GNU bug report logs - #68524
[PATCH 0/2] Support root encryption and secure boot.

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 21 Oct 2024 15:41:46 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Oct 21 11:41:46 2024
Received: from localhost ([127.0.0.1]:52977 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1t2uXS-00086D-0Z
	for submit <at> debbugs.gnu.org; Mon, 21 Oct 2024 11:41:46 -0400
Received: from mail-40137.protonmail.ch ([185.70.40.137]:64139)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <amano.kenji@HIDDEN>) id 1t2uXO-00085t-3p
 for 68524 <at> debbugs.gnu.org; Mon, 21 Oct 2024 11:41:44 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me;
 s=uf4ctmxiszdw5happupscrnrx4.protonmail; t=1729525268; x=1729784468;
 bh=LSvAW/8H8QgfPzynZN2HRDTt9BTl+HZT1TwoR77tmbI=;
 h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;
 b=Bvr++rTSqhAqNsj3w6TqPaN7bLfKfOSPhGdOZuEetIgjTfDMmOfnCYLnWhrWfyAeL
 B71XcGtnAH4t88Z4iF/b9/3TmshN8uadfiJir79yK6kaOWhS9BG6J9W+ylIXGSKu9g
 c0JcPjdGIEBbz5f8S2YganrWTT5y1RD8U8VOP0Lz90iJtVQ9HkjV/q9/Ph/f01ZHrD
 +/9iEQNNJfj2OaiMv0TvXOMyoLq9aUX0Muh6PiS9Ie/9dg5C152/u7FyY6rM1JgoLk
 iSNhWGKz98F2MAqe89eNDwSw98vBNC/W8IBYN9cK3nhN+JunhVHkfTOxHozBRwvgT2
 9wIR4nMNg5Awg==
Date: Mon, 21 Oct 2024 15:41:02 +0000
To: "68524 <at> debbugs.gnu.org" <68524 <at> debbugs.gnu.org>
From: "amano.kenji" <amano.kenji@HIDDEN>
Subject: Can uki be used with grub?
Message-ID: <xIch4j_PFivh-eDINgBY5mCvG-TJeSjQPm99xwPpISW0rCwo_OewJCf8Y6x7RerdOdjjsI1hrdVXpT8pBZM3211UUWu6DURmsQKGvCVK8U0=@proton.me>
Feedback-ID: 48725158:user:proton
X-Pm-Message-ID: f3dc1eee397c5dcd6b84a717a9785aa2dd4846bb
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

I propose writing grub.cfg instead of modifying nvram.

1. Modifying nvram whenever there are changes to kernel images will increas=
e wear and tear on nvram. If grub loads uki, then nvram lifespan will incre=
ase.

2. kernel arguments should go to both grub.cfg and uki because uki argument=
s are passed to kernel in the absence of secure boot. I'd like to be able t=
o change kernel arguments in grub for debugging and troubleshooting.

Thus, the bootloader can be called grub-uefi-uki-bootloader and grub-uefi-u=
ki-signed-bootloader.

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 18 Oct 2024 05:48:23 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Oct 18 01:48:23 2024
Received: from localhost ([127.0.0.1]:36721 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1t1fqZ-0003Tb-7r
	for submit <at> debbugs.gnu.org; Fri, 18 Oct 2024 01:48:23 -0400
Received: from mail-4325.protonmail.ch ([185.70.43.25]:12509)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <amano.kenji@HIDDEN>) id 1t1fqV-0003TH-5k
 for 68524 <at> debbugs.gnu.org; Fri, 18 Oct 2024 01:48:22 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me;
 s=protonmail; t=1729230470; x=1729489670;
 bh=o6mBM6+G8PA54uNOiBPmXrIjYdzdvoJVCGamk63HnvA=;
 h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;
 b=j9H1g6ZExt4ZLKjuqvD4hge43v6U5FbLoftMQjfnRkHRZUyQgUFcN3cO0rYrqC4X9
 ZSq9eSxQG+ON5p3aUQ0q0s4U+8RXh7L8zYBoubjSRsGoRTTslxBUlg9+FPyWV2o4tL
 Zp0Kfm1qQfSt6jvcLODNB1vSKcJw9Up9Fx/BD4tOtQzj7ngRpgBteVAYmzROstypLp
 NoYeIK5l2OIo/UvbLuWL2e9U3DZ++0geIngS+ASRMlr0RxTbgJo/LXpTuHUoZ4q4L3
 S5j1GYxpQfgc7uG/pMVHi5kcGQklJZHj/p+rJtBT8PnLqGGRazKPCSoKalDMDHOcjF
 jA+kzHu6uVt3w==
Date: Fri, 18 Oct 2024 05:47:46 +0000
To: "68524 <at> debbugs.gnu.org" <68524 <at> debbugs.gnu.org>
From: "amano.kenji" <amano.kenji@HIDDEN>
Subject: One problem with uki bootloader.
Message-ID: <C6b5eB539CwLwdvDVzIYaBLzOJoCOJQPB1R49_i0pNcYX-p1bZz_REc1HZUgKaWa9z_yI-RxB40HVTv26eYk7KIH2byIVTXoDIifNmYAnIc=@proton.me>
Feedback-ID: 48725158:user:proton
X-Pm-Message-ID: 159b9a3923aa644975bf2c2fa47d68c8c04b65ce
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 68524
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

You can't change kernel parameters when you boot uki bootloader.

GRUB allows you to change kernel parameters before boot.

I wish guix installed kernel and initrd and grub.cfg in /boot. Then, grub d=
oesn't need a password, and decrypting encrypted file systems will be a lot=
 faster with grub.

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 25 Sep 2024 11:20:31 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 25 07:20:31 2024
Received: from localhost ([127.0.0.1]:57501 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1stQ4M-0001Wb-PY
	for submit <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:31 -0400
Received: from 81-205-150-117.fixed.kpn.net ([81.205.150.117]:50673
 helo=email.rimm.ee) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <herman@HIDDEN>) id 1stQ4F-0001Sq-Ts
 for 68524 <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:25 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rimm.ee; s=herman;
 t=1727262782;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=/0JKAnM5t64THUuoT4qiKSOCSq+rdBW2bp9hPc4an08=;
 b=lg93xlugl8YwXA/YZXjnrmnwZ/J8lGc+/cV9fONAuPCQefQ7uVN+jbRipwMbi9qrvaxfgm
 tAdgbi7nEW4Jj7hG2MnnPJDMB6XA8VSkpmJLCs4U+l566lI7YkRHtEnjIetSTXkOizknRy
 zAoJ4mrV87UsAK0aaxw1zHogzEtG29HTyxBFi3IF01brPtWhHY7iuAJVWDfegHXFx5xjBi
 QNa29ooFnRjhT5OKo5wFLnI7HnkOHpHfV0j6pBWSts3z55YZMg5eINV5Ud8lpZP+qSFgAV
 8HFqrVwwjs6oJrNpMlYS06mze9YfM6aSwweW2LmB6vuzRFK3VbpKbNocbpmN6Q==
Received: by 81-205-150-117.fixed.kpn.net (OpenSMTPD) with ESMTPSA id dd08b030
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Wed, 25 Sep 2024 11:13:02 +0000 (UTC)
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 5/5] gnu: bootloaders: Add uki-efi-bootloader.
Date: Wed, 25 Sep 2024 13:12:03 +0200
Message-ID: <a048eadc669b67d35b104010beadec1ad1b83ef4.1727262600.git.herman@HIDDEN>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <cover.1727262600.git.herman@HIDDEN>
References: <cover.1727262600.git.herman@HIDDEN>
MIME-Version: 1.0
X-Debbugs-Cc: Florian Pelz <pelzflorian@HIDDEN>, Lilah Tascheter <lilah@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: 3.6 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: From: Lilah Tascheter <lilah@HIDDEN> *
 gnu/bootloader.scm
 (<bootloader-configuration>): New keypair field. * gnu/bootloader/uki.scm:
 New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm. *
 doc/guix.texi (Bootloader Confi [...] 
 Content analysis details:   (3.6 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
 The query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in sa-accredit.habeas.com]
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 [81.205.150.117 listed in zen.spamhaus.org]
 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
 query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in bl.score.senderscore.com]
 0.0 TVD_RCVD_IP            Message was received from an IP address
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Debbugs-Envelope-To: 68524
Cc: Lilah Tascheter <lilah@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  From: Lilah Tascheter <lilah@HIDDEN> * gnu/bootloader.scm
    (<bootloader-configuration>): New keypair field. * gnu/bootloader/uki.scm:
    New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm. *
   doc/guix.texi (Bootloader Confi [...] 
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
                             The query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [81.205.150.117 listed in sa-accredit.habeas.com]
  3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                             [81.205.150.117 listed in zen.spamhaus.org]
  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                            [81.205.150.117 listed in bl.score.senderscore.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

From: Lilah Tascheter <lilah@HIDDEN>

* gnu/bootloader.scm (<bootloader-configuration>): New keypair field.
* gnu/bootloader/uki.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm.
* doc/guix.texi (Bootloader Configuration): Document UKI bootloader.

Change-Id: I2097da9f3dd35137b3419f6d0545de26d53cb6da
---
 doc/guix.texi          |  25 +++++++++-
 gnu/bootloader.scm     |   3 ++
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 gnu/local.mk           |   1 +
 4 files changed, 133 insertions(+), 2 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index 93be87d3cc..56d5b462c2 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42486,6 +42486,24 @@ Bootloader Configuration
 @item @code{extlinux-gpt-bootloader}
 This is the same as above, but for systems with a GPT partition table.
 
+@cindex Secure Boot, UEFI
+@vindex uki-efi-bootloader
+@item @code{uki-efi-bootloader}
+Makes and installs UKI images for UEFI systems.  Requires an @code{'esp}
+target providing a @code{path} to the mount point of the EFI System
+Partition.  Not all system generations may be available with this
+option, as UKI images contain the entire kernel and initramfs, and ESPs
+tend to be small.
+
+Full disk encryption with @code{uki-efi-bootloader} only requires a
+single password entry with fast decryption, in contrast to GRUB2
+requiring a second password entry with slow, LUKS1-only decryption.
+
+This is the only bootloader to currently support UEFI Secure Boot, when
+configured as below.
+
+[THE CONFIGURATION BELOW]
+
 @cindex ARM, bootloaders
 @cindex AArch64, bootloaders
 @vindex u-boot-a20-olinuxino-lime-bootloader
@@ -42854,8 +42872,11 @@ Bootloader Configuration
 @end lisp
 
 @item @code{chain-loader} (default: @code{#f})
-Varies slightly depending on bootloader.  For @code{grub}, this is anything that
-the @code{chainloader} directive can accept
+Varies slightly depending on bootloader.  For @code{grub}, this is
+anything that the @code{chainloader} directive can accept
+(@pxref{Chain-loading,,, grub, GNU GRUB manual}).  For @code{uki-efi},
+this is any efi binary to be installed alongside the system.  The
+following is an example of chainloading a different GNU/Linux system.
 
 @lisp
 (bootloader
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index 5e4578add0..ae7f20832e 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -100,6 +100,7 @@ (define-module (gnu bootloader)
             bootloader-configuration-default-entry
             bootloader-configuration-efi-removable?
             bootloader-configuration-32bit?
+            bootloader-configuration-keypair
             bootloader-configuration-timeout
             bootloader-configuration-keyboard-layout
             bootloader-configuration-theme
@@ -546,6 +547,8 @@ (define-record-type* <bootloader-configuration>
                          (default #f))    ;bool
   (32bit?                bootloader-configuration-32bit?
                          (default #f))    ;bool
+  (keypair               bootloader-configuration-keypair
+                         (default #f))    ;(cert . priv) pair
   (timeout               bootloader-configuration-timeout
                          (default 5))     ;seconds as integer
   (keyboard-layout       bootloader-configuration-keyboard-layout
diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
new file mode 100644
index 0000000000..848b7618e9
--- /dev/null
+++ b/gnu/bootloader/uki.scm
@@ -0,0 +1,106 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2024 Lilah Tascheter <lilah@HIDDEN>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu bootloader uki)
+  #:use-module (gnu bootloader)
+  #:use-module (gnu packages bootloaders)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages linux)
+  #:use-module (gnu system boot)
+  #:use-module (guix gexp)
+  #:use-module (guix diagnostics)
+  #:use-module (guix i18n)
+  #:use-module (guix records)
+  #:use-module (ice-9 match)
+  #:export (uki-efi-bootloader))
+
+;; TODO: Support 32bit/mixed-mode UEFI.  May be relevant:
+;; https://github.com/systemd/systemd/issues/17056
+(define (menu-entry+bootcfg->builder entry bootcfg)
+  (match-menu-entry entry
+    (label linux linux-arguments initrd chain-loader)
+    (match-bootloader-configuration bootcfg (32bit? theme keypair)
+      (cond
+        ;; Support chainloader in order to allow arbitrary signed EFI
+        ;; binaries.
+        (chain-loader
+          (match keypair
+            ((cert key)
+             #~(lambda (dest)
+                 (invoke/quiet #+(sbsigntools "/bin/sbsign")
+                               "--cert" #$cert "--key" #$key
+                               "--output" dest #$chain-loader)
+                 (invoke/quiet #+(sbsigntools "/bin/sbverify")
+                               "--cert" #$(car keypair) dest)))
+            (#f #~(lambda (dest) (copy-file #$chain-loader dest)))))
+        (linux
+          (let* ((arch (efi-arch #:32? 32bit?))
+                 (stub (file-append systemd-stub "/libexec/linux" arch
+                                    ".efi.stub")))
+            #~(lambda (dest)
+                (invoke/quiet
+                  #+(file-append ukify "/bin/ukify") "build"
+                  "--output" dest "--linux" #$linux "--initrd" #$initrd
+                  "--cmdline" (string-join (list #$@linux-arguments))
+                  "--os-release" #$label "--stub" #$stub
+                  "--efi-arch" #$arch
+                  #$@(if theme #~("--splash" #$theme) '())
+                  #$@(match keypair
+                       ((cert key)
+                        #~("--secureboot-certificate" #$cert
+                           "--secureboot-private-key" #$key))
+                       (#f '()))))))
+        (else
+          (leave
+            (G_ "uki-efi-bootloader doesn't support multiboot")))))))
+
+;; We cannot use Guix's build system to make UKI images for two reasons:
+;; 1. signing is necessarily non-reproducable, especially since keys
+;; should not be in the store, or else risk being publically accessible.
+;; 2. Menu-entries may reference files which do not exist in the store.
+(define* (install-uki #:key
+                      bootloader-config
+                      current-boot-alternative
+                      old-boot-alternatives
+                      #:allow-other-keys)
+  (define* (menu-entry->plan entry num #:optional (prefix "menu-entry"))
+    #~(cons* #$(menu-entry+bootcfg->builder entry bootloader-config)
+             #$(string-append prefix "-" (number->string num) ".efi")
+             #$(menu-entry-label entry)))
+
+  (define (boot-alternative->plan alt)
+    (menu-entry->plan (boot-alternative->menu-entry alt)
+                      (boot-alternative-generation alt)
+                      "generation"))
+
+  (install-efi
+    bootloader-config
+    (let ((entries
+            (bootloader-configuration-menu-entries bootloader-config)))
+      #~(list #$(boot-alternative->plan current-boot-alternative)
+              #$@(map menu-entry->plan entries (iota (length entries)))
+              #$@(map boot-alternative->plan old-boot-alternatives)))))
+
+(define uki-efi-bootloader
+  (bootloader
+    (name 'uki-efi)
+    (default-targets (list (bootloader-target
+                             (type 'vendir)
+                             (offset 'esp)
+                             (path "EFI/Guix"))))
+    (installer install-uki)))
diff --git a/gnu/local.mk b/gnu/local.mk
index e2d32d4fbf..507ca26dfc 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -94,6 +94,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/bootloader/extlinux.scm                   \
   %D%/bootloader/u-boot.scm                     \
   %D%/bootloader/depthcharge.scm                \
+  %D%/bootloader/uki.scm                        \
   %D%/ci.scm					\
   %D%/compression.scm				\
   %D%/home.scm					\
-- 
2.45.2

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 25 Sep 2024 11:20:31 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 25 07:20:30 2024
Received: from localhost ([127.0.0.1]:57498 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1stQ4M-0001WO-4E
	for submit <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:30 -0400
Received: from 81-205-150-117.fixed.kpn.net ([81.205.150.117]:45339
 helo=email.rimm.ee) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <herman@HIDDEN>) id 1stQ4F-0001SX-9X
 for 68524 <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:24 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rimm.ee; s=herman;
 t=1727262781;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=ewok/gv3RN7ahM4jjrZmh9W1dFP/wus5mkmLNeLlktQ=;
 b=JlRDYUsFQvl8/h/DNMlaaPDLsPZz4zR4KIcP60RDD99A2OMnMCJHKw+JW5o3F8rW9glUa6
 s8AW9qvrxLip1gJ2Pzu21Hb4stGS+ZEFeOsGHUSRu1h1klfoQ6s0aLjZP5WCIsq+D7EhLI
 gYXxgwh34EP+KFFad+6UMhKlPSOarWMI03E7Q8foaG6cxTfQcqMtWY26vOnYtpylQuyKCD
 2eL3ukCRxtykauNb92hlFKiW4lbp2SbHYw4UKCqM17ZgDYTDgQFGMYGpcMjrySmc3w9nql
 r8EOJKe+YDZ1pAQzepja4HVUYV3BVFSS1q2VyYR8az0fv1B+e+MHK1Ct3xrOyw==
Received: by 81-205-150-117.fixed.kpn.net (OpenSMTPD) with ESMTPSA id ca472f81
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Wed, 25 Sep 2024 11:13:01 +0000 (UTC)
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 3/5] gnu: packages: Add systemd-stub.
Date: Wed, 25 Sep 2024 13:12:01 +0200
Message-ID: <1bbcba5273652ad4c23b1d1655685720ef83d225.1727262600.git.herman@HIDDEN>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <cover.1727262600.git.herman@HIDDEN>
References: <cover.1727262600.git.herman@HIDDEN>
MIME-Version: 1.0
X-Debbugs-Cc: Efraim Flashner <efraim@HIDDEN>,
 Vagrant Cascadian <vagrant@HIDDEN>
Content-Transfer-Encoding: 8bit
X-Spam-Score: 3.6 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: From: Lilah Tascheter <lilah@HIDDEN> *
 gnu/packages/bootloaders.scm
 (systemd-stub): New variable. Change-Id:
 I974bad9ff7a52f736286d05de53f7c5ccb60b9d6
 --- gnu/packages/bootloaders.scm | 47 ++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+) 
 Content analysis details:   (3.6 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
 The query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in sa-accredit.habeas.com]
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 [81.205.150.117 listed in zen.spamhaus.org]
 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
 query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in bl.score.senderscore.com]
 0.0 TVD_RCVD_IP            Message was received from an IP address
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Debbugs-Envelope-To: 68524
Cc: Lilah Tascheter <lilah@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  From: Lilah Tascheter <lilah@HIDDEN> * gnu/packages/bootloaders.scm
    (systemd-stub): New variable. Change-Id: I974bad9ff7a52f736286d05de53f7c5ccb60b9d6
    --- gnu/packages/bootloaders.scm | 47 ++++++++++++++++++++++++++++++++++++
    1 file changed, 47 insertions(+) 
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
                             The query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [81.205.150.117 listed in sa-accredit.habeas.com]
  3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                             [81.205.150.117 listed in zen.spamhaus.org]
  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                            [81.205.150.117 listed in bl.score.senderscore.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

From: Lilah Tascheter <lilah@HIDDEN>

* gnu/packages/bootloaders.scm (systemd-stub): New variable.

