GNU logs - #68524, boring messages


Message sent to guix-patches@HIDDEN:


Subject: [bug#68524] [PATCH 0/2] Support root encryption and secure boot.
From: Lilah Tascheter <lilah@HIDDEN>
Date: Tue, 16 Jan 2024 22:23:02 -0600
To: 68524 <at> debbugs.gnu.org
Cc: Lilah Tascheter <lilah@HIDDEN>
Message-ID: <cover.1705465384.git.lilah@HIDDEN>
Resent-Date: Wed, 17 Jan 2024 04:38:02 +0000

Primarily adds a new bootloader, uefi-uki-bootloader, and an auxiliary form,
uefi-uki-signed-bootloader. These use isolated fragments of the systemd project
(particularly the systemd-stub UEFI stub and supporting ukify tool) to install
combined kernel/arguments/initrd images to the EFI system partition. The
built-in UEFI boot manager can then deal with boot selection. While this does
require copying files from the store to the partition, it makes up for it in two
important ways:

1. Proper encrypted root support! GRUB is really fucking slow at decrypting the
store in my experience, and it's annoying to have to enter in the root password
twice. Since the kernel is loaded directly from the system partition, the first,
and only, LUKS password entry is in the initrd. Also wholly bypasses GRUB not
supporting LUKS2 (or, at least, having bad issues with it on Guix).

2. Secure boot support! It's set up assuming the user has already created the
necessary keys (typically, in /root, as they should only be root-accessible).
Passing the paths to the db cert and key to uefi-uki-signed-bootloader will then
automatically sign the entire bootloader image. In combination with root
encryption, assuming a functioning motherboard UEFI installation, this should
fully secure Guix's boot chain.

This is ported from my personal channel, so uefi-uki-bootloader has been tested
for months. The main drawback is lack of kernel generation rollback in the case
of a botched upgrade, so I've been keeping around a manually-copied backup uki
image, but I haven't had any troubles with it so far. I have just verified
uefi-uki-signed-bootloader properly functions and boots in secure boot user
mode.

All in-system testing has been done on my channel, so the porting process may
have had issues, but I did make sure the added packages compile, and there
aren't any miscopies.

No clue how this works on non-x64 systems. I don't think there are enough ARM
UEFI systems in existence for it to matter that much anyway.

Thanks!

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  35 +++++++++---
 gnu/bootloader/uki.scm       | 106 +++++++++++++++++++++++++++++++++++
 gnu/packages/bootloaders.scm |  94 +++++++++++++++++++++++++++++++
 3 files changed, 227 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm


base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
-- 
2.41.0
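A defender-side check for the images this cover letter describes, added here as an example and not part of the patch set or the Guix project: it parses the PE sections of a UKI as ukify lays them out and reports whether the embedded kernel command line matches expectations and whether an Authenticode certificate table (what sbsign appends in the signed variant) is present. The sample image, its section contents and the SBAT rows are constructed values assumed for illustration, not output of a real build; signature presence is checked, not validity against the firmware db.

```python
"""Defender-side inspection of a unified kernel image (UKI) as ukify builds
it: pure PE/COFF parsing with the standard library; sample image built below."""
import struct

REQUIRED_SECTIONS = (".linux", ".initrd", ".cmdline", ".sbat")  # placed by ukify

def _pe_offset(data: bytes) -> int:
    """Offset of the PE signature, after validating the DOS header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    return pe_off

def pe_sections(data: bytes) -> dict[str, bytes]:
    """Map section name -> payload bytes for every section in the image."""
    pe_off = _pe_offset(data)
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size      # section table follows the optional header
    sections = {}
    for i in range(nsect):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        # VirtualSize is the real length; SizeOfRawData is padded to the
        # file alignment, so take the smaller of the two.
        key = name.rstrip(b"\0").decode("ascii", "replace")
        sections[key] = data[raw_ptr:raw_ptr + min(vsize, raw_size)]
    return sections

def has_authenticode_signature(data: bytes) -> bool:
    """True if the Certificate Table directory (index 4) is non-empty, i.e. a
    tool such as sbsign appended a WIN_CERTIFICATE.  Presence only: this does
    not verify the signature against the firmware's db."""
    opt = _pe_offset(data) + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)    # PE32+ vs PE32 layout
    _cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    return cert_size > 0

def check_uki(data: bytes, expected_cmdline: str, require_signature: bool) -> list[str]:
    """Findings for an image against operator policy; empty list means pass."""
    findings, secs = [], pe_sections(data)
    for name in REQUIRED_SECTIONS:
        if name not in secs:
            findings.append(f"missing section {name}")
    cmdline = secs.get(".cmdline", b"").rstrip(b"\0").decode("utf-8", "replace")
    if cmdline.split() != expected_cmdline.split():
        findings.append(f"kernel command line differs: {cmdline!r}")
    if require_signature and not has_authenticode_signature(data):
        findings.append("no certificate table: image is unsigned")
    return findings

def build_sample_uki(sections: dict[str, bytes], signed: bool = False) -> bytes:
    """Construct a minimal PE32+ carrying the given sections (a test fixture,
    not bootable: only the fields the parser reads are filled in)."""
    pe_off, opt_size = 0x40, 240                   # PE32+ optional header size
    table = pe_off + 24 + opt_size
    data_start = (table + 40 * len(sections) + 511) & ~511   # 512-byte alignment
    hdr = bytearray(data_start)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, pe_off + 4, 0x8664, len(sections))   # x86-64
    struct.pack_into("<H", hdr, pe_off + 20, opt_size)
    struct.pack_into("<H", hdr, pe_off + 24, 0x20B)                   # PE32+
    body, off = bytearray(), data_start
    for i, (name, payload) in enumerate(sections.items()):
        raw = payload + b"\0" * (-len(payload) % 512)
        struct.pack_into("<8sIIII", hdr, table + 40 * i,
                         name.encode(), len(payload), off, len(raw), off)
        body, off = body + raw, off + len(raw)
    if signed:   # stand-in for the WIN_CERTIFICATE blob sbsign would append
        struct.pack_into("<II", hdr, pe_off + 24 + 112 + 4 * 8, off, 8)
        body += b"\0" * 8
    return bytes(hdr) + bytes(body)

# Constructed sample content.  The SBAT rows follow the CSV layout that the
# -Dsbat-distro-* flags in the systemd-stub package would yield; values assumed.
SAMPLE_CMDLINE = "root=/dev/mapper/cryptroot quiet"
SAMPLE_SECTIONS = {
    ".linux": b"\x7fELF kernel placeholder",
    ".initrd": b"initrd placeholder",
    ".cmdline": SAMPLE_CMDLINE.encode() + b"\0",
    ".osrel": b'NAME="Guix System"\nID=guix\n',
    ".sbat": b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
             b"systemd-stub.guix,1,Guix System,systemd-stub,255,https://guix.gnu.org\n",
}
UNSIGNED_UKI = build_sample_uki(SAMPLE_SECTIONS)
SIGNED_UKI = build_sample_uki(SAMPLE_SECTIONS, signed=True)
```

Against a real installation the same call runs on the file the installer writes, e.g. `check_uki(open("/boot/efi/EFI/Guix/uki.efi", "rb").read(), expected_cmdline, True)`, with the mount point taken from the bootloader's `targets`.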





Message sent:


From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Lilah Tascheter <lilah@HIDDEN>
Subject: bug#68524: Acknowledgement ([PATCH 0/2] Support root encryption and secure boot.)
Message-ID: <handler.68524.B.170546623020392.ack <at> debbugs.gnu.org>
References: <cover.1705465384.git.lilah@HIDDEN>
Date: Wed, 17 Jan 2024 04:38:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 guix-patches@HIDDEN

If you wish to submit further information on this problem, please
send it to 68524 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
68524: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=68524
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message sent to efraim@HIDDEN, vagrant@HIDDEN, guix-patches@HIDDEN:


Subject: [bug#68524] [PATCH 1/2] gnu: bootloaders: Add uki packages.
From: Lilah Tascheter <lilah@HIDDEN>
Date: Tue, 16 Jan 2024 22:48:10 -0600
To: 68524 <at> debbugs.gnu.org
Cc: Lilah Tascheter <lilah@HIDDEN>, Efraim Flashner <efraim@HIDDEN>, Vagrant Cascadian <vagrant@HIDDEN>
Message-ID: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
In-Reply-To: <cover.1705465384.git.lilah@HIDDEN>
References: <cover.1705465384.git.lilah@HIDDEN>
Resent-Date: Wed, 17 Jan 2024 04:50:02 +0000

* gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
  (systemd-version, systemd-source, systemd-stub, ukify): New variables.

Change-Id: Ie27bdcbf2c03e895956295f94f280c304393ce8d
---
 gnu/packages/bootloaders.scm | 94 ++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index c73a0e665d..32cbb4e704 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -46,11 +46,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cross-base)
   #:use-module (gnu packages disk)
+  #:use-module (gnu packages efi)
   #:use-module (gnu packages firmware)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages gperf)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages man)
   #:use-module (gnu packages mtools)
@@ -71,11 +73,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages valgrind)
   #:use-module (gnu packages virtualization)
   #:use-module (gnu packages xorg)
+  #:use-module (gnu packages python-crypto)
   #:use-module (gnu packages python-web)
   #:use-module (gnu packages python-xyz)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system pyproject)
+  #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
   #:use-module (guix download)
   #:use-module (guix gexp)
@@ -632,6 +636,96 @@ (define-public syslinux
                      ;; Also contains:
                      license:expat license:isc license:zlib)))))
=20
+(define systemd-version "255")
+(define systemd-source
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+           (url "https://github.com/systemd/systemd")
+           (commit (string-append "v" systemd-version))))
+    (file-name (git-file-name "systemd" systemd-version))
+    (sha256
+      (base32
+        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
+
+(define-public (systemd-stub-name)
+  (let ((arch (cond ((target-x86-32?) "ia32")
+                ((target-x86-64?) "x64")
+                ((target-arm32?) "arm")
+                ((target-aarch64?) "aa64")
+                ((target-riscv64?) "riscv64"))))
+    (string-append "linux" arch ".efi.stub")))
+
+(define-public systemd-stub
+  (package
+    (name "systemd-stub")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system meson-build-system)
+    (arguments
+      (list
+        #:configure-flags
+        `(list "-Defi=3Dtrue" "-Dsbat-distro=3Dguix"
+               "-Dsbat-distro-generation=3D1" ; package revision!
+               "-Dsbat-distro-summary=3DGuix System"
+               "-Dsbat-distro-url=3Dhttps://guix.gnu.org"
+               ,(string-append "-Dsbat-distro-pkgname=3D" name)
+               ,(string-append "-Dsbat-distro-version=3D" version))
+        #:phases
+        #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name)=
)))
+            (modify-phases %standard-phases
+              (replace 'build
+                (lambda* (#:key parallel-build? #:allow-other-keys)
+                  (invoke "ninja" stub
+                    "-j" (if parallel-build?
+                           (number->string (parallel-job-count)) "1"))))
+              (replace 'install
+                (lambda _
+                  (install-file stub (string-append #$output "/libexec")))=
)
+              (delete 'check)))))
+    (inputs (list libcap python-pyelftools `(,util-linux "lib")))
+    (native-inputs (list gperf pkg-config python-3 python-jinja2))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI stub")
+    (description "Simple UEFi boot stub that loads a conjoined kernel imag=
e and
+supporting data to their proper locations, before chainloading to the kern=
el.
+Supports measured and/or verified boot environments.")
+    (license license:lgpl2.1+)))
+
+(define-public ukify
+  (package
+    (name "ukify")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system python-build-system)
+    (arguments
+      (list #:phases
+            #~(modify-phases %standard-phases
+                (replace 'build
+                  (lambda _
+                    (substitute* "src/ukify/ukify.py" ; added in python 3.=
11
+                      (("datetime\\.UTC") "datetime.timezone.utc"))))
+                (delete 'check)
+                (replace 'install
+                  (lambda* (#:key inputs #:allow-other-keys)
+                    (let* ((bin (string-append #$output "/bin"))
+                           (file (string-append bin "/ukify"))
+                           (binutils (assoc-ref inputs "binutils"))
+                           (sbsign (assoc-ref inputs "sbsigntools")))
+                      (mkdir-p bin)
+                      (copy-file "src/ukify/ukify.py" file)
+                      (wrap-program file
+                        `("PATH" ":" prefix
+                          (,(string-append binutils "/bin")
+                           ,(string-append sbsign "/bin"))))))))))
+    (inputs (list binutils python-cryptography python-pefile sbsigntools))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI tool")
+    (description "@command{ukify} joins together a UKI stub, linux kernel,=
 initrd,
+kernel arguments, and optional secure boot signatures into a single, UEFI-=
bootable
+image.")
+    (license license:lgpl2.1+)))
+
 (define-public dtc
   (package
     (name "dtc")
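Review bot: `systemd-stub-name` has no fallthrough in its `cond`, so on a target that is none of the five listed architectures `arch` is unspecified and `string-append` fails with an unhelpful type error at package definition time; add an `else` clause that raises a clear error naming the unsupported target, e.g. `(else (error "systemd-stub: unsupported target"))`. Two smaller points in the same hunk: `ukify` calls `wrap-program`, which writes a bash wrapper script, so `bash-minimal` belongs in its `inputs` (this is the case `guix lint` flags for `wrap-program` users); and the `systemd-stub` description reads "UEFi" where "UEFI" is meant, and should open with a full sentence per the packaging guidelines.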

base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
-- 
2.41.0





Message sent to efraim@HIDDEN, vagrant@HIDDEN, guix-patches@HIDDEN:


Subject: [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
From: Lilah Tascheter <lilah@HIDDEN>
Date: Tue, 16 Jan 2024 22:48:11 -0600
To: 68524 <at> debbugs.gnu.org
Cc: Lilah Tascheter <lilah@HIDDEN>, Efraim Flashner <efraim@HIDDEN>, Vagrant Cascadian <vagrant@HIDDEN>
Message-ID: <8cad5fa9951dad5f663ca5d441db0ffc181e35fe.1705466646.git.lilah@HIDDEN>
In-Reply-To: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
References: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
Resent-Date: Wed, 17 Jan 2024 04:50:02 +0000

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
  uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.

Change-Id: Ie30ef47ea026889727a050131a9b3c0555aa4c21
---
 doc/guix.texi          |  35 ++++++++++----
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index a66005ee9d..3029740f45 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40881,8 +40881,9 @@ Bootloader Configuration
 The bootloader to use, as a @code{bootloader} object.  For now
 @code{grub-bootloader}, @code{grub-efi-bootloader},
 @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
-@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
-and @code{u-boot-bootloader} are supported.
+@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
+@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader} are supported.
=20
 @cindex ARM, bootloaders
 @cindex AArch64, bootloaders
@@ -40989,6 +40990,24 @@ Bootloader Configuration
 unbootable.
 @end quotation
=20
+@vindex uefi-uki-bootloader
+@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, wit=
hout
+an intermediary like GRUB. The main practical advantage of this is allowin=
g
+root/store encryption without an extra GRUB password entry and slow decryp=
tion
+step.
+
+@vindex uefi-uki-signed-bootloader
+@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, exce=
pt
+that it is a procedure that returns a bootloader compatible with UEFI secu=
re
+boot. You must provide it with two paths, to an out-of-store secure boot d=
b
+certificate, and key, in that order.
+
+@quotation Note
+This bootloader @emph{does not} support booting from any old system genera=
tion.
+You will also need enough space in your EFI System partition to store your
+kernel and initramfs, though this likely won't be an issue.
+@end quotation
+
 @item @code{targets}
 This is a list of strings denoting the targets onto which to install the
 bootloader.
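Review bot: the `uefi-uki-signed-bootloader` paragraph says the db certificate and key must be out-of-store but not why; state that /gnu/store is world-readable, so a key placed there would be exposed to every local user, and that the key should live in a root-only directory (the cover letter suggests /root), since that one property is what the signing scheme's security rests on. Minor: "linux kernel" should read "Linux kernel", and "root/store encryption" would be clearer as "encryption of the root file system, including the store".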
@@ -40997,12 +41016,12 @@ Bootloader Configuration
 For @code{grub-bootloader}, for example, they should be device names
 understood by the bootloader @command{installer} command, such as
 @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
-GNU GRUB Manual}).  For @code{grub-efi-bootloader} and
-@code{grub-efi-removable-bootloader} they should be mount
-points of the EFI file system, usually @file{/boot/efi}.  For
-@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
-points corresponding to TFTP root directories served by your TFTP
-server.
+GNU GRUB Manual}).  For @code{grub-efi-bootloader},
+@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI =
file
+system, usually @file{/boot/efi}.  For @code{grub-efi-netboot-bootloader},
+@code{targets} should be the mount points corresponding to TFTP root direc=
tories
+served by your TFTP server.
=20
 @item @code{menu-entries} (default: @code{'()})
 A possibly empty list of @code{menu-entry} objects (see below), denoting
diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
new file mode 100644
index 0000000000..3131bae3d7
--- /dev/null
+++ b/gnu/bootloader/uki.scm
@@ -0,0 +1,106 @@
+;;; GNU Guix --- Functional package management for GNU
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu bootloader uki)
+  #:use-module (gnu bootloader)
+  #:use-module (gnu packages bootloaders)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages linux)
+  #:use-module (guix gexp)
+  #:use-module (guix modules))
+
+;; config generator makes script creating uki images
+;; install runs script
+;; install device is path to uefi dir
+
+(define* (uefi-uki-configuration-file #:optional cert privkey)
+  (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)
+
+    (define (menu-entry->uki e)
+      (define stub (file-append systemd-stub "/libexec/" (systemd-stub-nam=
e)))
+      (computed-file "uki.efi"
+        (with-imported-modules (source-module-closure '((guix build utils)=
))
+          #~(let ((args (list #$@(menu-entry-linux-arguments e))))
+              (use-modules (guix build utils))
+              (invoke #$(file-append ukify "/bin/ukify") "build"
+                "--linux" #$(menu-entry-linux e)
+                "--initrd" #$(menu-entry-initrd e)
+                "--os-release" #$(menu-entry-label e)
+                "--cmdline" (string-join args)
+                "--stub" #$stub
+                "-o" #$output)))))
+
+    (program-file "install-uki"
+      (with-imported-modules (source-module-closure '((guix build utils)))
+        #~(let* ((target (cadr (command-line)))
+                 (vendir (string-append target "/EFI/Guix"))
+                 (schema (string-append vendir "/boot.mgr"))
+                 (findmnt #$(file-append util-linux "/bin/findmnt"))
+                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")=
))
+            (use-modules (guix build utils) (ice-9 popen) (ice-9 textual-p=
orts))
+
+            (define disk
+              (call-with-port
+                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target=
)
+                (lambda (port) (get-line port)))) ; only 1 line: the devic=
e
+
+            (when (file-exists? schema)
+              (call-with-input-file schema
+                (lambda (port)
+                  (for-each (lambda (l)
+                              (unless (string-null? l)
+                                (system* efibootmgr "-B" "-L" l)))
+                    (string-split (get-string-all port) #\lf)))))
+            (when (directory-exists? vendir) (delete-file-recursively vend=
ir))
+
+            (mkdir-p vendir)
+            (call-with-output-file schema
+              (lambda (port)
+                (for-each (lambda (uki label)
+                            (let* ((base (basename uki))
+                                   (out (string-append vendir "/" base)))
+                              #$(if cert ; sign here so we can access root=
 certs
+                                  #~(invoke
+                                      #$(file-append sbsigntools "/bin/sbs=
ign")
+                                      "--cert" #$cert "--key" #$privkey
+                                      "--output" out uki)
+                                  #~(copy-file uki out))
+                              (invoke efibootmgr "-c" "-L" label "-d" disk=
 "-l"
+                                (string-append "\\EFI\\Guix\\" base))
+                              (put-string port label)
+                              (put-char port #\lf)))
+                  (list #$@(map-in-order menu-entry->uki entries))
+                  (list #$@(map-in-order menu-entry-label entries)))))))))=
)
+
+(define install-uefi-uki
+  #~(lambda (bootloader target mount-point)
+      (invoke (string-append mount-point "/boot/install-uki.scm")
+              (string-append mount-point target))))
+
+(define* (make-uefi-uki-bootloader #:optional cert privkey)
+  (bootloader
+    (name 'uefi-uki)
+    (package systemd-stub)
+    (installer install-uefi-uki)
+    (disk-image-installer #f)
+    (configuration-file "/boot/install-uki.scm")
+    (configuration-file-generator (uefi-uki-configuration-file cert privke=
y))))
+
+(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
+;; use ukify genkey to generate cert and privkey. DO NOT include in store.
+(define-public (uefi-uki-signed-bootloader cert privkey)
+  (make-uefi-uki-bootloader cert privkey))
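Review bot: `install-uki` removes the whole `EFI/Guix` directory (`delete-file-recursively vendir`) before any new image has been signed and copied in, so if `sbsign` fails (wrong key path, unreadable key, full partition) the machine is left with no bootable image at all, which is exactly the botched-upgrade case the cover letter says has no rollback. Sign and copy every image into a fresh directory first, then rename it into place, and only then drop the old directory and its `efibootmgr` entries. Two smaller points in the same file: the keyword argument is spelled `old-entires` and is never used, so previous generations are silently not installed; and the `efibootmgr -B` calls go through `system*`, whose exit status is ignored, so a failed removal leaves stale boot entries with no diagnostic.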
-- 
2.41.0






Last modified: Sat, 20 Jan 2024 12:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.