This patch adds drivers necessary to support GELI in the EFI loader. This patch is relative to the changes in https://reviews.freebsd.org/D10447.
The work has two main components: The first is an EFI KMS pseudo-device driver which serves as the method for passing keys between boot1 and loader. The second is the GELI driver itself, which uses the EFI driver interface. Another portion of the original work from this patch was committed as the keybufs patch; this work uses keybufs to send keys into the kernel.
This patch should correctly handle such cases as GPT schemes inside GELI volumes, nested GELI volumes, and others, assuming the underlying EFI implementation is fully compliant. As such, it adds a freebsd-geli partition label (which also serves to avoid providing information about encrypted partition contents to attackers).
Finally, the patch creates a separate "boot_crypto" library under sys/boot. This is intentionally kept separate from the crypto code used by the i386 boot loader. This is due to the fact that the i386 loader is space-constrained, whereas EFI and other modern firmware-based loaders generally are not. The new boot_crypto library is intentionally designed to be extended to incorporate more ciphers (such as camellia and others supported by GELI), and quite possibly DSA algorithms for signature checking.
Note that a ZFS-related bug has been discovered in https://reviews.freebsd.org/D10447, which seems to affect this patch as well. However, the patch works for non-ZFS systems, and the ordinary code review can proceed while the bug is being investigated.