Change-Id: I974bad9ff7a52f736286d05de53f7c5ccb60b9d6
---
 gnu/packages/bootloaders.scm | 47 ++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index 52d92ba03a..c563cbd988 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -39,6 +39,7 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (gnu packages bootloaders)
+  #:use-module (gnu bootloader)
   #:use-module (gnu packages)
   #:use-module (gnu packages assembly)
   #:use-module (gnu packages base)
@@ -48,6 +49,7 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages check)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cross-base)
+  #:use-module (gnu packages crypto)
   #:use-module (gnu packages disk)
   #:use-module (gnu packages efi)
   #:use-module (gnu packages firmware)
@@ -55,6 +57,7 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages gperf)
   #:use-module (gnu packages guile)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages llvm)
@@ -596,6 +599,50 @@ (define systemd-source
       (base32
         "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
 
+(define-public systemd-stub
+  (package
+    (name "systemd-stub")
+    (version %systemd-version)
+    (source systemd-source)
+    (build-system meson-build-system)
+    (arguments
+      (list #:configure-flags
+            #~(list "-Dmode=release" "-Defi=true" "-Dsbat-distro=guix"
+                    "-Dsbat-distro-generation=1" ; package revision!
+                    "-Dsbat-distro-summary=Guix System"
+                    "-Dsbat-distro-url=https://guix.gnu.org"
+                    #$(string-append "-Dsbat-distro-pkgname="
+                        (package-name this-package))
+                    #$(string-append "-Dsbat-distro-version="
+                        (package-version this-package)))
+            #:phases
+            ;; TODO: 32-bit support.
+            (let* ((stub (string-append "src/boot/efi/linux" (efi-arch)
+                                        ".efi.stub")))
+              #~(modify-phases %standard-phases
+                  (replace 'build
+                    (lambda* (#:key parallel-build? #:allow-other-keys)
+                      (invoke "ninja" #$stub "-j"
+                              (if parallel-build?
+                                  (number->string (parallel-job-count))
+                                  "1"))))
+                  (replace 'install
+                    (lambda _
+                      (install-file #$stub (string-append #$output
+                                                          "/libexec"))))
+                  (delete 'check)))))
+    (supported-systems %efi-supported-systems)
+    (inputs
+      (list libcap libxcrypt python-pyelftools `(,util-linux "lib")))
+    (native-inputs (list gperf pkg-config python-3 python-jinja2))
+    (home-page "https://systemd.io/")
+    (synopsis "Unified kernel image UEFI stub")
+    (description
+      "Simple UEFI boot stub that loads a conjoined kernel image and
+supporting data to their proper locations, before chainloading to the
+kernel.  It supports measured and/or verified boot environments.")
+    (license license:lgpl2.1+)))
+
 (define-public ukify
   (package
     (name "ukify")
-- 
2.45.2

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 25 Sep 2024 11:20:30 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 25 07:20:30 2024
Received: from localhost ([127.0.0.1]:57496 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1stQ4L-0001W6-O9
	for submit <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:30 -0400
Received: from 81-205-150-117.fixed.kpn.net ([81.205.150.117]:50673
 helo=email.rimm.ee) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <herman@HIDDEN>) id 1stQ4E-0001Sq-P7
 for 68524 <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:23 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rimm.ee; s=herman;
 t=1727262782;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=wH63hE8DjoWekl1CCteYbiT/ghGOjTnPA3hPqtF+hHg=;
 b=I59HjJZHUXqlIEy1tecEUGlVcSYYSERNzssl4xfY/qTECyMj4DYCbfucIu3/j+JjH3jTZq
 o7/o0mBrH+nrE4hnRvas9pseTd3xT8SkJwvjFgvbY5RhSCDX3Hmk9sUgdN+bB5gJC1gNcV
 1hWS5jFh8cxczhVtCRd9zLGLoijWLtntNAt+hkKzn+bGHMGNDjslhdElRbjwHBvt6gsprd
 Kglyi7X7sDkh3brY/+zLLrxtzEMpheQ2V9Lo5y+rQmFYR42SVRZGYtBV/gXiT/ulWMiUen
 pQxA4TDx3TW3mBKJ7l5US7wvPb8pr80hEtGFY0lJTOmWMMxHHLa9taLDB99yUQ==
Received: by 81-205-150-117.fixed.kpn.net (OpenSMTPD) with ESMTPSA id 2f673988
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Wed, 25 Sep 2024 11:13:01 +0000 (UTC)
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 4/5] gnu: system: Fix bootloader crypto device recognition.
Date: Wed, 25 Sep 2024 13:12:02 +0200
Message-ID: <40e4b478889cb61296f9559591e1c7affa540ad8.1727262600.git.herman@HIDDEN>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <cover.1727262600.git.herman@HIDDEN>
References: <cover.1727262600.git.herman@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: 3.6 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: From: Lilah Tascheter <lilah@HIDDEN> * gnu/system.scm
 (operating-system-bootloader-crypto-devices): Check for
 luks-device-mapping-with-options
 in addition to luks-device-mapping. Change-Id:
 Iafc9afe608640b97083c4d559c9240846330472a
 --- gnu/system.scm | 17 ++++++++++------- 1 file changed, 10 insertions(+),
 7 deletions(-) 
 Content analysis details:   (3.6 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
 The query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in sa-accredit.habeas.com]
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 [81.205.150.117 listed in zen.spamhaus.org]
 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
 query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in bl.score.senderscore.com]
 0.0 TVD_RCVD_IP            Message was received from an IP address
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Debbugs-Envelope-To: 68524
Cc: Lilah Tascheter <lilah@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  From: Lilah Tascheter <lilah@HIDDEN> * gnu/system.scm
    (operating-system-bootloader-crypto-devices): Check for luks-device-mapping-with-options
    in addition to luks-device-mapping. Change-Id: Iafc9afe608640b97083c4d559c9240846330472a
    --- gnu/system.scm | 17 ++++++++++------- 1 file changed, 10 insertions(+),
    7 deletions(-) 
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
                             The query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [81.205.150.117 listed in sa-accredit.habeas.com]
  3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                             [81.205.150.117 listed in zen.spamhaus.org]
  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                            [81.205.150.117 listed in bl.score.senderscore.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

From: Lilah Tascheter <lilah@HIDDEN>

* gnu/system.scm (operating-system-bootloader-crypto-devices): Check for
luks-device-mapping-with-options in addition to luks-device-mapping.

Change-Id: Iafc9afe608640b97083c4d559c9240846330472a
---
 gnu/system.scm | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/gnu/system.scm b/gnu/system.scm
index 85e02a9965..3dde0f4959 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -402,13 +402,16 @@ (define operating-system-bootloader-crypto-devices
   (mlambdaq (os)                        ;to avoid duplicated output
     "Return the sources of the LUKS mapped devices specified by UUID."
     ;; XXX: Device ordering is important, we trust the returned one.
-    (let* ((luks-devices (filter (lambda (m)
-                                   (eq? luks-device-mapping
-                                        (mapped-device-type m)))
-                                 (operating-system-boot-mapped-devices os)))
-           (uuid-crypto-devices non-uuid-crypto-devices
-                                (partition (compose uuid? mapped-device-source)
-                                           luks-devices)))
+    ;; Check against the close-luks-device procedure to get both maptypes.
+    (let* ((close (compose mapped-device-kind-close mapped-device-type))
+           (luks (mapped-device-kind-close luks-device-mapping))
+           (luks? (lambda (m) (eq? (close m) luks)))
+           (os-devices (operating-system-boot-mapped-devices os))
+           (luks-devices (filter luks? os-devices))
+           (uuid? (compose uuid? mapped-device-source))
+           (uuid-crypto-devices
+            non-uuid-crypto-devices
+            (partition uuid? luks-devices)))
       (when (not (null? non-uuid-crypto-devices))
         (for-each (lambda (dev)
                     (warning
-- 
2.45.2

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 25 Sep 2024 11:20:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 25 07:20:29 2024
Received: from localhost ([127.0.0.1]:57494 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1stQ4L-0001UX-36
	for submit <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:29 -0400
Received: from 81-205-150-117.fixed.kpn.net ([81.205.150.117]:45339
 helo=email.rimm.ee) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <herman@HIDDEN>) id 1stQ4A-0001SX-0T
 for 68524 <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:22 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rimm.ee; s=herman;
 t=1727262778;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=RlhqK6cz8IpIUScjGWdfn9jw5TbjjuhF4hpD+VRtWJs=;
 b=FcIW4hGa3zxTj3EjQ0xnV8LwhdU0tNAlkTdxG913TDi4PUxR5ydKWHlgGYWQWSnkndR/jh
 NRu+0Me47+HX8c9DcbrKmCEIM3xq7rJouDMKiJp582rpmWOylqOpsBRn/7m+eTn2+knAau
 mLgo1sHwHHvzlG16t2x1gr7gd3Et+igh4QWelUMkOMDZaeaz43JICBmugzJbCH3KLTBtGr
 zZ5WkEK0+QMExpHn/42s7mEA3eNeNd/xJYHVTB4MQCqh5FyULQfREuQe9Kz8aSWNUaRdwZ
 leUg5wyMWw8ql3GFIOZ4fxfloCgMbqHAF3tSVbRJhmZUHNjFZItTnFLZEhLIqQ==
Received: by 81-205-150-117.fixed.kpn.net (OpenSMTPD) with ESMTPSA id 7d32fe11
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO)
 for <68524 <at> debbugs.gnu.org>; Wed, 25 Sep 2024 11:12:58 +0000 (UTC)
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 0/5] Support root encryption and secure boot.
Date: Wed, 25 Sep 2024 13:11:58 +0200
Message-ID: <cover.1727262600.git.herman@HIDDEN>
X-Mailer: git-send-email 2.45.2
MIME-Version: 1.0
X-Debbugs-Cc: Florian Pelz <pelzflorian@HIDDEN>, Lilah Tascheter <lilah@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Content-Transfer-Encoding: 8bit
X-Spam-Score: 3.6 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  Hi Lilah, Recently Zheng Junjie <873216071@HIDDEN> told me
 git-fetch is better,
 so I changed pesign to it. I added libxcrypt to systemd-stub
 native-inputs and did some formatting. Please fill out [THE CONFIGURA [...]
 Content analysis details:   (3.6 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
 The query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in sa-accredit.habeas.com]
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 [81.205.150.117 listed in zen.spamhaus.org]
 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
 query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in bl.score.senderscore.com]
 0.0 TVD_RCVD_IP            Message was received from an IP address
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Debbugs-Envelope-To: 68524
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Hi Lilah, Recently Zheng Junjie <873216071@HIDDEN> told me
    git-fetch is better, so I changed pesign to it. I added libxcrypt to systemd-stub
    native-inputs and did some formatting. Please fill out [THE CONFIGURA [...]
    
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                             [81.205.150.117 listed in zen.spamhaus.org]
  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
                             The query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                         [81.205.150.117 listed in sa-trusted.bondedsender.org]
  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                            [81.205.150.117 listed in bl.score.senderscore.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

Hi Lilah,

Recently Zheng Junjie <873216071@HIDDEN> told me git-fetch is better, so
I changed pesign to it.  I added libxcrypt to systemd-stub native-inputs
and did some formatting.  Please fill out [THE CONFIGURATION BELOW] in
doc/guix.texi for the next revision.  If you would like to create an
installation test for the UKI bootloader, please do so as well.

Having a UEFI boot entry per generation is pretty much perfect for me.

Thanks again,
Herman

Lilah Tascheter (5):
  gnu: packages: Add pesign.
  gnu: packages: Add ukify.
  gnu: packages: Add systemd-stub.
  gnu: system: Fix bootloader crypto device recognition.
  gnu: bootloaders: Add uki-efi-bootloader.

 doc/guix.texi                |  25 ++++++++-
 gnu/bootloader.scm           |   3 +
 gnu/bootloader/uki.scm       | 106 +++++++++++++++++++++++++++++++++++
 gnu/local.mk                 |   1 +
 gnu/packages/bootloaders.scm | 104 ++++++++++++++++++++++++++++++++++
 gnu/packages/efi.scm         |  52 +++++++++++++++++
 gnu/system.scm               |  17 +++---
 7 files changed, 299 insertions(+), 9 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm


base-commit: e00ab0921afbfd4e8ee96c0c1dec77e1c5dd85b9
-- 
2.45.2

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 25 Sep 2024 11:20:25 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 25 07:20:25 2024
Received: from localhost ([127.0.0.1]:57489 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1stQ4F-0001Tc-Mf
	for submit <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:25 -0400
Received: from 81-205-150-117.fixed.kpn.net ([81.205.150.117]:50673
 helo=email.rimm.ee) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <herman@HIDDEN>) id 1stQ4D-0001Sq-FV
 for 68524 <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:22 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rimm.ee; s=herman;
 t=1727262781;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=M1lwJO/NUYNPE/Gd/LXwO5X0spLJJIKvx/47QRR84Qg=;
 b=KBgVzok9heGE+BBEbspsO+M/QbMej02+Zs+lK3qtluON6WMu5LTAixjbLdcNNjq9N9ErP3
 yI5ljA8+YQqSeN8zhsgQ8rw/N+Et0xkef9QPFKsKPEJh5X3TbZe3P9+MeNc6CKCCFTiF5B
 DQP1ihv5svJDcxh8Y99LLZNdUyrXFGFK/cWDLVigFTtpQN1R7VwDYeHSo08idUmblNxuKm
 fBKXAzKgC6s/e2nUwV5vvXE35FvR9AwQ+I8QdlPvuZbOmExdnqoIja43xRnrdwNlW1r5uD
 QgdsUlGEhmDOrZWrDYmhofCUiKx96AiO5fLUpCjrmYG9oZxPPBSHsclPiN0p2w==
Received: by 81-205-150-117.fixed.kpn.net (OpenSMTPD) with ESMTPSA id 21fef9cf
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Wed, 25 Sep 2024 11:13:01 +0000 (UTC)
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 2/5] gnu: packages: Add ukify.
Date: Wed, 25 Sep 2024 13:12:00 +0200
Message-ID: <4a8e3c9cef67f009b6fcb00739bdba3d46c2a2a6.1727262600.git.herman@HIDDEN>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <cover.1727262600.git.herman@HIDDEN>
References: <cover.1727262600.git.herman@HIDDEN>
MIME-Version: 1.0
X-Debbugs-Cc: Efraim Flashner <efraim@HIDDEN>,
 Vagrant Cascadian <vagrant@HIDDEN>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: 3.6 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: From: Lilah Tascheter <lilah@HIDDEN> *
 gnu/packages/bootloaders.scm (%systemd-version, systemd-source,
 ukify): New variables. Change-Id: Icde59b7266529c8002331ff0375e0a35af3a2add
 --- gnu/packages/bootloaders.scm | 57 ++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+) 
 Content analysis details:   (3.6 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
 The query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in sa-accredit.habeas.com]
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 [81.205.150.117 listed in zen.spamhaus.org]
 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
 query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in bl.score.senderscore.com]
 0.0 TVD_RCVD_IP            Message was received from an IP address
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Debbugs-Envelope-To: 68524
Cc: Lilah Tascheter <lilah@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  From: Lilah Tascheter <lilah@HIDDEN> * gnu/packages/bootloaders.scm
    (%systemd-version, systemd-source, ukify): New variables. Change-Id: Icde59b7266529c8002331ff0375e0a35af3a2add
    --- gnu/packages/bootloaders.scm | 57 ++++++++++++++++++++++++++++++++++++
    1 file changed, 57 insertions(+) 
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
                             The query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [81.205.150.117 listed in sa-accredit.habeas.com]
  3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                             [81.205.150.117 listed in zen.spamhaus.org]
  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                            [81.205.150.117 listed in bl.score.senderscore.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

From: Lilah Tascheter <lilah@HIDDEN>

* gnu/packages/bootloaders.scm (%systemd-version, systemd-source,
ukify): New variables.

