr0*
    >> OpenBSD/amd64 BOOT 3.33
    unknown KDF type 2
    open(sr0a:/etc/boot.conf): Operation not permitted
    boot>
    unknown KDF type 2
    open sr0a:/bsd: Operation not permitted
    failed(1), will try /bsd


This leads me to ask:

1) Is the UEFI boot loader for USB keydisk crypto softraid really
stable?

2) Is the UEFI boot loader good for any crypto softraid?

3) Since this one is a big question, I'll make a separate email of it:

If this machine's BIOS does not support NVME SSD boot, how can I
create an OpenBSD USB boot disk that would boot OpenBSD from the
NVME SSD-stored crypto softraid for me?

This could be done either by

* The OpenBSD kernel being stored on the USB stick, loading from
it, and then using the NVME SSD as both root disk, swap disk,
and dump disk, or,

* The OpenBSD boot loader would load the OpenBSD kernel from the
NVME SSD.

Please let me know what you think.

Thanks!
Tinker
