unofficial mirror of guix-patches@gnu.org 
* [bug#68524] [PATCH 0/2] Support root encryption and secure boot.
@ 2024-01-17  4:23 Lilah Tascheter via Guix-patches
  2024-01-17  4:23 ` [bug#68525] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
                   ` (7 more replies)
  0 siblings, 8 replies; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-01-17  4:23 UTC (permalink / raw)
  To: 68524; +Cc: Lilah Tascheter

Primarily adds a new bootloader, uefi-uki-bootloader, and an auxiliary form,
uefi-uki-signed-bootloader. These use isolated fragments of the systemd project
(particularly the systemd-stub UEFI stub and supporting ukify tool) to install
combined kernel/arguments/initrd images to the EFI system partition. The
built-in UEFI boot manager can then deal with boot selection. While this does
require copying files from the store to the partition, it makes up for it in two
important ways:

1. Proper encrypted root support! GRUB is really fucking slow at decrypting the
store in my experience, and it's annoying to have to enter in the root password
twice. Since the kernel is loaded directly from the system partition, the first,
and only, LUKS password entry is in the initrd. Also wholly bypasses GRUB not
supporting LUKS2 (or, at least, having bad issues with it on Guix).

2. Secure boot support! It's set up assuming the user has already created the
necessary keys (typically, in /root, as they should only be root-accessible).
Passing the paths to the db cert and key to uefi-uki-signed-bootloader will then
automatically sign the entire bootloader image. In combination with root
encryption, assuming a functioning motherboard UEFI installation, this should
fully secure Guix's boot chain.

This is ported from my personal channel, so uefi-uki-bootloader has been tested
for months. The main drawback is lack of kernel generation rollback in the case
of a botched upgrade, so I've been keeping around a manually-copied backup uki
image, but I haven't had any troubles with it so far. I have just verified
uefi-uki-signed-bootloader properly functions and boots in secure boot user
mode.

All in-system testing has been done on my channel, so the porting process may
have had issues, but I did make sure the added packages compile, and there
aren't any miscopies.

No clue how this works on non-x64 systems. I don't think there are enough ARM UEFI
systems in existence for it to matter that much anyway.

Thanks!

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  35 +++++++++---
 gnu/bootloader/uki.scm       | 106 +++++++++++++++++++++++++++++++++++
 gnu/packages/bootloaders.scm |  94 +++++++++++++++++++++++++++++++
 3 files changed, 227 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm


base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
-- 
2.41.0
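Not part of this patch series, and not Guix or systemd code: an added, stand-alone Python checker for the kind of image uefi-uki-bootloader installs under EFI/Guix. It parses the PE32+ container that a UKI is, pulls out the .cmdline and .sbat payloads, and reports whether a Certificate Table (Authenticode signature) is present, which is the property a firmware in Secure Boot user mode enforces against the enrolled db certificate. The sample image is constructed in memory by build_fake_uki (a minimal PE with placeholder payloads, not bootable); its SBAT rows assume systemd's "systemd.<distro>" entry layout filled in from the stub package's -Dsbat-distro-* flags.

```python
"""Inspect a unified kernel image (UKI) of the kind ukify produces: list its PE
sections, recover the kernel command line and SBAT rows, and report whether it
carries an Authenticode signature. Standard library only."""
import struct

SECURITY_DIRECTORY = 4                   # Certificate Table slot in the data directories
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType used by Authenticode

def parse_uki(data):
    """Return {'machine', 'sections': {name: payload}, 'signed'} for a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ images (x64, aa64 stubs) are handled")
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    cert_off = cert_size = 0
    if ndirs > SECURITY_DIRECTORY:
        # Unlike the other directories, the Certificate Table entry is a file offset.
        cert_off, cert_size = struct.unpack_from("<II", data, opt + 112 + 8 * SECURITY_DIRECTORY)
    signed = False
    if cert_off and cert_size >= 8:
        _length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
        signed = cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA
    sections, shdr = {}, opt + opt_size
    for i in range(nsect):
        off = shdr + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        # VirtualSize is the real payload length; SizeOfRawData is alignment-padded.
        sections[name] = data[raw_ptr:raw_ptr + min(vsize, raw_size)]
    return {"machine": machine, "sections": sections, "signed": signed}

def kernel_cmdline(data):
    """The .cmdline payload as text, trailing NUL removed."""
    return parse_uki(data)["sections"].get(".cmdline", b"").rstrip(b"\0").decode()

def sbat_entries(data):
    """The .sbat CSV as (component, generation, vendor, package, version, url) rows."""
    text = parse_uki(data)["sections"].get(".sbat", b"").rstrip(b"\0").decode()
    return [tuple(line.split(",")) for line in text.splitlines() if line]

def check_uki(data, expect_signed):
    """List what is wrong with the image; an empty list means it passes."""
    info = parse_uki(data)
    problems = ["missing section " + n for n in (".linux", ".initrd", ".cmdline")
                if n not in info["sections"]]
    if ".sbat" not in info["sections"]:
        problems.append("no .sbat section")
    if expect_signed and not info["signed"]:
        problems.append("no Authenticode signature")
    return problems

def build_fake_uki(sections, signed):
    """Minimal, non-bootable PE32+ with the given sections, for offline testing only."""
    align, names = 0x200, list(sections)
    head_len = 64 + 4 + 20 + 240 + 40 * len(names)  # DOS, PE sig, COFF, optional, section table
    raw_start = ptr = -(-head_len // align) * align
    hdrs, body = b"", b""
    for name in names:
        payload = sections[name]
        raw = -(-len(payload) // align) * align
        hdrs += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIII", len(payload), ptr, raw, ptr) + b"\0" * 16
        body += payload.ljust(raw, b"\0")
        ptr += raw
    cert, dirs = b"", [(0, 0)] * 16
    if signed:
        blob = b"\x30\x82\x00\x04\xde\xad\xbe\xef"  # stand-in for the PKCS#7 DER blob
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        dirs[SECURITY_DIRECTORY] = (ptr, len(cert))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 240, 0x2022)
    opt = (struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
           + b"".join(struct.pack("<II", *d) for d in dirs))
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(raw_start, b"\0") + body + cert

# Constructed sample; the SBAT rows assume systemd's "systemd.<distro>" entry
# layout filled with what the stub package's -Dsbat-distro-* flags would yield.
SAMPLE_SECTIONS = {
    ".linux": b"\x7fELF stand-in for the kernel image",
    ".initrd": b"stand-in for the initrd archive",
    ".cmdline": b"root=/dev/mapper/cryptroot ro\0",
    ".sbat": (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
              b"systemd,1,The systemd Developers,systemd,255,https://systemd.io/\n"
              b"systemd.guix,1,Guix System,systemd-stub,255,https://guix.gnu.org\n"),
}

def sample_uki(signed=True):
    return build_fake_uki(SAMPLE_SECTIONS, signed)
```

To inspect a real image, call check_uki(open("/boot/efi/EFI/Guix/<hash>-uki.efi", "rb").read(), expect_signed=True) after guix system reconfigure and before rebooting with Secure Boot enforcing; an empty list means the image is complete and carries a signature. Presence of a certificate table is not proof that the signature chains to the enrolled key, so follow up with sbverify --cert db.crt <image> from sbsigntools.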

* [bug#68525] [PATCH 1/2] gnu: bootloaders: Add uki packages.
  2024-01-17  4:23 [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
@ 2024-01-17  4:23 ` Lilah Tascheter via Guix-patches
  2024-01-17  4:23 ` [bug#68526] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-01-17  4:23 UTC (permalink / raw)
  To: 68525; +Cc: Lilah Tascheter, Efraim Flashner, Vagrant Cascadian

* gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
  (systemd-version, systemd-source, systemd-stub, ukify): New variables.

Change-Id: Ie27bdcbf2c03e895956295f94f280c304393ce8d
---
 gnu/packages/bootloaders.scm | 94 ++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index c73a0e665d..32cbb4e704 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -46,11 +46,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cross-base)
   #:use-module (gnu packages disk)
+  #:use-module (gnu packages efi)
   #:use-module (gnu packages firmware)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages gperf)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages man)
   #:use-module (gnu packages mtools)
@@ -71,11 +73,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages valgrind)
   #:use-module (gnu packages virtualization)
   #:use-module (gnu packages xorg)
+  #:use-module (gnu packages python-crypto)
   #:use-module (gnu packages python-web)
   #:use-module (gnu packages python-xyz)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system pyproject)
+  #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
   #:use-module (guix download)
   #:use-module (guix gexp)
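Review bot: the new `(guix build-system python)` import exists only to give ukify the legacy `python-build-system`, whose build, check and install phases the package then replaces wholesale (see the ukify definition later in this patch); `copy-build-system` with an `#:install-plan` for `src/ukify/ukify.py`, keeping the same `wrap-program` phase, would express the intent without depending on a build system Guix is moving away from.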
@@ -632,6 +636,96 @@ (define-public syslinux
                      ;; Also contains:
                      license:expat license:isc license:zlib)))))
 
+(define systemd-version "255")
+(define systemd-source
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+           (url "https://github.com/systemd/systemd")
+           (commit (string-append "v" systemd-version))))
+    (file-name (git-file-name "systemd" systemd-version))
+    (sha256
+      (base32
+        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
+
+(define-public (systemd-stub-name)
+  (let ((arch (cond ((target-x86-32?) "ia32")
+                ((target-x86-64?) "x64")
+                ((target-arm32?) "arm")
+                ((target-aarch64?) "aa64")
+                ((target-riscv64?) "riscv64"))))
+    (string-append "linux" arch ".efi.stub")))
+
+(define-public systemd-stub
+  (package
+    (name "systemd-stub")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system meson-build-system)
+    (arguments
+      (list
+        #:configure-flags
+        `(list "-Defi=true" "-Dsbat-distro=guix"
+               "-Dsbat-distro-generation=1" ; package revision!
+               "-Dsbat-distro-summary=Guix System"
+               "-Dsbat-distro-url=https://guix.gnu.org"
+               ,(string-append "-Dsbat-distro-pkgname=" name)
+               ,(string-append "-Dsbat-distro-version=" version))
+        #:phases
+        #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name))))
+            (modify-phases %standard-phases
+              (replace 'build
+                (lambda* (#:key parallel-build? #:allow-other-keys)
+                  (invoke "ninja" stub
+                    "-j" (if parallel-build?
+                           (number->string (parallel-job-count)) "1"))))
+              (replace 'install
+                (lambda _
+                  (install-file stub (string-append #$output "/libexec"))))
+              (delete 'check)))))
+    (inputs (list libcap python-pyelftools `(,util-linux "lib")))
+    (native-inputs (list gperf pkg-config python-3 python-jinja2))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI stub")
+    (description "Simple UEFi boot stub that loads a conjoined kernel image and
+supporting data to their proper locations, before chainloading to the kernel.
+Supports measured and/or verified boot environments.")
+    (license license:lgpl2.1+)))
+
+(define-public ukify
+  (package
+    (name "ukify")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system python-build-system)
+    (arguments
+      (list #:phases
+            #~(modify-phases %standard-phases
+                (replace 'build
+                  (lambda _
+                    (substitute* "src/ukify/ukify.py" ; added in python 3.11
+                      (("datetime\\.UTC") "datetime.timezone.utc"))))
+                (delete 'check)
+                (replace 'install
+                  (lambda* (#:key inputs #:allow-other-keys)
+                    (let* ((bin (string-append #$output "/bin"))
+                           (file (string-append bin "/ukify"))
+                           (binutils (assoc-ref inputs "binutils"))
+                           (sbsign (assoc-ref inputs "sbsigntools")))
+                      (mkdir-p bin)
+                      (copy-file "src/ukify/ukify.py" file)
+                      (wrap-program file
+                        `("PATH" ":" prefix
+                          (,(string-append binutils "/bin")
+                           ,(string-append sbsign "/bin"))))))))))
+    (inputs (list binutils python-cryptography python-pefile sbsigntools))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI tool")
+    (description "@command{ukify} joins together a UKI stub, linux kernel, initrd,
+kernel arguments, and optional secure boot signatures into a single, UEFI-bootable
+image.")
+    (license license:lgpl2.1+)))
+
 (define-public dtc
   (package
     (name "dtc")
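Review bot: `systemd-stub-name` has no `else` clause, so on a target outside the five listed `arch` is unspecified and `string-append` fails with an opaque wrong-type error at derivation time; add `(else (error "no systemd-stub for target" (%current-target-system)))` or similar. `python-pyelftools` is consumed by systemd's build-time `elf2efi.py` rather than by the installed stub, so it belongs in `native-inputs` for cross builds, and `(delete 'check)` is conventionally written `#:tests? #f`. On the SBAT flags, the `; package revision!` comment on `-Dsbat-distro-generation=1` is the only reminder that the generation must be bumped whenever a rebuilt stub fixes a security issue; without that a shim-based SBAT revocation cannot distinguish the fixed build from the vulnerable one (and when the UKI is signed directly with a db key and no shim is involved, SBAT is not consulted at all, which is worth a comment). Finally, the description reads "UEFi" for "UEFI".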
-- 
2.41.0

* [bug#68526] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
  2024-01-17  4:23 [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
  2024-01-17  4:23 ` [bug#68525] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
@ 2024-01-17  4:23 ` Lilah Tascheter via Guix-patches
  2024-01-17  4:48 ` [bug#68524] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-01-17  4:23 UTC (permalink / raw)
  To: 68526; +Cc: Lilah Tascheter

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
  uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.

Change-Id: Ie30ef47ea026889727a050131a9b3c0555aa4c21
---
 doc/guix.texi          |  35 ++++++++++----
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index a66005ee9d..3029740f45 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40881,8 +40881,9 @@ Bootloader Configuration
 The bootloader to use, as a @code{bootloader} object.  For now
 @code{grub-bootloader}, @code{grub-efi-bootloader},
 @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
-@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
-and @code{u-boot-bootloader} are supported.
+@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
+@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader} are supported.
 
 @cindex ARM, bootloaders
 @cindex AArch64, bootloaders
@@ -40989,6 +40990,24 @@ Bootloader Configuration
 unbootable.
 @end quotation
 
+@vindex uefi-uki-bootloader
+@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, without
+an intermediary like GRUB. The main practical advantage of this is allowing
+root/store encryption without an extra GRUB password entry and slow decryption
+step.
+
+@vindex uefi-uki-signed-bootloader
+@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, except
+that it is a procedure that returns a bootloader compatible with UEFI secure
+boot. You must provide it with two paths, to an out-of-store secure boot db
+certificate, and key, in that order.
+
+@quotation Note
+This bootloader @emph{does not} support booting from any old system generation.
+You will also need enough space in your EFI System partition to store your
+kernel and initramfs, though this likely won't be an issue.
+@end quotation
+
 @item @code{targets}
 This is a list of strings denoting the targets onto which to install the
 bootloader.
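Review bot: the `uefi-uki-signed-bootloader` paragraph omits what a user needs in order to operate it: how to produce the db certificate and key (`uki.scm` mentions `ukify genkey` in a comment; the manual does not), that the certificate must be enrolled in the firmware's db before booting in user mode, and that the key file is read by root at `guix system reconfigure` time, so it must live outside the store with restrictive permissions. A short `@lisp` example would help, e.g. `(bootloader (uefi-uki-signed-bootloader "/root/sb/db.crt" "/root/sb/db.key"))`, and "linux kernel" should read "Linux kernel". The Note should also be blunter about the consequence of dropping old generations: unlike GRUB there is no menu entry for the previous generation, so a broken generation needs rescue media to recover.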
@@ -40997,12 +41016,12 @@ Bootloader Configuration
 For @code{grub-bootloader}, for example, they should be device names
 understood by the bootloader @command{installer} command, such as
 @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
-GNU GRUB Manual}).  For @code{grub-efi-bootloader} and
-@code{grub-efi-removable-bootloader} they should be mount
-points of the EFI file system, usually @file{/boot/efi}.  For
-@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
-points corresponding to TFTP root directories served by your TFTP
-server.
+GNU GRUB Manual}).  For @code{grub-efi-bootloader},
+@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI file
+system, usually @file{/boot/efi}.  For @code{grub-efi-netboot-bootloader},
+@code{targets} should be the mount points corresponding to TFTP root directories
+served by your TFTP server.
 
 @item @code{menu-entries} (default: @code{'()})
 A possibly empty list of @code{menu-entry} objects (see below), denoting
diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
new file mode 100644
index 0000000000..3131bae3d7
--- /dev/null
+++ b/gnu/bootloader/uki.scm
@@ -0,0 +1,106 @@
+;;; GNU Guix --- Functional package management for GNU
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu bootloader uki)
+  #:use-module (gnu bootloader)
+  #:use-module (gnu packages bootloaders)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages linux)
+  #:use-module (guix gexp)
+  #:use-module (guix modules))
+
+;; config generator makes script creating uki images
+;; install runs script
+;; install device is path to uefi dir
+
+(define* (uefi-uki-configuration-file #:optional cert privkey)
+  (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)
+
+    (define (menu-entry->uki e)
+      (define stub (file-append systemd-stub "/libexec/" (systemd-stub-name)))
+      (computed-file "uki.efi"
+        (with-imported-modules (source-module-closure '((guix build utils)))
+          #~(let ((args (list #$@(menu-entry-linux-arguments e))))
+              (use-modules (guix build utils))
+              (invoke #$(file-append ukify "/bin/ukify") "build"
+                "--linux" #$(menu-entry-linux e)
+                "--initrd" #$(menu-entry-initrd e)
+                "--os-release" #$(menu-entry-label e)
+                "--cmdline" (string-join args)
+                "--stub" #$stub
+                "-o" #$output)))))
+
+    (program-file "install-uki"
+      (with-imported-modules (source-module-closure '((guix build utils)))
+        #~(let* ((target (cadr (command-line)))
+                 (vendir (string-append target "/EFI/Guix"))
+                 (schema (string-append vendir "/boot.mgr"))
+                 (findmnt #$(file-append util-linux "/bin/findmnt"))
+                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")))
+            (use-modules (guix build utils) (ice-9 popen) (ice-9 textual-ports))
+
+            (define disk
+              (call-with-port
+                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target)
+                (lambda (port) (get-line port)))) ; only 1 line: the device
+
+            (when (file-exists? schema)
+              (call-with-input-file schema
+                (lambda (port)
+                  (for-each (lambda (l)
+                              (unless (string-null? l)
+                                (system* efibootmgr "-B" "-L" l)))
+                    (string-split (get-string-all port) #\lf)))))
+            (when (directory-exists? vendir) (delete-file-recursively vendir))
+
+            (mkdir-p vendir)
+            (call-with-output-file schema
+              (lambda (port)
+                (for-each (lambda (uki label)
+                            (let* ((base (basename uki))
+                                   (out (string-append vendir "/" base)))
+                              #$(if cert ; sign here so we can access root certs
+                                  #~(invoke
+                                      #$(file-append sbsigntools "/bin/sbsign")
+                                      "--cert" #$cert "--key" #$privkey
+                                      "--output" out uki)
+                                  #~(copy-file uki out))
+                              (invoke efibootmgr "-c" "-L" label "-d" disk "-l"
+                                (string-append "\\EFI\\Guix\\" base))
+                              (put-string port label)
+                              (put-char port #\lf)))
+                  (list #$@(map-in-order menu-entry->uki entries))
+                  (list #$@(map-in-order menu-entry-label entries))))))))))
+
+(define install-uefi-uki
+  #~(lambda (bootloader target mount-point)
+      (invoke (string-append mount-point "/boot/install-uki.scm")
+              (string-append mount-point target))))
+
+(define* (make-uefi-uki-bootloader #:optional cert privkey)
+  (bootloader
+    (name 'uefi-uki)
+    (package systemd-stub)
+    (installer install-uefi-uki)
+    (disk-image-installer #f)
+    (configuration-file "/boot/install-uki.scm")
+    (configuration-file-generator (uefi-uki-configuration-file cert privkey))))
+
+(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
+;; use ukify genkey to generate cert and privkey. DO NOT include in store.
+(define-public (uefi-uki-signed-bootloader cert privkey)
+  (make-uefi-uki-bootloader cert privkey))
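Review bot: the install script deletes `EFI/Guix` (`delete-file-recursively vendir`) before any new image has been signed or written, so a failure of `sbsign` (unreadable key, wrong passphrase) or of `efibootmgr -c` part-way through leaves the ESP without a bootable UKI, and because old generations are dropped there is no second entry to fall back on; sign into a temporary name first, rename over the old image only on success, and consider keeping the previous generation's UKI under its own boot entry. The cleanup loop ignores the exit status of `system* efibootmgr "-B" "-L" l`: efibootmgr documents `-B` as deleting the entry selected with `-b BOOTNUM`, so confirm that deleting by label works with the efibootmgr version in Guix, and note that labels are not unique, so an entry from another OS with the same label could be removed. `findmnt -o SOURCE` returns the partition node (e.g. `/dev/nvme0n1p1`) whereas `efibootmgr -d` is documented as the containing disk with `-p` defaulting to 1; verify this for an ESP that is not partition 1 or pass `-p` explicitly. `--os-release` is handed the bare menu label, but ukify expects os-release key=value text (or `@path`), so tools that parse `.osrel` (systemd-boot, `bootctl`) will see no `PRETTY_NAME`; `PRETTY_NAME=` followed by the label is the readable form. Smaller points: `old-entires` is misspelled (harmless here since it is unused), and `(string-join args)` loses the boundaries of any argument that itself contains a space.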
-- 
2.41.0

* [bug#68524] [PATCH 1/2] gnu: bootloaders: Add uki packages.
  2024-01-17  4:23 [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
  2024-01-17  4:23 ` [bug#68525] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
  2024-01-17  4:23 ` [bug#68526] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
@ 2024-01-17  4:48 ` Lilah Tascheter via Guix-patches
  2024-01-17  4:48   ` [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
  2024-01-28  9:51 ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
                   ` (4 subsequent siblings)
  7 siblings, 1 reply; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-01-17  4:48 UTC (permalink / raw)
  To: 68524; +Cc: Lilah Tascheter, Efraim Flashner, Vagrant Cascadian

* gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
  (systemd-version, systemd-source, systemd-stub, ukify): New variables.

Change-Id: Ie27bdcbf2c03e895956295f94f280c304393ce8d
---
 gnu/packages/bootloaders.scm | 94 ++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index c73a0e665d..32cbb4e704 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -46,11 +46,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cross-base)
   #:use-module (gnu packages disk)
+  #:use-module (gnu packages efi)
   #:use-module (gnu packages firmware)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages gperf)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages man)
   #:use-module (gnu packages mtools)
@@ -71,11 +73,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages valgrind)
   #:use-module (gnu packages virtualization)
   #:use-module (gnu packages xorg)
+  #:use-module (gnu packages python-crypto)
   #:use-module (gnu packages python-web)
   #:use-module (gnu packages python-xyz)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system pyproject)
+  #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
   #:use-module (guix download)
   #:use-module (guix gexp)
@@ -632,6 +636,96 @@ (define-public syslinux
                      ;; Also contains:
                      license:expat license:isc license:zlib)))))
 
+(define systemd-version "255")
+(define systemd-source
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+           (url "https://github.com/systemd/systemd")
+           (commit (string-append "v" systemd-version))))
+    (file-name (git-file-name "systemd" systemd-version))
+    (sha256
+      (base32
+        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
+
+(define-public (systemd-stub-name)
+  (let ((arch (cond ((target-x86-32?) "ia32")
+                ((target-x86-64?) "x64")
+                ((target-arm32?) "arm")
+                ((target-aarch64?) "aa64")
+                ((target-riscv64?) "riscv64"))))
+    (string-append "linux" arch ".efi.stub")))
+
+(define-public systemd-stub
+  (package
+    (name "systemd-stub")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system meson-build-system)
+    (arguments
+      (list
+        #:configure-flags
+        `(list "-Defi=true" "-Dsbat-distro=guix"
+               "-Dsbat-distro-generation=1" ; package revision!
+               "-Dsbat-distro-summary=Guix System"
+               "-Dsbat-distro-url=https://guix.gnu.org"
+               ,(string-append "-Dsbat-distro-pkgname=" name)
+               ,(string-append "-Dsbat-distro-version=" version))
+        #:phases
+        #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name))))
+            (modify-phases %standard-phases
+              (replace 'build
+                (lambda* (#:key parallel-build? #:allow-other-keys)
+                  (invoke "ninja" stub
+                    "-j" (if parallel-build?
+                           (number->string (parallel-job-count)) "1"))))
+              (replace 'install
+                (lambda _
+                  (install-file stub (string-append #$output "/libexec"))))
+              (delete 'check)))))
+    (inputs (list libcap python-pyelftools `(,util-linux "lib")))
+    (native-inputs (list gperf pkg-config python-3 python-jinja2))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI stub")
+    (description "Simple UEFi boot stub that loads a conjoined kernel image and
+supporting data to their proper locations, before chainloading to the kernel.
+Supports measured and/or verified boot environments.")
+    (license license:lgpl2.1+)))
+
+(define-public ukify
+  (package
+    (name "ukify")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system python-build-system)
+    (arguments
+      (list #:phases
+            #~(modify-phases %standard-phases
+                (replace 'build
+                  (lambda _
+                    (substitute* "src/ukify/ukify.py" ; added in python 3.11
+                      (("datetime\\.UTC") "datetime.timezone.utc"))))
+                (delete 'check)
+                (replace 'install
+                  (lambda* (#:key inputs #:allow-other-keys)
+                    (let* ((bin (string-append #$output "/bin"))
+                           (file (string-append bin "/ukify"))
+                           (binutils (assoc-ref inputs "binutils"))
+                           (sbsign (assoc-ref inputs "sbsigntools")))
+                      (mkdir-p bin)
+                      (copy-file "src/ukify/ukify.py" file)
+                      (wrap-program file
+                        `("PATH" ":" prefix
+                          (,(string-append binutils "/bin")
+                           ,(string-append sbsign "/bin"))))))))))
+    (inputs (list binutils python-cryptography python-pefile sbsigntools))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI tool")
+    (description "@command{ukify} joins together a UKI stub, linux kernel, initrd,
+kernel arguments, and optional secure boot signatures into a single, UEFI-bootable
+image.")
+    (license license:lgpl2.1+)))
+
 (define-public dtc
   (package
     (name "dtc")

base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
-- 
2.41.0

* [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
  2024-01-17  4:48 ` [bug#68524] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
@ 2024-01-17  4:48   ` Lilah Tascheter via Guix-patches
  2024-01-25 10:03     ` Herman Rimm via Guix-patches via
  0 siblings, 1 reply; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-01-17  4:48 UTC (permalink / raw)
  To: 68524; +Cc: Lilah Tascheter, Efraim Flashner, Vagrant Cascadian

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
  uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.

Change-Id: Ie30ef47ea026889727a050131a9b3c0555aa4c21
---
 doc/guix.texi          |  35 ++++++++++----
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index a66005ee9d..3029740f45 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40881,8 +40881,9 @@ Bootloader Configuration
 The bootloader to use, as a @code{bootloader} object.  For now
 @code{grub-bootloader}, @code{grub-efi-bootloader},
 @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
-@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
-and @code{u-boot-bootloader} are supported.
+@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
+@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader} are supported.
 
 @cindex ARM, bootloaders
 @cindex AArch64, bootloaders
@@ -40989,6 +40990,24 @@ Bootloader Configuration
 unbootable.
 @end quotation
 
+@vindex uefi-uki-bootloader
+@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, without
+an intermediary like GRUB. The main practical advantage of this is allowing
+root/store encryption without an extra GRUB password entry and slow decryption
+step.
+
+@vindex uefi-uki-signed-bootloader
+@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, except
+that it is a procedure that returns a bootloader compatible with UEFI secure
+boot. You must provide it with two paths, to an out-of-store secure boot db
+certificate, and key, in that order.
+
+@quotation Note
+This bootloader @emph{does not} support booting from any old system generation.
+You will also need enough space in your EFI System partition to store your
+kernel and initramfs, though this likely won't be an issue.
+@end quotation
+
 @item @code{targets}
 This is a list of strings denoting the targets onto which to install the
 bootloader.
@@ -40997,12 +41016,12 @@ Bootloader Configuration
 For @code{grub-bootloader}, for example, they should be device names
 understood by the bootloader @command{installer} command, such as
 @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
-GNU GRUB Manual}).  For @code{grub-efi-bootloader} and
-@code{grub-efi-removable-bootloader} they should be mount
-points of the EFI file system, usually @file{/boot/efi}.  For
-@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
-points corresponding to TFTP root directories served by your TFTP
-server.
+GNU GRUB Manual}).  For @code{grub-efi-bootloader},
+@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI file
+system, usually @file{/boot/efi}.  For @code{grub-efi-netboot-bootloader},
+@code{targets} should be the mount points corresponding to TFTP root directories
+served by your TFTP server.
 
 @item @code{menu-entries} (default: @code{'()})
 A possibly empty list of @code{menu-entry} objects (see below), denoting
diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
new file mode 100644
index 0000000000..3131bae3d7
--- /dev/null
+++ b/gnu/bootloader/uki.scm
@@ -0,0 +1,106 @@
+;;; GNU Guix --- Functional package management for GNU
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu bootloader uki)
+  #:use-module (gnu bootloader)
+  #:use-module (gnu packages bootloaders)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages linux)
+  #:use-module (guix gexp)
+  #:use-module (guix modules))
+
+;; config generator makes script creating uki images
+;; install runs script
+;; install device is path to uefi dir
+
+(define* (uefi-uki-configuration-file #:optional cert privkey)
+  (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)
+
+    (define (menu-entry->uki e)
+      (define stub (file-append systemd-stub "/libexec/" (systemd-stub-name)))
+      (computed-file "uki.efi"
+        (with-imported-modules (source-module-closure '((guix build utils)))
+          #~(let ((args (list #$@(menu-entry-linux-arguments e))))
+              (use-modules (guix build utils))
+              (invoke #$(file-append ukify "/bin/ukify") "build"
+                "--linux" #$(menu-entry-linux e)
+                "--initrd" #$(menu-entry-initrd e)
+                "--os-release" #$(menu-entry-label e)
+                "--cmdline" (string-join args)
+                "--stub" #$stub
+                "-o" #$output)))))
+
+    (program-file "install-uki"
+      (with-imported-modules (source-module-closure '((guix build utils)))
+        #~(let* ((target (cadr (command-line)))
+                 (vendir (string-append target "/EFI/Guix"))
+                 (schema (string-append vendir "/boot.mgr"))
+                 (findmnt #$(file-append util-linux "/bin/findmnt"))
+                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")))
+            (use-modules (guix build utils) (ice-9 popen) (ice-9 textual-ports))
+
+            (define disk
+              (call-with-port
+                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target)
+                (lambda (port) (get-line port)))) ; only 1 line: the device
+
+            (when (file-exists? schema)
+              (call-with-input-file schema
+                (lambda (port)
+                  (for-each (lambda (l)
+                              (unless (string-null? l)
+                                (system* efibootmgr "-B" "-L" l)))
+                    (string-split (get-string-all port) #\lf)))))
+            (when (directory-exists? vendir) (delete-file-recursively vendir))
+
+            (mkdir-p vendir)
+            (call-with-output-file schema
+              (lambda (port)
+                (for-each (lambda (uki label)
+                            (let* ((base (basename uki))
+                                   (out (string-append vendir "/" base)))
+                              #$(if cert ; sign here so we can access root certs
+                                  #~(invoke
+                                      #$(file-append sbsigntools "/bin/sbsign")
+                                      "--cert" #$cert "--key" #$privkey
+                                      "--output" out uki)
+                                  #~(copy-file uki out))
+                              (invoke efibootmgr "-c" "-L" label "-d" disk "-l"
+                                (string-append "\\EFI\\Guix\\" base))
+                              (put-string port label)
+                              (put-char port #\lf)))
+                  (list #$@(map-in-order menu-entry->uki entries))
+                  (list #$@(map-in-order menu-entry-label entries))))))))))
+
+(define install-uefi-uki
+  #~(lambda (bootloader target mount-point)
+      (invoke (string-append mount-point "/boot/install-uki.scm")
+              (string-append mount-point target))))
+
+(define* (make-uefi-uki-bootloader #:optional cert privkey)
+  (bootloader
+    (name 'uefi-uki)
+    (package systemd-stub)
+    (installer install-uefi-uki)
+    (disk-image-installer #f)
+    (configuration-file "/boot/install-uki.scm")
+    (configuration-file-generator (uefi-uki-configuration-file cert privkey))))
+
+(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
+;; use ukify genkey to generate cert and privkey. DO NOT include in store.
+(define-public (uefi-uki-signed-bootloader cert privkey)
+  (make-uefi-uki-bootloader cert privkey))
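Review bot: `old-entires` in `(lambda* (config entries #:key (old-entires '()) ...)` is a typo for `old-entries`, so the previous generations passed by Guix are never seen and the keyword silently defaults to the empty list. In the same hunk, `(system* efibootmgr "-B" "-L" l)` discards the exit status, so a stale Boot#### entry that fails to delete goes unnoticed and the following `efibootmgr -c` adds a second entry with the same label; use `invoke`, or at least log the failure. `--os-release` is given the menu-entry label as literal text, but the option takes os-release content (or `@path`), so the `.osrel` section ends up holding only the label instead of `PRETTY_NAME=`/`ID=` keys that the stub and tooling expect. On the signing side, `cert` and `privkey` are interpolated as plain strings and only read by `sbsign` at install time, which is what keeps the key out of the world-readable store; consider asserting that both are strings so a caller cannot accidentally pass a `local-file` and have the private key copied into /gnu/store.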
-- 
2.41.0





^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
  2024-01-17  4:48   ` [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
@ 2024-01-25 10:03     ` Herman Rimm via Guix-patches via
  2024-01-28  0:50       ` Lilah Tascheter via Guix-patches
  0 siblings, 1 reply; 21+ messages in thread
From: Herman Rimm via Guix-patches via @ 2024-01-25 10:03 UTC (permalink / raw)
  To: Lilah Tascheter, 68524

Hello,

On Tue, Jan 16, 2024 at 10:48:11PM -0600, Lilah Tascheter wrote:
> * doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
>   uefi-uki-bootloader and uefi-uki-signed-bootloader.
> * gnu/bootloader/uki.scm: New file.
Remember to note your copyright and register new files in gnu/local.mk.

> +(define* (uefi-uki-configuration-file #:optional cert privkey)
> +  (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)
old-entries got mistyped as old-entires.
> +    (define (menu-entry->uki e)
> +      (define stub (file-append systemd-stub "/libexec/" (systemd-stub-name)))
Can you have systemd-stub be an argument of uefi-uki-configuration-file?

> +            (when (file-exists? schema)
> +              (call-with-input-file schema
> +                (lambda (port)
> +                  (for-each (lambda (l)
> +                              (unless (string-null? l)
> +                                (system* efibootmgr "-B" "-L" l)))
You can make this quiet.

> +                              (invoke efibootmgr "-c" "-L" label "-d" disk "-l"
Maybe this too?

> +(define install-uefi-uki
> +  #~(lambda (bootloader target mount-point)
Get systemd-stub from bootloader with bootloader-package.
> +      (invoke (string-append mount-point "/boot/install-uki.scm")
> +              (string-append mount-point target))))
The way GRUB does it, if mount-point/boot/efi does not exist, try
install to /boot/efi in case the ESP got mounted there. Personally, I
think it's okay to only try install to mount-point/boot/efi.

> +(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
> +;; use ukify genkey to generate cert and privkey. DO NOT include in store.
> +(define-public (uefi-uki-signed-bootloader cert privkey)
> +  (make-uefi-uki-bootloader cert privkey))
Can you use define instead and export the bootloaders in define-module?
I expect define-public procedures in package modules which would have to
use an export procedure with many arguments otherwise.

The install-uki.scm config file is a nice idea. It can be used to
regenerate the UKI and corresponding UEFI boot entry. Now that I think
about it, can that be included as an example? Like:

  uefi-uki-bootloader installs install-uki.scm to /boot, you can use it
  to (re)create the UKI manually: sudo ./install-uki.scm /boot/efi/. If
  you need to chroot to an existing system on /mnt, mount efivars first:
  mount --bind /sys/firmware/efi/efivars /mnt/sys/firmware/efi/efivars.
  This is required for efibootmgr to (re)install the UEFI entry for the
  corresponding UKI.

This bootloader has been very useful to me. I could easily chainload the
UKI from an install image GRUB, whenever I messed up the UEFI boot entry
for the EFI stub bootloader I'm working on.

Thank you,
Herman





* [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
  2024-01-25 10:03     ` Herman Rimm via Guix-patches via
@ 2024-01-28  0:50       ` Lilah Tascheter via Guix-patches
  0 siblings, 0 replies; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-01-28  0:50 UTC (permalink / raw)
  To: 68524; +Cc: Herman Rimm

Thanks for the notes! I'm working on a v2 right now.

> The way GRUB does it, if mount-point/boot/efi does not exist, try
> install to /boot/efi in case the ESP got mounted there. Personally, I
> think it's okay to only try install to mount-point/boot/efi.
Yeah, I'd be concerned about overriding my own bootloader if it could decide to
just not use mount-point.

> This bootloader has been very useful to me.
I'm so glad!!! :)

> I could easily chainload the UKI from an install image GRUB
Would it be more useful to have the EFI vendor dir for UKI be like, Guix-UKI
instead of just Guix, so as not to delete a preexisting grub-efi-bootloader?

-lilah





* [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot.
  2024-01-17  4:23 [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
                   ` (2 preceding siblings ...)
  2024-01-17  4:48 ` [bug#68524] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
@ 2024-01-28  9:51 ` Lilah Tascheter via Guix-patches
  2024-01-28  9:51   ` [bug#68524] [PATCH v2 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
                     ` (2 more replies)
  2024-02-20  1:08 ` [bug#68524] [PATCH " Nikolaos Chatzikonstantinou
                   ` (3 subsequent siblings)
  7 siblings, 3 replies; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-01-28  9:51 UTC (permalink / raw)
  To: 68524; +Cc: vagrant, Lilah Tascheter, herman, efraim

Thank you so much Herman, that motherfucking typo was what made my old-entries
testing not work. I reworked the majority of the install-uki.scm code, and now
uefi-uki-bootloader and uefi-uki-signed-bootloader support generation rollback!
Slightly jank, but it works. On install, we pretty much just cram as many
generations into the ESP as possible. ESPs are typically small, so we can't
assume that we can fit more than one UKI, so if we can't fit every extant
generation we just exit early.

We also don't waste space on root by adding each UKI to the store anymore.
They're all generated at install time. Added slightly more documentation too.

Otherwise, fixed everything Herman pointed out!

Decided not to add a manual section on manually running /boot/install-uki.scm
though. It's more of a quirk of getting around guix's bootloader assumptions
than meant to be run that way; I don't know if it's a good idea to direct
attention to it. I mean it Works, but it's more of a quick hack.

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  45 ++++++++----
 gnu/bootloader/uki.scm       | 129 +++++++++++++++++++++++++++++++++++
 gnu/local.mk                 |   1 +
 gnu/packages/bootloaders.scm |  95 ++++++++++++++++++++++++++
 4 files changed, 258 insertions(+), 12 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm


base-commit: 2823253484e49391c6ba3c653a2f9e9f5e5f38ae
-- 
2.41.0






* [bug#68524] [PATCH v2 1/2] gnu: bootloaders: Add uki packages.
  2024-01-28  9:51 ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
@ 2024-01-28  9:51   ` Lilah Tascheter via Guix-patches
  2024-02-11 18:37     ` Hilton Chain via Guix-patches via
  2024-01-28  9:51   ` [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
  2024-02-11 18:37   ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Hilton Chain via Guix-patches via
  2 siblings, 1 reply; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-01-28  9:51 UTC (permalink / raw)
  To: 68524
  Cc: vagrant, Lilah Tascheter, herman, efraim, Efraim Flashner,
	Vagrant Cascadian

* gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
  (systemd-version,systemd-source,systemd-stub,ukify): New variables.

Change-Id: I67776ec35d165afebc2eb4b11bea0459259e4bd8
---
 gnu/packages/bootloaders.scm | 95 ++++++++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index 986f0ac035..b0d4979f44 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -19,6 +19,7 @@
 ;;; Copyright © 2021 Stefan <stefan-guix@vodafonemail.de>
 ;;; Copyright © 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2023 Herman Rimm <herman@rimm.ee>
+;;; Copyright © 2024 Lilah Tascheter <lilah@lunabee.space>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -46,11 +47,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cross-base)
   #:use-module (gnu packages disk)
+  #:use-module (gnu packages efi)
   #:use-module (gnu packages firmware)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages gperf)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages man)
   #:use-module (gnu packages mtools)
@@ -71,11 +74,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages valgrind)
   #:use-module (gnu packages virtualization)
   #:use-module (gnu packages xorg)
+  #:use-module (gnu packages python-crypto)
   #:use-module (gnu packages python-web)
   #:use-module (gnu packages python-xyz)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system pyproject)
+  #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
   #:use-module (guix download)
   #:use-module (guix gexp)
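Review bot: `(gnu packages python-crypto)` is inserted after `xorg`, breaking the alphabetical order the rest of the `#:use-module` list keeps; move it next to `python-web` and `python-xyz`. `(guix build-system python)` is pulled in only for `ukify`, which replaces both the `build` and `install` phases, so nothing of the Python build system is actually used; a build system that just copies the script (the file already imports `trivial`) would say what is meant and avoid carrying python-build-system defaults such as the test phase that then has to be deleted.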
@@ -632,6 +637,96 @@ (define-public syslinux
                      ;; Also contains:
                      license:expat license:isc license:zlib)))))
 
+(define systemd-version "255")
+(define systemd-source
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+           (url "https://github.com/systemd/systemd")
+           (commit (string-append "v" systemd-version))))
+    (file-name (git-file-name "systemd" systemd-version))
+    (sha256
+      (base32
+        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
+
+(define-public (systemd-stub-name)
+  (let ((arch (cond ((target-x86-32?) "ia32")
+                ((target-x86-64?) "x64")
+                ((target-arm32?) "arm")
+                ((target-aarch64?) "aa64")
+                ((target-riscv64?) "riscv64"))))
+    (string-append "linux" arch ".efi.stub")))
+
+(define-public systemd-stub
+  (package
+    (name "systemd-stub")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system meson-build-system)
+    (arguments
+      (list
+        #:configure-flags
+        `(list "-Defi=true" "-Dsbat-distro=guix"
+               "-Dsbat-distro-generation=1" ; package revision!
+               "-Dsbat-distro-summary=Guix System"
+               "-Dsbat-distro-url=https://guix.gnu.org"
+               ,(string-append "-Dsbat-distro-pkgname=" name)
+               ,(string-append "-Dsbat-distro-version=" version))
+        #:phases
+        #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name))))
+            (modify-phases %standard-phases
+              (replace 'build
+                (lambda* (#:key parallel-build? #:allow-other-keys)
+                  (invoke "ninja" stub
+                    "-j" (if parallel-build?
+                           (number->string (parallel-job-count)) "1"))))
+              (replace 'install
+                (lambda _
+                  (install-file stub (string-append #$output "/libexec"))))
+              (delete 'check)))))
+    (inputs (list libcap python-pyelftools `(,util-linux "lib")))
+    (native-inputs (list gperf pkg-config python-3 python-jinja2))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI stub")
+    (description "Simple UEFi boot stub that loads a conjoined kernel image and
+supporting data to their proper locations, before chainloading to the kernel.
+Supports measured and/or verified boot environments.")
+    (license license:lgpl2.1+)))
+
+(define-public ukify
+  (package
+    (name "ukify")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system python-build-system)
+    (arguments
+      (list #:phases
+            #~(modify-phases %standard-phases
+                (replace 'build
+                  (lambda _
+                    (substitute* "src/ukify/ukify.py" ; added in python 3.11
+                      (("datetime\\.UTC") "datetime.timezone.utc"))))
+                (delete 'check)
+                (replace 'install
+                  (lambda* (#:key inputs #:allow-other-keys)
+                    (let* ((bin (string-append #$output "/bin"))
+                           (file (string-append bin "/ukify"))
+                           (binutils (assoc-ref inputs "binutils"))
+                           (sbsign (assoc-ref inputs "sbsigntools")))
+                      (mkdir-p bin)
+                      (copy-file "src/ukify/ukify.py" file)
+                      (wrap-program file
+                        `("PATH" ":" prefix
+                          (,(string-append binutils "/bin")
+                           ,(string-append sbsign "/bin"))))))))))
+    (inputs (list binutils python-cryptography python-pefile sbsigntools))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI tool")
+    (description "@command{ukify} joins together a UKI stub, linux kernel, initrd,
+kernel arguments, and optional secure boot signatures into a single, UEFI-bootable
+image.")
+    (license license:lgpl2.1+)))
+
 (define-public dtc
   (package
     (name "dtc")
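Review bot: `systemd-stub-name` has no `else` branch, so on any other target `arch` is unspecified and `(string-append "linux" arch ".efi.stub")` fails with an obscure wrong-type error at module load; raise an explicit error naming the target instead. The comment on `-Dsbat-distro-generation=1` (`; package revision!`) understates what SBAT needs: the generation must be bumped whenever a security fix lands in the stub that shim or firmware should be able to revoke older builds of, independently of the Guix package revision, and it must never go down; please say so, since a stale generation makes every signed UKI built from this stub unrevocable in practice. In `ukify`, `(assoc-ref inputs "binutils")` and `"sbsigntools"` should use `search-input-file`/`this-package-input` per current conventions, and the `PATH` wrap is load-bearing because `ukify`'s `--secureboot-*` options shell out to `sbsign` (and `objcopy`) at install time, which deserves a comment. Typos in the descriptions: `UEFi` should read `UEFI`, `linux` should read `Linux`, and `Simple UEFi boot stub that loads a conjoined kernel image` reads better as `Simple UEFI boot stub that loads a combined kernel image`.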
-- 
2.41.0
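The two packages above build and assemble UKIs; what a practitioner then wants is a way to audit what actually went into the signed image on the ESP (kernel command line, os-release text, and the stub's SBAT revocation metadata) without trusting the tooling that produced it. The following is an added example for this thread, not code from the patch, from Guix or from systemd: a UKI is a PE32+ file whose `.linux`/`.initrd`/`.cmdline`/`.osrel` sections sit beside the stub's `.sbat` section, so a plain PE section walk is enough. The sample image is constructed inline (it is not bootable) with section contents modelled on the flags the patch passes to `ukify` and `meson`; the exact `systemd.guix` SBAT line is an assumption about what `-Dsbat-distro=guix` emits.

```python
"""Audit a Unified Kernel Image's .cmdline, .osrel and .sbat PE sections.

Added example, not part of the Guix patch or of systemd.  The sample PE at the
bottom is constructed here for demonstration and is not a bootable image.
"""
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # 40-byte PE/COFF section header


def pe_sections(data: bytes) -> dict:
    """Map section name -> raw bytes for any PE image (UKI, EFI stub, ...)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    n_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                  # section table follows the optional header
    sections = {}
    for i in range(n_sections):
        name, vsize, _vaddr, rsize, rptr, *_ = SECTION_HDR.unpack_from(
            data, table + SECTION_HDR.size * i)
        size = min(vsize, rsize) if vsize else rsize   # VirtualSize is the real length
        sections[name.rstrip(b"\0").decode("ascii")] = data[rptr:rptr + size]
    return sections


def parse_sbat(text: str) -> dict:
    """Parse .sbat CSV lines: component -> generation/vendor/package/version/url."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",", 5)
        if len(fields) != 6:
            raise ValueError(f"malformed SBAT line: {line!r}")
        name, gen, vendor, pkg, ver, url = fields
        entries[name] = {"generation": int(gen), "vendor": vendor,
                         "package": pkg, "version": ver, "url": url}
    return entries


def sbat_rejected(entries: dict, policy: dict) -> bool:
    """True if a shim/firmware SBAT policy {component: minimum generation} would
    refuse this image: a component present in the image with a generation below
    the required minimum is revoked.  Components absent from the image are ignored."""
    return any(entries[c]["generation"] < g for c, g in policy.items() if c in entries)


def inspect_uki(data: bytes) -> dict:
    """Summarise the security-relevant payload of a UKI."""
    secs = pe_sections(data)

    def text(name):
        return secs.get(name, b"").rstrip(b"\0").decode("utf-8")

    osrel = {}
    for line in text(".osrel").splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            osrel[key.strip()] = value.strip().strip('"')
    return {"cmdline": text(".cmdline").strip(), "osrel": osrel,
            "sbat": parse_sbat(text(".sbat")),
            "has_kernel": ".linux" in secs, "has_initrd": ".initrd" in secs}


def build_test_pe(sections: dict) -> bytes:
    """Constructed PE32+ carrier for the given sections (headers only, not bootable)."""
    align, opt_size, names = 0x200, 240, list(sections)     # 240 = PE32+ optional header
    hdr_end = 0x40 + 4 + 20 + opt_size + SECTION_HDR.size * len(names)
    first_raw = -(-hdr_end // align) * align
    out = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    out += b"PE\0\0"
    out += struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    out += opt
    ptr, bodies = first_raw, []
    for name in names:
        body = sections[name]
        raw = -(-len(body) // align) * align
        out += SECTION_HDR.pack(name.encode(), len(body), ptr, raw, ptr, 0, 0, 0, 0, 0x40000040)
        bodies.append(body.ljust(raw, b"\0"))
        ptr += raw
    out += bytes(first_raw - len(out))
    return bytes(out + b"".join(bodies))


# Constructed sample, modelled on the patch's ukify/meson flags (assumed SBAT line).
SAMPLE_SECTIONS = {
    ".osrel": b'PRETTY_NAME="Guix System"\nID=guix\n',
    ".cmdline": b"--root=/dev/mapper/cryptroot gnu.load=/gnu/store/example-system/boot gnu.repl=no\0",
    ".sbat": (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
              b"systemd,1,The systemd Developers,systemd,255,https://systemd.io/\n"
              b"systemd.guix,1,Guix System,systemd-stub,255,https://guix.gnu.org\n"),
}
SAMPLE_UKI = build_test_pe(SAMPLE_SECTIONS)

if __name__ == "__main__":
    info = inspect_uki(SAMPLE_UKI)
    print("cmdline:", info["cmdline"])
    print("os     :", info["osrel"].get("PRETTY_NAME"))
    for name, e in info["sbat"].items():
        print(f"sbat   : {name} generation={e['generation']} {e['package']} {e['version']}")
    print("revoked by policy systemd.guix>=2:", sbat_rejected(info["sbat"], {"systemd.guix": 2}))
```

Against a real installation, assuming the ESP is mounted at /boot/efi and the v2 naming scheme, `inspect_uki(open("/boot/efi/EFI/Guix/0.efi", "rb").read())` shows the exact command line that was signed, which is the property that makes a UKI preferable to a signed GRUB plus unsigned configuration. The SBAT check is why the `sbat-distro-generation` value in the stub package matters: once a revocation policy requires `systemd.guix` generation 2, every image built from a stub still declaring generation 1 is refused.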






* [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
  2024-01-28  9:51 ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
  2024-01-28  9:51   ` [bug#68524] [PATCH v2 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
@ 2024-01-28  9:51   ` Lilah Tascheter via Guix-patches
  2024-02-11 18:39     ` Hilton Chain via Guix-patches via
  2024-02-11 18:37   ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Hilton Chain via Guix-patches via
  2 siblings, 1 reply; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-01-28  9:51 UTC (permalink / raw)
  To: 68524; +Cc: vagrant, Lilah Tascheter, herman, efraim

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
  uefi-uki-bootloader and uefi-uki-signed-bootloader.
  (Keyboard Layout, Networking, and Partitioning)[Disk Partitioning]:
  Note use of uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm.

Change-Id: I2097da9f3dd35137b3419f6d0545de26d53cb6da
---
 doc/guix.texi          |  45 ++++++++++----
 gnu/bootloader/uki.scm | 129 +++++++++++++++++++++++++++++++++++++++++
 gnu/local.mk           |   1 +
 3 files changed, 163 insertions(+), 12 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index c458befb76..30fd5d022b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -2723,12 +2723,13 @@ Keyboard Layout and Networking and Partitioning
 for @command{cryptsetup luksFormat}.  You can check which key derivation
 function is being used by a device by running @command{cryptsetup
 luksDump @var{device}}, and looking for the PBKDF field of your
-keyslots.
+keyslots.  UEFI stub bootloaders, such as @code{uefi-uki-bootloader}, can
+however use the default, more secure key derivation function.
 @end quotation
 
-Assuming you want to store the root partition on @file{/dev/sda2}, the
-command sequence to format it as a LUKS2 partition would be along these
-lines:
+Assuming you want to store the root partition on @file{/dev/sda2} and use GRUB
+as your bootloader, the command sequence to format it as a LUKS2 partition would
+be along these lines:
 
 @example
 cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
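Review bot: the added sentence says UEFI stub bootloaders "can however use the default, more secure key derivation function" without saying why, and a reader choosing a KDF needs the reason: with `uefi-uki-bootloader` the LUKS volume is opened by cryptsetup in the initrd, not by GRUB, so GRUB's lack of Argon2 support no longer constrains the choice and `--pbkdf pbkdf2` below is only needed for the GRUB case. State that explicitly and show the UKI variant of the command without `--pbkdf pbkdf2`, otherwise users of the new bootloader will copy the weaker example as-is.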
@@ -41136,8 +41137,9 @@ Bootloader Configuration
 The bootloader to use, as a @code{bootloader} object.  For now
 @code{grub-bootloader}, @code{grub-efi-bootloader},
 @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
-@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
-and @code{u-boot-bootloader} are supported.
+@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
+@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader} are supported.
 
 @cindex ARM, bootloaders
 @cindex AArch64, bootloaders
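Review bot: this sentence lists values to be used "as a `bootloader` object", but `uefi-uki-signed-bootloader` as added is a procedure taking two paths, so a reader who writes `(bootloader uefi-uki-signed-bootloader)` hands a procedure to a field expecting a record. Either list it as `(uefi-uki-signed-bootloader cert key)` or leave it to the dedicated entry below and mention only `uefi-uki-bootloader` here.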
@@ -41244,6 +41246,25 @@ Bootloader Configuration
 unbootable.
 @end quotation
 
+@vindex uefi-uki-bootloader
+@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, without
+an intermediary like GRUB. The main practical advantage of this is allowing
+root/store encryption without an extra GRUB password entry and slow decryption
+step.
+
+@vindex uefi-uki-signed-bootloader
+@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, except
+that it is a procedure that returns a bootloader compatible with UEFI secure
+boot. You must provide it with two paths: an out-of-store secure boot db
+certificate (in PEM format), and out-of-store db key, in that order.
+
+@quotation Warning
+When using @code{uefi-uki-bootloader} or @code{uefi-uki-signed-bootloader},
+@emph{do not} turn off your computer if a system reconfigure failed at
+installing the bootloader.  Until bootloader installation succeeds, your system
+is in an unbootable state.
+@end quotation
+
 @item @code{targets}
 This is a list of strings denoting the targets onto which to install the
 bootloader.
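Review bot: the `uefi-uki-signed-bootloader` entry should spell out the preconditions the implementation relies on: the two paths are embedded in the generated install script and the key is read as root at install time, so it must be readable by root only and must not be a store path (everything under /gnu/store is world-readable), and the db certificate has to be enrolled in the firmware (or chained to an enrolled KEK) before Secure Boot is switched on, or the freshly installed UKI is refused at boot. It is also worth one sentence on what the signature covers, since it is the reason to prefer a UKI over signed GRUB: kernel, initrd and the kernel command line are all inside the signed PE image. Minor: Texinfo wants two spaces after sentence ends (`GRUB. The`, `step.`, `boot. You`), and `linux kernel` should read `Linux kernel`.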
@@ -41252,12 +41273,12 @@ Bootloader Configuration
 For @code{grub-bootloader}, for example, they should be device names
 understood by the bootloader @command{installer} command, such as
 @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
-GNU GRUB Manual}).  For @code{grub-efi-bootloader} and
-@code{grub-efi-removable-bootloader} they should be mount
-points of the EFI file system, usually @file{/boot/efi}.  For
-@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
-points corresponding to TFTP root directories served by your TFTP
-server.
+GNU GRUB Manual}).  For @code{grub-efi-bootloader},
+@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI file
+system, usually @file{/boot/efi}.  For @code{grub-efi-netboot-bootloader},
+@code{targets} should be the mount points corresponding to TFTP root directories
+served by your TFTP server.
 
 @item @code{menu-entries} (default: @code{'()})
 A possibly empty list of @code{menu-entry} objects (see below), denoting
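Review bot: for `uefi-uki-bootloader` the target has to be the mount point of the ESP itself, not merely a directory on it, because install-uki.scm derives the `efibootmgr -d` device from `findmnt -T target`; and the installer additionally needs `/sys/firmware/efi/efivars` available, which is not the case inside a chroot without a bind mount. Both constraints belong in this paragraph (or in the bootloader entry above) since neither applies to `grub-efi-bootloader`, which this sentence groups it with.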
diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
new file mode 100644
index 0000000000..0ef62295d6
--- /dev/null
+++ b/gnu/bootloader/uki.scm
@@ -0,0 +1,129 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2024 Lilah Tascheter <lilah@lunabee.space>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu bootloader uki)
+  #:use-module (gnu bootloader)
+  #:use-module (gnu packages bootloaders)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages linux)
+  #:use-module (guix gexp)
+  #:use-module (guix modules)
+  #:use-module (srfi srfi-1)
+  #:export (uefi-uki-bootloader uefi-uki-signed-bootloader))
+
+;; config generator makes script creating uki images
+;; install runs script
+;; install device is path to uefi dir
+(define vendor "Guix")
+(define script-loc "/boot/install-uki.scm")
+
+(define* (uefi-uki-configuration-file #:optional cert privkey)
+  (lambda* (config entries #:key (old-entries '()) #:allow-other-keys)
+
+    (define (menu-entry->args e)
+      (let* ((boot (bootloader-configuration-bootloader config))
+             (stub (bootloader-package boot)))
+        #~(list "--os-release" #$(menu-entry-label e)
+            "--linux" #$(menu-entry-linux e) "--initrd" #$(menu-entry-initrd e)
+            "--cmdline" (string-join (list #$@(menu-entry-linux-arguments e)))
+            "--stub" #$(file-append stub "/libexec/" (systemd-stub-name))
+            #$@(if cert #~("--secureboot-certificate" #$cert) #~())
+            #$@(if privkey #~("--secureboot-private-key" #$privkey) #~()))))
+
+    (define (enum-filenames . args) ; same args as iota
+      (map (lambda (n) (string-append (number->string n) ".efi"))
+        (apply iota (map length args))))
+
+    (program-file "install-uki"
+      (with-imported-modules (source-module-closure '((guix build syscalls)
+                                                      (guix build utils)))
+        #~(let* ((target (cadr (command-line)))
+                 (vendir (string-append target "/EFI/" #$vendor))
+                 (schema (string-append vendir "/boot.mgr"))
+                 (findmnt #$(file-append util-linux "/bin/findmnt"))
+                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")))
+            (use-modules (guix build syscalls) (guix build utils)
+                         (ice-9 popen) (ice-9 textual-ports))
+
+            (define (out name) (string-append vendir "/" name))
+            (define disk
+              (call-with-port
+                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target)
+                (lambda (port) (get-line port)))) ; only 1 line: the device
+
+            ;; delete all boot entries and files we control
+            (when (file-exists? schema)
+              (call-with-input-file schema
+                (lambda (port)
+                  (for-each (lambda (l)
+                              (unless (string-null? l)
+                                (system* efibootmgr "-B" "-L" l "-q")))
+                    (string-split (get-string-all port) #\lf)))))
+            (when (directory-exists? vendir) (delete-file-recursively vendir))
+            (mkdir-p vendir)
+
+            (define (install port boot? oos)
+              (lambda (args label name)
+                (let ((minbytes (* 2 (stat:size (stat #$script-loc)))))
+                  (put-string port label)
+                  (put-char port #\lf)
+                  (force-output port) ; make sure space is alloc'd
+                  (apply invoke #$(file-append ukify "/bin/ukify")
+                    "build" "-o" (out name) args)
+                  ;; make sure we have enough space for next install-uki.scm
+                  (when (and oos (< (free-disk-space vendir) minbytes)) (oos))
+                  (invoke efibootmgr (if boot? "-c" "-C") "-L" label "-d" disk
+                    "-l" (string-append "\\EFI\\" #$vendor "\\" name) "-q"))))
+
+            (call-with-output-file schema
+              (lambda (port) ; prioritize latest UKIs in limited ESP space
+                (for-each (install port #t #f)
+                  (list #$@(map-in-order menu-entry->args entries))
+                  (list #$@(map-in-order menu-entry-label entries))
+                  (list #$@(enum-filenames entries)))
+                (for-each ; old-entries can fail (out of space) we don't care
+                  (lambda (args label name)
+                    (define (cleanup . _) ; do exit early if out of space tho
+                      (when (file-exists? (out name)) (delete-file (out name)))
+                      (exit))
+                    (with-exception-handler cleanup
+                      (lambda _ ((install port #f cleanup) args label name))))
+                  (list #$@(map-in-order menu-entry->args old-entries))
+                  (list #$@(map-in-order menu-entry-label old-entries))
+                  (list #$@(enum-filenames old-entries entries))))))))))
+
+(define install-uefi-uki
+  #~(lambda (bootloader target mount-point)
+      (invoke (string-append mount-point #$script-loc)
+              (string-append mount-point target))))
+
+(define* (make-uefi-uki-bootloader #:optional cert privkey)
+  (bootloader
+    (name 'uefi-uki)
+    (package systemd-stub)
+    (installer install-uefi-uki)
+    (disk-image-installer #f)
+    (configuration-file script-loc)
+    (configuration-file-generator (uefi-uki-configuration-file cert privkey))))
+
+;; IMPORTANT NOTE: if bootloader install fails, do not turn off your computer! until
+;; install succeeds, your system is unbootable.
+(define uefi-uki-bootloader (make-uefi-uki-bootloader))
+;; use ukify genkey to generate cert and privkey. DO NOT include in store.
+(define (uefi-uki-signed-bootloader cert privkey)
+  (make-uefi-uki-bootloader cert privkey))
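Review bot: `(stat #$script-loc)` in the `minbytes` binding stats `/boot/install-uki.scm` on the running system rather than under the mount point the installer was given, so during an installation from the live image (root on /mnt) the file does not exist and `stat` throws before the space check ever runs; pass the mount point into the script, or stat the script's own path, e.g. `(car (command-line))`. The heuristic itself is also unclear: the ESP headroom is compared against twice the size of the install script, which lives on the root filesystem, while the comment talks about "the next install-uki.scm"; if the intent is to keep room for the next UKI, say so and use a UKI-sized figure. Separately, `(delete-file-recursively vendir)` runs before any new UKI has been written, which is exactly the unbootable window the manual warning asks users to sit through; building into a staging directory (or under temporary names) and deleting or renaming only after every `ukify build` has succeeded would shrink that window to the `efibootmgr` update. Finally, `efibootmgr -d` documents the disk plus `-p` partition number (default 1), whereas `findmnt -o SOURCE` yields the partition node; please confirm this works for ESPs that are not partition 1, and check that `cert`/`privkey` are strings so a file-like object cannot silently be copied into the store via `--secureboot-private-key`.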
diff --git a/gnu/local.mk b/gnu/local.mk
index ab63bd5881..0a15251ddf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -90,6 +90,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/bootloader/extlinux.scm                   \
   %D%/bootloader/u-boot.scm                     \
   %D%/bootloader/depthcharge.scm                \
+  %D%/bootloader/uki.scm                        \
   %D%/ci.scm					\
   %D%/compression.scm				\
   %D%/home.scm					\
-- 
2.41.0






* [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot.
  2024-01-28  9:51 ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
  2024-01-28  9:51   ` [bug#68524] [PATCH v2 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
  2024-01-28  9:51   ` [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
@ 2024-02-11 18:37   ` Hilton Chain via Guix-patches via
  2 siblings, 0 replies; 21+ messages in thread
From: Hilton Chain via Guix-patches via @ 2024-02-11 18:37 UTC (permalink / raw)
  To: Lilah Tascheter; +Cc: Vagrant Cascadian, 68524, Herman Rimm, Efraim Flashner

Hi Lilah,

On Sun, 28 Jan 2024 17:51:38 +0800,
Lilah Tascheter via Guix-patches wrote:
>
> Thank you so much Herman, that motherfucking typo was what made my old-entries
> testing not work. I reworked the majority of the install-uki.scm code, and now
> uefi-uki-bootloader and uefi-uki-signed-bootloader support generation rollback!
> Slightly jank, but it works. On install, we pretty much just cram as many
> generations into the ESP as possible. ESPs are typically small, so we can't
> assume that we can fit more than one UKI, so if we can't fit every extent
> generation we just exit early.
>
> We also don't waste space on root by adding each UKI to the store anymore.
> They're all generated at install time. Added slightly more documentation too.
>
> Otherwise, fixed everything Herman pointed out!
>
> Decided not to add a manual section on manually running /boot/install-uki.scm
> though. It's more of a quirk of getting around guix's bootloader assumptions
> than meant to be run that way; I don't know if it's a good idea to direct
> attention to it. I mean it Works, but it's more of a quick hack.
>
> Lilah Tascheter (2):
>   gnu: bootloaders: Add uki packages.
>   gnu: bootloaders: Add uefi-uki-bootloader.
>
>  doc/guix.texi                |  45 ++++++++----
>  gnu/bootloader/uki.scm       | 129 +++++++++++++++++++++++++++++++++++
>  gnu/local.mk                 |   1 +
>  gnu/packages/bootloaders.scm |  95 ++++++++++++++++++++++++++
>  4 files changed, 258 insertions(+), 12 deletions(-)
>  create mode 100644 gnu/bootloader/uki.scm
>
>
> base-commit: 2823253484e49391c6ba3c653a2f9e9f5e5f38ae
> --
> 2.41.0

Nicely done!  I have tested ‘uefi-uki-bootloader’, and it works!

But currently ‘uefi-uki-bootloader’ doesn't match generation switching well, and
‘uefi-uki-signed-bootloader’ as a procedure further breaks that, right?

I think these issues have to be addressed to get the series merged.

Reviews are coming later.

Thanks





* [bug#68524] [PATCH v2 1/2] gnu: bootloaders: Add uki packages.
  2024-01-28  9:51   ` [bug#68524] [PATCH v2 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
@ 2024-02-11 18:37     ` Hilton Chain via Guix-patches via
  0 siblings, 0 replies; 21+ messages in thread
From: Hilton Chain via Guix-patches via @ 2024-02-11 18:37 UTC (permalink / raw)
  To: Lilah Tascheter; +Cc: Vagrant Cascadian, 68524, Herman Rimm, Efraim Flashner

Hi Lilah,

On Sun, 28 Jan 2024 17:51:40 +0800,
Lilah Tascheter via Guix-patches wrote:
>
> * gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
>   (systemd-version,systemd-source,systemd-stub,ukify): New variables.

First of all, please split this commit into two commits, each adding a single
package.
(Other comments are between quote blocks.)

> Change-Id: I67776ec35d165afebc2eb4b11bea0459259e4bd8
> ---
>  gnu/packages/bootloaders.scm | 95 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 95 insertions(+)
>
> diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
> index 986f0ac035..b0d4979f44 100644
> --- a/gnu/packages/bootloaders.scm
> +++ b/gnu/packages/bootloaders.scm
> @@ -19,6 +19,7 @@
>  ;;; Copyright © 2021 Stefan <stefan-guix@vodafonemail.de>
>  ;;; Copyright © 2022, 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
>  ;;; Copyright © 2023 Herman Rimm <herman@rimm.ee>
> +;;; Copyright © 2024 Lilah Tascheter <lilah@lunabee.space>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -46,11 +47,13 @@ (define-module (gnu packages bootloaders)
>    #:use-module (gnu packages compression)
>    #:use-module (gnu packages cross-base)
>    #:use-module (gnu packages disk)
> +  #:use-module (gnu packages efi)
>    #:use-module (gnu packages firmware)
>    #:use-module (gnu packages flex)
>    #:use-module (gnu packages fontutils)
>    #:use-module (gnu packages gcc)
>    #:use-module (gnu packages gettext)
> +  #:use-module (gnu packages gperf)
>    #:use-module (gnu packages linux)
>    #:use-module (gnu packages man)
>    #:use-module (gnu packages mtools)
> @@ -71,11 +74,13 @@ (define-module (gnu packages bootloaders)
>    #:use-module (gnu packages valgrind)
>    #:use-module (gnu packages virtualization)
>    #:use-module (gnu packages xorg)
> +  #:use-module (gnu packages python-crypto)
>    #:use-module (gnu packages python-web)
>    #:use-module (gnu packages python-xyz)
>    #:use-module (guix build-system gnu)
>    #:use-module (guix build-system meson)
>    #:use-module (guix build-system pyproject)
> +  #:use-module (guix build-system python)
>    #:use-module (guix build-system trivial)
>    #:use-module (guix download)
>    #:use-module (guix gexp)
> @@ -632,6 +637,96 @@ (define-public syslinux
>                       ;; Also contains:
>                       license:expat license:isc license:zlib)))))
>
> +(define systemd-version "255")
> +(define systemd-source
> +  (origin
> +    (method git-fetch)
> +    (uri (git-reference
> +           (url "https://github.com/systemd/systemd")
> +           (commit (string-append "v" systemd-version))))
> +    (file-name (git-file-name "systemd" systemd-version))
> +    (sha256
> +      (base32
> +        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
> +
> +(define-public (systemd-stub-name)
> +  (let ((arch (cond ((target-x86-32?) "ia32")
> +                ((target-x86-64?) "x64")
> +                ((target-arm32?) "arm")
> +                ((target-aarch64?) "aa64")
> +                ((target-riscv64?) "riscv64"))))
> +    (string-append "linux" arch ".efi.stub")))
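
Review bot: the `cond` in `systemd-stub-name` has no `else` clause, so on any target other than the five listed `arch` is unspecified and the `string-append` fails with an opaque type error instead of saying that the stub is not available for that target; add an `else` that raises a descriptive error (or returns `#f` and make the callers check for it). Also confirm that `(guix utils)`, which provides the `target-*?` predicates, is already among this module's imports: the import hunks above add `(gnu packages efi)` and `(gnu packages gperf)` but nothing for these predicates.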

How about exporting this procedure in the module definition instead?

> +
> +(define-public systemd-stub
> +  (package
> +    (name "systemd-stub")
> +    (version systemd-version)
> +    (source systemd-source)
> +    (build-system meson-build-system)
> +    (arguments
> +      (list
> +        #:configure-flags
> +        `(list "-Defi=true" "-Dsbat-distro=guix"
> +               "-Dsbat-distro-generation=1" ; package revision!
> +               "-Dsbat-distro-summary=Guix System"
> +               "-Dsbat-distro-url=https://guix.gnu.org"
> +               ,(string-append "-Dsbat-distro-pkgname=" name)
> +               ,(string-append "-Dsbat-distro-version=" version))
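
Review bot: `-Dsbat-distro-generation=1` is hard-coded, with only the comment `; package revision!` to say that it has to change. The SBAT generation number is what shim and firmware compare against their revocation policy, so a stub rebuilt with a security fix must ship a higher generation, otherwise the fixed build is indistinguishable from the vulnerable one and cannot be revoked separately; define it as a named variable next to `systemd-version` and state in a comment when it must be bumped.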

Please use a G-expression for #:configure-flags, and replace ‘name’ and ‘version’
with ‘#$(package-name this-package)’ and ‘#$(package-version this-package)’.

"-Dmode=release" can be added, too.

> +        #:phases
> +        #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name))))
> +            (modify-phases %standard-phases
> +              (replace 'build
> +                (lambda* (#:key parallel-build? #:allow-other-keys)
> +                  (invoke "ninja" stub
> +                    "-j" (if parallel-build?
> +                           (number->string (parallel-job-count)) "1"))))
> +              (replace 'install
> +                (lambda _
> +                  (install-file stub (string-append #$output "/libexec"))))
> +              (delete 'check)))))
> +    (inputs (list libcap python-pyelftools `(,util-linux "lib")))
> +    (native-inputs (list gperf pkg-config python-3 python-jinja2))
> +    (home-page "https://systemd.io")
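
Review bot: `python-pyelftools` appears to be needed only at build time (systemd's `elf2efi.py` uses it to convert the ELF stub into a PE image during the build, and the installed `linux*.efi.stub` is a PE binary that cannot reference it), so it belongs in `native-inputs` rather than `inputs`, where it becomes a spurious runtime dependency of the package. A style point for both packages in this hunk: `#:tests? #f` is the idiomatic way to skip the test suite, rather than `(delete 'check)`.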

I think its homepage has an ending slash, as in "https://systemd.io/".

> +    (synopsis "Unified kernel image UEFI stub")
> +    (description "Simple UEFi boot stub that loads a conjoined kernel image and
> +supporting data to their proper locations, before chainloading to the kernel.
> +Supports measured and/or verified boot environments.")
> +    (license license:lgpl2.1+)))
> +
> +(define-public ukify
> +  (package
> +    (name "ukify")
> +    (version systemd-version)
> +    (source systemd-source)
> +    (build-system python-build-system)
> +    (arguments
> +      (list #:phases
> +            #~(modify-phases %standard-phases
> +                (replace 'build
> +                  (lambda _
> +                    (substitute* "src/ukify/ukify.py" ; added in python 3.11
> +                      (("datetime\\.UTC") "datetime.timezone.utc"))))
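
Review bot: the description has `UEFi` for `UEFI`, and the `; added in python 3.11` comment should say `Python`; the substitution itself is correct (`datetime.UTC` is new in Python 3.11, `datetime.timezone.utc` is the portable spelling). Since `ukify` is copied into `bin/` as a script rather than built as a module, the `'build` phase is carrying only this one `substitute*`; either a snippet on `systemd-source` or a phase named after what it does (e.g. `'patch-datetime-utc`) would make that clearer than a replaced `'build`.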

It's likely that only ‘systemd-source’ will be touched in the future, so I'd
suggest moving this substitution into ‘systemd-source’ as a snippet.

> +                (delete 'check)
> +                (replace 'install
> +                  (lambda* (#:key inputs #:allow-other-keys)
> +                    (let* ((bin (string-append #$output "/bin"))
> +                           (file (string-append bin "/ukify"))
> +                           (binutils (assoc-ref inputs "binutils"))
> +                           (sbsign (assoc-ref inputs "sbsigntools")))

Getting inputs' path with ‘assoc-ref’ is not recommended.  ‘search-input-file’
or ‘this-package-input’ can be used instead.

> +                      (mkdir-p bin)
> +                      (copy-file "src/ukify/ukify.py" file)
> +                      (wrap-program file
> +                        `("PATH" ":" prefix
> +                          (,(string-append binutils "/bin")
> +                           ,(string-append sbsign "/bin"))))))))))
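
Review bot: if the `wrap-program` approach is kept, `bash-minimal` has to be added to `inputs`: the wrapper is a shell script whose shebang points at the builder's bash, and without bash as an input the installed wrapper refers to a store item the package does not declare a dependency on (`guix lint` reports exactly this). Substituting the absolute tool paths into the script avoids the wrapper entirely and also pins precisely which `sbsign`/`sbverify`/`readelf` the signing step runs, instead of whatever comes first on a prefixed `PATH`.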

I'd suggest patching paths instead of wrapping programs when possible, for
example, I have made one when reviewing this patch:

--8<---------------cut here---------------start------------->8---
(replace 'install
  (lambda* (#:key inputs #:allow-other-keys)
    (let ((file (string-append #$output "/bin/ukify")))
      (mkdir-p (dirname file))
      (copy-file "src/ukify/ukify.py" file)
      (substitute* file
        (("(find_tool.'|'name': ')\\<(readelf|sbsign|sbverify)\\>"
          _ pre cmd)
         (string-append
          pre (search-input-file
               inputs (string-append "bin/" cmd))))))))
--8<---------------cut here---------------end--------------->8---

Note that one dependency, ‘pesign’, is currently missing from Guix, thus not
handled here.

I don't know if it has anything to do with our usage, but for the completeness
of the package, I think we can package this dependency, or add a comment
around the ‘inputs’ field to indicate it's missing.

> +    (inputs (list binutils python-cryptography python-pefile sbsigntools))
> +    (home-page "https://systemd.io")

Same as the homepage mentioned above.

> +    (synopsis "Unified kernel image UEFI tool")
> +    (description "@command{ukify} joins together a UKI stub, linux kernel, initrd,
> +kernel arguments, and optional secure boot signatures into a single, UEFI-bootable
> +image.")
> +    (license license:lgpl2.1+)))
> +
>  (define-public dtc
>    (package
>      (name "dtc")
> --
> 2.41.0

Thanks





* [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
  2024-01-28  9:51   ` [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
@ 2024-02-11 18:39     ` Hilton Chain via Guix-patches via
  2024-02-13  2:11       ` Lilah Tascheter via Guix-patches
  0 siblings, 1 reply; 21+ messages in thread
From: Hilton Chain via Guix-patches via @ 2024-02-11 18:39 UTC (permalink / raw)
  To: Lilah Tascheter; +Cc: Vagrant Cascadian, 68524, Herman Rimm, Efraim Flashner

Hi Lilah,

On Sun, 28 Jan 2024 17:51:41 +0800,
Lilah Tascheter via Guix-patches wrote:
>
> * doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
>   uefi-uki-bootloader and uefi-uki-signed-bootloader.
>   (Keyboard Layout, Networking, and Partitioning)[Disk Partitioning]:
>   Note use of uefi-uki-bootloader and uefi-uki-signed-bootloader.
> * gnu/bootloader/uki.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm.
>
> Change-Id: I2097da9f3dd35137b3419f6d0545de26d53cb6da
> ---
>  doc/guix.texi          |  45 ++++++++++----
>  gnu/bootloader/uki.scm | 129 +++++++++++++++++++++++++++++++++++++++++
>  gnu/local.mk           |   1 +
>  3 files changed, 163 insertions(+), 12 deletions(-)
>  create mode 100644 gnu/bootloader/uki.scm
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index c458befb76..30fd5d022b 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -2723,12 +2723,13 @@ Keyboard Layout and Networking and Partitioning
>  for @command{cryptsetup luksFormat}.  You can check which key derivation
>  function is being used by a device by running @command{cryptsetup
>  luksDump @var{device}}, and looking for the PBKDF field of your
> -keyslots.
> +keyslots.  UEFI stub bootloaders, such as @code{uefi-uki-bootloader}, can
> +however use the default, more secure key derivation function.
>  @end quotation
>
> -Assuming you want to store the root partition on @file{/dev/sda2}, the
> -command sequence to format it as a LUKS2 partition would be along these
> -lines:
> +Assuming you want to store the root partition on @file{/dev/sda2} and use GRUB
> +as your bootloader, the command sequence to format it as a LUKS2 partition would
> +be along these lines:
>
>  @example
>  cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
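
Review bot: the new sentence says UEFI stub bootloaders can keep the default key derivation function, but the example right after it still hard-codes `--pbkdf pbkdf2` with no indication that this flag is the thing to drop. Add one sentence saying that with `uefi-uki-bootloader` the `--pbkdf pbkdf2` option should be omitted so that LUKS2 keeps its argon2id default, and why: the volume is then unlocked by cryptsetup inside the initrd rather than by GRUB, and GRUB's limitations are the only reason the manual asks for pbkdf2 in the first place.
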
> @@ -41136,8 +41137,9 @@ Bootloader Configuration
>  The bootloader to use, as a @code{bootloader} object.  For now
>  @code{grub-bootloader}, @code{grub-efi-bootloader},
>  @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
> -@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
> -and @code{u-boot-bootloader} are supported.
> +@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
> +@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
> +@code{uefi-uki-signed-bootloader} are supported.
>
>  @cindex ARM, bootloaders
>  @cindex AArch64, bootloaders
> @@ -41244,6 +41246,25 @@ Bootloader Configuration
>  unbootable.
>  @end quotation
>
> +@vindex uefi-uki-bootloader
> +@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, without
> +an intermediary like GRUB. The main practical advantage of this is allowing
> +root/store encryption without an extra GRUB password entry and slow decryption
> +step.
> +
> +@vindex uefi-uki-signed-bootloader
> +@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, except
> +that it is a procedure that returns a bootloader compatible with UEFI secure
> +boot. You must provide it with two paths: an out-of-store secure boot db
> +certificate (in PEM format), and out-of-store db key, in that order.

Please add two spaces between sentences, e.g. "Sentence 1.  Sentence 2".

I think "out-of-store" is not necessary here. :)

> +
> +@quotation Warning
> +When using @code{uefi-uki-bootloader} or @code{uefi-uki-signed-bootloader},
> +@emph{do not} turn off your computer if a system reconfigure failed at
> +installing the bootloader.  Until bootloader installation succeeds, your system
> +is in an unbootable state.
> +@end quotation
> +
>  @item @code{targets}
>  This is a list of strings denoting the targets onto which to install the
>  bootloader.
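
Review bot: the `uefi-uki-signed-bootloader` paragraph should say what kind of value the two paths are and why that matters: they are passed as plain strings and read at install time, so the certificate and key never enter the store, whereas file-like objects such as `local-file` would be copied into `/gnu/store`, which is world-readable, private key included. It should also state that the certificate must already be enrolled in the firmware's `db`, since a signed image whose signer is not trusted is rejected under Secure Boot and leaves the system unbootable in the same way the warning describes.
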
> @@ -41252,12 +41273,12 @@ Bootloader Configuration
>  For @code{grub-bootloader}, for example, they should be device names
>  understood by the bootloader @command{installer} command, such as
>  @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
> -GNU GRUB Manual}).  For @code{grub-efi-bootloader} and
> -@code{grub-efi-removable-bootloader} they should be mount
> -points of the EFI file system, usually @file{/boot/efi}.  For
> -@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
> -points corresponding to TFTP root directories served by your TFTP
> -server.
> +GNU GRUB Manual}).  For @code{grub-efi-bootloader},
> +@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
> +@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI file
> +system, usually @file{/boot/efi}.  For @code{grub-efi-netboot-bootloader},
> +@code{targets} should be the mount points corresponding to TFTP root directories
> +served by your TFTP server.
>
>  @item @code{menu-entries} (default: @code{'()})
>  A possibly empty list of @code{menu-entry} objects (see below), denoting
> diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
> new file mode 100644
> index 0000000000..0ef62295d6
> --- /dev/null
> +++ b/gnu/bootloader/uki.scm
> @@ -0,0 +1,129 @@
> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright © 2024 Lilah Tascheter <lilah@lunabee.space>
> +;;;
> +;;; This file is part of GNU Guix.
> +;;;
> +;;; GNU Guix is free software; you can redistribute it and/or modify it
> +;;; under the terms of the GNU General Public License as published by
> +;;; the Free Software Foundation; either version 3 of the License, or (at
> +;;; your option) any later version.
> +;;;
> +;;; GNU Guix is distributed in the hope that it will be useful, but
> +;;; WITHOUT ANY WARRANTY; without even the implied warranty of
> +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +;;; GNU General Public License for more details.
> +;;;
> +;;; You should have received a copy of the GNU General Public License
> +;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
> +
> +(define-module (gnu bootloader uki)
> +  #:use-module (gnu bootloader)
> +  #:use-module (gnu packages bootloaders)
> +  #:use-module (gnu packages efi)
> +  #:use-module (gnu packages linux)
> +  #:use-module (guix gexp)
> +  #:use-module (guix modules)
> +  #:use-module (srfi srfi-1)
> +  #:export (uefi-uki-bootloader uefi-uki-signed-bootloader))
> +
> +;; config generator makes script creating uki images
> +;; install runs script
> +;; install device is path to uefi dir
> +(define vendor "Guix")
> +(define script-loc "/boot/install-uki.scm")
> +
> +(define* (uefi-uki-configuration-file #:optional cert privkey)
> +  (lambda* (config entries #:key (old-entries '()) #:allow-other-keys)
> +
> +    (define (menu-entry->args e)

I'd prefer using ‘entry’ instead of ‘e’, same for some other nonobvious
abbreviations.

> +      (let* ((boot (bootloader-configuration-bootloader config))
> +             (stub (bootloader-package boot)))
> +        #~(list "--os-release" #$(menu-entry-label e)
> +            "--linux" #$(menu-entry-linux e) "--initrd" #$(menu-entry-initrd e)
> +            "--cmdline" (string-join (list #$@(menu-entry-linux-arguments e)))
> +            "--stub" #$(file-append stub "/libexec/" (systemd-stub-name))
> +            #$@(if cert #~("--secureboot-certificate" #$cert) #~())
> +            #$@(if privkey #~("--secureboot-private-key" #$privkey) #~()))))
> +
> +    (define (enum-filenames . args) ; same args as iota
> +      (map (lambda (n) (string-append (number->string n) ".efi"))
> +        (apply iota (map length args))))

"Same args as iota" doesn't explain the procedure, it actually accepts lists
instead of numbers, and only the first two lists are intended to be used, right?

I'd suggest just having two arguments with more descriptive names.

> +
> +    (program-file "install-uki"
> +      (with-imported-modules (source-module-closure '((guix build syscalls)
> +                                                      (guix build utils)))
> +        #~(let* ((target (cadr (command-line)))
> +                 (vendir (string-append target "/EFI/" #$vendor))
> +                 (schema (string-append vendir "/boot.mgr"))
> +                 (findmnt #$(file-append util-linux "/bin/findmnt"))
> +                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")))
> +            (use-modules (guix build syscalls) (guix build utils)
> +                         (ice-9 popen) (ice-9 textual-ports))
> +
> +            (define (out name) (string-append vendir "/" name))
> +            (define disk
> +              (call-with-port
> +                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target)
> +                (lambda (port) (get-line port)))) ; only 1 line: the device
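
Review bot: `call-with-port` closes the pipe with `close-port`, so the `findmnt` child is never reaped and, more importantly, its exit status is never checked: if `findmnt` fails, `get-line` returns the EOF object, `disk` silently becomes that, and the later `efibootmgr -d` call is handed nonsense. Use `close-pipe` and fail on a non-zero status, or drop the external tool and take the device from the mount table that `(guix build syscalls)` exposes (`mounts` / `mount-source`), where a failure is an ordinary Scheme error with a message.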

(guix build syscalls) has procedures that can be utilized for this, no need to
invoke findmnt.

> +
> +            ;; delete all boot entries and files we control
> +            (when (file-exists? schema)
> +              (call-with-input-file schema
> +                (lambda (port)
> +                  (for-each (lambda (l)
> +                              (unless (string-null? l)
> +                                (system* efibootmgr "-B" "-L" l "-q")))
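
Review bot: `boot.mgr` records display labels and entries are removed by label (`-B -L`), so any firmware entry that merely shares a label with a Guix generation (one the user created by hand, or one left behind by another install with the same label) is deleted too. Recording the `BootXXXX` number efibootmgr assigned at creation and deleting by number limits the cleanup to entries this installer actually owns.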

Despite the "-q" option, error messages will still be visible to user, please
use ‘invoke/quiet’ + error handling instead.

And I'd prefer long options.

> +                    (string-split (get-string-all port) #\lf)))))

‘#\newline’ is preferred over ‘#\lf’ in Guix source.

> +            (when (directory-exists? vendir) (delete-file-recursively vendir))
> +            (mkdir-p vendir)
> +
> +            (define (install port boot? oos)
> +              (lambda (args label name)
> +                (let ((minbytes (* 2 (stat:size (stat #$script-loc)))))
> +                  (put-string port label)
> +                  (put-char port #\lf)
> +                  (force-output port) ; make sure space is alloc'd
> +                  (apply invoke #$(file-append ukify "/bin/ukify")

‘invoke/quiet’ can be used.

> +                    "build" "-o" (out name) args)
> +                  ;; make sure we have enough space for next install-uki.scm
> +                  (when (and oos (< (free-disk-space vendir) minbytes)) (oos))
> +                  (invoke efibootmgr (if boot? "-c" "-C") "-L" label "-d" disk
> +                    "-l" (string-append "\\EFI\\" #$vendor "\\" name) "-q"))))
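
Review bot: `(stat #$script-loc)` stats `/boot/install-uki.scm` on the running system, but `install-uefi-uki` further down invokes the script as `(string-append mount-point #$script-loc)`; when `mount-point` is not `/` (a `guix system init` into `/mnt`) that absolute path is either absent, so the whole install fails on the size check, or belongs to the host's own generation. Take the size from the script's own path, `(car (command-line))`, which is what was actually invoked. Separately, `efibootmgr` receives the partition node from `findmnt` through `-d` and no `-p`; efibootmgr's default partition number is 1, so unless the version packaged in Guix derives the partition from the node it is given, an ESP that is not the first partition gets an entry pointing at the wrong partition. Worth testing on such a layout, or passing the partition number explicitly.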

You're calling the exception handler directly here, it might be better to move
the exception handling part into the procedure to avoid this.

> +
> +            (call-with-output-file schema
> +              (lambda (port) ; prioritize latest UKIs in limited ESP space
> +                (for-each (install port #t #f)
> +                  (list #$@(map-in-order menu-entry->args entries))
> +                  (list #$@(map-in-order menu-entry-label entries))
> +                  (list #$@(enum-filenames entries)))
> +                (for-each ; old-entries can fail (out of space) we don't care
> +                  (lambda (args label name)
> +                    (define (cleanup . _) ; do exit early if out of space tho
> +                      (when (file-exists? (out name)) (delete-file (out name)))
> +                      (exit))
> +                    (with-exception-handler cleanup
> +                      (lambda _ ((install port #f cleanup) args label name))))
> +                  (list #$@(map-in-order menu-entry->args old-entries))
> +                  (list #$@(map-in-order menu-entry-label old-entries))
> +                  (list #$@(enum-filenames old-entries entries))))))))))

These two ‘for-each’ can be merged into one.

> +
> +(define install-uefi-uki
> +  #~(lambda (bootloader target mount-point)
> +      (invoke (string-append mount-point #$script-loc)
> +              (string-append mount-point target))))
> +
> +(define* (make-uefi-uki-bootloader #:optional cert privkey)
> +  (bootloader
> +    (name 'uefi-uki)
> +    (package systemd-stub)
> +    (installer install-uefi-uki)
> +    (disk-image-installer #f)
> +    (configuration-file script-loc)
> +    (configuration-file-generator (uefi-uki-configuration-file cert privkey))))
> +
> +;; IMPORTANT NOTE: if bootloader install fails, do not turn off your computer! until
> +;; install succeeds, your system is unbootable.
> +(define uefi-uki-bootloader (make-uefi-uki-bootloader))
> +;; use ukify genkey to generate cert and privkey. DO NOT include in store.
> +(define (uefi-uki-signed-bootloader cert privkey)
> +  (make-uefi-uki-bootloader cert privkey))
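
Review bot: the comment says the certificate and key must not be in the store, but nothing enforces it: `uefi-uki-signed-bootloader` accepts any value, and a `local-file` or other file-like object, which is the usual Guix idiom for a file in a configuration, is ungexp'ed in `menu-entry->args` into a `/gnu/store` path, silently copying the private key into a world-readable location. Add a guard such as `(unless (and (string? cert) (string? privkey)) ...)` raising a clear `&message` so the procedure refuses file-like objects, and say in the docstring that the key file should be readable by root only, since the script runs as root at reconfigure time.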

They'll have the same bootloader name, making these two bootloaders
indistinguishable from boot-parameters.

> diff --git a/gnu/local.mk b/gnu/local.mk
> index ab63bd5881..0a15251ddf 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -90,6 +90,7 @@ GNU_SYSTEM_MODULES =				\
>    %D%/bootloader/extlinux.scm                   \
>    %D%/bootloader/u-boot.scm                     \
>    %D%/bootloader/depthcharge.scm                \
> +  %D%/bootloader/uki.scm                        \
>    %D%/ci.scm					\
>    %D%/compression.scm				\
>    %D%/home.scm					\
> --
> 2.41.0

I tried to adjust uki.scm before commenting, so here's a paste of my adjusted
version, in case some of my comments are not expressed clearly:
https://paste.sr.ht/~hako/62bb15503290273e869520e12466718ebb82e000

Thanks





* [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
  2024-02-11 18:39     ` Hilton Chain via Guix-patches via
@ 2024-02-13  2:11       ` Lilah Tascheter via Guix-patches
  2024-02-13  7:34         ` Lilah Tascheter via Guix-patches
  0 siblings, 1 reply; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-02-13  2:11 UTC (permalink / raw)
  To: 68524; +Cc: Vagrant Cascadian, Hilton Chain, Herman Rimm, Efraim Flashner

heyo!

thanks for the review :) I'll submit a revised patch, but had a question before
I get to work on it.

> I tried to adjust uki.scm before commenting, so here's a paste of my
> adjusted version, in case some of my comments are not expressed clearly:
> https://paste.sr.ht/~hako/62bb15503290273e869520e12466718ebb82e000

nighttime sky I didn't realize reinstall-bootloader existed. shit.

at this point, I don't think the install-uki.scm hack is a good idea. to get
this fully functioning, will probably have to do some more invasive edits to the
bootloader system, since the current one pretty much assumes an
extlinux/grubalike (which is what necessitated install-uki in the first place).
RFC on the following plan:

* add secure-boot-cert and secure-boot-key fields to bootloader-configuration.

* deprecate configuration-file and configuration-file-generator in the
  bootloader struct, and instead create an install-configuration-file field,
  similar to install-bootloader. default procedure will be to do the current
  install-boot-cfg (gnu build install) using the deprecated fields.

* rework uki.scm to, instead, run efibootmgr in install-configuration-file and
  install the uki.efi files in install-bootloader. remove the separation between
  uefi-uki-signed-bootloader and uefi-uki-bootloader, instead working off the
  new bootloader-configuration fields.

this plan should work with reinstall-bootloader, even though it uses the default
bootloader-configuration, since files are only signed during installation
proper.

opinions?

thanks,
lilah






* [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
  2024-02-13  2:11       ` Lilah Tascheter via Guix-patches
@ 2024-02-13  7:34         ` Lilah Tascheter via Guix-patches
  2024-02-14 18:02           ` Hilton Chain via Guix-patches via
  0 siblings, 1 reply; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-02-13  7:34 UTC (permalink / raw)
  To: 68524; +Cc: Vagrant Cascadian, Hilton Chain, Herman Rimm, Efraim Flashner

> * add secure-boot-cert and secure-boot-key fields to bootloader-
> configuration.
>
> * deprecate configuration-file and configuration-file-generator in
>   the bootloader struct, and instead create an install-configuration-file
>   field, similar to install-bootloader. default procedure will be to do the
>   current install-boot-cfg (gnu build install) using the deprecated fields.
>
> * rework uki.scm to, instead, run efibootmgr in install-
>   configuration-file and install the uki.efi files in install-bootloader.
>   remove the separation between uefi-uki-signed-bootloader and
>   uefi-uki-bootloader, instead working off the new bootloader-configuration
>   fields.

amending: also edit the bootloader-installer and bootloader-disk-image-installer
procedures to provide the bootloader-configuration in some manner.

lilah






* [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
  2024-02-13  7:34         ` Lilah Tascheter via Guix-patches
@ 2024-02-14 18:02           ` Hilton Chain via Guix-patches via
  0 siblings, 0 replies; 21+ messages in thread
From: Hilton Chain via Guix-patches via @ 2024-02-14 18:02 UTC (permalink / raw)
  To: Lilah Tascheter; +Cc: Vagrant Cascadian, 68524, Herman Rimm, Efraim Flashner

Hi Lilah,

On Tue, 13 Feb 2024 15:34:55 +0800,
Lilah Tascheter wrote:
>
> > * add secure-boot-cert and secure-boot-key fields to bootloader-
> > configuration.

How about using a pair instead of two fields?  And because the usage depends on
the bootloader, I'd like to use a generic name.

e.g. signing-keypair
 => '("/path/to/certificate" . "/path/to/private.key")

> > * deprecate configuration-file and configuration-file-generator in
> >   the bootloader struct, and instead create an install-configuration-file
> >   field, similar to install-bootloader. default procedure will be to do the
> >   current install-boot-cfg (gnu build install) using the deprecated fields.

I'd prefer ‘configuration-installer’, since the installation target may not be a
file. :)

I don't think the deprecation is necessary though, other bootloaders don't have
to duplicate this part of code, and in my opinion the following definition does
make sense.

--8<---------------cut here---------------start------------->8---
(define uefi-uki-bootloader
  (bootloader
   (name 'uefi-uki)
   (package systemd-stub)
   (installer install-uefi-uki)
   (configuration-installer install-uefi-uki-configuration)
   (configuration-file #f)
   (configuration-file-generator #f)))
--8<---------------cut here---------------end--------------->8---

> > * rework uki.scm to, instead, run efibootmgr in install-
> >   configuration-file and install the uki.efi files in install-bootloader.
> >   remove the separation between uefi-uki-signed-bootloader and
> >   uefi-uki-bootloader, instead working off the new bootloader-configuration
> >   fields.
>
> amending: also edit the bootloader-installer and bootloader-disk-image-installer
> procedures to provide the bootloader-configuration in some manner.

I agree that <bootloader> needs modifying, since unified kernel images currently
cannot be well described.  And to support proper generation switching, some
fields of <bootloader-configuration> need exposing.

As this now involves deeper change, I think it's better to post the plan on
guix-devel@gnu.org for wider visibility and potential discussions.

Thanks





* [bug#68524] [PATCH 0/2] Support root encryption and secure boot
  2024-01-17  4:23 [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
                   ` (3 preceding siblings ...)
  2024-01-28  9:51 ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
@ 2024-02-20  1:08 ` Nikolaos Chatzikonstantinou
  2024-03-08  8:09 ` Lilah Tascheter via Guix-patches
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 21+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2024-02-20  1:08 UTC (permalink / raw)
  To: 68524

What does it mean that "LUKS password entry is in the initrd"? Is the
password in plain sight?

Regards,
Nikolaos Chatzikonstantinou





* [bug#68524] [PATCH 0/2] Support root encryption and secure boot
  2024-01-17  4:23 [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
                   ` (4 preceding siblings ...)
  2024-02-20  1:08 ` [bug#68524] [PATCH " Nikolaos Chatzikonstantinou
@ 2024-03-08  8:09 ` Lilah Tascheter via Guix-patches
  2024-03-08 10:41 ` [bug#68524] Nikolaos Chatzikonstantinou
  2024-03-23 19:40 ` [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
  7 siblings, 0 replies; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-03-08  8:09 UTC (permalink / raw)
  To: 68524; +Cc: nchatz314

nah, what I meant by that is instead of entering your password while
you're booted into grub, you enter it while booted into your initrd.
either way nothing touches the disk.





* [bug#68524]
  2024-01-17  4:23 [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
                   ` (5 preceding siblings ...)
  2024-03-08  8:09 ` Lilah Tascheter via Guix-patches
@ 2024-03-08 10:41 ` Nikolaos Chatzikonstantinou
  2024-03-23 19:40 ` [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
  7 siblings, 0 replies; 21+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2024-03-08 10:41 UTC (permalink / raw)
  To: 68524

Great, thank you for clarifying. This is awesome work. Does it mean
however that Guix becomes tied to systemd in some way when this
feature is used? Or is the feature sufficiently isolated that no
systemd process takes place?

I've also looked briefly into this from another angle, trying to
either patch GRUB or to use kexec and boot from a USB. I'm glad that
you were able to do this, thanks a lot!

Regards,
Nikolaos Chatzikonstantinou





* [bug#68524] [PATCH 0/2] Support root encryption and secure boot
  2024-01-17  4:23 [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
                   ` (6 preceding siblings ...)
  2024-03-08 10:41 ` [bug#68524] Nikolaos Chatzikonstantinou
@ 2024-03-23 19:40 ` Lilah Tascheter via Guix-patches
  2024-03-24  9:38   ` Nikolaos Chatzikonstantinou
  7 siblings, 1 reply; 21+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-03-23 19:40 UTC (permalink / raw)
  To: 68524; +Cc: nchatz314

sorry for the late responses; I don't actually get sent your replies
unless you cc me.

and yeah don't worry it's isolated. there's only two bits of systemd
used, systemd-boot-stub and ukify. ukify is pretty much just a single
python script, and systemd-boot-stub is just a bit of code tacked on to
the boot process to handle combining the kernel, args, and initrd
together. no daemons or code past the bootloader at all!

of note I'm currently in the process of rewriting the entire guix
bootloader stack to make this work a Lot nicer. sooo hopefully that
gets finished soon.





* [bug#68524] [PATCH 0/2] Support root encryption and secure boot
  2024-03-23 19:40 ` [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
@ 2024-03-24  9:38   ` Nikolaos Chatzikonstantinou
  0 siblings, 0 replies; 21+ messages in thread
From: Nikolaos Chatzikonstantinou @ 2024-03-24  9:38 UTC (permalink / raw)
  To: Lilah Tascheter; +Cc: 68524

On Sat, Mar 23, 2024 at 3:40 PM Lilah Tascheter <lilah@lunabee.space> wrote:
> And yeah, don't worry, it's isolated. There are only two bits of systemd
> used, systemd-boot-stub and ukify. ukify is pretty much just a single
> Python script, and systemd-boot-stub is just a bit of code tacked on to
> the boot process to handle combining the kernel, args, and initrd
> together. No daemons or code past the bootloader at all!
>
> Of note, I'm currently in the process of rewriting the entire Guix
> bootloader stack to make this work a lot nicer. Sooo hopefully that
> gets finished soon.

Very exciting! I am looking forward to looking at the code.

Regards,
Nikolaos Chatzikonstantinou





Thread overview: 21+ messages
2024-01-17  4:23 [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
2024-01-17  4:23 ` [bug#68525] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
2024-01-17  4:23 ` [bug#68526] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
2024-01-17  4:48 ` [bug#68524] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
2024-01-17  4:48   ` [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
2024-01-25 10:03     ` Herman Rimm via Guix-patches via
2024-01-28  0:50       ` Lilah Tascheter via Guix-patches
2024-01-28  9:51 ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
2024-01-28  9:51   ` [bug#68524] [PATCH v2 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
2024-02-11 18:37     ` Hilton Chain via Guix-patches via
2024-01-28  9:51   ` [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
2024-02-11 18:39     ` Hilton Chain via Guix-patches via
2024-02-13  2:11       ` Lilah Tascheter via Guix-patches
2024-02-13  7:34         ` Lilah Tascheter via Guix-patches
2024-02-14 18:02           ` Hilton Chain via Guix-patches via
2024-02-11 18:37   ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Hilton Chain via Guix-patches via
2024-02-20  1:08 ` [bug#68524] [PATCH " Nikolaos Chatzikonstantinou
2024-03-08  8:09 ` Lilah Tascheter via Guix-patches
2024-03-08 10:41 ` [bug#68524] Nikolaos Chatzikonstantinou
2024-03-23 19:40 ` [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
2024-03-24  9:38   ` Nikolaos Chatzikonstantinou

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