Change-Id: Icde59b7266529c8002331ff0375e0a35af3a2add
---
 gnu/packages/bootloaders.scm | 57 ++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index 2f115f6bb3..52d92ba03a 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -21,6 +21,7 @@
 ;;; Copyright © 2023-2024 Herman Rimm <herman@HIDDEN>
 ;;; Copyright © 2023 Simon Tournier <zimon.toutoune@HIDDEN>
 ;;; Copyright © 2024 Zheng Junjie <873216071@HIDDEN>
+;;; Copyright © 2024 Lilah Tascheter <lilah@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -48,6 +49,7 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cross-base)
   #:use-module (gnu packages disk)
+  #:use-module (gnu packages efi)
   #:use-module (gnu packages firmware)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fontutils)
@@ -76,11 +78,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages version-control)
   #:use-module (gnu packages virtualization)
   #:use-module (gnu packages xorg)
+  #:use-module (gnu packages python-crypto)
   #:use-module (gnu packages python-web)
   #:use-module (gnu packages python-xyz)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system pyproject)
+  #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
   #:use-module (guix download)
   #:use-module (guix gexp)
@@ -576,6 +580,59 @@ (define-public syslinux
                      ;; Also contains:
                      license:expat license:isc license:zlib)))))
 
+(define %systemd-version "255")
+(define systemd-source
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+           (url "https://github.com/systemd/systemd")
+           (commit (string-append "v" %systemd-version))))
+    (file-name (git-file-name "systemd" %systemd-version))
+    (snippet #~(substitute* "src/ukify/ukify.py"
+                 ;; Remove after python 3.11.
+                 (("datetime\\.UTC") "datetime.timezone.utc")))
+    (modules '((guix build utils)))
+    (sha256
+      (base32
+        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
+
+(define-public ukify
+  (package
+    (name "ukify")
+    (version %systemd-version)
+    (source systemd-source)
+    (build-system python-build-system)
+    (arguments
+      (list
+        #:phases
+        #~(modify-phases %standard-phases
+            (replace 'build
+              (lambda* (#:key inputs #:allow-other-keys)
+                (define (get-tool tool)
+                  (search-input-file inputs (string-append "bin/" tool)))
+                ;; Hardcode the tool paths.
+                (substitute* "src/ukify/ukify.py"
+                  (("(find_tool\\(')(readelf|sbsign|pesign)'," _ ctx tool)
+                   (string-append ctx (get-tool tool) "',"))
+                  (("('name': ')(sbverify|pesign)'," _ ctx tool)
+                   (string-append ctx (get-tool tool) "',")))))
+            (delete 'check)
+            (replace 'install
+              (lambda* (#:key inputs #:allow-other-keys)
+                (let* ((bin (string-append #$output "/bin"))
+                       (file (string-append bin "/ukify")))
+                  (mkdir-p bin)
+                  (copy-file "src/ukify/ukify.py" file)))))))
+    (inputs
+      (list binutils pesign python-cryptography python-pefile sbsigntools))
+    (home-page "https://systemd.io/")
+    (synopsis "Unified kernel image UEFI tool")
+    (description
+      "@command{ukify} joins together a UKI stub, linux kernel, initrd,
+kernel arguments, and optional secure boot signatures into a single,
+UEFI-bootable image.")
+    (license license:lgpl2.1+)))
+
 (define-public dtc
   (package
     (name "dtc")
-- 
2.45.2

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 25 Sep 2024 11:20:19 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 25 07:20:19 2024
Received: from localhost ([127.0.0.1]:57481 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1stQ4B-0001T7-0k
	for submit <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:19 -0400
Received: from 81-205-150-117.fixed.kpn.net ([81.205.150.117]:45339
 helo=email.rimm.ee) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <herman@HIDDEN>) id 1stQ48-0001SX-6n
 for 68524 <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rimm.ee; s=herman;
 t=1727262778;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=mvaZYx/nv7bH9mwzSyuPFBPIr/wHXQ/vZ9yAqrREorI=;
 b=VOIfRhQjnlOtV/wFKFIo8MZiirN/4qX1xffbsQ+/xtIYj829CYAMLQVOs3CX/Nz1G8LLJw
 BscwqtUNBarQRiXEIAafZUFwcm8wmBt2hC+lS5SciWZ1EkkCEuTHAjnG2lKbNwwKAJUax3
 jdy/y9XOxC48C43n5Y9pCASemil5R+Sq1FHWevpPOc5r35b9l0lfU2tCifaeUtZ1l4Ij56
 tdK9Z6GvY1rLJDjC85UV9C1sOjWaBBLLTYl+QTdu8LTng4hlqXDnS+bpK9nAlkb4J/RMc4
 DGocbQu+4cDGJe24wguUwL8hT2dUWkLvOweSdLQcN2oAjP1LMwxX1tPqBn22uA==
Received: by 81-205-150-117.fixed.kpn.net (OpenSMTPD) with ESMTPSA id 15485550
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Wed, 25 Sep 2024 11:12:58 +0000 (UTC)
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 1/5] gnu: packages: Add pesign.
Date: Wed, 25 Sep 2024 13:11:59 +0200
Message-ID: <eed6bbc414f615b6292e09bd48a3f12ae0964c0f.1727262600.git.herman@HIDDEN>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <cover.1727262600.git.herman@HIDDEN>
References: <cover.1727262600.git.herman@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Score: 3.6 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: From: Lilah Tascheter <lilah@HIDDEN> *
 gnu/packages/efi.scm
 (pesign): New variable. Change-Id: I00fcc679d9514c85d508183b9ec7e121e0a814db
 --- gnu/packages/efi.scm | 52 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+) 
 Content analysis details:   (3.6 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 TVD_RCVD_IP            Message was received from an IP address
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 [81.205.150.117 listed in zen.spamhaus.org]
 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
 The query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in sa-accredit.habeas.com]
 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
 query to Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243
 for more information.
 [81.205.150.117 listed in bl.score.senderscore.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Debbugs-Envelope-To: 68524
Cc: Lilah Tascheter <lilah@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  From: Lilah Tascheter <lilah@HIDDEN> * gnu/packages/efi.scm
    (pesign): New variable. Change-Id: I00fcc679d9514c85d508183b9ec7e121e0a814db
    --- gnu/packages/efi.scm | 52 ++++++++++++++++++++++++++++++++++++++++++++
    1 file changed, 52 insertions(+) 
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
                             The query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [81.205.150.117 listed in sa-accredit.habeas.com]
  3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                             [81.205.150.117 listed in zen.spamhaus.org]
  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                            [81.205.150.117 listed in bl.score.senderscore.com]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

From: Lilah Tascheter <lilah@HIDDEN>

* gnu/packages/efi.scm (pesign): New variable.

Change-Id: I00fcc679d9514c85d508183b9ec7e121e0a814db
---
 gnu/packages/efi.scm | 52 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/gnu/packages/efi.scm b/gnu/packages/efi.scm
index 499745eba1..e5f9d2d6a3 100644
--- a/gnu/packages/efi.scm
+++ b/gnu/packages/efi.scm
@@ -24,8 +24,10 @@ (define-module (gnu packages efi)
   #:use-module (gnu packages bash)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages man)
+  #:use-module (gnu packages nss)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages popt)
   #:use-module (gnu packages tls)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix build-system gnu)
@@ -153,6 +155,56 @@ (define-public sbsigntools
     (home-page "https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/")
     (license license:gpl3+)))
 
+(define-public pesign
+  (package
+    (name "pesign")
+    (version "116")
+    (source
+      (origin
+        (method git-fetch)
+        (uri (git-reference
+               (url (string-append "https://github.com/rhboot/" name))
+               (commit version)))
+        (modules '((guix build utils)))
+        (snippet
+          #~(substitute* "Make.defaults"
+              (("RANLIB\t\\?= \\$\\(CROSS_COMPILE\\)") "RANLIB\t?=")
+              (("pkg-config-ccldflags") "pkg-config-ldflags")))
+        (sha256
+          (base32
+            "0fnqfiivj46bha4hsnwiqy8vq8b4i3w2dig0h9h2k4j7yq7r5qvj"))))
+    (build-system gnu-build-system)
+    (arguments
+      (list #:tests? #f ; The Makefile has no check target.
+            #:modules '((guix build gnu-build-system)
+                        (guix build utils)
+                        (ice-9 match))
+            #:phases #~(modify-phases %standard-phases (delete 'configure))
+            #:make-flags
+            (let ((system (%current-system))
+                  (target (%current-target-system)))
+              (define (arch s)
+                (if (target-x86-32? s)
+                    "ia32"
+                    (match (string-split s #\-)
+                      ((x _ ...) x))))
+              #~(list "prefix=/" "libdir=/lib/"
+                      (string-append "DESTDIR=" #$output)
+                      (string-append "HOSTARCH=" #$(arch system))
+                      (string-append "ARCH=" #$(arch (or target system)))
+                      (if #$target
+                          (string-append "CROSS_COMPILE=" #$target "-")
+                          "")))))
+    (inputs (list efivar nspr nss popt `(,util-linux "lib")))
+    (native-inputs (list mandoc pkg-config))
+    (synopsis "PE-COFF binary signing tools")
+    (description
+      "This package supports EFI keygen and subsequent signing of
+PE-COFF binaries. It contains the tools authvar, efikeygen, pesigcheck,
+pesign, pesign-client, and pesum.")
+    (home-page "https://github.com/rhboot/pesign")
+    (license license:gpl2+)))
+
 (define-public efitools
   (package
     (name "efitools")
-- 
2.45.2

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 15 Aug 2024 17:20:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Aug 15 13:20:52 2024
Received: from localhost ([127.0.0.1]:49693 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1see9b-00040K-KW
	for submit <at> debbugs.gnu.org; Thu, 15 Aug 2024 13:20:52 -0400
Received: from mail-yb1-f179.google.com ([209.85.219.179]:52678)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <nchatz314@HIDDEN>) id 1see9Z-000403-3H
 for 68524 <at> debbugs.gnu.org; Thu, 15 Aug 2024 13:20:50 -0400
Received: by mail-yb1-f179.google.com with SMTP id
 3f1490d57ef6-e1157e88bc9so1209664276.1
 for <68524 <at> debbugs.gnu.org>; Thu, 15 Aug 2024 10:20:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1723742346; x=1724347146; darn=debbugs.gnu.org;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:from:to:cc:subject:date
 :message-id:reply-to;
 bh=0rrnhiLS/Y/+QuHcWat0YWrx1JVF78ysAQvXsJQg+rM=;
 b=lShxul4ttVOHYXsycloPItz+EA2Aux6o0UOJHTt8gaglxHk+nMZ7HPDhxZe6Ij60Ej
 amLPxpIMYguHEVOoE5tEKquaD+n6jp/GuRJVZ4geAjmVVbv61GFsCv6S6lKWjETiCTrd
 tgH2RmHgCc0bMAzGiSnsy3wMPvTQeUvYJGgeCmHGdNNSYQex/eJjWILYlqCCtFikvt0V
 CIZpMluiWmKZtb5u2D6cAzFEJNpanwK6GJv6x9LmlsHaloSqCvF6UBko6KO9GLpXSATp
 xbQq5Frr6RoGNusszoF5RSUYFo8EcBYKp0UQ4iJcB+EnC5dTRpaIY5H2xGmZ/tajztY9
 OAJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1723742346; x=1724347146;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=0rrnhiLS/Y/+QuHcWat0YWrx1JVF78ysAQvXsJQg+rM=;
 b=TuzCixDpmeu/W/v45hVhh52HsMaVmOmJ5qa429KuLRXJNnbNhwfmatMgcRfwHF//sz
 +vBTOZptnWEOOAH/FpbxF6V3CEJmkn45ri9OxTThGDB1HteLHpVrGEQzW09f+4o3/7B0
 3DvPmohMQzs12edQt6TNzjA3hV7O16/xwDjKo21WpjHDTjWl6EuomK+a/Axl7hGI8kUr
 iBf+fVLAiu2VNNHgPFoqPevnjmpQABRoFrSrewtOS/g5QU+qLBjBRRsM+3WlgPEvqTU8
 H9PRhKcuod2eQfbdZnRQxPQ78or4GVZ2O4XROW65U/onwjES+2IvTEuOZDRF26Jl9uFe
 d/8g==
X-Gm-Message-State: AOJu0YxUGz2Icd5HB9VqZ4+kgluQ2T7A+FzGEEX/07xo2nvvihSx2Hvg
 qa4EIWfOscsoov1CueeDuhV1vHqqAAEwXMeZlrswqRnoTCVdu2g3M5s98fonlr2UeJuvXMNjD2o
 5oAyWAypyfEMaK7Rn6YxUucs7vYo=
X-Google-Smtp-Source: AGHT+IEYkmKGGvnlYdam78x8SY5E4Oq940Ope73Hg4n2P2VIGMTttZsHTvuJD6Wbk8AeiBEVgL3EqqP8Lg/CHLU0sCA=
X-Received: by 2002:a05:6902:1b12:b0:e11:5a47:eb8d with SMTP id
 3f1490d57ef6-e1180ff1071mr346743276.49.1723742346559; Thu, 15 Aug 2024
 10:19:06 -0700 (PDT)
MIME-Version: 1.0
References: <ff66920bb4b69ccf90955e912dd99caa41d1e116.camel@HIDDEN>
In-Reply-To: <ff66920bb4b69ccf90955e912dd99caa41d1e116.camel@HIDDEN>
From: Nikolaos Chatzikonstantinou <nchatz314@HIDDEN>
Date: Thu, 15 Aug 2024 13:18:55 -0400
Message-ID: <CAAQmeke3bh7CV7tb3Mcxi_-JnJ5aXyu56XPP5wKgpP4_Wi3XRw@HIDDEN>
Subject: Re: Rewrite Posted
To: Lilah Tascheter <lilah@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.2 (/)
X-Debbugs-Envelope-To: 68524
Cc: Hilton Chain <hako@HIDDEN>, 68524 <at> debbugs.gnu.org,
 Ryan S <ryan@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.8 (/)

On Thu, Aug 15, 2024 at 9:15=E2=80=AFAM Lilah Tascheter <lilah@HIDDEN=
e> wrote:
>
> Hey!
>
> > When performing a fresh installation, the bootloader install will >
> always fail since it assumes "/boot/efi" as the base "script-path".
> Yeah, sorry, limitation of the current system. Speaking of, though...
>
> The rewrite has been posted! The new patch series is at
> https://issues.guix.gnu.org/72457 which also subsumes this series, so
> I'll close this one in favor of it.

Congratulations. This is great!

Regards,
Nikolaos Chatzikonstantinou

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 15 Aug 2024 13:15:47 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Aug 15 09:15:47 2024
Received: from localhost ([127.0.0.1]:48545 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1seaKO-0005FK-5D
	for submit <at> debbugs.gnu.org; Thu, 15 Aug 2024 09:15:46 -0400
Received: from sendmail.purelymail.com ([34.202.193.197]:37742)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1seaKL-0005Ez-Ds
 for 68524 <at> debbugs.gnu.org; Thu, 15 Aug 2024 09:15:43 -0400
DKIM-Signature: a=rsa-sha256;
 b=CcwSaH+8pG9vgqr62fPFjZjCSKLQPVT8ynQ314POZL6QYfpEIuuNp50ZSHOnCZ7AvkYODE4CrpaI8KiZoXY4YKAsEnorrb079/vVDI+45oHMbWcttoix1/NkMN6uW01COt4H69aW2ykkerJwTSglqhaxOGifECFMAdiM6URIz05vZygWws+iXDIgNIFn5ao4lNzTkTdtDO/uFCLT7eYZw9cyu2vInqDHluqPks09fp4TRitrPKlMgG2/DVYGECr8hFcf4UqxHlIimb8GGfVgxzKPGHYeClcKKYTXR7FrQ3VyKta195J6evpE34aQlt0VF42V6tIJD9iFehdQEDsvsw==;
 s=purelymail1; d=lunabee.space; v=1;
 bh=ujb1hNk93UGdzNtY4UdFptD8OWoqqq2omHLQA7WHri4=;
 h=Received:Subject:From:To:Date; 
DKIM-Signature: a=rsa-sha256;
 b=VZvPxn9v571u7ZzYfENm5x12OS8aFjuRmRjvxiiy1mSbiynF5bHH7inXAQ3krO0UPrThxnhAXHcSlyqb/ODPfpFuGCmOGE3tNtP08Wv1uPbvKrRY5ueIMX1i6I/HC+mNbM9Kng4NUj5nEeyV2H624vva4HnAJco3Xwz7rDAO42U003ioPjXYEkKFWhARNqUqyQD39RqlfiUX+WVuOl0ANygKeG3eQ/NGUBEiBw+BE0sWKz/mtlXgAfiAwAmpbko6q+09wjABqM4t9TarLtByUOpj0n/g+q7WA4oGJNXGetakCc/8ocToeIIk3vZLQ6RT7K9hG/q3o0tNYMqn8GFYqQ==;
 s=purelymail1; d=purelymail.com; v=1;
 bh=ujb1hNk93UGdzNtY4UdFptD8OWoqqq2omHLQA7WHri4=;
 h=Feedback-ID:Received:Subject:From:To:Date; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -997553769; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Thu, 15 Aug 2024 13:14:56 +0000 (UTC)
Message-ID: <ff66920bb4b69ccf90955e912dd99caa41d1e116.camel@HIDDEN>
Subject: Rewrite Posted
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Date: Thu, 15 Aug 2024 08:14:55 -0500
Organization: Dissociation for Heresiographal Computation
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.48.4 
MIME-Version: 1.0
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: Hilton Chain <hako@HIDDEN>,
 Nikolaos Chatzikonstantinou <nchatz314@HIDDEN>, Ryan S <ryan@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hey!

> When performing a fresh installation, the bootloader install will >
always fail since it assumes "/boot/efi" as the base "script-path".
Yeah, sorry, limitation of the current system. Speaking of, though...

The rewrite has been posted! The new patch series is at
https://issues.guix.gnu.org/72457 which also subsumes this series, so
I'll close this one in favor of it.

Thanks y'all!

