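;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2024 Lilah Tascheter
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <https://www.gnu.org/licenses/>.

(define-module (gnu bootloader uki)
  #:use-module (gnu bootloader)
  #:use-module (gnu packages bootloaders)
  #:use-module (gnu packages efi)
  #:use-module (gnu packages linux)
  #:use-module (gnu system boot)
  #:use-module (guix gexp)
  #:use-module (guix diagnostics)
  #:use-module (guix i18n)
  #:use-module (guix records)
  #:use-module (ice-9 match)
  #:export (uki-efi-bootloader))

;;; Commentary:
;;;
;;; An EFI bootloader that turns every menu entry into a Unified Kernel
;;; Image (UKI): kernel, initrd, command line and stub are bundled into a
;;; single EFI binary via 'ukify', optionally Secure Boot signed.  Entries
;;; with a chain-loader are signed (or copied) as-is with sbsigntools.  All
;;; image building happens at install time, not in the store (see the
;;; comment above 'install-uki').
;;;
;;; Code:

;; TODO: Support 32bit/mixed-mode UEFI.  May be relevant:
;; https://github.com/systemd/systemd/issues/17056

(define (menu-entry+bootcfg->builder entry bootcfg)
  "Return a gexp that evaluates to a one-argument procedure.  When called
with a destination file name DEST at install time, that procedure writes the
EFI binary for the menu entry ENTRY there, following the settings of the
bootloader configuration BOOTCFG: '32bit?' picks the stub/EFI architecture,
'theme' an optional splash image and 'keypair' an optional Secure Boot
certificate/key pair given as a two-element list (CERT KEY).  Multiboot
entries are rejected via 'leave'.

CERT and KEY are presumably plain file name strings living outside the
store; passing file-like objects (e.g. 'local-file') here would copy the
private key into the store -- TODO confirm callers only ever pass strings."
  (match-menu-entry entry (label linux linux-arguments initrd chain-loader)
    (match-bootloader-configuration bootcfg (32bit? theme keypair)
      (cond
       ;; Support chainloader in order to allow arbitrary signed EFI
       ;; binaries.
       (chain-loader
        (match keypair
          ((cert key)
           #~(lambda (dest)
               ;; 'file-append' as in the ukify branch below; the package
               ;; is a native input since it runs on the installing host.
               (invoke/quiet #+(file-append sbsigntools "/bin/sbsign")
                             "--cert" #$cert "--key" #$key
                             "--output" dest #$chain-loader)
               ;; Check the freshly written signature against CERT before
               ;; declaring the entry installed; 'invoke/quiet' raises on a
               ;; non-zero exit status.
               (invoke/quiet #+(file-append sbsigntools "/bin/sbverify")
                             "--cert" #$cert dest)))
          (#f
           ;; No key pair: install the (presumably pre-signed) binary as-is.
           #~(lambda (dest)
               (copy-file #$chain-loader dest)))))
       (linux
        (let* ((arch (efi-arch #:32? 32bit?))
               (stub (file-append systemd-stub
                                  "/libexec/linux" arch ".efi.stub")))
          #~(lambda (dest)
              (invoke/quiet #+(file-append ukify "/bin/ukify") "build"
                            "--output" dest
                            "--linux" #$linux
                            "--initrd" #$initrd
                            ;; The kernel command line is embedded in the
                            ;; image, so it is covered by the signature
                            ;; below rather than editable at boot.
                            "--cmdline" (string-join (list #$@linux-arguments))
                            ;; NOTE(review): ukify presumably reads a value
                            ;; starting with '@' as a file name; a LABEL
                            ;; beginning with '@' would be misread -- confirm.
                            "--os-release" #$label
                            "--stub" #$stub
                            "--efi-arch" #$arch
                            #$@(if theme
                                   #~("--splash" #$theme)
                                   '())
                            ;; NOTE(review): unlike the chain-loader branch,
                            ;; the signed UKI is not re-checked with
                            ;; sbverify here; consider adding that step.
                            #$@(match keypair
                                 ((cert key)
                                  #~("--secureboot-certificate" #$cert
                                     "--secureboot-private-key" #$key))
                                 (#f '()))))))
       (else
        (leave (G_ "uki-efi-bootloader doesn't support multiboot")))))))

;; We cannot use Guix's build system to make UKI images for two reasons:
;; 1. signing is necessarily non-reproducible, especially since keys
;;    should not be in the store, or else risk being publicly accessible.
;; 2. Menu-entries may reference files which do not exist in the store.
(define* (install-uki #:key bootloader-config current-boot-alternative
                      old-boot-alternatives #:allow-other-keys)
  "Installer procedure of 'uki-efi-bootloader'.  Build one plan per EFI
binary to install -- the current boot alternative first, then the
user-supplied menu entries of BOOTLOADER-CONFIG, then OLD-BOOT-ALTERNATIVES
-- and hand the resulting gexp list to 'install-efi'.  Each plan is the
improper list (BUILDER FILE-NAME . LABEL), where BUILDER is the gexp
procedure from 'menu-entry+bootcfg->builder' and FILE-NAME the base name
of the image inside the target directory."
  (define* (menu-entry->plan entry num #:optional (prefix "menu-entry"))
    ;; 'cons*' with three arguments yields (BUILDER FILE-NAME . LABEL).
    #~(cons* #$(menu-entry+bootcfg->builder entry bootloader-config)
             #$(string-append prefix "-" (number->string num) ".efi")
             #$(menu-entry-label entry)))

  (define (boot-alternative->plan alt)
    ;; Generations are named after their number rather than their position.
    (menu-entry->plan (boot-alternative->menu-entry alt)
                      (boot-alternative-generation alt)
                      "generation"))

  (install-efi bootloader-config
               (let ((entries (bootloader-configuration-menu-entries
                               bootloader-config)))
                 #~(list #$(boot-alternative->plan current-boot-alternative)
                         ;; Plain menu entries are numbered from 0 in
                         ;; configuration order.
                         #$@(map menu-entry->plan entries
                                 (iota (length entries)))
                         #$@(map boot-alternative->plan
                                 old-boot-alternatives)))))

(define uki-efi-bootloader
  ;; Installs every entry as a separate EFI binary under EFI/Guix on the
  ;; ESP, using the vendor-directory target type.
  (bootloader
   (name 'uki-efi)
   (default-targets (list (bootloader-target
                           (type 'vendir)
                           (offset 'esp)
                           (path "EFI/Guix"))))
   (installer install-uki)))

;;; uki.scm ends here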