From: Antonio Carlos Padoan Junior
To: guix-devel@gnu.org
Subject: secure boot
Date: Sat, 20 Aug 2022 13:23:18 +0200
Message-ID: <87h727tazd.fsf@yahoo.com.br>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello,

I hope my question makes sense. It concerns Guix GRUB UEFI bootloaders.

I would like to understand to what extent Guix's functional approach helps to secure the computer with regard to an early boot malicious code/malware infection.

As far as I understand, Guix doesn't provide means to automatically sign bootloaders and kernels in order to use UEFI secure boot after each system reconfigure (assuming a PKI is properly implemented). Hence, using secure boot with Guix is currently not viable (am I correct?).

In this context, can I assume that the risk of not having secure boot is minimized by the fact that in each system reconfiguration, the early boot chain is overwritten in such a way that, if malicious code is introduced somehow, it will also be overwritten? Am I correct?

In addition, how much more difficult is it to introduce such malicious code in a Guix system given its functional approach and store system (in comparison with other Linux distributions)?

I know that Guix provides an amazing approach to secure the software supply chain, but I was wondering if not having secure boot can be considered a major drawback for Guix.

Best regards
-- 
Antonio Carlos PADOAN JUNIOR
GPG fingerprint: 243F 237F 2DD3 4DCA 4EA3 1341 2481 90F9 B421 A6C9