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 29 Jul 2024 05:11:31 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Jul 29 01:11:31 2024
Received: from localhost ([127.0.0.1]:44750 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1sYIfS-00081w-VI
	for submit <at> debbugs.gnu.org; Mon, 29 Jul 2024 01:11:31 -0400
Received: from mail.rschanz.org ([5.161.207.21]:35856)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ryan@HIDDEN>) id 1sYIfQ-00081n-3g
 for 68524 <at> debbugs.gnu.org; Mon, 29 Jul 2024 01:11:29 -0400
Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon)
 with ESMTPSA id 540BD271974
 for <68524 <at> debbugs.gnu.org>; Mon, 29 Jul 2024 01:11:15 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rschanz.org; s=dkim;
 t=1722229875; h=from:subject:date:message-id:to:mime-version:content-type:
 content-transfer-encoding; bh=+Px1yPYzMRFGBEYsVXoLRzRsNiIj23H+2KvwgPLa/74=;
 b=Q09EqAa5jeNJMtygv6KQL0oj+HPdQvB10/LCF/wlwg6DIPLzzoAHBh2vYc6hLqmC9sFfbl
 cL+9h2Lw916X1AE7m+Khb7RD5V1/EzV5SBBDBdkDUcosEyDmloume+kw6ZoLu6UrZWsG0J
 cL7c5PDwqEolMizJs2ZwgCEeBJ/q74aIBZ+m1ywVUOtOpy2fMdwn1rK09JDPKoNy2XgnmR
 0LubYCe5PPE/jAmgVpSvoOIHXflUWnY7wGCiWSelI8uB2Ti4X9eV0QfbA736PAcdt6Dhru
 F1TJbP9UTsMuvMiI5z8XI9qE0GkfKFvqKwTAanKkrRzfvHWMb7c1rLaGhdW06Q==
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8; format=Flowed
Date: Mon, 29 Jul 2024 01:11:14 -0400
Message-Id: <D31RJE4OZ3D5.1ZQS283PTVGXT@HIDDEN>
Subject: Fwd: [PATCH 0/2] Support root encryption and secure boot.
From: "Ryan S" <ryan@HIDDEN>
To: <68524 <at> debbugs.gnu.org>
X-Mailer: aerc 0.17.0
X-Last-TLS-Session-Version: TLSv1.3
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 68524
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi all!

No clue if this patch series is still being worked on, however I have been =
keeping an eye on this (want to migrate away from GRUB because of decryptio=
n speed and integrity reasons). Good news, I've successfully added these pa=
tches on a local channel I have and everything still works, with little mod=
ifications (this has been an on and off process over the past month or so b=
ecause I've been busy, so my memory of changes made may be fuzzy). However,=
 I did notice a bug. When performing a fresh installation, the bootloader i=
nstall will always fail since it assumes "/boot/efi" as the base "script-pa=
th". This assumption is false due to the installer placing the system being=
 installed at "/mnt/boot/efi".

Outside of that, is a new rewrite of the boot system still being worked on?=
 What kinds of things are we looking for to get UKIs merged? Should I start=
/continue a thread on guix-devel? I'd like to help where I can.

--=20
Best,
Ryan

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 24 Mar 2024 09:48:03 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Mar 24 05:48:03 2024
Received: from localhost ([127.0.0.1]:44673 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1roKSQ-00068H-RH
	for submit <at> debbugs.gnu.org; Sun, 24 Mar 2024 05:48:03 -0400
Received: from mail-oi1-f171.google.com ([209.85.167.171]:43428)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <nchatz314@HIDDEN>) id 1roKSO-00067d-L3
 for 68524 <at> debbugs.gnu.org; Sun, 24 Mar 2024 05:48:01 -0400
Received: by mail-oi1-f171.google.com with SMTP id
 5614622812f47-3c38396c965so2080886b6e.1
 for <68524 <at> debbugs.gnu.org>; Sun, 24 Mar 2024 02:47:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1711273573; x=1711878373; darn=debbugs.gnu.org;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:from:to:cc:subject:date
 :message-id:reply-to;
 bh=kMO1CvActh0il79/q5gkTeObUXWFO4WnV2jknNkfO/Q=;
 b=BWuK0w9K3YnXVgTru5baVvn1Tk3TkPnvpSueY219c7OicnHP03wOwXgeffTG2SB86K
 Q3dyOM+5HKmKKa4eBKC+UiQX9yYnHRQp40pInt/zTICwRC4g5Wr5waobZzir0SqwJ034
 hIQUyfKNh0513AYuQv6bHQmEhu7GnrtanXIEKq/00Yz+pCuBi+U6was0w3HruHnlRL+M
 tLCidPEIyNm8iqDjKkq/Mdtq45nWRU2W5r/dZw1+WybGC+vgI+7DjV1j1uuZPfR6kIEB
 NNtdPKnGSYg81NqZeLFqRw+pXQlpjCKqxCZy7Ak1ET3AqFpatE/RpiItW1iiE/i9KjAr
 TDrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1711273573; x=1711878373;
 h=content-transfer-encoding:cc:to:subject:message-id:date:from
 :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=kMO1CvActh0il79/q5gkTeObUXWFO4WnV2jknNkfO/Q=;
 b=SdU6RgKlYuhwoO3vItZjTIEOvSlCc5QfS6254vXvrgTWF4nFqvk7+vmzNTnXS8sz4F
 E1F9V/T1FP4xZedOngfjGO9vrihcITPrbo8B8HD4BgSAkNOrmscflE39PB8uDNv9Nidx
 bhAgSUp5afng0ZBMR8iAkmm8A2v07wbx4Wzni7EnhvXCAWhLed8zWfIoNJ+rXrz1hCJx
 EomtUh9Xy0K+AslXg1lR2ZxD7ITOVceUXYPq4B56gNlDGgJBwZPrnQg6dW4jH0eMJ+RB
 q6NS4FG0aEzjMj7gG4xU+pAo/1aGi88XAkzr/MEcd65dVldPloVx49YdaqJnTrDf9W3v
 0iRg==
X-Gm-Message-State: AOJu0YziTQ6lF6J9H9lrjGMTP/FCcetSzuCjvBj2k0iv/FU8B1sEff3C
 88t8DuMNAqIVocNveEa9MtxxgPkJnvuXA5QPCjwMIWfWDCUnNVMLpfg5Si0ZyoEeNGjZeYYd53o
 nIxhBkqyfIzwvYtJ8jQkdhNNyNVF8Id7S
X-Google-Smtp-Source: AGHT+IFFu/a4GTKVdudEv8s2bW6b/OcQbEUa5qtVqvgtn1XK1Y2PUKVaviUxBKmZdzTwdHlZ+Kd53PskH7BdK9+6KRU=
X-Received: by 2002:a0d:d8c6:0:b0:610:e452:8c74 with SMTP id
 a189-20020a0dd8c6000000b00610e4528c74mr1726006ywe.0.1711273138362; Sun, 24
 Mar 2024 02:38:58 -0700 (PDT)
MIME-Version: 1.0
References: <09d16b08abe96944ff692c233db4f9fd65dc5a60.camel@HIDDEN>
In-Reply-To: <09d16b08abe96944ff692c233db4f9fd65dc5a60.camel@HIDDEN>
From: Nikolaos Chatzikonstantinou <nchatz314@HIDDEN>
Date: Sun, 24 Mar 2024 05:38:47 -0400
Message-ID: <CAAQmekeS7e9G9Gbpbn6bLJCyq7ToPxKONeiU+PtzQE=UfqUQ5w@HIDDEN>
Subject: Re: [PATCH 0/2] Support root encryption and secure boot
To: Lilah Tascheter <lilah@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.2 (/)
X-Debbugs-Envelope-To: 68524
Cc: 68524 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.8 (/)

On Sat, Mar 23, 2024 at 3:40=E2=80=AFPM Lilah Tascheter <lilah@HIDDEN=
e> wrote:
> and yeah don't worry it's isolated. there's only two bits of systemd
> used, systemd-boot-stub and ukify. ukify is pretty much just a single
> python script, and systemd-boot-stub is just a bit of code tacked on to
> the boot process to handle combining the kernel, args, and initrd
> together. no daemons or code past the bootloader at all!
>
> of note I'm currently in the process of rewriting the entire guix
> bootloader stack to make this work a Lot nicer. sooo hopefully that
> gets finished soon.

Very exciting! I am looking forward to looking at the code.

Regards,
Nikolaos Chatzikonstantinou

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 23 Mar 2024 20:10:20 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Mar 23 16:10:20 2024
Received: from localhost ([127.0.0.1]:51093 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1ro7h5-0001VV-Fy
	for submit <at> debbugs.gnu.org; Sat, 23 Mar 2024 16:10:20 -0400
Received: from sendmail.purelymail.com ([34.202.193.197]:49304)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1ro7Q9-0000nh-Us
 for 68524 <at> debbugs.gnu.org; Sat, 23 Mar 2024 15:52:56 -0400
DKIM-Signature: a=rsa-sha256;
 b=pMxgDK3oIuy+XYNeXRAqGHB/pjhLYqNZtXEZCvveCNXu6UBaRDM4iYz0rQH+IXVhK7VBOdDq98Dv/TTDkKhPfBdJuxNaN7oRzldQdleGcbaCC6uFsNubng0AhTjuVgLnKHGZKnZNONx/0eJZ8HXHtc5MnszRhXg0pPQ/OveQTZOIGzgIgsafm4lSbo1na0AuqkuHcODg1LePfiKLCcIb6VRn7Dhgtwi6o0URxJhfIarsDFk7C41+sC3zqaRYC3bBeY/LtoElMfGwtfiTfhKFslwJ9VR5EzFPxxuMPU/YwbTiDpo6770MSJxTQx3w36ecrQyD0u3G/hpMfgrdN/9FXg==;
 s=purelymail1; d=lunabee.space; v=1;
 bh=pZOopb6EYrm8sYBiuXiUoWrC8ByNiH/bZvuwKcjq0jI=; h=Received:Subject:From:To; 
DKIM-Signature: a=rsa-sha256;
 b=D2ARaJB0py9kVdoJ0GkTdc7LnID53wU4SvZaWpHI01nOtowbx4TmdobD7EF+m93jfMz8O/9dgHq0pRKvgTkhG5zhi8m47mFdYMxWfoflwscUxRAArXJAt7S9AdhNzUe6sZDRfhFUjxI1lEo3K9SpRhhxRgL3QbxYt9KZh4vZLtQnoP/25X6G7iKUKP7j30HzUx6SyJjAseh2W1U9w+vj6Sx2VWthOLSD2MiV5b5qvvh8rcWz07/9NQJXPb+DCvoQSdZFLJXeTHjoz/hln3y5BrExm6jAGtvO8+voGXX6yT3wW2+TrVNLuxIcJvvICPxIdA6aQlGrfgAeedAoYqRgYA==;
 s=purelymail1; d=purelymail.com; v=1;
 bh=pZOopb6EYrm8sYBiuXiUoWrC8ByNiH/bZvuwKcjq0jI=;
 h=Feedback-ID:Received:Subject:From:To; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id 136536595; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Sat, 23 Mar 2024 19:40:41 +0000 (UTC)
Message-ID: <09d16b08abe96944ff692c233db4f9fd65dc5a60.camel@HIDDEN>
Subject: Re: [PATCH 0/2] Support root encryption and secure boot
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Date: Sat, 23 Mar 2024 14:40:40 -0500
Organization: Dissociation for Heresiographal Computation
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.46.4 
MIME-Version: 1.0
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: nchatz314@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

sorry for the late responses; I don't actually get sent your replies
unless you cc me.

and yeah don't worry it's isolated. there's only two bits of systemd
used, systemd-boot-stub and ukify. ukify is pretty much just a single
python script, and systemd-boot-stub is just a bit of code tacked on to
the boot process to handle combining the kernel, args, and initrd
together. no daemons or code past the bootloader at all!

of note I'm currently in the process of rewriting the entire guix
bootloader stack to make this work a Lot nicer. sooo hopefully that
gets finished soon.

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 8 Mar 2024 10:43:18 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Mar 08 05:43:18 2024
Received: from localhost ([127.0.0.1]:56788 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1riXh8-0001cc-II
	for submit <at> debbugs.gnu.org; Fri, 08 Mar 2024 05:43:18 -0500
Received: from mail-yw1-f170.google.com ([209.85.128.170]:60639)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <nchatz314@HIDDEN>) id 1riXh6-0001cM-Ce
 for 68524 <at> debbugs.gnu.org; Fri, 08 Mar 2024 05:43:17 -0500
Received: by mail-yw1-f170.google.com with SMTP id
 00721157ae682-609f060cbafso18829947b3.0
 for <68524 <at> debbugs.gnu.org>; Fri, 08 Mar 2024 02:42:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1709894498; x=1710499298; darn=debbugs.gnu.org;
 h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
 :date:message-id:reply-to;
 bh=DYF2jH7C465WqWBRE2BAuuUmonoV7NDWtAKEYlVxw6I=;
 b=TGBx+TduY+4DsQ+sdYuGF5N/oKx295NwE9GJ1zO/VAPqXpcX2OIo1GtqDlmevofhvv
 DqCnRv75tkopcvstQe74miHxw9JYGHzlqZPRtKbyN/aM+zRoA2azAwz9eLPjCknIbmxD
 ZEA4OExol7PmZwVl2rKVMla+CKQfb8u5ILjxRahIATykMhQrvAHmyDertu7F2CCeNL4O
 inB/wnKnir+Sfp7NwNN2Q0tTsZX5Cc5UTs4HdVAvnsSoHRklAApiedTVtGVtsOwOxQlE
 +yxXTxRQO85JxPORp95OwZBGgzFYvPtAsU3Vknskk+QQAquE9V5zZAVBsyTJRj6lS8kY
 0N8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1709894498; x=1710499298;
 h=to:subject:message-id:date:from:mime-version:x-gm-message-state
 :from:to:cc:subject:date:message-id:reply-to;
 bh=DYF2jH7C465WqWBRE2BAuuUmonoV7NDWtAKEYlVxw6I=;
 b=Kw4KzaFQNC6S3gWll88uxL2LRg3ve5hbu8DBFCDyq/FBHaK212v9JjLu1Zc2ilegrh
 EClEe35ayfGU/p+iMjSRBoff4XpRaZgJd+Jnd4ACS/AH6pSRzpWmIHT+G9V1kwdHegez
 iCmUo78mlHgy5229yW/9Nk+MGm1cfQ0qJLlN0vqVBeMFuGn7U25RUYM28AiqYgRprXZc
 vITApWFSxgTxfDXM9pDE+dpJASBywckIGwO9TlRobGBe0M3YjC2Nz0zMD8MMguEfGEYh
 rDCLgnWQj22Tmkqss4S+isO5qaFCgBHd1Z55aIzEbgU41v/RAJVSKeb77391sgL1byXN
 ZOsQ==
X-Gm-Message-State: AOJu0Yxa5FFu3RucYbD70God80QigyZ6fN5ycrOd+40EUwPt+fIOCH62
 JbNAqLaeN5M0tJOyYOx9/zGk4PJ1rObUCOUIWvHGoz7pTKs2pyNXBXv4YU9+TQj6s35NCO6ILUc
 Sq9RlN87mZphpOQdFOXuOpebB+fKfyafY
X-Google-Smtp-Source: AGHT+IH3CwwYOtKurtYE86joUbM00omBplhEJZYU9mOjm93wQhyZ7oK+fGobEWG8CqxWfPMZGt310mUbtsFiyOfxsbE=
X-Received: by 2002:a0d:e006:0:b0:609:e89e:7ff9 with SMTP id
 j6-20020a0de006000000b00609e89e7ff9mr5366464ywe.34.1709894498540; Fri, 08 Mar
 2024 02:41:38 -0800 (PST)
MIME-Version: 1.0
From: Nikolaos Chatzikonstantinou <nchatz314@HIDDEN>
Date: Fri, 8 Mar 2024 05:41:27 -0500
Message-ID: <CAAQmekfTSNon-fvadJ8uzx0iAzso506RCdTr6YUY3nbVWGPXrA@HIDDEN>
Subject: 
To: 68524 <at> debbugs.gnu.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 2.2 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  Great, thank you for clarifying. This is awesome work. Does
 it mean however that Guix becomes tied to systemd in some way when this
 feature
 is used? Or is the feature sufficiently isolated that no sys [...] 
 Content analysis details:   (2.2 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
 provider (nchatz314[at]gmail.com)
 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends
 in digit (nchatz314[at]gmail.com)
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
 [209.85.128.170 listed in wl.mailspike.net]
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [209.85.128.170 listed in list.dnswl.org]
 2.0 BLANK_SUBJECT          Subject is present but empty
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Debbugs-Envelope-To: 68524
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 1.2 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Great, thank you for clarifying. This is awesome work. Does
    it mean however that Guix becomes tied to systemd in some way when this feature
    is used? Or is the feature sufficiently isolated that no sys [...] 
 
 Content analysis details:   (1.2 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                             [209.85.128.170 listed in wl.mailspike.net]
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
                              no trust
                             [209.85.128.170 listed in list.dnswl.org]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail
                             provider (nchatz314[at]gmail.com)
  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends
                             in digit (nchatz314[at]gmail.com)
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  2.0 BLANK_SUBJECT          Subject is present but empty
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

Great, thank you for clarifying. This is awesome work. Does it mean
however that Guix becomes tied to systemd in some way when this
feature is used? Or is the feature sufficiently isolated that no
systemd process takes place?

I've also looked briefly into this from another angle, trying to
either patch GRUB or to use kexec and boot from a USB. I'm glad that
you were able to do this, thanks a lot!

