@monsieurp
Last active May 1, 2025 14:53
Install NetBSD 10.1 with FFS and CGD encryption on a UEFI based system.
## Introduction
I want to install NetBSD 10.1 alongside Windows 11 and FreeBSD 14.2. I'm using rEFInd to boot into either one of these OSes.
## Commands
1. Create a bootable NetBSD amd64 USB key. Go to http://ftp.fr.netbsd.org/pub/NetBSD/images/10.1
and download NetBSD-10.1-amd64-install.img.gz. Check it against the SHA512 file published in the same directory before writing it.
2. Write the image onto a USB disk (dd or Rufus). This is a raw disk image, not an ISO; make sure to select UEFI mode if you write it with Rufus.
3. Boot off the USB key into the NetBSD installer.
4. At the NetBSD blue installer menu, select "Utility menu" and "Run /bin/sh".
5. Small disclaimer.
I tried really really hard to fully encrypt my drive with CGD and boot NetBSD off of it. It simply didn't work.
The reason is that the cgd rc script pivots the root partition into /altroot and chroots into that directory.
While this workaround might look like an elegant solution at first, it leads to more problems, such as failure to load
firmware files located in /libdata and other oddities. I eventually gave up and settled on a non-encrypted / partition.
Such is life.
We will partition the disk as follows:
- an EFI system partition.
- a single unencrypted root partition (/).
- a CGD partition that is further split with disklabel and holds the rest of the system (swap, /var, /tmp and /usr).
Note that you don't have to create an EFI partition if you're dual booting with another OS; the existing one is reused.
Be aware of what this layout leaves in the clear: everything under / that is not on the cgd, including the kernel (/netbsd), /etc with the master.passwd hashes and the sshd host keys, and the cgd parameters file itself. The parameters file holds the cipher, salt and iteration count but not the key, so reading it does not reveal the passphrase; the unencrypted boot loader, kernel and /etc are, however, not protected against offline tampering.
To partition the disk according to this scheme, run the following commands. wd0 is the target disk (an NVMe disk shows up as ld0 on NetBSD). On a blank disk create the GPT first (gpt create wd0); on a dual-boot disk it already exists, so skip the efi line:
gpt add -a 2m -s 128m -t efi -l EFI wd0
gpt add -a 2m -s 2G -t ffs -l netbsd-root wd0
gpt add -a 2m -t cgd -l netbsd-cgd wd0
At this point, running "dkctl wd0 listwedges" should show the new wedges, something like:
dk0: EFI
dk1: netbsd-root
dk2: netbsd-cgd
If you're dual booting with Windows or another OS, the dk wedges (partitions) will have different, usually higher, numbers; substitute them in the commands below.
6. Format the EFI partition, mount it and create the "EFI/boot" directories.
If you're dual booting with Windows or another OS, do not format the EFI partition but simply mount it.
newfs_msdos -F32 /dev/rdk0
mount /dev/dk0 /mnt
mkdir -p /mnt/EFI/boot
7. Copy the NetBSD EFI bootloader into "EFI/boot" and unmount the EFI partition.
cp -v /usr/mdec/*.efi /mnt/EFI/boot
umount /mnt
8. Format the root partition and mount it.
newfs -O 2 /dev/rdk1
mkdir /tmp/nbsd
mount /dev/dk1 /tmp/nbsd
9. Install the NetBSD bootstrap onto the root partition. This writes the legacy BIOS primary boot block (bootxx_ffsv2) into the partition's boot area; the UEFI path boots through the bootx64.efi copied in step 7 and does not use it, but installing it does no harm.
installboot -v -o timeout=5 /dev/rdk1 /usr/mdec/bootxx_ffsv2
10. Create the "/etc/cgd" directory in the root partition. The sets are not extracted yet, so /etc has to be created along with it.
mkdir -p /tmp/nbsd/etc/cgd
11. Generate the cgd parameters file for the "netbsd-cgd" partition created above: cipher, key length, verification method and a random salt for the passphrase-derived key.
We will use AES-XTS with a 512-bit key (two 256-bit AES keys, as XTS requires). The key itself is derived from your passphrase with PBKDF2 when the cgd is attached and is never written to disk.
cgdconfig -g -V disklabel -o /tmp/nbsd/etc/cgd/netbsd-cgd aes-xts 512
12. Create the "netbsd-cgd" cgd from the "/tmp/nbsd/etc/cgd/netbsd-cgd" parameters file and attach it as "cgd0".
The new device has no disklabel yet, so the disklabel verification written in the file cannot succeed on this first run; "-V re-enter" overrides it and asks for the passphrase twice instead.
This is the passphrase required to unlock the device at every boot. Make sure to remember it!
cgdconfig -V re-enter cgd0 NAME=netbsd-cgd /tmp/nbsd/etc/cgd/netbsd-cgd
You can check the device has been correctly created by running:
cgdconfig -l
13. Partition "cgd0" with disklabel. We will use the following letters for each partition (c and d are reserved on amd64 for the NetBSD portion and the whole disk, so they are skipped):
- a = swap = 4G
- b = /var = 1G
- e = /tmp = 1G
- f = /usr = remaining space
disklabel -Ii cgd0
14. Write out the cgd configuration so that the cgd rc.d script attaches it at boot. The script runs "cgdconfig -C", which reads /etc/cgd/cgd.conf before /var, /tmp and /usr are mounted, so you will be asked for the passphrase on the console at every boot.
echo 'cgd0 NAME=netbsd-cgd /etc/cgd/netbsd-cgd' > /tmp/nbsd/etc/cgd/cgd.conf
15. Detach the cgd and attach it again to make sure the configuration works end to end. This time the "verify_method disklabel" from the parameters file is in effect, so a wrong passphrase is rejected instead of attaching garbage, and the label you just wrote should come back intact.
cgdconfig -u cgd0
cgdconfig cgd0 NAME=netbsd-cgd /tmp/nbsd/etc/cgd/netbsd-cgd
<password prompt>
disklabel cgd0
16. Format the cgd partitions configured with disklabel.
newfs -O 2 cgd0b
newfs -O 2 cgd0e
newfs -O 2 cgd0f
17. Create the var, tmp and usr mount points under the new root and mount the cgd partitions on them.
mkdir /tmp/nbsd/var /tmp/nbsd/tmp /tmp/nbsd/usr
mount /dev/cgd0b /tmp/nbsd/var
mount /dev/cgd0e /tmp/nbsd/tmp
mount /dev/cgd0f /tmp/nbsd/usr
18. Extract the NetBSD distribution sets into the new root. The -p flag preserves ownership and the set-uid bits the base set relies on; the compression is detected from the file, so no -z/-J flag is needed.
cd /amd64/binary/sets
for set in base comp etc games gpufw kern-GENERIC man misc modules tests text xbase xcomp xetc xfont xserver; do
    tar -xvpf "$set.tar.xz" -C /tmp/nbsd
done
19. Chroot into the system.
chroot /tmp/nbsd
20. Create devices.
cd dev
sh MAKEDEV all
cd /
mkdir /kern /proc
21. Configure /etc/fstab. The cgd0 partitions are listed by device; root is listed by the wedge you mounted in step 8 (dk1 here, adjust to yours) so that fsck can find the root device at boot.
cat > /etc/fstab
/dev/dk1 / ffs rw 1 1
/dev/cgd0a none swap sw,dp 0 0
/dev/cgd0b /var ffs rw 1 2
/dev/cgd0e /tmp ffs rw 1 2
/dev/cgd0f /usr ffs rw 1 2
# alternative to the cgd0e line above: a memory-backed /tmp is faster and
# only ever spills to the encrypted swap
# tmpfs /tmp tmpfs rw,-m1777,-sram%25
kernfs /kern kernfs rw
ptyfs /dev/pts ptyfs rw
procfs /proc procfs rw
tmpfs /var/shm tmpfs rw,-m1777,-sram%25
^D
22. Configure /etc/rc.conf.
cat > /etc/rc.conf
hostname=thinkbsd
rc_configured=YES
clear_tmp=YES
sshd=YES
inetd=NO
postfix=NO
^D
23. Configure locales.
cat >> /etc/profile
export LANG="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"
^D
24. Create your user and set password.
useradd -m -G wheel -k /etc/skel patrice
passwd patrice
25. Set root password and exit.
passwd root
exit
26. You're done! Leave the installer shell and reboot into the new system (through rEFInd if you dual boot). The cgd passphrase is requested on the console early in the boot, before /var, /tmp and /usr are mounted.
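The fstab and the cgd parameters file are the two places where a slip silently undoes the encryption: swap or /usr pointed at a plain wedge, or a parameters file generated with the key stored inside it. The following audit script is an added example, not part of the original gist or of NetBSD. It checks both files against the layout this guide builds; the list of protected mount points and the PBKDF2 iteration threshold are assumptions you can adjust.

```shell
#!/bin/sh
# cgd_audit.sh: post-install checks for the layout built in this guide.
# Added example, not code from the original gist or from NetBSD. It assumes
# the guide's layout: an unencrypted root on an FFS wedge, with swap, /var,
# /tmp and /usr on partitions of cgd0. Run on the installed system as root:
#
#   sh cgd_audit.sh /etc/fstab /etc/cgd/netbsd-cgd
#
# Each audit function prints one line per finding and returns 0 when clean,
# 1 when something that should be encrypted is not. WARN lines do not
# change the return value; FAIL lines do.

# Mount points that must be backed by /dev/cgd* or by tmpfs (memory only).
# Swap is checked wherever it appears. Assumption: adjust to your layout.
PROTECTED_MPS="/var /tmp /usr /home"

# PBKDF2 iteration count below which we warn (assumed threshold). cgdconfig -g
# calibrates the count to about a second on the installing machine, so a
# very low value usually means a hand-edited parameters file.
MIN_ITERATIONS=100000

# audit_fstab FILE: flag swap and protected mount points outside the cgd.
audit_fstab() {
    fstab_file=$1
    fstab_rc=0
    while read -r dev mp fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac    # blank line or comment
        if [ "$fstype" = swap ]; then
            case $dev in
                /dev/cgd*) ;;
                *) echo "FAIL: swap on $dev is unencrypted (paged-out memory reaches the disk in the clear)"
                   fstab_rc=1 ;;
            esac
            continue
        fi
        for want in $PROTECTED_MPS; do
            [ "$mp" = "$want" ] || continue
            case "$dev:$fstype" in
                /dev/cgd*:*|*:tmpfs) ;;          # encrypted or memory-backed
                *) echo "FAIL: $mp on $dev ($fstype) is outside the cgd"
                   fstab_rc=1 ;;
            esac
        done
    done < "$fstab_file"
    return $fstab_rc
}

# cgd_param NAME FILE: value of the first "NAME value" line in a cgdconfig(8)
# parameters file, with the trailing ';' stripped (empty if absent).
cgd_param() {
    awk -v k="$1" '$1 == k { sub(/;$/, "", $2); print $2; exit }' "$2"
}

# audit_cgd_params FILE: inspect the parameters file written by cgdconfig -g.
audit_cgd_params() {
    params_file=$1
    params_rc=0
    alg=$(cgd_param algorithm "$params_file")
    klen=$(cgd_param keylength "$params_file")
    vmeth=$(cgd_param verify_method "$params_file")
    kgen=$(cgd_param keygen "$params_file")        # first keygen block only
    case "$alg:$klen" in
        aes-xts:256|aes-xts:512|aes-cbc:128|aes-cbc:192|aes-cbc:256|adiantum:256) ;;
        blowfish-cbc:*|3des-cbc:*) echo "WARN: legacy cipher $alg; prefer aes-xts 512" ;;
        *) echo "WARN: unexpected cipher/key length '$alg $klen'" ;;
    esac
    case $vmeth in
        none) echo "WARN: verify_method none; a mistyped passphrase attaches a cgd full of garbage" ;;
        re-enter) echo "WARN: verify_method re-enter in the file; every boot will ask for the passphrase twice" ;;
    esac
    case $kgen in
        storedkey)
            # The key itself is in this file; with / unencrypted that is a
            # plaintext disk key stored next to the ciphertext.
            echo "FAIL: keygen storedkey puts the key in $params_file"
            params_rc=1 ;;
        pkcs5_pbkdf2)
            echo "WARN: keygen pkcs5_pbkdf2 is the deprecated variant; use pkcs5_pbkdf2/sha1" ;;
        pkcs5_pbkdf2/sha1)
            iters=$(cgd_param iterations "$params_file")
            if [ -n "$iters" ] && [ "$iters" -lt "$MIN_ITERATIONS" ]; then
                echo "WARN: only $iters PBKDF2 iterations in $params_file"
            fi ;;
    esac
    return $params_rc
}

# When invoked with both files, run the audits; exit status 1 on any FAIL.
if [ $# -eq 2 ]; then
    status=0
    audit_fstab "$1" || status=1
    audit_cgd_params "$2" || status=1
    [ "$status" -eq 0 ] && echo "OK: no FAIL findings"
    exit "$status"
fi
```

Run it from the installed system after the first boot, or from the installer shell against /tmp/nbsd/etc/fstab and /tmp/nbsd/etc/cgd/netbsd-cgd before rebooting. A tmpfs /tmp passes because it never reaches the disk except through the (encrypted) swap; WARN lines cover settings that weaken but do not defeat the setup, and only FAIL lines change the exit status.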