This blog by user details his work in refactoring the FreeBSD EFI boot / loader code. Follow the link below for a full report on his findings.
I have just completed (for some value of “complete”) a project to refactor the FreeBSD EFI boot and loader code. This originally started out as an investigation of a possible avenue in my work on GELI full-disk encryption support for the EFI boot and loader, and grew into a project in its own right.
More generally, this fits into a bunch of work I’m pursuing or planning to pursue in order to increase the overall tamper-resistance of FreeBSD, but that’s another article.
To properly explain all this, I need to briefly introduce both the FreeBSD boot and loader architecture as well as EFI.
FreeBSD Boot Architecture
When an operating system starts, something has to do the work of getting the kernel (and modules, and often other stuff) off the disk and into memory, setting everything up, and then actually starting it. This is the boot loader. Boot loaders are often in a somewhat awkward position: they need to do things like read filesystems, detect some devices, load configurations, and do setup, but they don’t have the usual support of the operating system to get it done. Most notably, they are difficult to work with because if something goes wrong, there is very little in the way of recovery, debugging, or even logging. ….