Regards,
Nikolaos Chatzikonstantinou

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 8 Mar 2024 08:10:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Mar 08 03:10:45 2024
Received: from localhost ([127.0.0.1]:56271 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1riVJU-0001x9-6h
	for submit <at> debbugs.gnu.org; Fri, 08 Mar 2024 03:10:45 -0500
Received: from sendmail.purelymail.com ([34.202.193.197]:42584)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1riVJE-0001wI-3N
 for 68524 <at> debbugs.gnu.org; Fri, 08 Mar 2024 03:10:43 -0500
DKIM-Signature: a=rsa-sha256;
 b=pzv4xUgmdzR0zD0WnnYjYNgEs5NzUqeufkLJix1CROVQygo7F+U2wt+yeT2GRPdCfS2oAL6++u3E6p8h9xoe9cmzmYzKHb0AuotlXfY8PXgMvFi9xTtX4hcrwmEOtQ+CmFPYyLBEDs56XxHr22FfOUClIOLQ/kZMIniFcMWgfsgEF52vXzcMGYlM/fldWiYBg9tEzkz28iKIg5vu5g0PwGDyQETH/jXPEJKNox/maeGlzQEq8oRh8rhu3UHNovEI8wO70vp7L/u0er92djtzrYmr5XaAVvTBXYPG59q3PLKcbBJKobo/qMwCdyUilcgTKvbVQcMVxQrD3f38963BKg==;
 s=purelymail2; d=lunabee.space; v=1;
 bh=RCVZCJeyAVJaKftjK8wTDe9b+x6HbGJZ3FiZ9ic77Fc=; h=Received:Subject:From:To; 
DKIM-Signature: a=rsa-sha256;
 b=AXtYufxCH1kq1J/MP56Mmj0KAhOZjvIYJ5WxK/gyKg6YjWY4pS91tgrW/TpvhusFkXI9QDgZ7ERWI9HbisdzIIjZV1li7x7ja+AH+pKHafHAYiNlD96zCxJ0gUOQOCalEJGJk9h4Va2F7ImKGBlliiupXM31XO/IpRmdGQN6nS+TmxyCS4UXhAoKlrRpcLuFOEHvlAYrfQ9hgspcfT3VT1u969/lBmyYK+HM1QmMm/VVHf50dASOB2x5WlT1EzNtVkKC/z7QAiyGPL8vn8epKRgRxFu3RP1jZQMiamFyLGSN+00+9H36A4xmjiBniOMbsQnFkLHYb4volSBMlzYmgg==;
 s=purelymail2; d=purelymail.com; v=1;
 bh=RCVZCJeyAVJaKftjK8wTDe9b+x6HbGJZ3FiZ9ic77Fc=;
 h=Feedback-ID:Received:Subject:From:To; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id 52456496;
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Fri, 08 Mar 2024 08:09:40 +0000 (UTC)
Message-ID: <f2c9aa7c48203c736d4e67082eaa4f685b9eb55f.camel@HIDDEN>
Subject: Re: [PATCH 0/2] Support root encryption and secure boot
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Date: Fri, 08 Mar 2024 02:09:39 -0600
Organization: Dissociation for Heresiographal Computation
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.46.4 
MIME-Version: 1.0
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: nchatz314@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

nah, what I meant by that is instead of entering your password while
you're booted into grub, you enter it while booted into your initrd.
either way nothing touches the disk.

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 20 Feb 2024 01:10:21 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Feb 19 20:10:21 2024
Received: from localhost ([127.0.0.1]:43891 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rcEeL-0002zM-68
	for submit <at> debbugs.gnu.org; Mon, 19 Feb 2024 20:10:21 -0500
Received: from mail-yb1-f173.google.com ([209.85.219.173]:42034)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <nchatz314@HIDDEN>) id 1rcEeH-0002z1-Gb
 for 68524 <at> debbugs.gnu.org; Mon, 19 Feb 2024 20:10:19 -0500
Received: by mail-yb1-f173.google.com with SMTP id
 3f1490d57ef6-dcc6fc978ddso3991838276.0
 for <68524 <at> debbugs.gnu.org>; Mon, 19 Feb 2024 17:09:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1708391330; x=1708996130; darn=debbugs.gnu.org;
 h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
 :date:message-id:reply-to;
 bh=ImdV52B6e21nw/xuIc8LOT6OIDGwJLRJ3CYcw2YFpYQ=;
 b=FmpOCp128YDZB1w+EPrp35JBuVfr8Nky2lsTABjxPe0nh0juLI2rWwPxEydlgvdyHe
 mNxbAsD6O+Fadt5gccLS1yuVzxrbiIWx/mBQAUqT32SmYvnBkxg69uVYnaydrVTRTDXJ
 qZ7HtGsowhLsKY8R49s09qS+qSxscL0WnHgpNpez/BXYucK2MS762FxWBo0jB9wRuMjx
 c8n7PAKwLBamZ5lyjljpCQTILTqxnnKRK7R0wKj0wV4pQFeQTSF4L8uvndSbBraXt3+a
 AJW5GZbTlTdV+cLNcBMHk/qtj2NXeF4CXh8pGwVAVEwu2LpxNeQ1xv8nJ72XFtAEsjk9
 RoSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1708391330; x=1708996130;
 h=to:subject:message-id:date:from:mime-version:x-gm-message-state
 :from:to:cc:subject:date:message-id:reply-to;
 bh=ImdV52B6e21nw/xuIc8LOT6OIDGwJLRJ3CYcw2YFpYQ=;
 b=a6DYEcx1dbp5ESnTwzJIGxlZKfGRYBO+QtX585sJ/rm22IdmSi7R0vqPbF7/a1vj/A
 CkijImzKWoKeCvVTjxkz68Kf9n7PV6WY/r7jNIM7NS702NGUt/nC4MREfjmsutaLkZU/
 WLEeud6l9BIBPU8yAMsBAyChymof7j8iXE/cOwyp2q1iMNkx27xdfyZE/EvbY34jqdpM
 oqFdEoil2Mo5yexWugyeeillCIkkvryXFUo11MNC+370a41d73CtOhf3c7ofK91CVmLj
 DYLSMo567S68PHzdffQVMBCfWFXAvlkW6xJ1QqdtO6uyItePohppgL4Eaq75dlq8pl9v
 GpUQ==
X-Gm-Message-State: AOJu0Yzy2wmSIo5nrLDpoKFBf3jKrX8T727yT6OFnlpgcjZ5gtwtzN9N
 5OE0DWePV+gnUm7Kn8bKm+Y5nbB7mrKL/OWTJ5lzzel+aJk8QHJuvR3V+KNPN+PQk8w5Ous/PNa
 mYARNW7dDjsqdftCCH9q9Ryx2f7bnv5+A
X-Google-Smtp-Source: AGHT+IG8Qwp11wpBsuUitX1mTztkWZGqqj9kMxbMUNOvc5UDUWT3IBW45mcaM9aGRm+yRgCwydMxHSRiwyVnexkJqzM=
X-Received: by 2002:a25:7145:0:b0:dc6:d1d7:c762 with SMTP id
 m66-20020a257145000000b00dc6d1d7c762mr11033700ybc.11.1708391329870; Mon, 19
 Feb 2024 17:08:49 -0800 (PST)
MIME-Version: 1.0
From: Nikolaos Chatzikonstantinou <nchatz314@HIDDEN>
Date: Mon, 19 Feb 2024 20:08:39 -0500
Message-ID: <CAAQmekdcuds40drOiGcNhKEk=40M1poigVbbJNfWsmdfmVXttQ@HIDDEN>
Subject: [PATCH 0/2] Support root encryption and secure boot
To: 68524 <at> debbugs.gnu.org
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: -1.7 (-)
X-Debbugs-Envelope-To: 68524
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.7 (--)

What does it mean that "LUKS password entry is in the initrd"? Is the
password in plain sight?

Regards,
Nikolaos Chatzikonstantinou

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 14 Feb 2024 18:10:49 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Feb 14 13:10:49 2024
Received: from localhost ([127.0.0.1]:53015 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1raJib-0007V4-4v
	for submit <at> debbugs.gnu.org; Wed, 14 Feb 2024 13:10:49 -0500
Received: from mail.boiledscript.com ([144.168.59.46]:48088)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <hako@HIDDEN>) id 1raJiY-0007Ut-OY
 for 68524 <at> debbugs.gnu.org; Wed, 14 Feb 2024 13:10:47 -0500
Date: Thu, 15 Feb 2024 02:02:19 +0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ultrarare.space;
 s=dkim; t=1707934138;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=MiYGRqQZoLI9G/BxOZVbcRjoLbghMb6B76XYwr86Adc=;
 b=h3uEiUVAZ+OYv28z7DRRlysSqHG//MAtYFdkP/ZUItXsAHA+/6VcY8nSL/jkYtEx6Oi4Ji
 jvT7aU61QCGVHzTNA5Z/CGZR1kfbxhQMRxO+f7T0v+kJyhKCPAkydza8R9fHa26HFeWUlW
 vv1vpSaPVFn/HdsI4Jc8m5Bs0ezfKA/6G27AxNH7N7Hino+NcBJ2oNI98eHyJSybOKWCzR
 7QSaPSyXTkcqtkh1xEUHGA7ESIMxOAmT2Rc3686z/7/CJbO8aYCpKZJ8eO5uKBiwyTXD2p
 Ql95cjUfE+l30jtgBRdmQAd78MTNvnbBKMENRbjlSAur/IpHGjidAhqvLdns/Q==
Authentication-Results: mail.boiledscript.com;
 auth=pass smtp.mailfrom=hako@HIDDEN
Message-ID: <87r0hegc0k.wl-hako@HIDDEN>
From: Hilton Chain <hako@HIDDEN>
To: Lilah Tascheter <lilah@HIDDEN>
Subject: Re: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add
 uefi-uki-bootloader.
In-Reply-To: <8ab5d0bc36ced87463e0e64ca367266c80bd633d.camel@HIDDEN>
References: <cover.1706435500.git.lilah@HIDDEN>
 <22f2967a552454baade056c60a37c02e36a048a5.1706435500.git.lilah@HIDDEN>
 <87a5o6n8v9.wl-hako@HIDDEN>
 <05032c80273155fb72fad87d3fedb36fa73c9a28.camel@HIDDEN>
 <8ab5d0bc36ced87463e0e64ca367266c80bd633d.camel@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-7
Content-Transfer-Encoding: quoted-printable
X-Spamd-Bar: /
X-Spam-Score: -1.9 (-)
X-Debbugs-Envelope-To: 68524
Cc: Vagrant Cascadian <vagrant@HIDDEN>, 68524 <at> debbugs.gnu.org,
 Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.9 (--)

Hi Lilah,

On Tue, 13 Feb 2024 15:34:55 +0800,
Lilah Tascheter wrote:
>
> > * add secure-boot-cert and secure-boot-key fields to bootloader-
> > configuration.

How about using a pair instead of two fields?  And because the usage depend=
s on
the bootlodaer, I'd like to use a generic name.

e.g. signing-keypair
 =3D> '("/path/to/certificate" . "/path/to/private.key")

> > * deprecate configuration-file and configuration-file-generator in
> >   the bootloader struct, and instead create an install-configuration-fi=
le
> >   field, similar to install-bootloader. default procedure will be to do=
 the
> >   current install-boot-cfg (gnu build install) using the deprecated fie=
lds.

I'd prefer =A1configuration-installer=A2, since the installation target may=
 not be a
file. :)

I don't think the deprecation is necessary though, other bootloaders don't =
have
to duplicate this part of code, and in my opinion the following definition =
does
make sense.

--8<---------------cut here---------------start------------->8---
(define uefi-uki-bootloader
  (bootloader
   (name 'uefi-uki)
   (package systemd-stub)
   (installer install-uefi-uki)
   (configuration-installer install-uefi-uki-configuration)
   (configuration-file #f)
   (configuration-file-generator #f)))
--8<---------------cut here---------------end--------------->8---

> > * rework uki.scm to, instead, run efibootmgr in install-
> >   configuration-file and install the uki.efi files in install-bootloade=
r.
> >   remove the separation between uefi-uki-signed-bootloader and
> >   uefi-uki-bootloader, instead working off the new bootloader-configura=
tion
> >   fields.
>
> amending: also edit the bootloader-installer and bootloader-disk-image-in=
staller
> procedures to provide the bootloader-configuration in some manner.

I agree that <bootloader> needs modifying, since unified kernel images curr=
ently
cannot be well described.  And to support proper generation switching, some
fields of <bootloader-configuration> need exposing.

As this now involves deeper change, I think it's better to post the plan on
guix-devel@HIDDEN for wider visibility and potential discussions.

Thanks

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 13 Feb 2024 07:35:24 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Feb 13 02:35:24 2024
Received: from localhost ([127.0.0.1]:40962 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rZnK7-0005Hv-VD
	for submit <at> debbugs.gnu.org; Tue, 13 Feb 2024 02:35:24 -0500
Received: from sendmail.purelymail.com ([34.202.193.197]:38072)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1rZnK5-0005Hf-7A
 for 68524 <at> debbugs.gnu.org; Tue, 13 Feb 2024 02:35:22 -0500
DKIM-Signature: a=rsa-sha256;
 b=O/tJnLpqJBBUQUNykH1rtBdmwfGeiXHmZzpScIT621YsTZuM+WBu/V8ZHu2DGD2p77chSF5os8jtuItIHasBEbz/4qsTRL+U6Di1Yttmc4XbWGZp6XEmJxzsEZZA3Tv2sF1orczB1FAaxxerTBoV0NPDHqWSA1cJN+LA7XBfZVs9E7lgPN+F9JmEACyaQ4M9F5LGwY6hTXQ+w/HL42fmMyOzYzNB4sDTEFfW2PVqEm5FSjtCLrnUx/SnbfxtCrw4o5ZgL4zBVslfMXgVSGZB2eblmL6fMgLj+Rt/pY0OLdjOkiecuFg41NFp57iJBMO2QR2MFa4dkh0K6/IRPDNKwA==;
 s=purelymail2; d=lunabee.space; v=1;
 bh=Q6S+h+vcZmk4AkX5ak8iBkaRP1y79T5F+jlck3iBE2k=; h=Received:Subject:From:To; 
DKIM-Signature: a=rsa-sha256;
 b=J+i40jsCYRAg8xvsWdyDjLw9KNF4/tZKUAzipTZ0XULPV+HBUr/pZ+XXIpgvWwAoEm9kjMEoMaAYzghiaL26evtIjTeujZ4fQk/VSsFXIKNu/7BSxpmELfD+n30Z+HzW10kqx/Pbry5MAoJNjqddD9nWKR12gUvTZf4dM6vPZZtlRHwdk/H5KySY0LVsTWMMKIUT9qZk4NEocHaxvIkgqJDEuDm731O3wnAyvS2upWpGjbJGM9h8av8amV30/RfILqgDMpd1asyq2m5mgYfPtIW9QVmvJeLXKRjkOA5P4MvSnLbLIRgYoaVKLdOCrj8IiVsCpGdK9HJDe4MKsBetqw==;
 s=purelymail2; d=purelymail.com; v=1;
 bh=Q6S+h+vcZmk4AkX5ak8iBkaRP1y79T5F+jlck3iBE2k=;
 h=Feedback-ID:Received:Subject:From:To; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id 1385188433; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Tue, 13 Feb 2024 07:34:57 +0000 (UTC)
Message-ID: <8ab5d0bc36ced87463e0e64ca367266c80bd633d.camel@HIDDEN>
Subject: Re: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add
 uefi-uki-bootloader.
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Date: Tue, 13 Feb 2024 01:34:55 -0600
In-Reply-To: <05032c80273155fb72fad87d3fedb36fa73c9a28.camel@HIDDEN>
References: <cover.1706435500.git.lilah@HIDDEN>
 <22f2967a552454baade056c60a37c02e36a048a5.1706435500.git.lilah@HIDDEN>
 <87a5o6n8v9.wl-hako@HIDDEN>
 <05032c80273155fb72fad87d3fedb36fa73c9a28.camel@HIDDEN>
Organization: Dissociation for Heresiographal Computation
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.46.4 
MIME-Version: 1.0
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: Vagrant Cascadian <vagrant@HIDDEN>, Hilton Chain <hako@HIDDEN>,
 Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

> * add secure-boot-cert and secure-boot-key fields to bootloader-
> configuration.
>
> * deprecate configuration-file and configuration-file-generator in
>   the bootloader struct, and instead create an install-configuration-file
>   field, similar to install-bootloader. default procedure will be to do t=
he
>   current install-boot-cfg (gnu build install) using the deprecated field=
s.
>
> * rework uki.scm to, instead, run efibootmgr in install-
>   configuration-file and install the uki.efi files in install-bootloader.
>   remove the separation between uefi-uki-signed-bootloader and
>   uefi-uki-bootloader, instead working off the new bootloader-configurati=
on
>   fields.

amending: also edit the bootloader-installer and bootloader-disk-image-inst=
aller
procedures to provide the bootloader-configuration in some manner.

lilah

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 13 Feb 2024 02:11:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Feb 12 21:11:52 2024
Received: from localhost ([127.0.0.1]:37972 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rZiH2-0003Gv-En
	for submit <at> debbugs.gnu.org; Mon, 12 Feb 2024 21:11:52 -0500
Received: from sendmail.purelymail.com ([34.202.193.197]:42754)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1rZiGz-0003GI-Nf
 for 68524 <at> debbugs.gnu.org; Mon, 12 Feb 2024 21:11:50 -0500
DKIM-Signature: a=rsa-sha256;
 b=sfattE12iY8Ece6X2yQE5odAuBwXjUsKLE3/hG5PnWzusm23O4VbDeNAiRfSZTNdRhT1idB2SDIQft6CZSKbSegabHDseyWvhfNQoseIaXLWZaaGspuk5uRxEoo6RZIBOfINKbSbljdrxpUdLLiyIC9CpgPnlpRcfnjAzYsDa9ags5Ae4T87SnDk+UHVifsqNPdsigdH3W1UjsNOWQYIH4pdy2KFvs6nwhna1KdXxVATT1I64IIKHkzmh6is4DUVXzf7cB0lBdYj/bdhJJd3bRxllL9f6mLFbXB1WSONqXHPG4vDmEnhq19HnieAOZzmWIw1a3SeIM/8dmK0tX1ctA==;
 s=purelymail2; d=lunabee.space; v=1;
 bh=y5aeoexECaySDA9hrGQ//bb5NtUi+wNC6sd3aC74J+o=; h=Received:Subject:From:To; 
DKIM-Signature: a=rsa-sha256;
 b=BJOXcbnshLUy23EP830EeKZlKX0TeygRw9dAT29D3YBuaU4EgQpjhKgXmJ4ubgWM0c7yF8ASxs+JRF382gUMLCbf6UuifTBXgUEMq/utxPn7GM6ZQv3LhucrbAdDRFQw+kKL9fmfI/z8wU1wF4L46E43ht56SLLFkdGAgEGcwgqpqQfysse8C7hXW3LtVAZdGK7H1xqLKzar82Ms7L5uxTvnH9ct3XHVNnblO2NiA/rAlvq+u9yKB4J3q/wR9Rmttf7AJFkIMpRghKSIUjFDL+z/iLlzBzQRujGHNmdl3kq9HYd3EvOOO1f6XVKgdiMTtvkPzv8+/5ZDldQeeg54RQ==;
 s=purelymail2; d=purelymail.com; v=1;
 bh=y5aeoexECaySDA9hrGQ//bb5NtUi+wNC6sd3aC74J+o=;
 h=Feedback-ID:Received:Subject:From:To; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id 1344397455; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Tue, 13 Feb 2024 02:11:20 +0000 (UTC)
Message-ID: <05032c80273155fb72fad87d3fedb36fa73c9a28.camel@HIDDEN>
Subject: Re: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add
 uefi-uki-bootloader.
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Date: Mon, 12 Feb 2024 20:11:18 -0600
In-Reply-To: <87a5o6n8v9.wl-hako@HIDDEN>
References: <cover.1706435500.git.lilah@HIDDEN>
 <22f2967a552454baade056c60a37c02e36a048a5.1706435500.git.lilah@HIDDEN>
 <87a5o6n8v9.wl-hako@HIDDEN>
Organization: Dissociation for Heresiographal Computation
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.46.4 
MIME-Version: 1.0
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: Vagrant Cascadian <vagrant@HIDDEN>, Hilton Chain <hako@HIDDEN>,
 Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

heyo!

thanks for the review :) I'll submit a revised patch, but had a question be=
fore
I get to work on it.

