From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#68524] [PATCH 0/2] Support root encryption and secure boot.
Resent-From: Lilah Tascheter
Resent-CC: guix-patches@gnu.org
Resent-Date: Wed, 17 Jan 2024 04:38:02 +0000
X-GNU-PR-Message: report 68524
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 68524@debbugs.gnu.org
Cc: Lilah Tascheter
Date: Tue, 16 Jan 2024 22:23:02 -0600
From: Lilah Tascheter via Guix-patches
Reply-To: Lilah Tascheter
Content-Type: text/plain; charset=UTF-8

Primarily adds a new bootloader, uefi-uki-bootloader, and an auxiliary form,
uefi-uki-signed-bootloader. These use isolated fragments of the systemd project
(particularly the systemd-stub UEFI stub and supporting ukify tool) to install
combined kernel/arguments/initrd images to the EFI system partition. The
built-in UEFI boot manager can then deal with boot selection. While this does
require copying files from the store to the partition, it makes up for it in
two important ways:

1. Proper encrypted root support! GRUB is really fucking slow at decrypting the
store in my experience, and it's annoying to have to enter in the root password
twice. Since the kernel is loaded directly from the system partition, the first,
and only, LUKS password entry is in the initrd. Also wholly bypasses GRUB not
supporting LUKS2 (or, at least, having bad issues with it on Guix).

2. Secure boot support! It's set up assuming the user has already created the
necessary keys (typically, in /root, as they should only be root-accessible).
Passing the paths to the db cert and key to uefi-uki-signed-bootloader will then
automatically sign the entire bootloader image. In combination with root
encryption, assuming a functioning motherboard UEFI installation, this should
fully secure Guix's boot chain.

This is ported from my personal channel, so uefi-uki-bootloader has been tested
for months. The main drawback is lack of kernel generation rollback in the case
of a botched upgrade, so I've been keeping around a manually-copied backup uki
image, but I haven't had any troubles with it so far. I have just verified
uefi-uki-signed-bootloader properly functions and boots in secure boot user mode.

All in-system testing has been done on my channel, so the porting process may
have had issues, but I did make sure the added packages compile, and there
aren't any miscopies.

No clue how this works on non-x64 systems. I don't think there are enough ARM
UEFI systems in existence for it to matter that much anyway.

Thanks!

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  35 +++++++++---
 gnu/bootloader/uki.scm       | 106 +++++++++++++++++++++++++++++++++++
 gnu/packages/bootloaders.scm |  94 +++++++++++++++++++++++++++++++
 3 files changed, 227 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
-- 
2.41.0
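The cover letter above leans on two properties of the installed image: the kernel, initrd and command line are baked into one PE file in the ESP (so the only LUKS prompt comes from that initrd), and, with uefi-uki-signed-bootloader, that whole file carries a db-key signature. Before flipping the firmware into user mode, a practitioner wants to confirm both on the file actually sitting in the ESP: which sections it contains, what command line was sealed in, and whether an Authenticode certificate table is attached at all. The following is an added example, not code from this patch series or from the Guix or systemd projects. It parses the PE32+/PE32 headers directly (no pefile dependency), reports the sections, extracts `.cmdline`, and checks the security data directory for a `WIN_CERTIFICATE` of the PKCS#7 type that sbsign/ukify attach. `build_uki` only exists to construct an offline test input laid out like a UKI; it does not produce a bootable image, the certificate blob it embeds is a placeholder rather than real PKCS#7, and `RISKY_CMDLINE_PARAMS` is an illustrative list of my own choosing (a signed UKI with `init=/bin/sh` baked in is a signed shell, which is why the command line is worth auditing alongside the signature).

```python
"""Inspect a Unified Kernel Image: list PE sections, pull out the embedded
kernel command line and report whether a signature table is attached.
Example code, not part of the Guix patch; build_uki is a constructed fixture."""
import struct
import sys

DOS_HEADER_SIZE = 64
COFF_HEADER_SIZE = 20
OPT_HEADER_SIZE = 240            # PE32+: 112 fixed bytes + 16 data directories
SECTION_HEADER_SIZE = 40
FILE_ALIGN = 0x200
SECURITY_DIR = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY (file offset, not RVA)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
# Assumed/illustrative: parameters that turn a signed UKI into a signed root shell.
RISKY_CMDLINE_PARAMS = ("init=", "rdinit=", "rd.break", "rd.shell")


def build_uki(sections, cert_blob=None):
    """Constructed test input: a minimal, non-bootable PE32+ laid out like a UKI.
    `sections` maps names such as ".cmdline" to bytes. If `cert_blob` is given it is
    wrapped in a WIN_CERTIFICATE header and referenced from the security directory,
    the way sbsign does (the blob here is a placeholder, not real PKCS#7)."""
    def align(n):
        return (n + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN

    names = list(sections)
    hdr_end = (DOS_HEADER_SIZE + 4 + COFF_HEADER_SIZE + OPT_HEADER_SIZE
               + SECTION_HEADER_SIZE * len(names))
    raw_off, rva, sec_hdrs, payload = align(hdr_end), 0x1000, b"", b""
    for name in names:
        assert len(name) <= 8, "PE section names are at most 8 bytes"
        data = sections[name]
        raw_size = align(len(data))
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), rva,
                                raw_size, raw_off, 0, 0, 0, 0, 0x40000040)
        payload += data.ljust(raw_size, b"\0")
        raw_off += raw_size
        rva += 0x1000 * (len(data) // 0x1000 + 1)
    cert_table = b""
    if cert_blob is not None:
        cert_table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    opt = bytearray(OPT_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)        # IMAGE_SUBSYSTEM_EFI_APPLICATION
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    if cert_table:                             # cert table sits at end of file
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, raw_off, len(cert_table))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", DOS_HEADER_SIZE)   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, OPT_HEADER_SIZE, 0x0022)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return headers.ljust(align(hdr_end), b"\0") + payload + cert_table


def inspect_uki(image):
    """Parse PE headers and return sections, command line, signature presence
    and any risky command-line tokens. Raises ValueError on a non-PE input."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 4 + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", image, opt)[0]
    # PE32+ (0x20B) and PE32 (0x10B) place NumberOfRvaAndSizes / directories differently.
    nrva_off, dir_off = (108, 112) if magic == 0x20B else (92, 96)
    nrva = struct.unpack_from("<I", image, opt + nrva_off)[0]
    cert_off = cert_size = 0
    if nrva > SECURITY_DIR:
        cert_off, cert_size = struct.unpack_from("<II", image, opt + dir_off + 8 * SECURITY_DIR)

    sections = {}
    for i in range(nsec):
        hdr = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, _rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, hdr)
        size = min(vsize, raw_size) if vsize else raw_size   # VirtualSize = unpadded length
        sections[name.rstrip(b"\0").decode()] = bytes(image[raw_ptr:raw_ptr + size])

    # "Signed" here means a well-formed PKCS#7 WIN_CERTIFICATE entry is attached;
    # checking that it chains to the enrolled db cert is sbverify's job, not this script's.
    signed = False
    if cert_off and cert_size >= 8 and cert_off + cert_size <= len(image):
        length, _rev, ctype = struct.unpack_from("<IHH", image, cert_off)
        signed = ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= cert_size

    cmdline = sections.get(".cmdline", b"").rstrip(b"\0").decode(errors="replace")
    risky = [tok for tok in cmdline.split() if tok.startswith(RISKY_CMDLINE_PARAMS)]
    return {"sections": sections, "cmdline": cmdline, "signed": signed, "risky": risky}


if __name__ == "__main__":
    # Usage: python3 inspect_uki.py /boot/efi/EFI/Guix/guix.efi  (path is an assumption)
    with open(sys.argv[1], "rb") as fh:
        report = inspect_uki(fh.read())
    for name, data in report["sections"].items():
        print(f"{name:10} {len(data):>10} bytes")
    print("cmdline:", report["cmdline"])
    print("signature table attached:", report["signed"])
    print("risky cmdline tokens:", report["risky"] or "none")
```

The structural answer this gives (sections present, command line sealed in, certificate table attached) is the cheap pre-check; the cryptographic one, that the signature validates against the db certificate the firmware trusts, is what `sbverify --cert db.crt image.efi` from sbsigntools does, and a UKI that passes both should also be the one whose `.linux` and `.initrd` contents hash to the store items you expect.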