From: Hilton Chain via Guix-patches
To: Lilah Tascheter
Cc: Vagrant Cascadian, 68524@debbugs.gnu.org, Herman Rimm, Efraim Flashner
Subject: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Date: Mon, 12 Feb 2024 02:39:22 +0800
Message-ID: <87a5o6n8v9.wl-hako@ultrarare.space>
In-Reply-To: <22f2967a552454baade056c60a37c02e36a048a5.1706435500.git.lilah@lunabee.space>

Hi Lilah,

On Sun, 28 Jan 2024 17:51:41 +0800,
Lilah Tascheter via Guix-patches wrote:
>
> * doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
> uefi-uki-bootloader and uefi-uki-signed-bootloader.
> (Keyboard Layout, Networking, and Partitioning)[Disk Partitioning]:
> Note use of uefi-uki-bootloader and uefi-uki-signed-bootloader.
> * gnu/bootloader/uki.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm.
>
> Change-Id: I2097da9f3dd35137b3419f6d0545de26d53cb6da
> ---
>  doc/guix.texi          |  45 ++++++++++----
>  gnu/bootloader/uki.scm | 129 +++++++++++++++++++++++++++++++++++++++++
>  gnu/local.mk           |   1 +
>  3 files changed, 163 insertions(+), 12 deletions(-)
>  create mode 100644 gnu/bootloader/uki.scm
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index c458befb76..30fd5d022b 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -2723,12 +2723,13 @@ Keyboard Layout and Networking and Partitioning > for @command{cryptsetup luksFormat}. You can check which key derivation > function is being used by a device by running @command{cryptsetup > luksDump @var{device}}, and looking for the PBKDF field of your > -keyslots. > +keyslots. UEFI stub bootloaders, such as @code{uefi-uki-bootloader}, can > +however use the default, more secure key derivation function. > @end quotation > > -Assuming you want to store the root partition on @file{/dev/sda2}, the > -command sequence to format it as a LUKS2 partition would be along these > -lines: > +Assuming you want to store the root partition on @file{/dev/sda2} and us= e GRUB > +as your bootloader, the command sequence to format it as a LUKS2 partiti= on would > +be along these lines: > > @example > cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2 > @@ -41136,8 +41137,9 @@ Bootloader Configuration > The bootloader to use, as a @code{bootloader} object. For now > @code{grub-bootloader}, @code{grub-efi-bootloader}, > @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader}, > -@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader} > -and @code{u-boot-bootloader} are supported. > +@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}, > +@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and > +@code{uefi-uki-signed-bootloader} are supported. > > @cindex ARM, bootloaders > @cindex AArch64, bootloaders 
> @@ -41244,6 +41246,25 @@ Bootloader Configuration > unbootable. > @end quotation > > +@vindex uefi-uki-bootloader > +@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, w= ithout > +an intermediary like GRUB. The main practical advantage of this is allow= ing > +root/store encryption without an extra GRUB password entry and slow decr= yption > +step. > + > +@vindex uefi-uki-signed-bootloader > +@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, ex= cept > +that it is a procedure that returns a bootloader compatible with UEFI se= cure > +boot. You must provide it with two paths: an out-of-store secure boot db > +certificate (in PEM format), and out-of-store db key, in that order. Please add two spaces between sentences, e.g. "Sentence 1. Sentence 2". I think "out-of-store" is not necessary here. :) > + > +@quotation Warning > +When using @code{uefi-uki-bootloader} or @code{uefi-uki-signed-bootloade= r}, > +@emph{do not} turn off your computer if a system reconfigure failed at > +installing the bootloader. Until bootloader installation succeeds, your= system > +is in an unbootable state. > +@end quotation > + > @item @code{targets} > This is a list of strings denoting the targets onto which to install the > bootloader. 
> @@ -41252,12 +41273,12 @@ Bootloader Configuration > For @code{grub-bootloader}, for example, they should be device names > understood by the bootloader @command{installer} command, such as > @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub, > -GNU GRUB Manual}). For @code{grub-efi-bootloader} and > -@code{grub-efi-removable-bootloader} they should be mount > -points of the EFI file system, usually @file{/boot/efi}. For > -@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount > -points corresponding to TFTP root directories served by your TFTP > -server. > +GNU GRUB Manual}). For @code{grub-efi-bootloader}, > +@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and > +@code{uefi-uki-signed-bootloader}, they should be mount points of the EF= I file > +system, usually @file{/boot/efi}. For @code{grub-efi-netboot-bootloader= }, > +@code{targets} should be the mount points corresponding to TFTP root dir= ectories > +served by your TFTP server. > > @item @code{menu-entries} (default: @code{'()}) > A possibly empty list of @code{menu-entry} objects (see below), denoting > diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm > new file mode 100644 > index 0000000000..0ef62295d6 > --- /dev/null > +++ b/gnu/bootloader/uki.scm 
> @@ -0,0 +1,129 @@ > +;;; GNU Guix --- Functional package management for GNU > +;;; Copyright =A9 2024 Lilah Tascheter > +;;; > +;;; This file is part of GNU Guix. > +;;; > +;;; GNU Guix is free software; you can redistribute it and/or modify it > +;;; under the terms of the GNU General Public License as published by > +;;; the Free Software Foundation; either version 3 of the License, or (at > +;;; your option) any later version. > +;;; > +;;; GNU Guix is distributed in the hope that it will be useful, but > +;;; WITHOUT ANY WARRANTY; without even the implied warranty of > +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +;;; GNU General Public License for more details. > +;;; > +;;; You should have received a copy of the GNU General Public License > +;;; along with GNU Guix. If not, see . > + > +(define-module (gnu bootloader uki) > + #:use-module (gnu bootloader) > + #:use-module (gnu packages bootloaders) > + #:use-module (gnu packages efi) > + #:use-module (gnu packages linux) > + #:use-module (guix gexp) > + #:use-module (guix modules) > + #:use-module (srfi srfi-1) > + #:export (uefi-uki-bootloader uefi-uki-signed-bootloader)) > + > +;; config generator makes script creating uki images > +;; install runs script > +;; install device is path to uefi dir > +(define vendor "Guix") > +(define script-loc "/boot/install-uki.scm") > + > +(define* (uefi-uki-configuration-file #:optional cert privkey) > + (lambda* (config entries #:key (old-entries '()) #:allow-other-keys) > + > + (define (menu-entry->args e)

I'd prefer using ‘entry’ instead of ‘e’, same for some other nonobvious abbreviations.

> + (let* ((boot (bootloader-configuration-bootloader config)) > + (stub (bootloader-package boot))) > + #~(list "--os-release" #$(menu-entry-label e) > + "--linux" #$(menu-entry-linux e) "--initrd" #$(menu-entry-in= itrd e) > + "--cmdline" (string-join (list #$@(menu-entry-linux-argument= s e))) > + "--stub" #$(file-append stub "/libexec/" (systemd-stub-name)) > + #$@(if cert #~("--secureboot-certificate" #$cert) #~()) > + #$@(if privkey #~("--secureboot-private-key" #$privkey) #~()= )))) > + > + (define (enum-filenames . args) ; same args as iota > + (map (lambda (n) (string-append (number->string n) ".efi")) > + (apply iota (map length args))))

"Same args as iota" doesn't explain the procedure, it actually accepts lists instead of numbers, and only the first two lists are intended to be used, right? I'd suggest just having two arguments with more descriptive names.

> + > + (program-file "install-uki" > + (with-imported-modules (source-module-closure '((guix build syscal= ls) > + (guix build utils)= )) > + #~(let* ((target (cadr (command-line))) > + (vendir (string-append target "/EFI/" #$vendor)) > + (schema (string-append vendir "/boot.mgr")) > + (findmnt #$(file-append util-linux "/bin/findmnt")) > + (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr= "))) > + (use-modules (guix build syscalls) (guix build utils) > + (ice-9 popen) (ice-9 textual-ports)) > + > + (define (out name) (string-append vendir "/" name)) > + (define disk > + (call-with-port > + (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" targ= et) > + (lambda (port) (get-line port)))) ; only 1 line: the dev= ice

(guix build syscalls) has procedures that can be utilized for this, no need to invoke findmnt.

> + > + ;; delete all boot entries and files we control > + (when (file-exists? schema) > + (call-with-input-file schema > + (lambda (port) > + (for-each (lambda (l) > + (unless (string-null?
l) > + (system* efibootmgr "-B" "-L" l "-q")))

Despite the "-q" option, error messages will still be visible to the user, please use ‘invoke/quiet’ + error handling instead. And I'd prefer long options.

> + (string-split (get-string-all port) #\lf)))))

‘#\newline’ is preferred over ‘#\lf’ in Guix source.

> + (when (directory-exists? vendir) (delete-file-recursively ve= ndir)) > + (mkdir-p vendir) > + > + (define (install port boot? oos) > + (lambda (args label name) > + (let ((minbytes (* 2 (stat:size (stat #$script-loc))))) > + (put-string port label) > + (put-char port #\lf) > + (force-output port) ; make sure space is alloc'd > + (apply invoke #$(file-append ukify "/bin/ukify")

‘invoke/quiet’ can be used.

> + "build" "-o" (out name) args) > + ;; make sure we have enough space for next install-uki= .scm > + (when (and oos (< (free-disk-space vendir) minbytes)) = (oos)) > + (invoke efibootmgr (if boot? "-c" "-C") "-L" label "-d= " disk > + "-l" (string-append "\\EFI\\" #$vendor "\\" name) "-= q"))))

You're calling the exception handler directly here, it might be better to move the exception handling part into the procedure to avoid this.

> + > + (call-with-output-file schema > + (lambda (port) ; prioritize latest UKIs in limited ESP spa= ce > + (for-each (install port #t #f) > + (list #$@(map-in-order menu-entry->args entries)) > + (list #$@(map-in-order menu-entry-label entries)) > + (list #$@(enum-filenames entries))) > + (for-each ; old-entries can fail (out of space) we don't= care > + (lambda (args label name) > + (define (cleanup . _) ; do exit early if out of spac= e tho > + (when (file-exists?
(out name)) (delete-file (out = name))) > + (exit)) > + (with-exception-handler cleanup > + (lambda _ ((install port #f cleanup) args label na= me)))) > + (list #$@(map-in-order menu-entry->args old-entries)) > + (list #$@(map-in-order menu-entry-label old-entries)) > + (list #$@(enum-filenames old-entries entries))))))))))

These two ‘for-each’ can be merged into one.

> + > +(define install-uefi-uki > + #~(lambda (bootloader target mount-point) > + (invoke (string-append mount-point #$script-loc) > + (string-append mount-point target)))) > + > +(define* (make-uefi-uki-bootloader #:optional cert privkey) > + (bootloader > + (name 'uefi-uki) > + (package systemd-stub) > + (installer install-uefi-uki) > + (disk-image-installer #f) > + (configuration-file script-loc) > + (configuration-file-generator (uefi-uki-configuration-file cert priv= key)))) > + > +;; IMPORTANT NOTE: if bootloader install fails, do not turn off your com= puter! until > +;; install succeeds, your system is unbootable. > +(define uefi-uki-bootloader (make-uefi-uki-bootloader)) > +;; use ukify genkey to generate cert and privkey. DO NOT include in stor= e. > +(define (uefi-uki-signed-bootloader cert privkey) > + (make-uefi-uki-bootloader cert privkey))

They'll have the same bootloader name, making these two bootloaders indistinguishable from boot-parameters.

> diff --git a/gnu/local.mk b/gnu/local.mk > index ab63bd5881..0a15251ddf 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -90,6 +90,7 @@ GNU_SYSTEM_MODULES =3D \ > %D%/bootloader/extlinux.scm \ > %D%/bootloader/u-boot.scm \ > %D%/bootloader/depthcharge.scm \ > + %D%/bootloader/uki.scm \ > %D%/ci.scm \ > %D%/compression.scm \ > %D%/home.scm \ > -- > 2.41.0

I tried to adjust uki.scm before commenting, so here's a paste of my adjusted version, in case some of my comments are not expressed clearly:
https://paste.sr.ht/~hako/62bb15503290273e869520e12466718ebb82e000

Thanks
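Review bot: in the doc/guix.texi hunk at @@ -2723 (the LUKS key-derivation quotation), the new sentence promises that UEFI stub bootloaders such as uefi-uki-bootloader "can however use the default, more secure key derivation function", but the example that follows is now conditioned on GRUB and still shows only "cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2". Add the uefi-uki counterpart, e.g. one sentence stating that with uefi-uki-bootloader or uefi-uki-signed-bootloader the "--pbkdf pbkdf2" option should simply be omitted so the partition keeps cryptsetup's default KDF; otherwise readers who copy the example lose the benefit the paragraph advertises.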
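Review bot: the uefi-uki-signed-bootloader paragraph in the doc/guix.texi hunk at @@ -41244 tells the user to pass "two paths" but does not say what kind of value is acceptable or why it matters, while the real constraint is only visible in the uki.scm comment "use ukify genkey to generate cert and privkey. DO NOT include in store." Document that both arguments must be plain path strings pointing outside the store (not local-file or other file-like objects, which would copy the signing key into the world-readable /gnu/store), that the key only has to be readable by the installer running as root, and move the ukify genkey hint into the manual so the user knows how to produce a suitable db certificate and key.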
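Review bot: in the gnu/bootloader/uki.scm hunk, the generated install-uki script deletes every efibootmgr entry listed in boot.mgr and then runs "(delete-file-recursively vendir)" before a single new UKI has been built, so any failure after that point (a ukify error, an ESP that runs out of space, a crash) leaves no bootable entry at all; this is exactly the window the "IMPORTANT NOTE" comment and the texinfo warning admit to. Build the new UKIs into a staging directory (or under temporary names) first, and only remove the old files and entries once every "ukify build" and "efibootmgr -c" has succeeded, so that a failed reconfigure keeps the previous generation bootable. Two smaller points in the same hunk: "(stat #$script-loc)" inside the script uses the absolute path /boot/install-uki.scm, whereas install-uefi-uki invokes the script as "(string-append mount-point #$script-loc)", so when the mount point is not "/" (first installation from the installer) the stat looks at the wrong filesystem and may raise; pass the script path or the mount point as an extra command-line argument instead. And the cleanup handler installed with with-exception-handler for the old-entries loop catches every exception, not just the out-of-space case the comment describes, and then calls "(exit)" with a success status, so a failing ukify or efibootmgr on an old entry is silently reported as success; exit non-zero for anything other than the out-of-space condition, which the oos check already detects explicitly.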