Subject: [bug#68526] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
From: Lilah Tascheter via Guix-patches <guix-patches@gnu.org>
Reply-To: Lilah Tascheter <lilah@lunabee.space>
Resent-From: Lilah Tascheter <lilah@lunabee.space>
Resent-CC: guix-patches@gnu.org
To: 68526@debbugs.gnu.org
Cc: Lilah Tascheter <lilah@lunabee.space>
Date: Tue, 16 Jan 2024 22:23:04 -0600
Message-ID: <8cad5fa9951dad5f663ca5d441db0ffc181e35fe.1705465384.git.lilah@lunabee.space>
In-Reply-To: <cover.1705465384.git.lilah@lunabee.space>
References: <cover.1705465384.git.lilah@lunabee.space>
List-Id: <guix-patches.gnu.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
  uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.

Change-Id: Ie30ef47ea026889727a050131a9b3c0555aa4c21
---
 doc/guix.texi          |  35 ++++++++++----
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index a66005ee9d..3029740f45 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40881,8 +40881,9 @@ Bootloader Configuration
 The bootloader to use, as a @code{bootloader} object.  For now
 @code{grub-bootloader}, @code{grub-efi-bootloader},
 @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
-@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
-and @code{u-boot-bootloader} are supported.
+@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
+@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader} are supported.
=20
 @cindex ARM, bootloaders
 @cindex AArch64, bootloaders
@@ -40989,6 +40990,24 @@ Bootloader Configuration
 unbootable.
 @end quotation
=20
+@vindex uefi-uki-bootloader
+@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, wit=
hout
+an intermediary like GRUB. The main practical advantage of this is allowin=
g
+root/store encryption without an extra GRUB password entry and slow decryp=
tion
+step.
+
+@vindex uefi-uki-signed-bootloader
+@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, exce=
pt
+that it is a procedure that returns a bootloader compatible with UEFI secu=
re
+boot. You must provide it with two paths, to an out-of-store secure boot d=
b
+certificate, and key, in that order.
+
+@quotation Note
+This bootloader @emph{does not} support booting from any old system genera=
tion.
+You will also need enough space in your EFI System partition to store your
+kernel and initramfs, though this likely won't be an issue.
+@end quotation
+
 @item @code{targets}
 This is a list of strings denoting the targets onto which to install the
 bootloader.
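Review bot: the new @vindex uefi-uki-bootloader paragraph should say up front that this variant produces an unsigned UKI and therefore will not boot on firmware with UEFI Secure Boot enforcing; as written, a reader only learns that by noticing the signed variant is described as "compatible with UEFI secure boot". In the uefi-uki-signed-bootloader paragraph, spell out what "secure boot db certificate, and key" implies in practice: the certificate has to be enrolled in the firmware's db, and the key is read by the install script at reconfigure time, so it must be readable by root and (as the sentence already says) kept out of the store. Also "a linux kernel" should read "a Linux kernel".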
@@ -40997,12 +41016,12 @@ Bootloader Configuration
 For @code{grub-bootloader}, for example, they should be device names
 understood by the bootloader @command{installer} command, such as
 @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
-GNU GRUB Manual}).  For @code{grub-efi-bootloader} and
-@code{grub-efi-removable-bootloader} they should be mount
-points of the EFI file system, usually @file{/boot/efi}.  For
-@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
-points corresponding to TFTP root directories served by your TFTP
-server.
+GNU GRUB Manual}).  For @code{grub-efi-bootloader},
+@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI =
file
+system, usually @file{/boot/efi}.  For @code{grub-efi-netboot-bootloader},
+@code{targets} should be the mount points corresponding to TFTP root direc=
tories
+served by your TFTP server.
=20
 @item @code{menu-entries} (default: @code{'()})
 A possibly empty list of @code{menu-entry} objects (see below), denoting
diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
new file mode 100644
index 0000000000..3131bae3d7
--- /dev/null
+++ b/gnu/bootloader/uki.scm
@@ -0,0 +1,106 @@
+;;; GNU Guix --- Functional package management for GNU
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu bootloader uki)
+  #:use-module (gnu bootloader)
+  #:use-module (gnu packages bootloaders)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages linux)
+  #:use-module (guix gexp)
+  #:use-module (guix modules))
+
+;; config generator makes script creating uki images
+;; install runs script
+;; install device is path to uefi dir
+
+(define* (uefi-uki-configuration-file #:optional cert privkey)
+  (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)
+
+    (define (menu-entry->uki e)
+      (define stub (file-append systemd-stub "/libexec/" (systemd-stub-nam=
e)))
+      (computed-file "uki.efi"
+        (with-imported-modules (source-module-closure '((guix build utils)=
))
+          #~(let ((args (list #$@(menu-entry-linux-arguments e))))
+              (use-modules (guix build utils))
+              (invoke #$(file-append ukify "/bin/ukify") "build"
+                "--linux" #$(menu-entry-linux e)
+                "--initrd" #$(menu-entry-initrd e)
+                "--os-release" #$(menu-entry-label e)
+                "--cmdline" (string-join args)
+                "--stub" #$stub
+                "-o" #$output)))))
+
+    (program-file "install-uki"
+      (with-imported-modules (source-module-closure '((guix build utils)))
+        #~(let* ((target (cadr (command-line)))
+                 (vendir (string-append target "/EFI/Guix"))
+                 (schema (string-append vendir "/boot.mgr"))
+                 (findmnt #$(file-append util-linux "/bin/findmnt"))
+                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")=
))
+            (use-modules (guix build utils) (ice-9 popen) (ice-9 textual-p=
orts))
+
+            (define disk
+              (call-with-port
+                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target=
)
+                (lambda (port) (get-line port)))) ; only 1 line: the devic=
e
+
+            (when (file-exists? schema)
+              (call-with-input-file schema
+                (lambda (port)
+                  (for-each (lambda (l)
+                              (unless (string-null? l)
+                                (system* efibootmgr "-B" "-L" l)))
+                    (string-split (get-string-all port) #\lf)))))
+            (when (directory-exists? vendir) (delete-file-recursively vend=
ir))
+
+            (mkdir-p vendir)
+            (call-with-output-file schema
+              (lambda (port)
+                (for-each (lambda (uki label)
+                            (let* ((base (basename uki))
+                                   (out (string-append vendir "/" base)))
+                              #$(if cert ; sign here so we can access root=
 certs
+                                  #~(invoke
+                                      #$(file-append sbsigntools "/bin/sbs=
ign")
+                                      "--cert" #$cert "--key" #$privkey
+                                      "--output" out uki)
+                                  #~(copy-file uki out))
+                              (invoke efibootmgr "-c" "-L" label "-d" disk=
 "-l"
+                                (string-append "\\EFI\\Guix\\" base))
+                              (put-string port label)
+                              (put-char port #\lf)))
+                  (list #$@(map-in-order menu-entry->uki entries))
+                  (list #$@(map-in-order menu-entry-label entries)))))))))=
)
+
+(define install-uefi-uki
+  #~(lambda (bootloader target mount-point)
+      (invoke (string-append mount-point "/boot/install-uki.scm")
+              (string-append mount-point target))))
+
+(define* (make-uefi-uki-bootloader #:optional cert privkey)
+  (bootloader
+    (name 'uefi-uki)
+    (package systemd-stub)
+    (installer install-uefi-uki)
+    (disk-image-installer #f)
+    (configuration-file "/boot/install-uki.scm")
+    (configuration-file-generator (uefi-uki-configuration-file cert privke=
y))))
+
+(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
+;; use ukify genkey to generate cert and privkey. DO NOT include in store.
+(define-public (uefi-uki-signed-bootloader cert privkey)
+  (make-uefi-uki-bootloader cert privkey))
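Review bot: the stale-entry cleanup in the install script does not remove anything: efibootmgr's -B deletes the entry number supplied with -b and does not select entries by -L label, so `(system* efibootmgr "-B" "-L" l)` fails, and because system*'s exit status is discarded the failure is silent; every reconfigure then adds another Boot#### entry with -c and leaves the previous ones behind. Record the boot numbers of the entries this script creates in boot.mgr (or look the label up in efibootmgr's output) and delete with `-b NNNN -B`, checking the return value. Smaller points in the same hunk: the keyword in `(lambda* (config entries #:key (old-entires '()) #:allow-other-keys)` is misspelled, and since old entries are deliberately ignored a comment should say so, matching the manual note; `disk` comes from `findmnt -o SOURCE`, which is the partition device, while efibootmgr's -d/-p take the disk and partition number separately, so please verify that passing the partition device as -d yields the intended device path or split it before the call; and `delete-file-recursively` on `vendir` runs before the new images are signed and copied, so a failing `sbsign` leaves the ESP with no Guix images at all, which argues for writing into a temporary directory and renaming once everything succeeded.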
--=20
2.41.0