Good morning everyone, welcome to Coimbra. This talk is going to be in Portuguese, I hope everybody understands. Quick joke, sorry. So, I'm Vinicius, I'm a FreeBSD ports committer, and also part of the core team of the Tor Project. I have used FreeBSD for quite a while; I started with version 5, so I got the easy way in. This is a continuation of the talk I gave in 2021 about auto-installing the BSD systems. In the previous talk I covered how you can install NetBSD, OpenBSD, FreeBSD and DragonFly. Here I'm extending that to pfSense and TrueNAS, and giving you an option that I use in one of my personal setups so that you can remotely unlock your encrypted root file system. So this is our agenda; I put a TL;DR at the top. Go through the installers, then I will describe my setup, and at the end some demonstrations. I leave the links in the presentation so you can have them and watch later, and the slides are there. This was at the other conference.

Quick disclaimer, of course: if you want, you can take your own, different approach to the setup. If you do not want to use the iPXE setup that I will present here, you can basically use the tools you have in the base repository, the source, and build your own image, either a memstick or an ISO image. I'm only talking about FreeBSD here. Put the configuration file in it, so that when you boot, your auto-installer reads the config and auto-installs the system. Long story short, the ISO and memstick images are already provided for you on download.FreeBSD.org. You can get them, mount them, just inject your file into the image, build your custom ISO or memstick again and boot it. So you don't need to have the iPXE setup if you don't want it. That's one solution. In the first presentation I gave an example using Puppet. If you want to keep using Puppet, use Puppet. If you want to use Ansible, use Ansible. It's your choice.
Like in the first presentation, I mentioned iPXE, and here I added about five more slides on it, because I got some questions through email and IRC. I'll try to cover a bit more than what I said in the previous talk. iPXE you can use to boot an operating system over the network. I'm using this project here; I really like it. You can combine the scripting support it has with your needs, to, let's say, boot certain machines into your DNS VLAN, your web VLAN, your email VLAN, and so on and so forth. You can boot ISO images and combine a lot of the things you want to create for your setup. It has IPv6 support; it's pretty neat. It also has support for HTTPS and TLS. Here you see that I mention only 1.2 support for TLS. The project can do 1.3, but, as far as I know, it's not supported yet. They need to get some investment, because it takes time for the developers to invest time and resources in building that. These are the cipher algorithms they support. Here's the official page, if you want to get that information.

iPXE also lets you combine a nice feature: if you have binaries that you want to boot, you can sign them, and you only boot them when you verify that the binary corresponds to the signature, and then you start your operating system. They use this imgtrust thing, then they verify that the signature corresponds to the binary, and then they kick off. Root certificates: if you want a self-signed certificate, your own CA, you can have that. In the FreeBSD port, we allow that; you can specify some extra variables in the environment and customize your setup to have your own CA for that case. By default, iPXE has its own root CA, which cross-signs the Mozilla certificates, let's say. So in practice, it uses and trusts the same certificates as the Firefox browser. Is that too fast? Making sense? Any questions? All good? Because I'm trying to fit into the 40 minutes. Last time I was talking like that.
No problem. So this is an example of a very basic configuration for iPXE. You get the IP addresses and everything from DHCP. You don't really need this; you're just printing what you got from DHCP. Then you sync your clock. And the last command boots this image over the network using HTTPS. This is, again, the netboot project I mentioned in the first talk. If you want to get more from them, go to their website, of course, or have a look at the stream of the last presentation. So that configuration file gives us this. Here you can also see signature checks enabled. They do this thing: sign the binary, verify the signature, and only boot it if it corresponds to the right signature.

Another configuration file. As an example, you have the base config that you want to include in your other files. You load this file if you have a hostname set for the machine, or, you see the two pipes here, you get the file for the MAC address of the machine, or, if you don't find any of those specific configuration files, you boot into a default menu that you create. In my case, this is what I have. So I can boot and install, or auto-install, DragonFly, FreeBSD, ELK, which is my thing there, pfSense, TrueNAS, and the other ones. I have these extra tools and utilities that I can also boot from home. Quick mention of the projects: read the copyrights specific to those two projects; if they don't allow you to make some particular changes, just don't, or write to them and ask for permission. Do your thing. The image I use to do all the setups is linked in the presentation, which will be available to you later. For FreeBSD, it's the same setup I described in the first talk. I use it...
I'm pretty sure I'm putting all the man pages here, but I'm not telling you, or the people watching the stream, that only by reading the man page you will become the expert. Just please read the man page, break things, you have the resources, then you will learn it. It's the reference for everything. Maybe before asking something, go to the man page first.

Quick mention of bsdinstall. It uses the bsdconfig utility, which you can use to set up your accounts, disk partitioning, network, time and date, other sysctl knobs, and so on and so forth. It's kind of the front-end and the back-end, for the understanding of it. By default it's /etc/install.cfg, which is the file containing the variables and your setup, the parameters and the setup that you want to auto-install your FreeBSD with. This is the file I mentioned that you can, for the FreeBSD example, inject into your ISO image or your memstick. You don't need this iPXE thing if you don't want it. This is an example of that: the first part is the preamble, then the setup part. This is mandatory, because the scripts the installer uses basically just split the file in two. Then you have the auto-installation of a very basic FreeBSD machine with this hostname, starting SSH and running ntpd.

pfSense is also based on FreeBSD, and it's the same case for TrueNAS: all the projects are based on FreeBSD. So a lot of people were asking how we can auto-install it and recover the configuration file from before. In short, you can fetch it from a remote location and just substitute it. But I pointed to this location here, where you can get a little better understanding of how they do this: you don't have the disks in the same machine and you are searching for the backup configuration on a different disk. So that file will give people better guidance on where to write the configuration file and what kind of patterns you see when you look for a configuration file.
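The preamble-plus-setup layout described above, as an added example written for this page; it is not the speaker's slide (which the transcript does not reproduce) nor anything from the bsdinstall source. A bsdinstall(8) script is split at the `#!/bin/sh` line: the variables above it are read by the installer, the script below it runs chrooted in the freshly installed system. The function emits such a file for a given hostname; the disk name `ada0`, the distribution set, the sshd hardening lines and the `gen_installerconfig` / `setup_part` helper names are assumptions chosen for the example, and the public key is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the talk): generate a bsdinstall(8) script, the
# file the speaker calls install.cfg, for one host. bsdinstall reads the
# lines above "#!/bin/sh" as variables and runs the lines below it as the
# post-install setup script inside the new system.
# Assumptions: disk "ada0" and the distribution set are illustrative.

gen_installerconfig() {
    host="$1"                       # hostname for the new system
    pubkey="$2"                     # SSH public key line for root (one line)
    disk="${3:-ada0}"               # target disk, default ada0
    cat <<EOF
# --- preamble: variables read by bsdinstall before installing -----------
PARTITIONS=${disk}
DISTRIBUTIONS="kernel.txz base.txz"
#!/bin/sh
# --- setup script: runs chrooted in the newly installed system ----------
set -e
sysrc hostname="${host}"
sysrc sshd_enable="YES"
sysrc ntpd_enable="YES"
sysrc ntpd_sync_on_start="YES"
# Key-only SSH from first boot: no password logins at all.
cat >> /etc/ssh/sshd_config <<'SSHD'
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
SSHD
mkdir -p /root/.ssh && chmod 700 /root/.ssh
printf '%s\n' "${pubkey}" > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
EOF
}

# Print only the part bsdinstall will run as the setup script (from the
# "#!/bin/sh" line to the end), so it can be syntax-checked with `sh -n`
# before the file is injected into an image or served to the installer.
setup_part() {
    sed -n '/^#!\/bin\/sh$/,$p'
}

# Usage: gen_installerconfig elk.example.net "$(cat ~/.ssh/id_ed25519.pub)" ada0 > installerconfig
```

Check the generated setup script with `gen_installerconfig host "$key" | setup_part | sh -n` before shipping it; a syntax error there only surfaces after the disk has already been partitioned.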
By default, config.xml.sh will not fetch everything from your restore backup; you just use that as a reference. At the time of these slides, I used the development version of 2.7, and now 2.7 is released already. The two changes I see here from the very vanilla FreeBSD setup: they have this tmp "build room" file that you can just touch, put something in, and they check it before doing the auto-installation. And instead of install.cfg, you have installerconfig for them. It's just a difference between the versions they use. You can also read the code from the pfSense repository and get the references for what they use there. If you need to use this force-boot method, you set it here in the preamble and it will auto-install for you. Or you can extend that and put more things in here, like, let's say, fetch your configuration file based on the MAC of the machine or the serial, or, I don't know, pick your way of differentiating which configuration you need. So here you see the same mandatory thing again. You have the setup part of it.

TrueNAS, that was fun. They come from FreeNAS and they use this avatar project for some reason; they have some Python and installers. They use a very different approach, not really bsdinstall and bsdconfig. They have install.sh and install.conf, in a totally different format. But again, it's open source; you can get that from the repository over there. And it's a very simple configuration file that you can write to auto-install it. The big difference for me was that with the ISO image they ship a memory disk, and you need to extract that memory disk and mount it, which, in my case, as I was using this NFS partition to boot the file system and everything, meant I needed to get the memory disk root and point it to the correct partition.
Here are the references to the man pages, and here are the references to the man pages of the tools they use to build the memory disk, which is the thing I use to build my ELK solution. In short, once you have the memory disk mounted, you extract the things from the memory disk, put in your own file systems, mount that as your root, and then you just inject the install.conf, which looks like this. The password is in clear text in the configuration file, but yeah, it's all good.

ELK is a reference to the acronym, which means Encrypted and Lovely Cache environment; I needed to come up with a fancy name. Once again, I used bsdinstall and bsdconfig as a reference, looking at the source code for how it auto-installs. Like when you're installing FreeBSD, you can just hit Auto UFS or the ZFS partition scheme. I used that as a reference to know where I need to put the EFI partition, the freebsd-boot partition and all that. Again, man pages all over. For me, I had these two different worlds, so to say: I have this sshd world and the ELK world. I opted to split this into an MD file, which I created with makefs, compressed with mkuzip and mounted in read-only mode. Once I'm there in this system, I can jump to the other one. I'm not sure if some of you attended the talk yesterday about booting FreeBSD with kboot; someone mentioned re-rooting. I use that here. Basically, I got the path for how I could do the installation on my own from that reference over there. And I have these two different worlds here. For the sshd memory disk that I built, I set that to be non-writable. I have some custom things that I want to set: the mount point, the geom_eli tunable set to zero, in such a way that when I boot and FreeBSD detects that I have an encrypted partition there, it doesn't lock the boot by asking for the passphrase, the password or whatever.
So I can boot to the end of the memory disk with sshd running. That was important for me. And, yeah, maybe very few people will use this: you have this onion service running there so you can really access your machine to unlock it remotely via a Tor onion service. And if you want to prevent access from the console, you set insecure console mode on the ttys, so you can only really log in via SSH. Extended features from ZFS that we can use now with the encrypted datasets; here's the man page for reference. So, on top of the geli partition I have this encrypted ZFS root for the datasets. So you build a chain of unlock procedures that you go through when you pass through the memory disk image.

This is the thing I use. This is the bsdconfig. If someone never saw that, this is a little overview of what the proof of concept, actually the setup that I have at home, looks like. I have the freebsd-boot partition, the EFI partition, the UFS and ZFS partitions. And here, in 350 megabytes, is the UZIP image that I mount in read-only mode. Uncompressed, it's about 1 gigabyte. With that, I build, again, the sshd and the ELK environments. sshd is the read-only memory disk partition, and ELK is my thing, which has my credentials and whatever: the SSH private key, the things I use to do git commits. Anyway, it's my remote machine. To unlock that, you verify, then you pick your needs. So, if you want to be sure that you're connecting to the correct machine, you just don't blindly, as a lot of people do, accept every kind of hash when you SSH into a machine. When you do the first setup, you put the hash, let's say the ssh-keyscan output, into your git repository locally on your laptop. You compare against that using, let's say, -o UserKnownHostsFile, and use it as a reference, so you know that you're really connecting to the correct machine.
Or, again, as I put the man pages as a reference, you can build your sshd_config to support only certain ciphers, hash algorithms, and whatever. So, before connecting, in your unlock script, you can verify whether the host has the same keys, whether the ciphers you set up are the ciphers you expect that machine to have, and so on and so forth. You can also combine a ProxyCommand to jump through a machine. You run the SSH command to the machine you want to unlock, compare the SSH fingerprint also with the DNS record (you can put it in DNS, whatever), and be sure that you are jumping to the correct machine. You will need kldload to load the ZFS modules, which you do not want loaded by default. Then geli attach to unlock the geli partition. Then zpool import and zfs load-key. Here, if you use the encrypted datasets, you'll see that you have a chain of dependencies you need to follow to unlock the real encrypted root partition, which will be this here, the Tengamandapio root partition that you want to mount. So, the last step will be: with kenv, you set the vfs.root.mountfrom variable, and then you just re-root into it. So you jump from the read-only memory disk into the encrypted root partition that you have. Re-root. Yeah, that's just the man page. Sorry, my mistake, maybe. Yeah, it's reboot -r, I think.

So here's the console of the MD file, which is encrypted and has, like, nothing running there, just this very default SSH service, so that you can only log in via SSH, because your custom needs block the persons that could log in in front of the machine. So, if you have that, theoretically, in a data center, then theoretically, if someone has the password, they could try to log in without you knowing, but they will either pop up some log information, or they won't be able to use the machine without the SSH credentials.
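The unlock chain just described (pinned host key, restricted algorithms, optional ProxyCommand, then kldload, geli attach, zpool import, zfs load-key, kenv and reboot -r), as an added client-side script written for this page; it is not the speaker's script, which the transcript does not reproduce. The host key is compared against a pinned known_hosts file exactly as a `-o UserKnownHostsFile` check would do it, before any session is opened. The geli provider `/dev/ada0p4`, the pool name, the dataset `ROOT/default`, the algorithm choices and the function names are assumptions; the passphrases are typed interactively on the forced tty, so the script never handles them.

```shell
#!/bin/sh
# Added example (not from the talk): unlock an encrypted FreeBSD root from
# the read-only sshd memory-disk environment, over a host-key-pinned SSH
# session, then re-root into it with reboot -r.
# Assumptions: geli provider /dev/ada0p4, pool/ROOT/default as root dataset.

# Only these algorithms are accepted; anything else aborts the connection.
SSH_HARDENING="-o StrictHostKeyChecking=yes -o GlobalKnownHostsFile=/dev/null \
 -o HostKeyAlgorithms=ssh-ed25519 -o KexAlgorithms=curve25519-sha256 \
 -o Ciphers=chacha20-poly1305@openssh.com -o PasswordAuthentication=no"

# Optional jump through Tor to an onion service (BSD nc syntax), e.g.:
#   UNLOCK_PROXY="nc -X 5 -x 127.0.0.1:9050 %h %p"
UNLOCK_PROXY="${UNLOCK_PROXY:-}"

# host_key_matches SCANNED_LINE PINNED_FILE
# SCANNED_LINE is one line of ssh-keyscan output ("host type base64");
# returns 0 only if the same key type and key blob appear in PINNED_FILE.
host_key_matches() {
    scanned="$1"; pinned="$2"
    ktype=$(printf '%s\n' "$scanned" | awk '{print $2}')
    blob=$(printf '%s\n' "$scanned" | awk '{print $3}')
    [ -n "$ktype" ] && [ -n "$blob" ] || return 1
    awk -v t="$ktype" -v b="$blob" \
        '$2 == t && $3 == b { found = 1 } END { exit !found }' "$pinned"
}

# unlock_cmd POOL [GELI_PROVIDER]
# Print the command chain that runs on the remote memory-disk system.
# geli attach and zfs load-key prompt for their passphrases on the tty.
unlock_cmd() {
    pool="$1"; prov="${2:-/dev/ada0p4}"
    printf '%s' "kldload -n zfs && \
geli attach ${prov} && \
zpool import -N ${pool} && \
zfs load-key -r ${pool} && \
kenv vfs.root.mountfrom=zfs:${pool}/ROOT/default && \
reboot -r"
}

# remote_unlock HOST PINNED_FILE POOL
# Refuse to connect unless the scanned host key matches the pinned one,
# then open a forced-tty session restricted to the pinned algorithms.
remote_unlock() {
    host="$1"; pinned="$2"; pool="$3"
    scanned=$(ssh-keyscan -t ed25519 "$host" 2>/dev/null | grep -v '^#' | head -n 1)
    if ! host_key_matches "$scanned" "$pinned"; then
        echo "host key for $host does not match $pinned, refusing" >&2
        return 2
    fi
    proxy=""
    [ -n "$UNLOCK_PROXY" ] && proxy="-o ProxyCommand=$UNLOCK_PROXY"
    # shellcheck disable=SC2086  # word splitting of the option strings is intended
    ssh -t $SSH_HARDENING $proxy -o UserKnownHostsFile="$pinned" \
        "root@$host" "$(unlock_cmd "$pool")"
}

# Usage: remote_unlock elk.example.net ~/repo/elk.known_hosts tengamandapio
```

`zpool import` may need `-f` if the hostid of the memory-disk environment differs from the one that last imported the pool; `ssh-keyscan` is a plain TCP probe, so through a Tor proxy the pre-check is skipped by setting the pinned file only, and `StrictHostKeyChecking=yes` still refuses any key not in it.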
So, for this example, that's not possible, because I blocked login via the console and they can only log in via SSH. And this is the case: that was SSH. There was a 14.0-CURRENT with only NTP and SSH running, nothing besides that. And from this machine, which, again, the environment here is the read-only MD file, the compressed one, from here I can jump to the other system. Questions? I'm talking too fast. Yeah, because last time I was scared of taking, like, one hour and blocking everybody from lunch, so I can go get a fino, you know, a beer. For the demos, I put them here because I didn't really want to spend time showing you the whole thing, but I have the videos I can show you.

No. DHCP points to the... what's the name of that? Server. Yeah, from DHCP you get the server that will serve you iPXE, and then you kind of jump from one to the other. If you cannot do this, iPXE can do that via HTTP, yes, and you can, if you want, have an HTTP proxy, yeah. Chains of booting, yeah. The number of features we get from iPXE is huge, it's huge. For example, the default PXE boot from FreeBSD only supports TFTP and NFS, so we cannot really just point to a normal HTTP address and boot from that. And that, for me, kind of broke my legs, so to say, when I was trying to boot via HTTP on a very old machine that didn't have the support already. Here I can... Yeah, it's okay. It's just booting pfSense. It will auto-install. Apart from my custom setup, I would say that it's 90% in the sense that the only reference I have is bsdconfig, which I can use to wipe the disks and then start my thing. Because the tools are there, but they don't really... It's maybe a very specific setup to have this remote-unlock possibility with your machine. But, yeah, from FreeBSD I got only... only
bsdconfig and bsdinstall, which is the default installer, and you go through the part where you do the disk partitioning. I kind of stop there, and the rest I do on my own. Yeah. The default one, you can also escape to a terminal, to a shell, and then call it again, passing the script as a parameter. And then you do it. Yeah, this is just auto-installing TrueNAS. Here you hit the point of install.sh. They basically just hammer the hard drive and do the installation. The video is a little weird. Yeah, now it's just hanging, writing the system. Let's just skip to here. Ah, there. Yeah, it's a video of everything; it's just easier for me. VirtualBox? It's virt-manager, so it's KVM. Yeah, that is just booting the system that just got installed. And you can install that in a VM. A lot of people have problems with that, but it works, which is this presentation. I didn't even try on ARM, to be honest, but it should work. Yeah, TrueNAS does what it does. I mean, your journey starts very early on in TrueNAS.

Yeah, I make my own. I generate the key pair, I generate the sshd config, I write to the root, to the temporary thing, and then I do the makefs and then compress it. Yes. Correct. Yeah, I kind of do that. I strip all the man pages, clang, everything, just for space, sizing purposes. Then I build the MD file, compress it, and then it's 350 megabytes. It doesn't include the installation set. No, no. No, this is what I installed. This is the MD after the installation. So with the installation set, that is the tarballs, that is different. Ah, yeah, the boot thing from Matru... I don't remember that. I used it as a reference. The tricky part was that we had to configure the sqc, whatever you want. That was the key idea. I think when he started that, we couldn't really have all the support that we have today.
The server basically, yeah, I can see loading the sqc as a previous-installation kind of record, and then you call home to get the configuration, or what should be installed here, and so on. So then we have some sort of additional server on the other side to fetch the additional configuration, so you don't need to change the latest installation for all the variations you have in it.

The last part here is that he passed away. From the FreeBSD community and the open source community in Brazil, he passed away in 2011. So when I started this, it was kind of the tenth anniversary of his passing, so I just dedicate this to him. The motto of Irado was "and then you learned shit." He was pretty direct about that. He was not flaming, not having big discussions on mailing lists, nothing like that. He was a very nice dude, giving people the right guidance so they could learn and implement their solutions themselves without being so lazy. So I also learned a lot from him. So that's it. And there we are. I would love to do that; there are just some NDAs involved. There is another case with a little script that allows you to jump from release to stable to current without compiling everything. Also an NDA on that. Thank you.