From: "Philip McGrath" <philip@philipmcgrath.com>
To: "Josselin Poiret", "Antonio Carlos Padoan Junior", "Brian Cully"
X-BeenThere: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."
Subject: Re: secure boot
Date: Tue, 23 Aug 2022 23:07:26 -0400
In-Reply-To: <87pmguugp0.fsf@jpoiret.xyz>
References: <87h727tazd.fsf.ref@yahoo.com.br> <87h727tazd.fsf@yahoo.com.br> <87pmguugp0.fsf@jpoiret.xyz>
Content-Type: text/plain
On Sun, Aug 21, 2022, at 4:46 AM, Josselin Poiret wrote:
> Hi Antonio,
>
> Antonio Carlos Padoan Junior writes:
>
>> As far as I understand, Guix doesn't provide means to automatically sign
>> bootloaders and kernels in order to use UEFI secure boot after each system
>> reconfigure (assuming a PKI is properly implemented). Hence, using
>> secure boot with Guix is currently not viable (am I correct?).
>
> You're right, we don't really have any means to do that. It would have
> to be done outside of the store, again, so that the private key doesn't
> leak into it.
>

I could imagine a process like this:

1. Build the binary that needs to be signed.
2. Outside of the Guix build environment, create a detached signature for the binary using your secret key.
3. Add the detached signature to the Guix store, perhaps with 'local-file'.
4. Use Guix to attach the signature to the built binary.
5. Use the signed binary in your operating-system configuration.

IIUC, executables that run in the UEFI environment need "secure boot" signatures to be attached, but you may be able to use detached signatures directly for other things that they want to verify by means other than "secure boot".

I expect the things that need to be signed are small, build reproducibly, and change rarely, which might make this especially practical.

-Philip
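As an added example (not code from Philip's message or from the Guix project), steps 1 to 4 of the process above can be expressed as a Guix G-expression: the unsigned image is a normal store output, the detached signature is brought in with `local-file`, and a `computed-file` derivation attaches it and then verifies the result against the public certificate, so only public material ever enters the store. The example assumes the `sbsigntools` package from `(gnu packages efi)` and its `sbattach`/`sbverify` commands, a placeholder package variable `my-efi-package` with a placeholder image path, and two files next to the configuration, `example.efi.sig` (the detached signature) and `db.crt` (the public certificate enrolled in the firmware's db); all of these are assumptions, not something the original message or Guix provides.

```scheme
;; Added example, not from the original message or the Guix project.
;; Step 2 happens outside Guix, on a machine that holds the private key,
;; for instance (sbsigntools command, run by hand):
;;   sbsign --key db.key --cert db.crt --detached \
;;          --output example.efi.sig /gnu/store/...-my-efi-package/share/efi/example.efi
;; Only example.efi.sig and the public db.crt are referenced below.
(use-modules (guix gexp)
             (gnu packages efi))

;; Step 1: the binary to sign is an ordinary store output.
;; `my-efi-package' and the path are placeholders for your own build.
(define unsigned-efi
  (file-append my-efi-package "/share/efi/example.efi"))

;; Step 3: add the detached signature (public data) to the store.
;; The private key is never referenced from any Guix file, so it cannot
;; leak into a derivation or the store.
(define detached-signature
  (local-file "example.efi.sig"))

;; The public certificate is also safe to put in the store; it is used
;; only to check the attached signature in the derivation below.
(define signing-cert
  (local-file "db.crt"))

;; Step 4: a derivation that splices the signature into the PE image.
(define signed-efi
  (computed-file "example-signed.efi"
    (with-imported-modules '((guix build utils))
      #~(begin
          (use-modules (guix build utils))
          (let ((sbattach #+(file-append sbsigntools "/bin/sbattach"))
                (sbverify #+(file-append sbsigntools "/bin/sbverify")))
            ;; Store items are read-only, so work on a writable copy.
            (copy-file #$unsigned-efi #$output)
            (chmod #$output #o644)
            ;; Attach the detached signature in place.
            (invoke sbattach "--attach" #$detached-signature #$output)
            ;; Check: the result must verify against the public cert.
            ;; A mismatch (wrong key, signature made for a different
            ;; build) fails the derivation instead of producing an
            ;; image the firmware would reject at boot.
            (invoke sbverify "--cert" #$signing-cert #$output))))))
```

`signed-efi` is a file-like object, so it can be referenced from a G-expression elsewhere in an operating-system declaration (step 5). Because the derivation ends with `sbverify`, a signature produced for an earlier build of the binary, which no longer matches after a rebuild, is caught at `guix system reconfigure` time rather than at boot; the reproducibility Philip mentions is what keeps the detached signature valid across rebuilds in the first place.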