Date: Wed, 15 Feb 2023 23:34:31 +0100
From: indieterminacy
To: Guix Devel
Subject: Building Bootloader Images for Owner-Controlled Computers
Message-ID: <1082f8b3a6d3411ba5ef8090d169a98e@libre.brussels>
Organization: Icebreaker

I noticed this recommendation of a Nix tool.
It's not my specialism and I'm only providing it for stimulation or as a
conversation starter.

```
All the necessary components (coreboot, kernel, busybox-based initramfs
with cryptsetup/lvm2) are stored entirely in the bootloader flash chip.
This leaves no writable unencrypted media in the boot process when the
flash chip's write protect pin is shorted.

Ownerboot extends coreboot with a new normal/fallback mechanism. The
flash chip holds two complete copies of the bootloader; only a single
page (the bootblock) is shared between them. Each image can be flashed
and write-protected independently of the other. The fallback image can
be selected by /dev/watchdog, nvramtool, or physical input (front-panel
button on servers, stylus eject on laptops).

Because ownerboot is written in nix, it can ensure that these builds are
deterministic.
Ownerboot contains no binaries, and instantiates nixpkgs with
config.allowNonSource=false; if you disable nix's binary substituter you
are assured that all the software in your bootloader will be built from
source on your local machine, all the way back to the compiler which
compiles your compiler.
```

https://sr.ht/~amjoseph/ownerboot/

--
Jonathan McHugh
indieterminacy@libre.brussels