;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2024 Lilah Tascheter <lilah@lunabee.space>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
;; Bootloader that installs Unified Kernel Images (UKIs) on the EFI System
;; Partition: every menu entry becomes one .efi binary, either built with
;; 'ukify' from the kernel/initrd or copied (and optionally signed) from a
;; chain-loader binary.
(define-module (gnu bootloader uki)
  #:use-module (gnu bootloader)
  #:use-module (gnu packages bootloaders)
  #:use-module (gnu packages efi)
  #:use-module (gnu packages linux)
  #:use-module (gnu system boot)
  #:use-module (guix gexp)
  #:use-module (guix diagnostics)
  #:use-module (guix i18n)
  #:use-module (guix records)
  #:export (uki-efi-bootloader))
;; TODO: support 32bit/mixed-mode UEFI.
;; https://github.com/systemd/systemd/issues/17056 may be relevant
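(define bootcfg->menu-entry->builder
  ;; Given a <bootloader-configuration>, return a procedure that maps a
  ;; <menu-entry> to a gexp'd one-argument procedure writing that entry's EFI
  ;; binary to DEST on the build side.  KEYPAIR, when set, is a
  ;; (CERTIFICATE . PRIVATE-KEY) pair used for Secure Boot signing
  ;; (presumably plain file names kept outside the store -- see the note on
  ;; reproducibility below); THEME is an optional splash image; 32BIT?
  ;; selects the EFI architecture of the stub.
  (match-record-lambda <bootloader-configuration> (32bit? theme keypair)
    (match-record-lambda <menu-entry>
        (label linux linux-arguments initrd chain-loader)
      ;; Support chain-loading so that arbitrary (signed) EFI binaries can be
      ;; booted through this bootloader.
      (cond
       ((and chain-loader keypair)
        ;; Sign the binary, then verify the result against the same
        ;; certificate so that a broken signing setup fails at install time
        ;; rather than at boot.
        #~(lambda (dest)
            (invoke/quiet #+(sbsigntools "/bin/sbsign")
                          "--cert" #$(car keypair) "--key" #$(cdr keypair)
                          "--output" dest #$chain-loader)
            (invoke/quiet #+(sbsigntools "/bin/sbverify")
                          "--cert" #$(car keypair) dest)))
       (chain-loader
        ;; Unsigned chain-loader: install it verbatim.
        #~(lambda (dest) (copy-file #$chain-loader dest)))
       (linux
        (let* ((arch (efi-arch #:32? 32bit?))
               (stub (file-append systemd-stub
                                  "/libexec/linux" arch ".efi.stub")))
          #~(lambda (dest)
              (invoke/quiet #+(file-append ukify "/bin/ukify")
                            "build" "--output" dest
                            "--linux" #$linux "--initrd" #$initrd
                            "--cmdline" (string-join (list #$@linux-arguments))
                            "--os-release" #$label "--stub" #$stub
                            "--efi-arch" #$arch
                            #$@(if theme #~("--splash" #$theme) '())
                            #$@(if keypair
                                   #~("--secureboot-certificate" #$(car keypair)
                                      "--secureboot-private-key" #$(cdr keypair))
                                   '()))
              ;; Verify the freshly signed UKI with the same certificate, as
              ;; is done for signed chain-loaders above, so that a signing
              ;; failure is caught before the image is deployed.
              #$@(if keypair
                     #~((invoke/quiet #+(sbsigntools "/bin/sbverify")
                                      "--cert" #$(car keypair) dest))
                     '()))))
       (else
        (leave (G_ "uki-efi-bootloader doesn't support multiboot")))))))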
;; We cannot use Guix's build system to make UKI images, for two reasons:
;; 1. signing is necessarily non-reproducible, especially since keys should not
;;    be in the store, or else they risk being publicly accessible.
;; 2. menu-entries may reference files which do not exist in the store.
(define* (install-uki #:key bootloader-config
                      current-boot-alternative
                      old-boot-alternatives
                      #:allow-other-keys)
  "Install the UKIs described by BOOTLOADER-CONFIG: one image for
CURRENT-BOOT-ALTERNATIVE, one per explicit menu entry of the configuration,
and one per entry of OLD-BOOT-ALTERNATIVES.  Each image is described to
'install-efi' (defined outside this file) as a (cons* BUILDER FILE-NAME LABEL)
plan, where BUILDER is the gexp'd procedure returned by
'bootcfg->menu-entry->builder'."
  (define entry->builder
    (bootcfg->menu-entry->builder bootloader-config))

  (define* (plan-for entry index #:optional (prefix "menu-entry"))
    ;; The image for ENTRY is named PREFIX-INDEX.efi.
    (let ((file-name (string-append prefix "-" (number->string index) ".efi")))
      #~(cons* #$(entry->builder entry)
               #$file-name
               #$(menu-entry-label entry))))

  (define (alternative->plan alternative)
    ;; System generations are numbered by their generation number rather
    ;; than by their position in the list.
    (plan-for (boot-alternative->menu-entry alternative)
              (boot-alternative-generation alternative)
              "generation"))

  (let* ((entries (bootloader-configuration-menu-entries bootloader-config))
         (indices (iota (length entries))))
    (install-efi bootloader-config
                 #~(list #$(alternative->plan current-boot-alternative)
                         #$@(map plan-for entries indices)
                         #$@(map alternative->plan old-boot-alternatives)))))
;; The UKI bootloader record.  By default it installs into the EFI/Guix
;; vendor directory on the EFI System Partition, using 'install-uki' above as
;; its installer.
(define uki-efi-bootloader
  (let ((esp-vendor-dir (bootloader-target
                         (type 'vendir)
                         (offset 'esp)
                         (path "EFI/Guix"))))
    (bootloader
     (installer install-uki)
     (default-targets (list esp-vendor-dir))
     (name 'uki-efi))))