Subject: [bug#68524] [PATCH 0/2] Support root encryption and secure boot.
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: guix-patches@HIDDEN
Date: Tue, 16 Jan 2024 22:23:02 -0600
Message-ID: <cover.1705465384.git.lilah@HIDDEN>

Primarily adds a new bootloader, uefi-uki-bootloader, and an auxiliary form,
uefi-uki-signed-bootloader. These use isolated fragments of the systemd project
(particularly the systemd-stub UEFI stub and supporting ukify tool) to install
combined kernel/arguments/initrd images to the EFI system partition. The
built-in UEFI boot manager can then deal with boot selection. While this does
require copying files from the store to the partition, it makes up for it in
two important ways:

1. Proper encrypted root support! GRUB is really fucking slow at decrypting the
store in my experience, and it's annoying to have to enter in the root password
twice. Since the kernel is loaded directly from the system partition, the first,
and only, LUKS password entry is in the initrd. Also wholly bypasses GRUB not
supporting LUKS2 (or, at least, having bad issues with it on Guix).

2. Secure boot support! It's set up assuming the user has already created the
necessary keys (typically, in /root, as they should only be root-accessible).
Passing the paths to the db cert and key to uefi-uki-signed-bootloader will then
automatically sign the entire bootloader image. In combination with root
encryption, assuming a functioning motherboard UEFI installation, this should
fully secure Guix's boot chain.

This is ported from my personal channel, so uefi-uki-bootloader has been tested
for months. The main drawback is lack of kernel generation rollback in the case
of a botched upgrade, so I've been keeping around a manually-copied backup uki
image, but I haven't had any troubles with it so far. I have just verified
uefi-uki-signed-bootloader properly functions and boots in secure boot user
mode.

All in-system testing has been done on my channel, so the porting process may
have had issues, but I did make sure the added packages compile, and there
aren't any miscopies.

No clue how this works on non-x64 systems. I don't think there are enough ARM
UEFI systems in existence for it to matter that much anyway.

Thanks!

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  35 +++++++++---
 gnu/bootloader/uki.scm       | 106 +++++++++++++++++++++++++++++++++++
 gnu/packages/bootloaders.scm |  94 +++++++++++++++++++++++++++++++
 3 files changed, 227 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
-- 
2.41.0
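The cover letter above describes the artifact this series produces: a single PE image on the EFI system partition that carries the kernel, the kernel arguments and the initrd, signed as a whole for Secure Boot. A defender reviewing such a system wants to confirm what actually landed on the ESP, in particular that the embedded command line points at the encrypted root mapping rather than a plain partition, and that the image carries all the sections the stub expects. The following is an added example, not code from this patch series or from systemd: a minimal PE/COFF section-table reader in Python that lists the sections a UKI carries (the `.linux`, `.initrd`, `.cmdline`, `.osrel` and `.sbat` names follow the UKI convention used by systemd-stub and ukify) and checks the `.cmdline` contents against expected parameters. Because no real UKI is available offline, the images it inspects are constructed inline by `build_fake_uki` (a bare PE skeleton with no optional header, not bootable); `inspect_uki`, `check_cmdline`, `EXPECTED_PARAMS` and the sample command lines are this example's own names and values, and `gnu.system=` is used only as an example of a parameter that must be present, not as a description of Guix's full command line.

```python
import struct

# Section names a UKI carries under the systemd-stub/ukify convention.
UKI_SECTIONS = (".linux", ".initrd", ".cmdline", ".osrel", ".sbat")
COFF_HEADER = "<HHIIIHH"         # 20-byte COFF file header
SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte section header; UKI names fit in 8 bytes


def read_sections(pe: bytes) -> dict:
    """Walk a PE/COFF image's section table; return {name: payload bytes}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    fields = struct.unpack_from(COFF_HEADER, pe, coff)
    nsections, opt_size = fields[1], fields[5]
    table = coff + struct.calcsize(COFF_HEADER) + opt_size
    sections = {}
    for i in range(nsections):
        hdr = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, raw_size, raw_ptr = hdr[1], hdr[3], hdr[4]
        # VirtualSize is the real payload length; SizeOfRawData is padded up
        # to the file alignment, so read the smaller of the two.
        size = min(vsize, raw_size) if vsize else raw_size
        if raw_ptr + size > len(pe):
            raise ValueError(f"section {name} lies outside the image")
        sections[name] = pe[raw_ptr:raw_ptr + size]
    return sections


def inspect_uki(pe: bytes) -> dict:
    """Report which UKI sections are present and parse the embedded command line."""
    sections = read_sections(pe)
    # .cmdline is NUL-terminated text; anything after the first NUL is padding.
    cmdline = sections.get(".cmdline", b"").split(b"\0", 1)[0]
    cmdline = cmdline.decode("utf-8", "replace").strip()
    params = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        params[key] = value
    return {
        "present": [s for s in UKI_SECTIONS if s in sections],
        "missing": [s for s in UKI_SECTIONS if s not in sections],
        "cmdline": cmdline,
        "params": params,
    }


def check_cmdline(params: dict, expected: dict) -> list:
    """Compare parsed parameters with expectations; a None value means 'must exist'."""
    findings = []
    for key, want in expected.items():
        if key not in params:
            findings.append(f"missing {key}=")
        elif want is not None and params[key] != want:
            findings.append(f"{key}={params[key]!r}, expected {want!r}")
    return findings


def build_fake_uki(sections: dict) -> bytes:
    """Construct a minimal PE skeleton holding the given sections (test data only)."""
    e_lfanew = 0x40
    table = e_lfanew + 4 + struct.calcsize(COFF_HEADER)  # SizeOfOptionalHeader = 0
    data_start = table + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0"
    hdr += struct.pack(COFF_HEADER, 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    body = bytearray()
    for name, payload in sections.items():
        padded = payload + b"\0" * (-len(payload) % 512)  # 512-byte file alignment
        hdr += struct.pack(SECTION_HEADER, name.encode("ascii"), len(payload), 0,
                           len(padded), data_start + len(body), 0, 0, 0, 0, 0x40000040)
        body += padded
    return bytes(hdr + body)


# Constructed sample images (not real Guix output): one looks like a complete
# UKI for an encrypted root, the other lacks .sbat and names a plain partition.
OSREL = b'NAME="Guix System"\nPRETTY_NAME="Guix System (example)"\n'
GOOD_UKI = build_fake_uki({
    ".linux": b"fake-kernel-image",
    ".initrd": b"fake-initrd-archive",
    ".cmdline": b"root=/dev/mapper/cryptroot gnu.system=/gnu/store/EXAMPLE-system quiet\0",
    ".osrel": OSREL,
    ".sbat": b"sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat\n",
})
BAD_UKI = build_fake_uki({
    ".linux": b"fake-kernel-image",
    ".initrd": b"fake-initrd-archive",
    ".cmdline": b"root=/dev/sda2 gnu.system=/gnu/store/EXAMPLE-system\0",
    ".osrel": OSREL,
})
# What the operator expects: the encrypted root mapping, and a system path present.
EXPECTED_PARAMS = {"root": "/dev/mapper/cryptroot", "gnu.system": None}

if __name__ == "__main__":
    for label, image in (("good", GOOD_UKI), ("bad", BAD_UKI)):
        report = inspect_uki(image)
        print(f"[{label}] missing sections: {report['missing'] or 'none'}")
        print(f"[{label}] cmdline: {report['cmdline']}")
        for finding in check_cmdline(report["params"], EXPECTED_PARAMS):
            print(f"[{label}] finding: {finding}")
```

To run the same check on a real installation, read one of the images the installer places under `/EFI/Guix` on the mounted ESP and pass the bytes to `inspect_uki`; the parser only needs the section table, so it works on a signed image as well, since Authenticode signing appends to the file without altering the section headers.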
Subject: [bug#68524] [PATCH 1/2] gnu: bootloaders: Add uki packages.
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: Lilah Tascheter <lilah@HIDDEN>, Efraim Flashner <efraim@HIDDEN>, Vagrant Cascadian <vagrant@HIDDEN>
Date: Tue, 16 Jan 2024 22:48:10 -0600
Message-ID: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
In-Reply-To: <cover.1705465384.git.lilah@HIDDEN>

* gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
(systemd-version,systemd-source,systemd-stub,ukify): New variables.

Change-Id: Ie27bdcbf2c03e895956295f94f280c304393ce8d
---
 gnu/packages/bootloaders.scm | 94 ++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index c73a0e665d..32cbb4e704 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -46,11 +46,13 @@ (define-module (gnu packages bootloaders) #:use-module (gnu packages compression) #:use-module (gnu packages cross-base) #:use-module (gnu packages disk) + #:use-module (gnu packages efi) #:use-module (gnu packages firmware) #:use-module (gnu packages flex) #:use-module (gnu packages fontutils) #:use-module (gnu packages gcc) #:use-module (gnu packages gettext) + #:use-module (gnu packages gperf) #:use-module (gnu packages linux) #:use-module (gnu packages man) #:use-module (gnu packages mtools) @@ -71,11 +73,13 @@ (define-module (gnu packages bootloaders) #:use-module (gnu packages valgrind) #:use-module (gnu packages virtualization) #:use-module (gnu packages xorg) + #:use-module (gnu packages python-crypto) #:use-module (gnu packages python-web) #:use-module (gnu packages python-xyz) #:use-module (guix build-system gnu) #:use-module (guix build-system meson) #:use-module (guix build-system pyproject) + #:use-module (guix build-system python) #:use-module (guix build-system trivial) #:use-module (guix download) #:use-module (guix gexp) 
@@ -632,6 +636,96 @@ (define-public syslinux ;; Also contains: license:expat license:isc license:zlib))))) =20 +(define systemd-version "255") +(define systemd-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/systemd/systemd") + (commit (string-append "v" systemd-version)))) + (file-name (git-file-name "systemd" systemd-version)) + (sha256 + (base32 + "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6")))) + +(define-public (systemd-stub-name) + (let ((arch (cond ((target-x86-32?) "ia32") + ((target-x86-64?) "x64") + ((target-arm32?) "arm") + ((target-aarch64?) "aa64") + ((target-riscv64?) "riscv64")))) + (string-append "linux" arch ".efi.stub"))) + +(define-public systemd-stub + (package + (name "systemd-stub") + (version systemd-version) + (source systemd-source) + (build-system meson-build-system) + (arguments + (list + #:configure-flags + `(list "-Defi=3Dtrue" "-Dsbat-distro=3Dguix" + "-Dsbat-distro-generation=3D1" ; package revision! + "-Dsbat-distro-summary=3DGuix System" + "-Dsbat-distro-url=3Dhttps://guix.gnu.org" + ,(string-append "-Dsbat-distro-pkgname=3D" name) + ,(string-append "-Dsbat-distro-version=3D" version)) + #:phases + #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name)= ))) + (modify-phases %standard-phases + (replace 'build + (lambda* (#:key parallel-build? #:allow-other-keys) + (invoke "ninja" stub + "-j" (if parallel-build? + (number->string (parallel-job-count)) "1")))) + (replace 'install + (lambda _ + (install-file stub (string-append #$output "/libexec")))= ) + (delete 'check))))) + (inputs (list libcap python-pyelftools `(,util-linux "lib"))) + (native-inputs (list gperf pkg-config python-3 python-jinja2)) + (home-page "https://systemd.io") + (synopsis "Unified kernel image UEFI stub") + (description "Simple UEFi boot stub that loads a conjoined kernel imag= e and +supporting data to their proper locations, before chainloading to the kern= el. 
+Supports measured and/or verified boot environments.") + (license license:lgpl2.1+))) + +(define-public ukify + (package + (name "ukify") + (version systemd-version) + (source systemd-source) + (build-system python-build-system) + (arguments + (list #:phases + #~(modify-phases %standard-phases + (replace 'build + (lambda _ + (substitute* "src/ukify/ukify.py" ; added in python 3.= 11 + (("datetime\\.UTC") "datetime.timezone.utc")))) + (delete 'check) + (replace 'install + (lambda* (#:key inputs #:allow-other-keys) + (let* ((bin (string-append #$output "/bin")) + (file (string-append bin "/ukify")) + (binutils (assoc-ref inputs "binutils")) + (sbsign (assoc-ref inputs "sbsigntools"))) + (mkdir-p bin) + (copy-file "src/ukify/ukify.py" file) + (wrap-program file + `("PATH" ":" prefix + (,(string-append binutils "/bin") + ,(string-append sbsign "/bin")))))))))) + (inputs (list binutils python-cryptography python-pefile sbsigntools)) + (home-page "https://systemd.io") + (synopsis "Unified kernel image UEFI tool") + (description "@command{ukify} joins together a UKI stub, linux kernel,= initrd, +kernel arguments, and optional secure boot signatures into a single, UEFI-= bootable +image.") + (license license:lgpl2.1+))) + (define-public dtc (package (name "dtc") base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1 --=20 2.41.0
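Review bot: `systemd-stub-name` has no `else` clause, so on any target outside the five listed `arch` is unspecified and `(string-append "linux" arch ".efi.stub")` fails with an opaque wrong-type error when the package is evaluated; add a fallthrough such as `(else (error "systemd-stub: unsupported target"))` so unsupported builds fail with a message that names the problem. The comment on `"-Dsbat-distro-generation=1" ; package revision!` does not say when the value must be bumped or by whom; spell that out in a comment and keep the number next to `systemd-version`, where it will be seen on the next update. In `ukify`, replacing the `'build` phase with a `substitute*` on `ukify.py` hides the intent: express it as `(add-after 'unpack 'use-datetime-timezone-utc ...)` plus `(delete 'build)`, with the comment stating that the rewrite is only needed while the package is built against a Python older than 3.11. Finally, two typos in the descriptions: "UEFi" should read "UEFI", and "linux kernel" should read "Linux kernel".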
Subject: [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: Lilah Tascheter <lilah@HIDDEN>, Efraim Flashner <efraim@HIDDEN>, Vagrant Cascadian <vagrant@HIDDEN>
Date: Tue, 16 Jan 2024 22:48:11 -0600
Message-ID: <8cad5fa9951dad5f663ca5d441db0ffc181e35fe.1705466646.git.lilah@HIDDEN>
In-Reply-To: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.

Change-Id: Ie30ef47ea026889727a050131a9b3c0555aa4c21
---
 doc/guix.texi          |  35 ++++++++++----
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index a66005ee9d..3029740f45 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40881,8 +40881,9 @@ Bootloader Configuration The bootloader to use, as a @code{bootloader} object. For now @code{grub-bootloader}, @code{grub-efi-bootloader}, @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader}, -@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader} -and @code{u-boot-bootloader} are supported. +@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}, +@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and +@code{uefi-uki-signed-bootloader} are supported. =20 @cindex ARM, bootloaders @cindex AArch64, bootloaders @@ -40989,6 +40990,24 @@ Bootloader Configuration unbootable. @end quotation =20 +@vindex uefi-uki-bootloader +@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, wit= hout +an intermediary like GRUB. The main practical advantage of this is allowin= g +root/store encryption without an extra GRUB password entry and slow decryp= tion +step. + +@vindex uefi-uki-signed-bootloader +@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, exce= pt +that it is a procedure that returns a bootloader compatible with UEFI secu= re +boot. You must provide it with two paths, to an out-of-store secure boot d= b +certificate, and key, in that order. + +@quotation Note +This bootloader @emph{does not} support booting from any old system genera= tion. +You will also need enough space in your EFI System partition to store your +kernel and initramfs, though this likely won't be an issue. +@end quotation + @item @code{targets} This is a list of strings denoting the targets onto which to install the bootloader. 
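Review bot: the `uefi-uki-signed-bootloader` paragraph says the certificate and key paths must be "out-of-store" without saying why, and that is the one thing a user of this feature must not get wrong: /gnu/store is world-readable, so passing the key as a file-like object (`local-file`, or anything else that gets copied into the store) would expose the Secure Boot db private key to every local user. State explicitly that both arguments are plain path strings to root-only files, that they are read by the installer as root at `guix system reconfigure` time, and point at the `ukify genkey` hint from `gnu/bootloader/uki.scm` so readers know how to create them. Smaller wording points in the same hunk: "boots a linux kernel" should be "boots a Linux kernel", "a procedure that returns a bootloader" reads better as "a procedure returning a bootloader", and the `@quotation Note` is clearer as "previous system generations" than "any old system generation".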
@@ -40997,12 +41016,12 @@ Bootloader Configuration For @code{grub-bootloader}, for example, they should be device names understood by the bootloader @command{installer} command, such as @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub, -GNU GRUB Manual}). For @code{grub-efi-bootloader} and -@code{grub-efi-removable-bootloader} they should be mount -points of the EFI file system, usually @file{/boot/efi}. For -@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount -points corresponding to TFTP root directories served by your TFTP -server. +GNU GRUB Manual}). For @code{grub-efi-bootloader}, +@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and +@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI = file +system, usually @file{/boot/efi}. For @code{grub-efi-netboot-bootloader}, +@code{targets} should be the mount points corresponding to TFTP root direc= tories +served by your TFTP server. =20 @item @code{menu-entries} (default: @code{'()}) A possibly empty list of @code{menu-entry} objects (see below), denoting diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm new file mode 100644 index 0000000000..3131bae3d7 --- /dev/null +++ b/gnu/bootloader/uki.scm 
@@ -0,0 +1,106 @@ +;;; GNU Guix --- Functional package management for GNU +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu bootloader uki) + #:use-module (gnu bootloader) + #:use-module (gnu packages bootloaders) + #:use-module (gnu packages efi) + #:use-module (gnu packages linux) + #:use-module (guix gexp) + #:use-module (guix modules)) + +;; config generator makes script creating uki images +;; install runs script +;; install device is path to uefi dir + +(define* (uefi-uki-configuration-file #:optional cert privkey) + (lambda* (config entries #:key (old-entires '()) #:allow-other-keys) + + (define (menu-entry->uki e) + (define stub (file-append systemd-stub "/libexec/" (systemd-stub-nam= e))) + (computed-file "uki.efi" + (with-imported-modules (source-module-closure '((guix build utils)= )) + #~(let ((args (list #$@(menu-entry-linux-arguments e)))) + (use-modules (guix build utils)) + (invoke #$(file-append ukify "/bin/ukify") "build" + "--linux" #$(menu-entry-linux e) + "--initrd" #$(menu-entry-initrd e) + "--os-release" #$(menu-entry-label e) + "--cmdline" (string-join args) + "--stub" #$stub + "-o" #$output))))) + + (program-file "install-uki" + (with-imported-modules (source-module-closure '((guix build utils))) + #~(let* ((target (cadr (command-line))) + (vendir (string-append target 
"/EFI/Guix")) + (schema (string-append vendir "/boot.mgr")) + (findmnt #$(file-append util-linux "/bin/findmnt")) + (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")= )) + (use-modules (guix build utils) (ice-9 popen) (ice-9 textual-p= orts)) + + (define disk + (call-with-port + (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target= ) + (lambda (port) (get-line port)))) ; only 1 line: the devic= e + + (when (file-exists? schema) + (call-with-input-file schema + (lambda (port) + (for-each (lambda (l) + (unless (string-null? l) + (system* efibootmgr "-B" "-L" l))) + (string-split (get-string-all port) #\lf))))) + (when (directory-exists? vendir) (delete-file-recursively vend= ir)) + + (mkdir-p vendir) + (call-with-output-file schema + (lambda (port) + (for-each (lambda (uki label) + (let* ((base (basename uki)) + (out (string-append vendir "/" base))) + #$(if cert ; sign here so we can access root= certs + #~(invoke + #$(file-append sbsigntools "/bin/sbs= ign") + "--cert" #$cert "--key" #$privkey + "--output" out uki) + #~(copy-file uki out)) + (invoke efibootmgr "-c" "-L" label "-d" disk= "-l" + (string-append "\\EFI\\Guix\\" base)) + (put-string port label) + (put-char port #\lf))) + (list #$@(map-in-order menu-entry->uki entries)) + (list #$@(map-in-order menu-entry-label entries)))))))))= ) + +(define install-uefi-uki + #~(lambda (bootloader target mount-point) + (invoke (string-append mount-point "/boot/install-uki.scm") + (string-append mount-point target)))) + +(define* (make-uefi-uki-bootloader #:optional cert privkey) + (bootloader + (name 'uefi-uki) + (package systemd-stub) + (installer install-uefi-uki) + (disk-image-installer #f) + (configuration-file "/boot/install-uki.scm") + (configuration-file-generator (uefi-uki-configuration-file cert privke= y)))) + +(define-public uefi-uki-bootloader (make-uefi-uki-bootloader)) +;; use ukify genkey to generate cert and privkey. DO NOT include in store. 
+(define-public (uefi-uki-signed-bootloader cert privkey) + (make-uefi-uki-bootloader cert privkey)) --=20 2.41.0
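Review bot: the install script is destructive before it has anything to put back: it runs `efibootmgr -B` on every label in `boot.mgr` and `delete-file-recursively` on `vendir` before the first new image has been signed or copied, so if `sbsign` fails (wrong `--key` path, key unreadable) or the ESP runs out of space, the script exits with no Guix boot entry left and no kernel on the ESP. Sign or copy every image into a temporary directory on the ESP first, then remove the old entries and rename it into place as `/EFI/Guix`, so a failed reconfigure leaves the previous boot chain bootable. Two smaller points: the keyword argument is misspelled `old-entires`, and since old generations are deliberately ignored it is clearer to drop it (`#:allow-other-keys` already accepts it) or spell it `old-entries` with a comment saying they are skipped; and `efibootmgr -c` receives the `findmnt -o SOURCE` result (the ESP partition node) as `-d` with no `-p`, so please confirm that efibootmgr derives the partition number from a partition device, or pass the parent disk and `-p` explicitly.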