# Automatic GELI passphrase from TPM2 - ensuring that the next stage is secure
## sadaszewski (Nov 25, 2021)

Hello All, I am working on `/usr/src/stand/efi/loader` to enable reading a GELI passphrase from TPM2. I am almost there TPM2-wise; however, in order to make the automatic boot secure I need to make sure that whatever is booted next cannot retrieve the `kern.geom.eli.passphrase` kernel environment variable UNLESS the kernel, modules and the root filesystem are placed on the GELI device decrypted using that passphrase. I do not suspect that receiving an answer on the forums is possible, but could you please recommend the appropriate mailing list to reach out to the developers with the best chance of having the required know-how? Thank you in advance.

My question would be: what is the best way to architect this solution? Is there a single point in the bootloader where one can ensure that the kernel, modules and root filesystem are placed on the appropriate GELI device, and unset `kern.geom.eli.passphrase` otherwise?


----------

## LordInateur (Dec 18, 2021)

Responding to bump this, because I'm very interested in applying this solution to our fleet. If you ever get this working, I'd love to hear about it.


----------

## T-Daemon (Dec 18, 2021)

A patched freebsd-src fork is available for testing, from bug report PR 260138.


----------