> I tried to adjust uki.scm before commenting, so here's a paste of my
> adjusted version, in case some of my comments are not expressed clearly:
> https://paste.sr.ht/~hako/62bb15503290273e869520e12466718ebb82e000

nighttime sky I didn't realize reinstall-bootloader existed. shit.

at this point, I don't think the install-uki.scm hack is a good idea. to ge=
t
this fully functioning, will probably have to do some more invasive edits t=
o the
bootloader system, since the current one pretty much assumes an
extlinux/grubalike (which is what necessitated install-uki in the first pla=
ce).
RFC on the following plan:

* add secure-boot-cert and secure-boot-key fields to bootloader-configurati=
on.

* deprecate configuration-file and configuration-file-generator in the
  bootloader struct, and instead create an install-configuration-file field=
,
  similar to install-bootloader. default procedure will be to do the curren=
t
  install-boot-cfg (gnu build install) using the deprecated fields.

* rework uki.scm to, instead, run efibootmgr in install-configuration-file =
and
  install the uki.efi files in install-bootloader. remove the separation be=
tween
  uefi-uki-signed-bootloader and uefi-uki-bootloader, instead working off t=
he
  new bootloader-configuration fields.

this plan should work with reinstall-bootloader, even though it uses the de=
fault
bootloader-configuration, since files are only signed during installation
proper.

opinions?

thanks,
lilah

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 11 Feb 2024 19:10:24 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Feb 11 14:10:24 2024
Received: from localhost ([127.0.0.1]:40671 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rZFDY-0005O2-Rr
	for submit <at> debbugs.gnu.org; Sun, 11 Feb 2024 14:10:24 -0500
Received: from mail.boiledscript.com ([144.168.59.46]:56386)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <hako@HIDDEN>) id 1rZEqc-0004I0-RD
 for 68524 <at> debbugs.gnu.org; Sun, 11 Feb 2024 13:46:40 -0500
Date: Mon, 12 Feb 2024 02:37:59 +0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ultrarare.space;
 s=dkim; t=1707677091;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=Gb106VRnv0W/Wdxwd7z2hIHd6sM2eU8QCZun0e/zECM=;
 b=SiYPs69ibFXRAXZ/7sWocN4HojmZ5n8l0gZMpXQ4siYEIvdDBEuymwuuSGzefcPvj2lJWY
 83frMGQVm7vBVOvungRQnoVI3iIIWcTOEITLae34dCIdXAnAdcAFLkIVMVYWgZTPlSjoFC
 MV3F4MYjfdmxA3PZMyl2AbW8s9t5pGG/5mWTBoHA/gsOX4fFBfkohIGA12GjPQicSsgQr2
 b1fsYnrDs91UMs9e4hgP6l3jGIHQ65qDDjiQZZzab91VLSdR4f5SZQ5MnFx3iiz20ju3Br
 ZOEZVNrQ4kNFtpW0tP5PK9OOAqW5qzz6x0dAgEt4kRDJhE/RZzbXgwnX99weSA==
Authentication-Results: mail.boiledscript.com;
 auth=pass smtp.mailfrom=hako@HIDDEN
Message-ID: <87bk8mn8xk.wl-hako@HIDDEN>
From: Hilton Chain <hako@HIDDEN>
To: Lilah Tascheter <lilah@HIDDEN>
Subject: Re: [bug#68524] [PATCH v2 1/2] gnu: bootloaders: Add uki packages.
In-Reply-To: <d0bd85e4c1be3a8a2d351c9d50053e4374032857.1706435500.git.lilah@HIDDEN>
References: <cover.1706435500.git.lilah@HIDDEN>	<d0bd85e4c1be3a8a2d351c9d50053e4374032857.1706435500.git.lilah@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-7
Content-Transfer-Encoding: quoted-printable
X-Spamd-Bar: /
X-Spam-Score: 0.7 (/)
X-Debbugs-Envelope-To: 68524
Cc: Vagrant Cascadian <vagrant@HIDDEN>, 68524 <at> debbugs.gnu.org,
 Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.3 (/)

Hi Lilah,

On Sun, 28 Jan 2024 17:51:40 +0800,
Lilah Tascheter via Guix-patches wrote:
>
> * gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
>   (systemd-version,systemd-source,systemd-stub,ukify): New variables.

First of all, please split this commit into two commits, each adding a sing=
le
package.
(Other comments are between quote blocks.)

> Change-Id: I67776ec35d165afebc2eb4b11bea0459259e4bd8
> ---
>  gnu/packages/bootloaders.scm | 95 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 95 insertions(+)
>
> diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
> index 986f0ac035..b0d4979f44 100644
> --- a/gnu/packages/bootloaders.scm
> +++ b/gnu/packages/bootloaders.scm
> @@ -19,6 +19,7 @@
>  ;;; Copyright =A9 2021 Stefan <stefan-guix@HIDDEN>
>  ;;; Copyright =A9 2022, 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
>  ;;; Copyright =A9 2023 Herman Rimm <herman@HIDDEN>
> +;;; Copyright =A9 2024 Lilah Tascheter <lilah@HIDDEN>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -46,11 +47,13 @@ (define-module (gnu packages bootloaders)
>    #:use-module (gnu packages compression)
>    #:use-module (gnu packages cross-base)
>    #:use-module (gnu packages disk)
> +  #:use-module (gnu packages efi)
>    #:use-module (gnu packages firmware)
>    #:use-module (gnu packages flex)
>    #:use-module (gnu packages fontutils)
>    #:use-module (gnu packages gcc)
>    #:use-module (gnu packages gettext)
> +  #:use-module (gnu packages gperf)
>    #:use-module (gnu packages linux)
>    #:use-module (gnu packages man)
>    #:use-module (gnu packages mtools)
> @@ -71,11 +74,13 @@ (define-module (gnu packages bootloaders)
>    #:use-module (gnu packages valgrind)
>    #:use-module (gnu packages virtualization)
>    #:use-module (gnu packages xorg)
> +  #:use-module (gnu packages python-crypto)
>    #:use-module (gnu packages python-web)
>    #:use-module (gnu packages python-xyz)
>    #:use-module (guix build-system gnu)
>    #:use-module (guix build-system meson)
>    #:use-module (guix build-system pyproject)
> +  #:use-module (guix build-system python)
>    #:use-module (guix build-system trivial)
>    #:use-module (guix download)
>    #:use-module (guix gexp)
> @@ -632,6 +637,96 @@ (define-public syslinux
>                       ;; Also contains:
>                       license:expat license:isc license:zlib)))))
>
> +(define systemd-version "255")
> +(define systemd-source
> +  (origin
> +    (method git-fetch)
> +    (uri (git-reference
> +           (url "https://github.com/systemd/systemd")
> +           (commit (string-append "v" systemd-version))))
> +    (file-name (git-file-name "systemd" systemd-version))
> +    (sha256
> +      (base32
> +        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
> +
> +(define-public (systemd-stub-name)
> +  (let ((arch (cond ((target-x86-32?) "ia32")
> +                ((target-x86-64?) "x64")
> +                ((target-arm32?) "arm")
> +                ((target-aarch64?) "aa64")
> +                ((target-riscv64?) "riscv64"))))
> +    (string-append "linux" arch ".efi.stub")))

How about exporting this procedure in the module definition instead?

> +
> +(define-public systemd-stub
> +  (package
> +    (name "systemd-stub")
> +    (version systemd-version)
> +    (source systemd-source)
> +    (build-system meson-build-system)
> +    (arguments
> +      (list
> +        #:configure-flags
> +        `(list "-Defi=3Dtrue" "-Dsbat-distro=3Dguix"
> +               "-Dsbat-distro-generation=3D1" ; package revision!
> +               "-Dsbat-distro-summary=3DGuix System"
> +               "-Dsbat-distro-url=3Dhttps://guix.gnu.org"
> +               ,(string-append "-Dsbat-distro-pkgname=3D" name)
> +               ,(string-append "-Dsbat-distro-version=3D" version))

Please use a G-expression for #:configure-flags, replace =A1name=A2 and =A1=
version=A2
to =A1#$(package-name this-package)=A2 and =A1#$(package-version this-packa=
ge)=A2.

"-Dmode=3Drelease" can be added, too.

> +        #:phases
> +        #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-nam=
e))))
> +            (modify-phases %standard-phases
> +              (replace 'build
> +                (lambda* (#:key parallel-build? #:allow-other-keys)
> +                  (invoke "ninja" stub
> +                    "-j" (if parallel-build?
> +                           (number->string (parallel-job-count)) "1"))))
> +              (replace 'install
> +                (lambda _
> +                  (install-file stub (string-append #$output "/libexec")=
)))
> +              (delete 'check)))))
> +    (inputs (list libcap python-pyelftools `(,util-linux "lib")))
> +    (native-inputs (list gperf pkg-config python-3 python-jinja2))
> +    (home-page "https://systemd.io")

I think its homepage has an ending slash, as in "https://systemd.io/".

> +    (synopsis "Unified kernel image UEFI stub")
> +    (description "Simple UEFi boot stub that loads a conjoined kernel im=
age and
> +supporting data to their proper locations, before chainloading to the ke=
rnel.
> +Supports measured and/or verified boot environments.")
> +    (license license:lgpl2.1+)))
> +
> +(define-public ukify
> +  (package
> +    (name "ukify")
> +    (version systemd-version)
> +    (source systemd-source)
> +    (build-system python-build-system)
> +    (arguments
> +      (list #:phases
> +            #~(modify-phases %standard-phases
> +                (replace 'build
> +                  (lambda _
> +                    (substitute* "src/ukify/ukify.py" ; added in python =
3.11
> +                      (("datetime\\.UTC") "datetime.timezone.utc"))))

It's likely that only =A1systemd-source=A2 will be touched in the future, s=
o I'd
suggest moving this substitution into =A1systemd-source=A2 as a snippet.

> +                (delete 'check)
> +                (replace 'install
> +                  (lambda* (#:key inputs #:allow-other-keys)
> +                    (let* ((bin (string-append #$output "/bin"))
> +                           (file (string-append bin "/ukify"))
> +                           (binutils (assoc-ref inputs "binutils"))
> +                           (sbsign (assoc-ref inputs "sbsigntools")))

Getting inputs' path with =A1assoc-ref=A2 is not recommended.  =A1search-in=
put-file=A2
or =A1this-package-input=A2 can be used instead.

> +                      (mkdir-p bin)
> +                      (copy-file "src/ukify/ukify.py" file)
> +                      (wrap-program file
> +                        `("PATH" ":" prefix
> +                          (,(string-append binutils "/bin")
> +                           ,(string-append sbsign "/bin"))))))))))

I'd suggest patching paths instead of wrapping programs when possible, for
example, I have made one when reviewing this patch:

--8<---------------cut here---------------start------------->8---
(replace 'install
  (lambda* (#:key inputs #:allow-other-keys)
    (let ((file (string-append #$output "/bin/ukify")))
      (mkdir-p (dirname file))
      (copy-file "src/ukify/ukify.py" file)
      (substitute* file
        (("(find_tool.'|'name': ')\\<(readelf|sbsign|sbverify)\\>"
          _ pre cmd)
         (string-append
          pre (search-input-file
               inputs (string-append "bin/" cmd))))))))
--8<---------------cut here---------------end--------------->8---

Note that one dependency, =A1pesign=A2, is currently missing from Guix, thu=
s not
handled here.

I don't know if it has anything to do with our usage, but for the completen=
ess
of the package, I think we can package this dependency, or adding a comment
around the =A1inputs=A2 field to indicate it's missing.

> +    (inputs (list binutils python-cryptography python-pefile sbsigntools=
))
> +    (home-page "https://systemd.io")

Same as the homepage mentioned above.

> +    (synopsis "Unified kernel image UEFI tool")
> +    (description "@command{ukify} joins together a UKI stub, linux kerne=
l, initrd,
> +kernel arguments, and optional secure boot signatures into a single, UEF=
I-bootable
> +image.")
> +    (license license:lgpl2.1+)))
> +
>  (define-public dtc
>    (package
>      (name "dtc")
> --
> 2.41.0

Thanks

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 11 Feb 2024 19:10:21 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Feb 11 14:10:20 2024
Received: from localhost ([127.0.0.1]:40669 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rZFDX-0005Nx-Ch
	for submit <at> debbugs.gnu.org; Sun, 11 Feb 2024 14:10:20 -0500
Received: from mail.boiledscript.com ([144.168.59.46]:48014)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <hako@HIDDEN>) id 1rZEp7-0004Cz-Uo
 for 68524 <at> debbugs.gnu.org; Sun, 11 Feb 2024 13:45:07 -0500
Date: Mon, 12 Feb 2024 02:39:22 +0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ultrarare.space;
 s=dkim; t=1707676992;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=JkK/ma766KIurRkk5n6xd7ypfOtPWCinqH1q22fRtao=;
 b=iQ5mgpSfS2qwYxCFrYa2Ol4lXRHCHocHMS+eEK2R6A78Yf6ARyLaAPvdNhRmDOR6npXqMH
 jKyn/lHoU/mHua7lsCWUjmQ8Yhc+bnvB3tkEC/FBDq7ijeJ8fuI/NHsdrmAwPVPTDpSmOX
 vw3+E7MaVrzCmqJwEAT0NBem7SfUNLYfPZx3psp5ee8CngUIHnDgcZqc4ka/xYgvK2zhup
 4L6s2b4frTwVyQ/8xlDgLakn5SFBBZkXAGuYyYXMHAWXe2J/Zh8dim59BGtKPyJJgjtM/l
 bIbW66+etjwfYqvrSKXhOxxsgK9x7+tJhtM16SsfeeRqIHi8j+1P3Ao2nV+/sw==
Authentication-Results: mail.boiledscript.com;
 auth=pass smtp.mailfrom=hako@HIDDEN
Message-ID: <87a5o6n8v9.wl-hako@HIDDEN>
From: Hilton Chain <hako@HIDDEN>
To: Lilah Tascheter <lilah@HIDDEN>
Subject: Re: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add
 uefi-uki-bootloader.
In-Reply-To: <22f2967a552454baade056c60a37c02e36a048a5.1706435500.git.lilah@HIDDEN>
References: <cover.1706435500.git.lilah@HIDDEN>	<22f2967a552454baade056c60a37c02e36a048a5.1706435500.git.lilah@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-7
Content-Transfer-Encoding: quoted-printable
X-Spamd-Bar: /
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: Vagrant Cascadian <vagrant@HIDDEN>, 68524 <at> debbugs.gnu.org,
 Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Lilah,

On Sun, 28 Jan 2024 17:51:41 +0800,
Lilah Tascheter via Guix-patches wrote:
>
> * doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
>   uefi-uki-bootloader and uefi-uki-signed-bootloader.
>   (Keyboard Layout, Networking, and Partitioning)[Disk Partitioning]:
>   Note use of uefi-uki-bootloader and uefi-uki-signed-bootloader.
> * gnu/bootloader/uki.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm.
>
> Change-Id: I2097da9f3dd35137b3419f6d0545de26d53cb6da
> ---
>  doc/guix.texi          |  45 ++++++++++----
>  gnu/bootloader/uki.scm | 129 +++++++++++++++++++++++++++++++++++++++++
>  gnu/local.mk           |   1 +
>  3 files changed, 163 insertions(+), 12 deletions(-)
>  create mode 100644 gnu/bootloader/uki.scm
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index c458befb76..30fd5d022b 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -2723,12 +2723,13 @@ Keyboard Layout and Networking and Partitioning
>  for @command{cryptsetup luksFormat}.  You can check which key derivation
>  function is being used by a device by running @command{cryptsetup
>  luksDump @var{device}}, and looking for the PBKDF field of your
> -keyslots.
> +keyslots.  UEFI stub bootloaders, such as @code{uefi-uki-bootloader}, can
> +however use the default, more secure key derivation function.
>  @end quotation
>
> -Assuming you want to store the root partition on @file{/dev/sda2}, the
> -command sequence to format it as a LUKS2 partition would be along these
> -lines:
> +Assuming you want to store the root partition on @file{/dev/sda2} and us=
e GRUB
> +as your bootloader, the command sequence to format it as a LUKS2 partiti=
on would
> +be along these lines:
>
>  @example
>  cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
> @@ -41136,8 +41137,9 @@ Bootloader Configuration
>  The bootloader to use, as a @code{bootloader} object.  For now
>  @code{grub-bootloader}, @code{grub-efi-bootloader},
>  @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
> -@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
> -and @code{u-boot-bootloader} are supported.
> +@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
> +@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
> +@code{uefi-uki-signed-bootloader} are supported.
>
>  @cindex ARM, bootloaders
>  @cindex AArch64, bootloaders
> @@ -41244,6 +41246,25 @@ Bootloader Configuration
>  unbootable.
>  @end quotation
>
> +@vindex uefi-uki-bootloader
> +@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, w=
ithout
> +an intermediary like GRUB. The main practical advantage of this is allow=
ing
> +root/store encryption without an extra GRUB password entry and slow decr=
yption
> +step.
> +
> +@vindex uefi-uki-signed-bootloader
> +@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, ex=
cept
> +that it is a procedure that returns a bootloader compatible with UEFI se=
cure
> +boot. You must provide it with two paths: an out-of-store secure boot db
> +certificate (in PEM format), and out-of-store db key, in that order.

