GNU bug report logs - #68524
[PATCH 0/2] Support root encryption and secure boot.


Package: guix-patches; Reported by: Lilah Tascheter <lilah@HIDDEN>; Keywords: patch; dated Wed, 17 Jan 2024 04:38:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 68524 <at> debbugs.gnu.org:


From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Date: Tue, 16 Jan 2024 22:48:11 -0600
Message-ID: <8cad5fa9951dad5f663ca5d441db0ffc181e35fe.1705466646.git.lilah@HIDDEN>
In-Reply-To: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
References: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
  uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.

Change-Id: Ie30ef47ea026889727a050131a9b3c0555aa4c21
---
 doc/guix.texi          |  35 ++++++++++----
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index a66005ee9d..3029740f45 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40881,8 +40881,9 @@ Bootloader Configuration
 The bootloader to use, as a @code{bootloader} object.  For now
 @code{grub-bootloader}, @code{grub-efi-bootloader},
 @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
-@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
-and @code{u-boot-bootloader} are supported.
+@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
+@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader} are supported.
=20
 @cindex ARM, bootloaders
 @cindex AArch64, bootloaders
@@ -40989,6 +40990,24 @@ Bootloader Configuration
 unbootable.
 @end quotation
=20
+@vindex uefi-uki-bootloader
+@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, wit=
hout
+an intermediary like GRUB. The main practical advantage of this is allowin=
g
+root/store encryption without an extra GRUB password entry and slow decryp=
tion
+step.
+
+@vindex uefi-uki-signed-bootloader
+@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, exce=
pt
+that it is a procedure that returns a bootloader compatible with UEFI secu=
re
+boot. You must provide it with two paths, to an out-of-store secure boot d=
b
+certificate, and key, in that order.
+
+@quotation Note
+This bootloader @emph{does not} support booting from any old system genera=
tion.
+You will also need enough space in your EFI System partition to store your
+kernel and initramfs, though this likely won't be an issue.
+@end quotation
+
 @item @code{targets}
 This is a list of strings denoting the targets onto which to install the
 bootloader.
@@ -40997,12 +41016,12 @@ Bootloader Configuration
 For @code{grub-bootloader}, for example, they should be device names
 understood by the bootloader @command{installer} command, such as
 @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
-GNU GRUB Manual}).  For @code{grub-efi-bootloader} and
-@code{grub-efi-removable-bootloader} they should be mount
-points of the EFI file system, usually @file{/boot/efi}.  For
-@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
-points corresponding to TFTP root directories served by your TFTP
-server.
+GNU GRUB Manual}).  For @code{grub-efi-bootloader},
+@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI =
file
+system, usually @file{/boot/efi}.  For @code{grub-efi-netboot-bootloader},
+@code{targets} should be the mount points corresponding to TFTP root direc=
tories
+served by your TFTP server.
=20
 @item @code{menu-entries} (default: @code{'()})
 A possibly empty list of @code{menu-entry} objects (see below), denoting
diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
new file mode 100644
index 0000000000..3131bae3d7
--- /dev/null
+++ b/gnu/bootloader/uki.scm
@@ -0,0 +1,106 @@
+;;; GNU Guix --- Functional package management for GNU
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu bootloader uki)
+  #:use-module (gnu bootloader)
+  #:use-module (gnu packages bootloaders)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages linux)
+  #:use-module (guix gexp)
+  #:use-module (guix modules))
+
+;; config generator makes script creating uki images
+;; install runs script
+;; install device is path to uefi dir
+
+(define* (uefi-uki-configuration-file #:optional cert privkey)
+  (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)
+
+    (define (menu-entry->uki e)
+      (define stub (file-append systemd-stub "/libexec/" (systemd-stub-nam=
e)))
+      (computed-file "uki.efi"
+        (with-imported-modules (source-module-closure '((guix build utils)=
))
+          #~(let ((args (list #$@(menu-entry-linux-arguments e))))
+              (use-modules (guix build utils))
+              (invoke #$(file-append ukify "/bin/ukify") "build"
+                "--linux" #$(menu-entry-linux e)
+                "--initrd" #$(menu-entry-initrd e)
+                "--os-release" #$(menu-entry-label e)
+                "--cmdline" (string-join args)
+                "--stub" #$stub
+                "-o" #$output)))))
+
+    (program-file "install-uki"
+      (with-imported-modules (source-module-closure '((guix build utils)))
+        #~(let* ((target (cadr (command-line)))
+                 (vendir (string-append target "/EFI/Guix"))
+                 (schema (string-append vendir "/boot.mgr"))
+                 (findmnt #$(file-append util-linux "/bin/findmnt"))
+                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")=
))
+            (use-modules (guix build utils) (ice-9 popen) (ice-9 textual-p=
orts))
+
+            (define disk
+              (call-with-port
+                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target=
)
+                (lambda (port) (get-line port)))) ; only 1 line: the devic=
e
+
+            (when (file-exists? schema)
+              (call-with-input-file schema
+                (lambda (port)
+                  (for-each (lambda (l)
+                              (unless (string-null? l)
+                                (system* efibootmgr "-B" "-L" l)))
+                    (string-split (get-string-all port) #\lf)))))
+            (when (directory-exists? vendir) (delete-file-recursively vend=
ir))
+
+            (mkdir-p vendir)
+            (call-with-output-file schema
+              (lambda (port)
+                (for-each (lambda (uki label)
+                            (let* ((base (basename uki))
+                                   (out (string-append vendir "/" base)))
+                              #$(if cert ; sign here so we can access root=
 certs
+                                  #~(invoke
+                                      #$(file-append sbsigntools "/bin/sbs=
ign")
+                                      "--cert" #$cert "--key" #$privkey
+                                      "--output" out uki)
+                                  #~(copy-file uki out))
+                              (invoke efibootmgr "-c" "-L" label "-d" disk=
 "-l"
+                                (string-append "\\EFI\\Guix\\" base))
+                              (put-string port label)
+                              (put-char port #\lf)))
+                  (list #$@(map-in-order menu-entry->uki entries))
+                  (list #$@(map-in-order menu-entry-label entries)))))))))=
)
+
+(define install-uefi-uki
+  #~(lambda (bootloader target mount-point)
+      (invoke (string-append mount-point "/boot/install-uki.scm")
+              (string-append mount-point target))))
+
+(define* (make-uefi-uki-bootloader #:optional cert privkey)
+  (bootloader
+    (name 'uefi-uki)
+    (package systemd-stub)
+    (installer install-uefi-uki)
+    (disk-image-installer #f)
+    (configuration-file "/boot/install-uki.scm")
+    (configuration-file-generator (uefi-uki-configuration-file cert privke=
y))))
+
+(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
+;; use ukify genkey to generate cert and privkey. DO NOT include in store.
+(define-public (uefi-uki-signed-bootloader cert privkey)
+  (make-uefi-uki-bootloader cert privkey))
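Review bot: `install-uki` deletes the previous boot entries and the whole `EFI/Guix` directory before any new image has been signed or registered, and the stale-entry loop calls `system*` without checking its status, so a failure in `sbsign` or `efibootmgr -c` midway leaves the machine with no boot entry and no fallback; write the new images to a temporary directory, register them, and only then remove the old directory and entries. Three smaller points in the same script: efibootmgr's `-B` selects the entry to delete with `-b BOOTNUM`, so please confirm that `-B -L label` removes anything at all (a silent failure here accumulates dead Boot#### entries on every reconfigure); each `efibootmgr -c` inserts the new entry at the head of BootOrder, so after `map-in-order` over `entries` the last entry in the list boots first, which is unlikely to be the intended default; and `#:key (old-entires '())` is misspelled and unused, which is why old generations are silently dropped. Also consider whether `--os-release` should be given os-release style text (`PRETTY_NAME=...`) rather than the bare label, and have `make-uefi-uki-bootloader` reject `cert` without `privkey` instead of letting sbsign fail at install time.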
-- 
2.41.0






Message received at 68524 <at> debbugs.gnu.org:


From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH 1/2] gnu: bootloaders: Add uki packages.
Date: Tue, 16 Jan 2024 22:48:10 -0600
Message-ID: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
In-Reply-To: <cover.1705465384.git.lilah@HIDDEN>
References: <cover.1705465384.git.lilah@HIDDEN>

* gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
  (systemd-version, systemd-source, systemd-stub, ukify): New variables.

Change-Id: Ie27bdcbf2c03e895956295f94f280c304393ce8d
---
 gnu/packages/bootloaders.scm | 94 ++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index c73a0e665d..32cbb4e704 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -46,11 +46,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cross-base)
   #:use-module (gnu packages disk)
+  #:use-module (gnu packages efi)
   #:use-module (gnu packages firmware)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages gperf)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages man)
   #:use-module (gnu packages mtools)
@@ -71,11 +73,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages valgrind)
   #:use-module (gnu packages virtualization)
   #:use-module (gnu packages xorg)
+  #:use-module (gnu packages python-crypto)
   #:use-module (gnu packages python-web)
   #:use-module (gnu packages python-xyz)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system pyproject)
+  #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
   #:use-module (guix download)
   #:use-module (guix gexp)
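Review bot: `#:use-module (gnu packages python-crypto)` is inserted after `(gnu packages xorg)`, which breaks the alphabetical order the rest of the `#:use-module` list keeps; move it up so it sits just before `(gnu packages python-web)`. The new `(guix build-system python)` line is placed correctly.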
@@ -632,6 +636,96 @@ (define-public syslinux
                      ;; Also contains:
                      license:expat license:isc license:zlib)))))
=20
+(define systemd-version "255")
+(define systemd-source
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+           (url "https://github.com/systemd/systemd")
+           (commit (string-append "v" systemd-version))))
+    (file-name (git-file-name "systemd" systemd-version))
+    (sha256
+      (base32
+        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
+
+(define-public (systemd-stub-name)
+  (let ((arch (cond ((target-x86-32?) "ia32")
+                ((target-x86-64?) "x64")
+                ((target-arm32?) "arm")
+                ((target-aarch64?) "aa64")
+                ((target-riscv64?) "riscv64"))))
+    (string-append "linux" arch ".efi.stub")))
+
+(define-public systemd-stub
+  (package
+    (name "systemd-stub")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system meson-build-system)
+    (arguments
+      (list
+        #:configure-flags
+        `(list "-Defi=3Dtrue" "-Dsbat-distro=3Dguix"
+               "-Dsbat-distro-generation=3D1" ; package revision!
+               "-Dsbat-distro-summary=3DGuix System"
+               "-Dsbat-distro-url=3Dhttps://guix.gnu.org"
+               ,(string-append "-Dsbat-distro-pkgname=3D" name)
+               ,(string-append "-Dsbat-distro-version=3D" version))
+        #:phases
+        #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name)=
)))
+            (modify-phases %standard-phases
+              (replace 'build
+                (lambda* (#:key parallel-build? #:allow-other-keys)
+                  (invoke "ninja" stub
+                    "-j" (if parallel-build?
+                           (number->string (parallel-job-count)) "1"))))
+              (replace 'install
+                (lambda _
+                  (install-file stub (string-append #$output "/libexec")))=
)
+              (delete 'check)))))
+    (inputs (list libcap python-pyelftools `(,util-linux "lib")))
+    (native-inputs (list gperf pkg-config python-3 python-jinja2))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI stub")
+    (description "Simple UEFi boot stub that loads a conjoined kernel imag=
e and
+supporting data to their proper locations, before chainloading to the kern=
el.
+Supports measured and/or verified boot environments.")
+    (license license:lgpl2.1+)))
+
+(define-public ukify
+  (package
+    (name "ukify")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system python-build-system)
+    (arguments
+      (list #:phases
+            #~(modify-phases %standard-phases
+                (replace 'build
+                  (lambda _
+                    (substitute* "src/ukify/ukify.py" ; added in python 3.=
11
+                      (("datetime\\.UTC") "datetime.timezone.utc"))))
+                (delete 'check)
+                (replace 'install
+                  (lambda* (#:key inputs #:allow-other-keys)
+                    (let* ((bin (string-append #$output "/bin"))
+                           (file (string-append bin "/ukify"))
+                           (binutils (assoc-ref inputs "binutils"))
+                           (sbsign (assoc-ref inputs "sbsigntools")))
+                      (mkdir-p bin)
+                      (copy-file "src/ukify/ukify.py" file)
+                      (wrap-program file
+                        `("PATH" ":" prefix
+                          (,(string-append binutils "/bin")
+                           ,(string-append sbsign "/bin"))))))))))
+    (inputs (list binutils python-cryptography python-pefile sbsigntools))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI tool")
+    (description "@command{ukify} joins together a UKI stub, linux kernel,=
 initrd,
+kernel arguments, and optional secure boot signatures into a single, UEFI-=
bootable
+image.")
+    (license license:lgpl2.1+)))
+
 (define-public dtc
   (package
     (name "dtc")
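Review bot: the `cond` in `systemd-stub-name` has no `else` clause, so on any other target `arch` is unspecified and `string-append` fails with an unhelpful type error; add `(else (error "systemd-stub: unsupported target"))` so the failure names the cause. On the SBAT flags, `-Dsbat-distro-generation=1` with the `package revision!` comment needs a written rule for when the number is bumped: the generation is what lets firmware or shim revoke an older stub with a known flaw, so a security rebuild that leaves it at 1 cannot be told apart from the vulnerable build. Smaller items: the `ukify` `(replace 'build ...)` phase only runs a `substitute*`, which reads better as an `add-after 'unpack` phase with the build phase deleted; `(delete 'check)` in both packages deserves a comment saying that no tests are run and why; and the `systemd-stub` description has a `UEFi` typo.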

base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
-- 
2.41.0






Message received at submit <at> debbugs.gnu.org:


From: Lilah Tascheter <lilah@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH 0/2] Support root encryption and secure boot.
Date: Tue, 16 Jan 2024 22:23:02 -0600
Message-ID: <cover.1705465384.git.lilah@HIDDEN>

Primarily adds a new bootloader, uefi-uki-bootloader, and an auxiliary form,
uefi-uki-signed-bootloader. These use isolated fragments of the systemd project
(particularly the systemd-stub UEFI stub and supporting ukify tool) to install
combined kernel/arguments/initrd images to the EFI system partition. The
built-in UEFI boot manager can then deal with boot selection. While this does
require copying files from the store to the partition, it makes up for it in two
important ways:

1. Proper encrypted root support! GRUB is really fucking slow at decrypting the
store in my experience, and it's annoying to have to enter in the root password
twice. Since the kernel is loaded directly from the system partition, the first,
and only, LUKS password entry is in the initrd. Also wholly bypasses GRUB not
supporting LUKS2 (or, at least, having bad issues with it on Guix).

2. Secure boot support! It's set up assuming the user has already created the
necessary keys (typically, in /root, as they should only be root-accessible).
Passing the paths to the db cert and key to uefi-uki-signed-bootloader will then
automatically sign the entire bootloader image. In combination with root
encryption, assuming a functioning motherboard UEFI installation, this should
fully secure Guix's boot chain.

This is ported from my personal channel, so uefi-uki-bootloader has been tested
for months. The main drawback is lack of kernel generation rollback in the case
of a botched upgrade, so I've been keeping around a manually-copied backup uki
image, but I haven't had any troubles with it so far. I have just verified
uefi-uki-signed-bootloader properly functions and boots in secure boot user
mode.

All in-system testing has been done on my channel, so the porting process may
have had issues, but I did make sure the added packages compile, and there
aren't any miscopies.

No clue how this works on non-x64 systems. I don't think there's enough ARM UEFI
systems in existence for it to matter that much anyway.

Thanks!

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  35 +++++++++---
 gnu/bootloader/uki.scm       | 106 +++++++++++++++++++++++++++++++++++
 gnu/packages/bootloaders.scm |  94 +++++++++++++++++++++++++++++++
 3 files changed, 227 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm


base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
-- 
2.41.0
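A way to inspect what the install script leaves in the ESP, as an added example that is not part of the patch or of systemd: it walks the PE section table of a unified kernel image, decodes the cmdline, os-release and SBAT sections (the ones `ukify build` fills from `--cmdline` and `--os-release`, and the stub's `-Dsbat-distro-*` flags), and reports the gaps a defender would check before trusting an image. The sample image and its SBAT rows are constructed inside the block: the section names and PE layout are real, the bytes are not from any real build.

```python
"""Inspect and sanity-check a unified kernel image (UKI).  A UKI is a PE/COFF
file (the systemd-stub) whose payload sits in named sections: .linux, .initrd,
.cmdline, .osrel and .sbat.  Pass a real EFI/<vendor>/*.efi path to audit it."""
import struct
import sys

REQUIRED = (".linux", ".initrd", ".cmdline", ".osrel")
TEXT_SECTIONS = (".cmdline", ".osrel", ".sbat")


def pe_sections(data: bytes) -> dict[str, bytes]:
    """Walk the PE section table and return {name: raw section bytes}."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4  # 20-byte COFF file header
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    sections: dict[str, bytes] = {}
    for i in range(nsect):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        size = min(vsize, rawsize) if vsize else rawsize  # raw data may be padded past VirtualSize
        if rawptr + size > len(data):
            raise ValueError(f"section {name} points past end of file")
        sections[name] = data[rawptr:rawptr + size]
    return sections


def text_sections(data: bytes) -> dict[str, str]:
    """Decode the human-readable sections (kernel cmdline, os-release, SBAT)."""
    secs = pe_sections(data)
    return {n: secs[n].rstrip(b"\0").decode("utf-8", "replace").strip()
            for n in TEXT_SECTIONS if n in secs}


def sbat_entries(data: bytes) -> list[tuple[str, ...]]:
    """Split the CSV .sbat section into (component, generation, vendor, package, version, url) rows."""
    text = text_sections(data).get(".sbat", "")
    return [tuple(line.split(",")) for line in text.splitlines() if line.strip()]


def audit_uki(data: bytes) -> list[str]:
    """Findings a defender wants before trusting an image found in the ESP."""
    secs = pe_sections(data)
    findings = [f"missing section {n}" for n in REQUIRED if n not in secs]
    if ".sbat" not in secs:
        findings.append("no .sbat section: the stub carries no SBAT revocation metadata")
    for row in sbat_entries(data):
        if len(row) != 6 or not row[1].isdigit():  # generation must be a number
            findings.append("malformed SBAT row: " + ",".join(row))
    osrel = text_sections(data).get(".osrel")
    if osrel is not None and not any(l.startswith("PRETTY_NAME=") for l in osrel.splitlines()):
        findings.append(".osrel has no PRETTY_NAME= line (expected os-release KEY=VALUE text)")
    return findings


def build_sample_uki(sections: dict[str, bytes]) -> bytes:
    """Construct a minimal PE carrying the given sections (test fixture, not bootable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x0002)  # no optional header
    data_off = 64 + 4 + 20 + 40 * len(sections)
    table, blobs = b"", b""
    for name, blob in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(blob),
                             0x1000 + len(blobs), len(blob), data_off + len(blobs),
                             0, 0, 0, 0, 0x40000040)
        blobs += blob
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed sample: the SBAT rows mirror the -Dsbat-distro-* flags of the patch's
# systemd-stub package; the kernel and initrd payloads are placeholder bytes.
SAMPLE_UKI = build_sample_uki({
    ".linux": b"\x1f\x8b\x08" + b"\0" * 29,
    ".initrd": b"070701" + b"\0" * 26,
    ".cmdline": b"root=/dev/mapper/cryptroot ro\0",
    ".osrel": b"NAME=Guix\nPRETTY_NAME=Guix System\nID=guix\n",
    ".sbat": b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
             b"systemd,1,The systemd Developers,systemd,255,https://systemd.io\n"
             b"systemd.guix,1,Guix System,systemd-stub,255,https://guix.gnu.org\n",
})

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UKI
    for name, text in text_sections(data).items():
        print(f"{name}:\n  " + text.replace("\n", "\n  "))
    print("findings:", audit_uki(data) or "none")
```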





Last modified: Sat, 20 Jan 2024 12:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.