From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp10.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms5.migadu.com with LMTPS
	id SN5JFyaWBWPHKgEAbAwnHQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 24 Aug 2022 05:08:22 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp10.migadu.com with LMTPS
	id IIpsFiaWBWMQyQAAG6o9tA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Wed, 24 Aug 2022 05:08:22 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 3F73C13A69
	for <larch@yhetil.org>; Wed, 24 Aug 2022 05:08:21 +0200 (CEST)
Received: from localhost ([::1]:33738 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1oQgkd-0007ue-UC
	for larch@yhetil.org; Tue, 23 Aug 2022 23:08:19 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:32800)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <philip@philipmcgrath.com>)
 id 1oQgkE-0007uE-1Y
 for guix-devel@gnu.org; Tue, 23 Aug 2022 23:07:54 -0400
Received: from out5-smtp.messagingengine.com ([66.111.4.29]:49343)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <philip@philipmcgrath.com>)
 id 1oQgkB-0000nz-P0
 for guix-devel@gnu.org; Tue, 23 Aug 2022 23:07:53 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 07EA95C00F7;
 Tue, 23 Aug 2022 23:07:48 -0400 (EDT)
Received: from imap52 ([10.202.2.102])
 by compute4.internal (MEProxy); Tue, 23 Aug 2022 23:07:48 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 philipmcgrath.com; h=cc:content-type:date:date:from:from
 :in-reply-to:in-reply-to:message-id:mime-version:references
 :reply-to:sender:subject:subject:to:to; s=fm1; t=1661310468; x=
 1661396868; bh=xFRZjF6CW74oV0BDqHtkMxqc6mQ6QhWgaE8slebJtu4=; b=Z
 ttVBQSAMpdhPZ7VE+It5Xh9LJ/qUYD0EZ77GUx3/ciXQF4C1ZRX/xYOZOpI43c+v
 5txTgt74hlttOkucYGNISwY+TcmbhwWCAOMJntDn4mG7o+6lo6v11mcZkXoQfi9s
 XLloOhsd+BxlSlL2RnAAw6B48N1H19DBl48TNm8Cdl4mOz0N6USvlwyJoQbYY6f9
 GojFSai32FyPZRlagKTBm8NVl8HMy2tq1eWzdaJBWJGcP9Tkq8l4DVgx9UayBxNq
 7QXauGuwLXzVsa9zHA7OYzAN2pv4osi7sFPfB9rbucsRxEDQWPmGyLWnPE4olvEr
 Z67zmsGGFLadwWeghznPg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:date:feedback-id
 :feedback-id:from:from:in-reply-to:in-reply-to:message-id
 :mime-version:references:reply-to:sender:subject:subject:to:to
 :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
 fm1; t=1661310468; x=1661396868; bh=xFRZjF6CW74oV0BDqHtkMxqc6mQ6
 QhWgaE8slebJtu4=; b=MDdWMd4BirV72k38m4f+rvjwt9KTc2ZS9p2cgUQdQCrb
 tD9vQdt66egvv97BSp3OHSFzYj5Di7C6VSoIxAqfl4UDcUeRzF6/nwomkJAGZ7vf
 oP6HtonZREjzk1q38AyAs1/glWnk/UKf9xF1Rn2MJ7onps/tC5XO/laRJC7CmmeQ
 F/HEGje31qHWz37pj8f2sarsbsju8DA8GVx820/ebrN3wUONWoy46b9M4RDt6RWU
 +v1x/3yWI8lZxActVY/DX/Sg/lAjHN5hoXARRzi2SnMwNeKGD8DJmT43RDbi8Jtd
 9LQX8wsylrMt84ll7xBVvupCmjFPEiA2Cu9TUzrIjw==
X-ME-Sender: <xms:A5YFY1-irHztNy71dNvZEyMfUJvIDrlkMFfHgss5_efvpKeRUdxc8g>
 <xme:A5YFY5uY7IgxhHdXDsRmj_7xo9JwnIypAWe65_dX5kaBZH4S-ZhlF3NRiObJP_KB4
 QMWJg6dH3xQvXJkpcY>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrvdejtddgieekucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd
 ertderredtnecuhfhrohhmpedfrfhhihhlihhpucfotgfirhgrthhhfdcuoehphhhilhhi
 phesphhhihhlihhpmhgtghhrrghthhdrtghomheqnecuggftrfgrthhtvghrnhephfetud
 fgtddugeelvdegfedvueevheevfefgudeiuefhiefhudehveetheekhfdvnecuvehluhhs
 thgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepphhhihhlihhpsehphh
 hilhhiphhmtghgrhgrthhhrdgtohhm
X-ME-Proxy: <xmx:A5YFYzCUHO7TQnfs118aR4_VhLMK_DL07YvCTHOn4bSaIkrfvmo3RQ>
 <xmx:A5YFY5ekcZCTnT9V_7F_Fc4A0SAbILWCyyAE926H_uVogdiWveLjCw>
 <xmx:A5YFY6OCuoNTqRp1u0Ev9ed4KvEd-zS4HF821UbFEkL54eUHF2VaHw>
 <xmx:BJYFY3rMYY4v8plMuaYejdQclHBADgGE1s4ga8a276s-pdpb9simwQ>
Feedback-ID: i2b1146f3:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501)