Please add two spaces between sentences, e.g. "Sentence 1.  Sentence 2".

I think "out-of-store" is not necessary here. :)

> +
> +@quotation Warning
> +When using @code{uefi-uki-bootloader} or @code{uefi-uki-signed-bootloade=
r},
> +@emph{do not} turn off your computer if a system reconfigure failed at
> +installing the bootloader.  Until bootloader installation succeeds, your=
 system
> +is in an unbootable state.
> +@end quotation
> +
>  @item @code{targets}
>  This is a list of strings denoting the targets onto which to install the
>  bootloader.
> @@ -41252,12 +41273,12 @@ Bootloader Configuration
>  For @code{grub-bootloader}, for example, they should be device names
>  understood by the bootloader @command{installer} command, such as
>  @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
> -GNU GRUB Manual}).  For @code{grub-efi-bootloader} and
> -@code{grub-efi-removable-bootloader} they should be mount
> -points of the EFI file system, usually @file{/boot/efi}.  For
> -@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
> -points corresponding to TFTP root directories served by your TFTP
> -server.
> +GNU GRUB Manual}).  For @code{grub-efi-bootloader},
> +@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
> +@code{uefi-uki-signed-bootloader}, they should be mount points of the EF=
I file
> +system, usually @file{/boot/efi}.  For @code{grub-efi-netboot-bootloader=
},
> +@code{targets} should be the mount points corresponding to TFTP root dir=
ectories
> +served by your TFTP server.
>
>  @item @code{menu-entries} (default: @code{'()})
>  A possibly empty list of @code{menu-entry} objects (see below), denoting
> diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
> new file mode 100644
> index 0000000000..0ef62295d6
> --- /dev/null
> +++ b/gnu/bootloader/uki.scm
> @@ -0,0 +1,129 @@
> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright =A9 2024 Lilah Tascheter <lilah@HIDDEN>
> +;;;
> +;;; This file is part of GNU Guix.
> +;;;
> +;;; GNU Guix is free software; you can redistribute it and/or modify it
> +;;; under the terms of the GNU General Public License as published by
> +;;; the Free Software Foundation; either version 3 of the License, or (at
> +;;; your option) any later version.
> +;;;
> +;;; GNU Guix is distributed in the hope that it will be useful, but
> +;;; WITHOUT ANY WARRANTY; without even the implied warranty of
> +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +;;; GNU General Public License for more details.
> +;;;
> +;;; You should have received a copy of the GNU General Public License
> +;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
> +
> +(define-module (gnu bootloader uki)
> +  #:use-module (gnu bootloader)
> +  #:use-module (gnu packages bootloaders)
> +  #:use-module (gnu packages efi)
> +  #:use-module (gnu packages linux)
> +  #:use-module (guix gexp)
> +  #:use-module (guix modules)
> +  #:use-module (srfi srfi-1)
> +  #:export (uefi-uki-bootloader uefi-uki-signed-bootloader))
> +
> +;; config generator makes script creating uki images
> +;; install runs script
> +;; install device is path to uefi dir
> +(define vendor "Guix")
> +(define script-loc "/boot/install-uki.scm")
> +
> +(define* (uefi-uki-configuration-file #:optional cert privkey)
> +  (lambda* (config entries #:key (old-entries '()) #:allow-other-keys)
> +
> +    (define (menu-entry->args e)

I'd prefer using =A1entry=A2 instead of =A1e=A2, same for some other nonobv=
ious
abbreviations.

> +      (let* ((boot (bootloader-configuration-bootloader config))
> +             (stub (bootloader-package boot)))
> +        #~(list "--os-release" #$(menu-entry-label e)
> +            "--linux" #$(menu-entry-linux e) "--initrd" #$(menu-entry-in=
itrd e)
> +            "--cmdline" (string-join (list #$@(menu-entry-linux-argument=
s e)))
> +            "--stub" #$(file-append stub "/libexec/" (systemd-stub-name))
> +            #$@(if cert #~("--secureboot-certificate" #$cert) #~())
> +            #$@(if privkey #~("--secureboot-private-key" #$privkey) #~()=
))))
> +
> +    (define (enum-filenames . args) ; same args as iota
> +      (map (lambda (n) (string-append (number->string n) ".efi"))
> +        (apply iota (map length args))))

"Same args as iota" doesn't explain the procudre, it actually accepts lists
instead of numbers, and only the first two lists are intended to be used, r=
ight?

I'd suggest just having two arguments with more descriptive names.

> +
> +    (program-file "install-uki"
> +      (with-imported-modules (source-module-closure '((guix build syscal=
ls)
> +                                                      (guix build utils)=
))
> +        #~(let* ((target (cadr (command-line)))
> +                 (vendir (string-append target "/EFI/" #$vendor))
> +                 (schema (string-append vendir "/boot.mgr"))
> +                 (findmnt #$(file-append util-linux "/bin/findmnt"))
> +                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr=
")))
> +            (use-modules (guix build syscalls) (guix build utils)
> +                         (ice-9 popen) (ice-9 textual-ports))
> +
> +            (define (out name) (string-append vendir "/" name))
> +            (define disk
> +              (call-with-port
> +                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" targ=
et)
> +                (lambda (port) (get-line port)))) ; only 1 line: the dev=
ice

(guix build syscalls) has procedures can be utilized for this, no need to i=
nvoke
findmnt.

> +
> +            ;; delete all boot entries and files we control
> +            (when (file-exists? schema)
> +              (call-with-input-file schema
> +                (lambda (port)
> +                  (for-each (lambda (l)
> +                              (unless (string-null? l)
> +                                (system* efibootmgr "-B" "-L" l "-q")))

Dispite the "-q" option, error messages will still be visible to user, plea=
se
use =A1invoke/quiet=A2 + error handling instead.

And I'd prefer long options.

> +                    (string-split (get-string-all port) #\lf)))))

=A1#\newline=A2 is preferred over =A1#\lf=A2 in Guix source.

> +            (when (directory-exists? vendir) (delete-file-recursively ve=
ndir))
> +            (mkdir-p vendir)
> +
> +            (define (install port boot? oos)
> +              (lambda (args label name)
> +                (let ((minbytes (* 2 (stat:size (stat #$script-loc)))))
> +                  (put-string port label)
> +                  (put-char port #\lf)
> +                  (force-output port) ; make sure space is alloc'd
> +                  (apply invoke #$(file-append ukify "/bin/ukify")

=A1invoke/quiet=A2 can be used.

> +                    "build" "-o" (out name) args)
> +                  ;; make sure we have enough space for next install-uki=
.scm
> +                  (when (and oos (< (free-disk-space vendir) minbytes)) =
(oos))
> +                  (invoke efibootmgr (if boot? "-c" "-C") "-L" label "-d=
" disk
> +                    "-l" (string-append "\\EFI\\" #$vendor "\\" name) "-=
q"))))

You're calling the exception handler directly here, it might be better to m=
ove
the exception handling part into the procedure to avoid this.

> +
> +            (call-with-output-file schema
> +              (lambda (port) ; prioritize latest UKIs in limited ESP spa=
ce
> +                (for-each (install port #t #f)
> +                  (list #$@(map-in-order menu-entry->args entries))
> +                  (list #$@(map-in-order menu-entry-label entries))
> +                  (list #$@(enum-filenames entries)))
> +                (for-each ; old-entries can fail (out of space) we don't=
 care
> +                  (lambda (args label name)
> +                    (define (cleanup . _) ; do exit early if out of spac=
e tho
> +                      (when (file-exists? (out name)) (delete-file (out =
name)))
> +                      (exit))
> +                    (with-exception-handler cleanup
> +                      (lambda _ ((install port #f cleanup) args label na=
me))))
> +                  (list #$@(map-in-order menu-entry->args old-entries))
> +                  (list #$@(map-in-order menu-entry-label old-entries))
> +                  (list #$@(enum-filenames old-entries entries))))))))))

These two =A1for-each=A2 can be merged into one.

> +
> +(define install-uefi-uki
> +  #~(lambda (bootloader target mount-point)
> +      (invoke (string-append mount-point #$script-loc)
> +              (string-append mount-point target))))
> +
> +(define* (make-uefi-uki-bootloader #:optional cert privkey)
> +  (bootloader
> +    (name 'uefi-uki)
> +    (package systemd-stub)
> +    (installer install-uefi-uki)
> +    (disk-image-installer #f)
> +    (configuration-file script-loc)
> +    (configuration-file-generator (uefi-uki-configuration-file cert priv=
key))))
> +
> +;; IMPORTANT NOTE: if bootloader install fails, do not turn off your com=
puter! until
> +;; install succeeds, your system is unbootable.
> +(define uefi-uki-bootloader (make-uefi-uki-bootloader))
> +;; use ukify genkey to generate cert and privkey. DO NOT include in stor=
e.
> +(define (uefi-uki-signed-bootloader cert privkey)
> +  (make-uefi-uki-bootloader cert privkey))

They'll have the same bootloader name, making these two bootloaders
indistinguishable from boot-parameters.

> diff --git a/gnu/local.mk b/gnu/local.mk
> index ab63bd5881..0a15251ddf 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -90,6 +90,7 @@ GNU_SYSTEM_MODULES =3D				\
>    %D%/bootloader/extlinux.scm                   \
>    %D%/bootloader/u-boot.scm                     \
>    %D%/bootloader/depthcharge.scm                \
> +  %D%/bootloader/uki.scm                        \
>    %D%/ci.scm					\
>    %D%/compression.scm				\
>    %D%/home.scm					\
> --
> 2.41.0

I tried to adjust uki.scm before commenting, so here's a paste of my adjust=
ed
version, in case some of my comments are not expressed clearly:
https://paste.sr.ht/~hako/62bb15503290273e869520e12466718ebb82e000

Thanks

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 11 Feb 2024 18:46:05 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Feb 11 13:46:05 2024
Received: from localhost ([127.0.0.1]:39153 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rZEq4-0004GB-58
	for submit <at> debbugs.gnu.org; Sun, 11 Feb 2024 13:46:05 -0500
Received: from mail.boiledscript.com ([144.168.59.46]:34494)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <hako@HIDDEN>) id 1rZEq2-0004Fk-1w
 for 68524 <at> debbugs.gnu.org; Sun, 11 Feb 2024 13:46:02 -0500
Date: Mon, 12 Feb 2024 02:37:21 +0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ultrarare.space;
 s=dkim; t=1707677046;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=zqMduDsQhzhfC3N2o1LMNYbPb/gYrc/erd84aZ5eunQ=;
 b=jtJWHTIiETgy1CH3wnAbIQ4A27Q2pJ4DvPrbKHmHx5hbT4lispkNZBQKJ4IdoK71zGRdNm
 64/5DPpsOC1LwzqYdDY/tVdvyA0k7/Vg82RntG0AEQ0aUkZQ5x991NeaBJ72Kq3C5QKr0+
 MiokROnpqKsJyMFXvq+HGhFhYWgYobmN6soBwCY9LLiGlV9wCFPHqgevsiy6EmFqt1cE/I
 qyunVukE7bnuu+g5orzRNuf8hJSsxyKt4I1f/lX1E+qsiGgNBN4mUmthtRz+ffhGBOjF/w
 UMpLNQistVrsJcGAvKbW2o6T9rhRlAHQFQ2FWa3Yc7k2N2acRc3R4s3S5w8QMw==
Authentication-Results: mail.boiledscript.com;
 auth=pass smtp.mailfrom=hako@HIDDEN
Message-ID: <87cyt2n8ym.wl-hako@HIDDEN>
From: Hilton Chain <hako@HIDDEN>
To: Lilah Tascheter <lilah@HIDDEN>
Subject: Re: [bug#68524] [PATCH v2 0/2] Support root encryption and secure
 boot.
In-Reply-To: <cover.1706435500.git.lilah@HIDDEN>
References: <cover.1705465384.git.lilah@HIDDEN>	<cover.1706435500.git.lilah@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-7
Content-Transfer-Encoding: quoted-printable
X-Spamd-Bar: /
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: Vagrant Cascadian <vagrant@HIDDEN>, 68524 <at> debbugs.gnu.org,
 Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Lilah,

On Sun, 28 Jan 2024 17:51:38 +0800,
Lilah Tascheter via Guix-patches wrote:
>
> Thank you so much Herman, that motherfucking typo was what made my old-en=
tries
> testing not work. I reworked the majority of the install-uki.scm code, an=
d now
> uefi-uki-bootloader and uefi-uki-signed-bootloader support generation rol=
lback!
> Slightly jank, but it works. On install, we pretty much just cram as many
> generations into the ESP as possible. ESPs are typically small, so we can=
't
> assume that we can fit more than one UKI, so if we can't fit every extent
> generation we just exit early.
>
> We also don't waste space on root by adding each UKI to the store anymore.
> They're all generated at install time. Added slightly more documentation =
too.
>
> Otherwise, fixed everything Herman pointed out!
>
> Decided not to add a manual section on manually running /boot/install-uki=
.scm
> though. It's more of a quirk of getting around guix's bootloader assumpti=
ons
> than meant to be run that way; I don't know if it's a good idea to direct
> attention to it. I mean it Works, but it's more of a quick hack.
>
> Lilah Tascheter (2):
>   gnu: bootloaders: Add uki packages.
>   gnu: bootloaders: Add uefi-uki-bootloader.
>
>  doc/guix.texi                |  45 ++++++++----
>  gnu/bootloader/uki.scm       | 129 +++++++++++++++++++++++++++++++++++
>  gnu/local.mk                 |   1 +
>  gnu/packages/bootloaders.scm |  95 ++++++++++++++++++++++++++
>  4 files changed, 258 insertions(+), 12 deletions(-)
>  create mode 100644 gnu/bootloader/uki.scm
>
>
> base-commit: 2823253484e49391c6ba3c653a2f9e9f5e5f38ae
> --
> 2.41.0

Nicely done!  I have tested =A1uefi-uki-bootloader=A2, and it works!

But currently =A1uefi-uki-bootloader=A2 doesn't match generation switching =
well, and
=A1uefi-uki-signed-bootloader=A2 as a procedure further breaks that, right?

I think these issues have to be addressed to get the series merged.

Reviews are coming later.

Thanks

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 28 Jan 2024 10:03:38 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jan 28 05:03:38 2024
Received: from localhost ([127.0.0.1]:56628 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rU20n-0003zJ-KI
	for submit <at> debbugs.gnu.org; Sun, 28 Jan 2024 05:03:38 -0500
Received: from sendmail.purelymail.com ([34.202.193.197]:38470)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1rU20f-0003yP-TG
 for 68524 <at> debbugs.gnu.org; Sun, 28 Jan 2024 05:03:33 -0500
Authentication-Results: purelymail.com; auth=pass
DKIM-Signature: a=rsa-sha256;
 b=kUhKC5Nf+fJ6l/lOCHlQqpDckhrg+zkmeLugvtEZg3z4EcXPbSKKQD1qbAiKZQEN36CmA91VA/i+q3/eB6L52x/fqdgV31bCAq8JOcMhoMq5bgNVHXgmahsUGYbqQCRswo7hR3tGqFrMQcJYPYvjYU+ln7Q3pPvQ/JnS2wHqr4ts8HfSUMC9UF4Cy6V464PQBkzqu/YMZ9I5y08cFjxwlBNUXdFB6S5we7JxdAqDJtxqdmcn4H3mbqofXj5261Yz/9w9GF+q+TqlIkp1WvSySe9Lr7tOjTtpOnJEdobdIIIDAjHGpzIr/yRa+qovTxa9OX61CqB3W9m1X4ZNbFGCrQ==;
 s=purelymail2; d=lunabee.space; v=1;
 bh=us+EFDXms9fDRtQBeGDoDSsswTmzdHRQy5lzdw8+3gY=; h=Received:From:To:Subject; 
DKIM-Signature: a=rsa-sha256;
 b=EGDXT+2aVT7KPMrNo+7HP+Wjppoit2QVachhvPmjPQAXOgTmCvNjD+sUyTvCTeriHQ2MQCBEM+9aGPQA/BUE1XvQnrYyIvfca15o1iutcOZa1Wcv8TDX2RvPb1gXHB+5Y9qqOT3w2rJ9S80oTXi1bZnbC4z3cHAl1Nf5dJ2lRwL/fYzYxJN0cpdNpmPU3ZwuYGvqG7FPRjebgA+rDlFmI+U8rlLWs4X3r8NPUicRvRWY2vlD4+F+14fj8i9aKn5tdtmSMIF/NDS4DcQeZAjZB5PFrCIXVeNpUvcpwnp1geP50o01NGytpcfPVjltqYcYVgrJ3gFuX6KR7fVTVB9wjw==;
 s=purelymail2; d=purelymail.com; v=1;
 bh=us+EFDXms9fDRtQBeGDoDSsswTmzdHRQy5lzdw8+3gY=;
 h=Feedback-ID:Received:From:To:Subject; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -1308848491; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Sun, 28 Jan 2024 10:03:15 +0000 (UTC)
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Date: Sun, 28 Jan 2024 03:51:41 -0600
Message-ID: <22f2967a552454baade056c60a37c02e36a048a5.1706435500.git.lilah@HIDDEN>
In-Reply-To: <cover.1706435500.git.lilah@HIDDEN>
References: <cover.1706435500.git.lilah@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: vagrant@HIDDEN, Lilah Tascheter <lilah@HIDDEN>, herman@HIDDEN,
 efraim@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
  uefi-uki-bootloader and uefi-uki-signed-bootloader.
  (Keyboard Layout, Networking, and Partitioning)[Disk Partitioning]:
  Note use of uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm.

