unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
* [bug#68524] [PATCH 0/2] Support root encryption and secure boot.
@ 2024-01-17  4:23 Lilah Tascheter via Guix-patches
  2024-01-17  4:23 ` [bug#68525] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
                   ` (12 more replies)
  0 siblings, 13 replies; 32+ messages in thread
From: Lilah Tascheter via Guix-patches @ 2024-01-17  4:23 UTC (permalink / raw)
  To: 68524; +Cc: Lilah Tascheter

Primarily adds a new bootloader, uefi-uki-bootloader, and an auxilliary form,
uefi-uki-signed-bootloader. These use isolated fragments of the systemd project
(particularly the systemd-stub UEFI stub and supporting ukify tool) to install
combined kernel/arguments/initrd images to the EFI system partition. The
built-in UEFI boot manager can then deal with boot selection. While this does
require copying files from the store to the partition, it makes up for it in two
important ways:

1. Proper encrypted root support! GRUB is really fucking slow at decrypting the
store in my experience, and it's annoying to have to enter in the root password
twice. Since the kernel is loaded directly from the system partition, the first,
and only, LUKS password entry is in the initrd. Also wholly bypasses GRUB not
supporting LUKS2 (or, at least, having bad issues with it on Guix).

2. Secure boot support! It's set up assuming the user has already created the
necessary keys (typically, in /root, as they should only be root-accessible).
Passing the paths to the db cert and key to uefi-uki-signed-bootloader will then
automatically sign the entire bootloader image. In combination with root
encryption, assuming a functioning motherboard UEFI installation, this should
fully secure Guix's boot chain.

This is ported from my personal channel, so uefi-uki-bootloader has been tested
for months. The main drawback is lack of kernel generation rollback in the case
of a botched upgrade, so I've been keeping around a manually-copied backup uki
image, but I haven't had any troubles with it so far. I have just verified
uefi-uki-signed-bootloader properly functions and boots in secure boot user
mode.

All in-system testing has been done on my channel, so the porting process may
have had issues, but I did make sure the added packages compile, and there
aren't any miscopies.

No clue how this works on non-x64 systems. I don't think there's enough ARM UEFI
systems in existance for it to matter that much anyway.

Thanks!

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  35 +++++++++---
 gnu/bootloader/uki.scm       | 106 +++++++++++++++++++++++++++++++++++
 gnu/packages/bootloaders.scm |  94 +++++++++++++++++++++++++++++++
 3 files changed, 227 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm


base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
-- 
2.41.0





^ permalink raw reply	[flat|nested] 32+ messages in thread

end of thread, other threads:[~2024-10-21 15:42 UTC | newest]

Thread overview: 32+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-01-17  4:23 [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
2024-01-17  4:23 ` [bug#68525] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
2024-01-17  4:23 ` [bug#68526] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
2024-01-17  4:48 ` [bug#68524] [PATCH 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
2024-01-17  4:48   ` [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
2024-01-25 10:03     ` Herman Rimm via Guix-patches via
2024-01-28  0:50       ` Lilah Tascheter via Guix-patches
2024-01-28  9:51 ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
2024-01-28  9:51   ` [bug#68524] [PATCH v2 1/2] gnu: bootloaders: Add uki packages Lilah Tascheter via Guix-patches
2024-02-11 18:37     ` Hilton Chain via Guix-patches via
2024-01-28  9:51   ` [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader Lilah Tascheter via Guix-patches
2024-02-11 18:39     ` Hilton Chain via Guix-patches via
2024-02-13  2:11       ` Lilah Tascheter via Guix-patches
2024-02-13  7:34         ` Lilah Tascheter via Guix-patches
2024-02-14 18:02           ` Hilton Chain via Guix-patches via
2024-02-11 18:37   ` [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot Hilton Chain via Guix-patches via
2024-02-20  1:08 ` [bug#68524] [PATCH " Nikolaos Chatzikonstantinou
2024-03-08  8:09 ` Lilah Tascheter via Guix-patches
2024-03-08 10:41 ` [bug#68524] Nikolaos Chatzikonstantinou
2024-03-23 19:40 ` [bug#68524] [PATCH 0/2] Support root encryption and secure boot Lilah Tascheter via Guix-patches
2024-03-24  9:38   ` Nikolaos Chatzikonstantinou
2024-07-29  5:11 ` [bug#68524] Fwd: " Ryan S via Guix-patches via
2024-08-15 13:14 ` [bug#68524] Rewrite Posted Lilah Tascheter via Guix-patches
2024-08-15 17:18   ` Nikolaos Chatzikonstantinou
2024-09-25 11:11 ` [bug#68524] [PATCH v3 0/5] Support root encryption and secure boot Herman Rimm via Guix-patches via
2024-09-25 11:11   ` [bug#68524] [PATCH v3 1/5] gnu: packages: Add pesign Herman Rimm via Guix-patches via
2024-09-25 11:12   ` [bug#68524] [PATCH v3 2/5] gnu: packages: Add ukify Herman Rimm via Guix-patches via
2024-09-25 11:12   ` [bug#68524] [PATCH v3 3/5] gnu: packages: Add systemd-stub Herman Rimm via Guix-patches via
2024-09-25 11:12   ` [bug#68524] [PATCH v3 4/5] gnu: system: Fix bootloader crypto device recognition Herman Rimm via Guix-patches via
2024-09-25 11:12   ` [bug#68524] [PATCH v3 5/5] gnu: bootloaders: Add uki-efi-bootloader Herman Rimm via Guix-patches via
2024-10-18  5:47 ` [bug#68524] One problem with uki bootloader amano.kenji via Guix-patches via
2024-10-21 15:41 ` [bug#68524] Can uki be used with grub? amano.kenji via Guix-patches via

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).