 id 71220C6008B; Tue, 23 Aug 2022 23:07:47 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-841-g7899e99a45-fm-20220811.002-g7899e99a
Mime-Version: 1.0
Message-Id: <d49e7ac5-805b-4d08-ac33-61b3e3a9e27b@www.fastmail.com>
In-Reply-To: <87pmguugp0.fsf@jpoiret.xyz>
References: <87h727tazd.fsf.ref@yahoo.com.br> <87h727tazd.fsf@yahoo.com.br>
 <87pmguugp0.fsf@jpoiret.xyz>
Date: Tue, 23 Aug 2022 23:07:26 -0400
From: "Philip McGrath" <philip@philipmcgrath.com>
To: "Josselin Poiret" <dev@jpoiret.xyz>,
 "Antonio Carlos Padoan Junior" <acpadoanjr@yahoo.com.br>,
 "Brian Cully" <guix-devel@gnu.org>
Subject: Re: secure boot
Content-Type: text/plain
Received-SPF: pass client-ip=66.111.4.29;
 envelope-from=philip@philipmcgrath.com; helo=out5-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-To: larch@yhetil.org
X-Migadu-Country: US
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1661310501;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=xFRZjF6CW74oV0BDqHtkMxqc6mQ6QhWgaE8slebJtu4=;
	b=O/jSB1JQBTxhOEV///gVIRkM91YmncebDfKkZxM3w5gGvDEoqKBCgopMGSrZ2VcEUM2Cb1
	p+edRmPszETHdV79EPqus8aX8GHHxdhpTX6uhfg5Ij/mFeIEd4IoIV7GiZ/xliH0JGwLWt
	cPjxcUF3UIjQU+MvyF26029Fso5VblyrWHRuvNUafnNSKhdGrDczUzOtTrmdJ7vN/Ffjh+
	OfkAEuIZOjIrqK1EsiHLZSWzQY7V8AzcRRrYUpWCO7+mPuR6mrL47ZP3UH9/1Lx0cIv4Qs
	CCT3G8usN94pCCSKAXLLeCLYtBoul5YUtIe2Zua8EbK3zY7C/hEz94gh8jkmBA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1661310501; a=rsa-sha256; cv=none;
	b=Nht6LIUwK1SNsUZAXcWrQ+WYHGTX+MlBQBw9tsQc3au2YW8UdHuxZ2sZ1reWEoBC8Yqq+8
	1ae1cMQtBme6wfXOYLYDqHi+NOgFCf9oYwQplGuWgD7EiIxrTpVbVSWk7/JWKtRSh4RidM
	bMxmoD5ht25zY+i3ZNDC0i8WwJulMz5Xug0NTZC/bXATkysMn7lrCGzQfjj5+2WdVxFsYU
	feSTIaFGKcnyEPn49SMSgX3nWhcIB0XzOxtuZxhBiMDBa4LDAQ+PL/uhULCXP7nxD0wuyu
	ousA99XIfxHf2XDym9yRfjWe9ugdT9pOAaJVdOfC5QlRoO2gmgXfjZv4L5uEew==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=philipmcgrath.com header.s=fm1 header.b="Z ttVBQS";
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm1 header.b=MDdWMd4B;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Spam-Score: 2.30
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=philipmcgrath.com header.s=fm1 header.b="Z ttVBQS";
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm1 header.b=MDdWMd4B;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Queue-Id: 3F73C13A69
X-Spam-Score: 2.30
X-Migadu-Scanner: scn1.migadu.com
X-TUID: i0UZe+R8O7fQ

On Sun, Aug 21, 2022, at 4:46 AM, Josselin Poiret wrote:
> Hi Antonio,
>
> Antonio Carlos Padoan Junior <acpadoanjr@yahoo.com.br> writes:
>
>> As far as I understand, Guix doesn't provide means to automatically sign
>> bootloaders and kernels in order to use UEFI secure boot after each system
>> reconfigure (assuming a PKI is properly implemented).  Hence, using
>> secure boot with Guix is currently not viable (am i correct?).
>
> You're right, we don't really have any means to do that.  It would have
> to be done outside of the store, again, so that the private key doesn't
> leak into it.
>

I could imagine a process like this:

 1. Build the binary that needs to be signed.
 2. Outside of the Guix build environment, create a detached signature
    for the binary using your secret key.
 3. Add the detached signature to the Guix store, perhaps with 'local-file'.
 4. Use Guix to attach the signature to the built binary.
 5. Use the signed binary in your operating-system configuration.

IIUC, executables that run in the UEFI environment need "secure boot" signatures to be attached, but you may be able to use detached signatures directly for other things that they want to verify by means other than "secure boot".

I expect the things that need to be signed are small, build reproducibly, and change rarely, which might make this especially practical.

-Philip