From: Antonio Carlos Padoan Junior
To: guix-devel
Subject: Re: secure boot
Date: Mon, 22 Aug 2022 22:13:50 +0200
In-Reply-To: <87pmguugp0.fsf@jpoiret.xyz> (Josselin Poiret's message of "Sun, 21 Aug 2022 10:46:51 +0200")
References: <87h727tazd.fsf.ref@yahoo.com.br> <87h727tazd.fsf@yahoo.com.br> <87pmguugp0.fsf@jpoiret.xyz>
Message-ID: <87a67wrq81.fsf@yahoo.com.br>
List-Id: "Development of GNU Guix and the GNU System distribution."

Thank you for your answer!

Josselin Poiret writes:

> Hi Antonio,
>
> Antonio Carlos Padoan Junior writes:
>
>> As far as I understand, Guix doesn't provide means to automatically sign
>> bootloaders and kernels in order to use UEFI secure boot after each system
>> reconfigure (assuming a PKI is properly implemented). Hence, using
>> secure boot with Guix is currently not viable (am I correct?).
>
> You're right, we don't really have any means to do that. It would have
> to be done outside of the store, again, so that the private key doesn't
> leak into it.

Can we imagine signing the kernel outside the Guix layer, I mean, directly in the store without using Guix commands? I understand this would conceptually break the Guix functional characterization, and it is not very "clean". But despite these points, are any other side effects expected?

I'm not sure if my question is convenient for this list; if it is not, sorry for the inconvenience.

Best regards,
-- 
Antonio Carlos PADOAN JUNIOR
GPG fingerprint: 243F 237F 2DD3 4DCA 4EA3 1341 2481 90F9 B421 A6C9
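The point Josselin makes, that the signing step has to live outside the store so the private key never ends up in the world-readable /gnu/store, as an added example that is not from this thread or from Guix itself: a POSIX shell script for a post-reconfigure signing step. It assumes keys under /etc/secureboot, the GRUB EFI image at /boot/efi/EFI/Guix/grubx64.efi, and sbsign/sbverify from sbsigntools; the store prefix is a parameter so the guard can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix): sign an EFI binary that
# lives outside the store, refusing any key or target that is inside it.
# Assumed: sbsign/sbverify from sbsigntools, keys kept in /etc/secureboot,
# GRUB image at /boot/efi/EFI/Guix/grubx64.efi. STORE_PREFIX is overridable
# only so the guard can be tested against a constructed directory.

STORE_PREFIX="${STORE_PREFIX:-/gnu/store}"

# Succeeds only if the key is outside the store and readable by its owner alone.
key_is_private() {
    key="$1"
    case "$key" in
        "$STORE_PREFIX"/*) echo "refusing: key lives in the store" >&2; return 1 ;;
    esac
    [ -f "$key" ] || { echo "refusing: no such key: $key" >&2; return 1; }
    # group/other permission bits from `ls -ld`; anything but '------' is too open
    bits=$(ls -ld "$key" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "refusing: key readable by group/others" >&2; return 1; }
    return 0
}

# Sign one EFI binary in place (outside the store) and verify the signature
# against the same certificate before replacing the original.
sign_efi_binary() {
    key="$1"; cert="$2"; target="$3"
    key_is_private "$key" || return 1
    case "$target" in
        "$STORE_PREFIX"/*) echo "refusing: would modify a store item" >&2; return 1 ;;
    esac
    sbsign --key "$key" --cert "$cert" --output "$target.signed" "$target" || return 1
    sbverify --cert "$cert" "$target.signed" || return 1
    mv "$target.signed" "$target"
}

# Typical invocation after `guix system reconfigure`, run as root (assumed paths):
#   sign_efi_binary /etc/secureboot/db.key /etc/secureboot/db.crt \
#       /boot/efi/EFI/Guix/grubx64.efi
```

Signing the copy in /boot/efi rather than the store item keeps the store content-addressed and untouched, which is the "not very clean" part of modifying the store directly that the question raises.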