Change-Id: I2097da9f3dd35137b3419f6d0545de26d53cb6da
---
 doc/guix.texi          |  45 ++++++++++----
 gnu/bootloader/uki.scm | 129 +++++++++++++++++++++++++++++++++++++++++
 gnu/local.mk           |   1 +
 3 files changed, 163 insertions(+), 12 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index c458befb76..30fd5d022b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -2723,12 +2723,13 @@ Keyboard Layout and Networking and Partitioning
 for @command{cryptsetup luksFormat}.  You can check which key derivation
 function is being used by a device by running @command{cryptsetup
 luksDump @var{device}}, and looking for the PBKDF field of your
-keyslots.
+keyslots.  UEFI stub bootloaders, such as @code{uefi-uki-bootloader}, can
+however use the default, more secure key derivation function.
 @end quotation
=20
-Assuming you want to store the root partition on @file{/dev/sda2}, the
-command sequence to format it as a LUKS2 partition would be along these
-lines:
+Assuming you want to store the root partition on @file{/dev/sda2} and use =
GRUB
+as your bootloader, the command sequence to format it as a LUKS2 partition=
 would
+be along these lines:
=20
 @example
 cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2
@@ -41136,8 +41137,9 @@ Bootloader Configuration
 The bootloader to use, as a @code{bootloader} object.  For now
 @code{grub-bootloader}, @code{grub-efi-bootloader},
 @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
-@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
-and @code{u-boot-bootloader} are supported.
+@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
+@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader} are supported.
=20
 @cindex ARM, bootloaders
 @cindex AArch64, bootloaders
@@ -41244,6 +41246,25 @@ Bootloader Configuration
 unbootable.
 @end quotation
=20
+@vindex uefi-uki-bootloader
+@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, wit=
hout
+an intermediary like GRUB. The main practical advantage of this is allowin=
g
+root/store encryption without an extra GRUB password entry and slow decryp=
tion
+step.
+
+@vindex uefi-uki-signed-bootloader
+@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, exce=
pt
+that it is a procedure that returns a bootloader compatible with UEFI secu=
re
+boot. You must provide it with two paths: an out-of-store secure boot db
+certificate (in PEM format), and out-of-store db key, in that order.
+
+@quotation Warning
+When using @code{uefi-uki-bootloader} or @code{uefi-uki-signed-bootloader}=
,
+@emph{do not} turn off your computer if a system reconfigure failed at
+installing the bootloader.  Until bootloader installation succeeds, your s=
ystem
+is in an unbootable state.
+@end quotation
+
 @item @code{targets}
 This is a list of strings denoting the targets onto which to install the
 bootloader.
@@ -41252,12 +41273,12 @@ Bootloader Configuration
 For @code{grub-bootloader}, for example, they should be device names
 understood by the bootloader @command{installer} command, such as
 @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
-GNU GRUB Manual}).  For @code{grub-efi-bootloader} and
-@code{grub-efi-removable-bootloader} they should be mount
-points of the EFI file system, usually @file{/boot/efi}.  For
-@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
-points corresponding to TFTP root directories served by your TFTP
-server.
+GNU GRUB Manual}).  For @code{grub-efi-bootloader},
+@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI =
file
+system, usually @file{/boot/efi}.  For @code{grub-efi-netboot-bootloader},
+@code{targets} should be the mount points corresponding to TFTP root direc=
tories
+served by your TFTP server.
=20
 @item @code{menu-entries} (default: @code{'()})
 A possibly empty list of @code{menu-entry} objects (see below), denoting
diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
new file mode 100644
index 0000000000..0ef62295d6
--- /dev/null
+++ b/gnu/bootloader/uki.scm
@@ -0,0 +1,129 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright =C2=A9 2024 Lilah Tascheter <lilah@HIDDEN>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu bootloader uki)
+  #:use-module (gnu bootloader)
+  #:use-module (gnu packages bootloaders)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages linux)
+  #:use-module (guix gexp)
+  #:use-module (guix modules)
+  #:use-module (srfi srfi-1)
+  #:export (uefi-uki-bootloader uefi-uki-signed-bootloader))
+
+;; config generator makes script creating uki images
+;; install runs script
+;; install device is path to uefi dir
+(define vendor "Guix")
+(define script-loc "/boot/install-uki.scm")
+
+(define* (uefi-uki-configuration-file #:optional cert privkey)
+  (lambda* (config entries #:key (old-entries '()) #:allow-other-keys)
+
+    (define (menu-entry->args e)
+      (let* ((boot (bootloader-configuration-bootloader config))
+             (stub (bootloader-package boot)))
+        #~(list "--os-release" #$(menu-entry-label e)
+            "--linux" #$(menu-entry-linux e) "--initrd" #$(menu-entry-init=
rd e)
+            "--cmdline" (string-join (list #$@(menu-entry-linux-arguments =
e)))
+            "--stub" #$(file-append stub "/libexec/" (systemd-stub-name))
+            #$@(if cert #~("--secureboot-certificate" #$cert) #~())
+            #$@(if privkey #~("--secureboot-private-key" #$privkey) #~()))=
))
+
+    (define (enum-filenames . args) ; same args as iota
+      (map (lambda (n) (string-append (number->string n) ".efi"))
+        (apply iota (map length args))))
+
+    (program-file "install-uki"
+      (with-imported-modules (source-module-closure '((guix build syscalls=
)
+                                                      (guix build utils)))
+        #~(let* ((target (cadr (command-line)))
+                 (vendir (string-append target "/EFI/" #$vendor))
+                 (schema (string-append vendir "/boot.mgr"))
+                 (findmnt #$(file-append util-linux "/bin/findmnt"))
+                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")=
))
+            (use-modules (guix build syscalls) (guix build utils)
+                         (ice-9 popen) (ice-9 textual-ports))
+
+            (define (out name) (string-append vendir "/" name))
+            (define disk
+              (call-with-port
+                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target=
)
+                (lambda (port) (get-line port)))) ; only 1 line: the devic=
e
+
+            ;; delete all boot entries and files we control
+            (when (file-exists? schema)
+              (call-with-input-file schema
+                (lambda (port)
+                  (for-each (lambda (l)
+                              (unless (string-null? l)
+                                (system* efibootmgr "-B" "-L" l "-q")))
+                    (string-split (get-string-all port) #\lf)))))
+            (when (directory-exists? vendir) (delete-file-recursively vend=
ir))
+            (mkdir-p vendir)
+
+            (define (install port boot? oos)
+              (lambda (args label name)
+                (let ((minbytes (* 2 (stat:size (stat #$script-loc)))))
+                  (put-string port label)
+                  (put-char port #\lf)
+                  (force-output port) ; make sure space is alloc'd
+                  (apply invoke #$(file-append ukify "/bin/ukify")
+                    "build" "-o" (out name) args)
+                  ;; make sure we have enough space for next install-uki.s=
cm
+                  (when (and oos (< (free-disk-space vendir) minbytes)) (o=
os))
+                  (invoke efibootmgr (if boot? "-c" "-C") "-L" label "-d" =
disk
+                    "-l" (string-append "\\EFI\\" #$vendor "\\" name) "-q"=
))))
+
+            (call-with-output-file schema
+              (lambda (port) ; prioritize latest UKIs in limited ESP space
+                (for-each (install port #t #f)
+                  (list #$@(map-in-order menu-entry->args entries))
+                  (list #$@(map-in-order menu-entry-label entries))
+                  (list #$@(enum-filenames entries)))
+                (for-each ; old-entries can fail (out of space) we don't c=
are
+                  (lambda (args label name)
+                    (define (cleanup . _) ; do exit early if out of space =
tho
+                      (when (file-exists? (out name)) (delete-file (out na=
me)))
+                      (exit))
+                    (with-exception-handler cleanup
+                      (lambda _ ((install port #f cleanup) args label name=
))))
+                  (list #$@(map-in-order menu-entry->args old-entries))
+                  (list #$@(map-in-order menu-entry-label old-entries))
+                  (list #$@(enum-filenames old-entries entries))))))))))
+
+(define install-uefi-uki
+  #~(lambda (bootloader target mount-point)
+      (invoke (string-append mount-point #$script-loc)
+              (string-append mount-point target))))
+
+(define* (make-uefi-uki-bootloader #:optional cert privkey)
+  (bootloader
+    (name 'uefi-uki)
+    (package systemd-stub)
+    (installer install-uefi-uki)
+    (disk-image-installer #f)
+    (configuration-file script-loc)
+    (configuration-file-generator (uefi-uki-configuration-file cert privke=
y))))
+
+;; IMPORTANT NOTE: if bootloader install fails, do not turn off your compu=
ter! until
+;; install succeeds, your system is unbootable.
+(define uefi-uki-bootloader (make-uefi-uki-bootloader))
+;; use ukify genkey to generate cert and privkey. DO NOT include in store.
+(define (uefi-uki-signed-bootloader cert privkey)
+  (make-uefi-uki-bootloader cert privkey))
diff --git a/gnu/local.mk b/gnu/local.mk
index ab63bd5881..0a15251ddf 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -90,6 +90,7 @@ GNU_SYSTEM_MODULES =3D=09=09=09=09\
   %D%/bootloader/extlinux.scm                   \
   %D%/bootloader/u-boot.scm                     \
   %D%/bootloader/depthcharge.scm                \
+  %D%/bootloader/uki.scm                        \
   %D%/ci.scm=09=09=09=09=09\
   %D%/compression.scm=09=09=09=09\
   %D%/home.scm=09=09=09=09=09\
--=20
2.41.0

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 28 Jan 2024 10:03:32 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jan 28 05:03:32 2024
Received: from localhost ([127.0.0.1]:56626 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rU20h-0003yq-T1
	for submit <at> debbugs.gnu.org; Sun, 28 Jan 2024 05:03:32 -0500
Received: from sendmail.purelymail.com ([34.202.193.197]:50706)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1rU20f-0003yO-SO
 for 68524 <at> debbugs.gnu.org; Sun, 28 Jan 2024 05:03:30 -0500
Authentication-Results: purelymail.com; auth=pass
DKIM-Signature: a=rsa-sha256;
 b=U673TrUCTFscakmyI8GUi6M1eWjyPIKffhlWHqWEPenliP1FXr9T2CW+sMzObgwBDLqpK3uNLJdYq1c/kYUfiVQLpSCjVnXWP1rBWjZ0zfnXaqQzRROLnswvswa49ul6ZPge6DRuzTUoFsocB/bxA2wcR420DBzxbr5smgXfHtyOIaGfDhspohS0l5dNQhgGnGM1kVdpQUig1LzXVgW59EhD2dyBPBsBG0ym2CbDzZ1a7yyBZTsern81bk6KCXs8pVy6CUItybvoqgHyvJ9gtiXL8CNzlu0Sk0VOnGxljBMEc1UHl1eJvbZDbpAGZ1zkruV5s1HEPXylfxMycK4POw==;
 s=purelymail2; d=lunabee.space; v=1;
 bh=/0e0X1bfriDa7mztPzwNLhVYDcs7uvRT3P83zy8NFF8=; h=Received:From:To:Subject; 
DKIM-Signature: a=rsa-sha256;
 b=uEknK+JL2gwPRkc4ZR3wQ/sP0MDEvbtXr6fvI0fXG4Yi34pjtsFNeiSYRazOSYcNzMJWr2d+QoWZdT9cjY5emniOmVZ2khRQqLaoiGoz/lvuqjPRjhK+jtluwDN3hfuRi+iPBs56jQPxUveNZCtUpY9FSHwJ5ux9oBveK+nxz9xdDXrIXTAQquMZEZLdN6XbtJJ9oWukVyCiDZXnUXG5CQ0iZ/hKr5ZIryPw6d6LjBi5uXhlpe5WNGjq3wUMRL2oXwbHpIzYHBzNx+kRLCBhYGkYjaaoG0dm6iWyw3rsO97FfuCrlo/1svH0N9lKpXM7BJ9ECa4KmqxTfv4jkYMKag==;
 s=purelymail2; d=purelymail.com; v=1;
 bh=/0e0X1bfriDa7mztPzwNLhVYDcs7uvRT3P83zy8NFF8=;
 h=Feedback-ID:Received:From:To:Subject; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -1308848491; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Sun, 28 Jan 2024 10:03:12 +0000 (UTC)
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v2 1/2] gnu: bootloaders: Add uki packages.
Date: Sun, 28 Jan 2024 03:51:40 -0600
Message-ID: <d0bd85e4c1be3a8a2d351c9d50053e4374032857.1706435500.git.lilah@HIDDEN>
In-Reply-To: <cover.1706435500.git.lilah@HIDDEN>
References: <cover.1706435500.git.lilah@HIDDEN>
MIME-Version: 1.0
X-Debbugs-Cc: Efraim Flashner <efraim@HIDDEN>,
 Vagrant Cascadian <vagrant@HIDDEN>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail
X-Spam-Score: 0.7 (/)
X-Debbugs-Envelope-To: 68524
Cc: vagrant@HIDDEN, Lilah Tascheter <lilah@HIDDEN>, herman@HIDDEN,
 efraim@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.3 (/)

* gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
  (systemd-version,systemd-source,systemd-stub,ukify): New variables.

Change-Id: I67776ec35d165afebc2eb4b11bea0459259e4bd8
---
 gnu/packages/bootloaders.scm | 95 ++++++++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index 986f0ac035..b0d4979f44 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -19,6 +19,7 @@
 ;;; Copyright =C2=A9 2021 Stefan <stefan-guix@HIDDEN>
 ;;; Copyright =C2=A9 2022, 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN=
>
 ;;; Copyright =C2=A9 2023 Herman Rimm <herman@HIDDEN>
+;;; Copyright =C2=A9 2024 Lilah Tascheter <lilah@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -46,11 +47,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cross-base)
   #:use-module (gnu packages disk)
+  #:use-module (gnu packages efi)
   #:use-module (gnu packages firmware)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages gperf)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages man)
   #:use-module (gnu packages mtools)
@@ -71,11 +74,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages valgrind)
   #:use-module (gnu packages virtualization)
   #:use-module (gnu packages xorg)
+  #:use-module (gnu packages python-crypto)
   #:use-module (gnu packages python-web)
   #:use-module (gnu packages python-xyz)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system pyproject)
+  #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
   #:use-module (guix download)
   #:use-module (guix gexp)
@@ -632,6 +637,96 @@ (define-public syslinux
                      ;; Also contains:
                      license:expat license:isc license:zlib)))))
=20
+(define systemd-version "255")
+(define systemd-source
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+           (url "https://github.com/systemd/systemd")
+           (commit (string-append "v" systemd-version))))
+    (file-name (git-file-name "systemd" systemd-version))
+    (sha256
+      (base32
+        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
+
+(define-public (systemd-stub-name)
+  (let ((arch (cond ((target-x86-32?) "ia32")
+                ((target-x86-64?) "x64")
+                ((target-arm32?) "arm")
+                ((target-aarch64?) "aa64")
+                ((target-riscv64?) "riscv64"))))
+    (string-append "linux" arch ".efi.stub")))
+
+(define-public systemd-stub
+  (package
+    (name "systemd-stub")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system meson-build-system)
+    (arguments
+      (list
+        #:configure-flags
+        `(list "-Defi=3Dtrue" "-Dsbat-distro=3Dguix"
+               "-Dsbat-distro-generation=3D1" ; package revision!
+               "-Dsbat-distro-summary=3DGuix System"
+               "-Dsbat-distro-url=3Dhttps://guix.gnu.org"
+               ,(string-append "-Dsbat-distro-pkgname=3D" name)
+               ,(string-append "-Dsbat-distro-version=3D" version))
+        #:phases
+        #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name)=
)))
+            (modify-phases %standard-phases
+              (replace 'build
+                (lambda* (#:key parallel-build? #:allow-other-keys)
+                  (invoke "ninja" stub
+                    "-j" (if parallel-build?
+                           (number->string (parallel-job-count)) "1"))))
+              (replace 'install
+                (lambda _
+                  (install-file stub (string-append #$output "/libexec")))=
)
+              (delete 'check)))))
+    (inputs (list libcap python-pyelftools `(,util-linux "lib")))
+    (native-inputs (list gperf pkg-config python-3 python-jinja2))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI stub")
+    (description "Simple UEFi boot stub that loads a conjoined kernel imag=
e and
+supporting data to their proper locations, before chainloading to the kern=
el.
+Supports measured and/or verified boot environments.")
+    (license license:lgpl2.1+)))
+
+(define-public ukify
+  (package
+    (name "ukify")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system python-build-system)
+    (arguments
+      (list #:phases
+            #~(modify-phases %standard-phases
+                (replace 'build
+                  (lambda _
+                    (substitute* "src/ukify/ukify.py" ; added in python 3.=
11
+                      (("datetime\\.UTC") "datetime.timezone.utc"))))
+                (delete 'check)
+                (replace 'install
+                  (lambda* (#:key inputs #:allow-other-keys)
+                    (let* ((bin (string-append #$output "/bin"))
+                           (file (string-append bin "/ukify"))
+                           (binutils (assoc-ref inputs "binutils"))
+                           (sbsign (assoc-ref inputs "sbsigntools")))
+                      (mkdir-p bin)
+                      (copy-file "src/ukify/ukify.py" file)
+                      (wrap-program file
+                        `("PATH" ":" prefix
+                          (,(string-append binutils "/bin")
+                           ,(string-append sbsign "/bin"))))))))))
+    (inputs (list binutils python-cryptography python-pefile sbsigntools))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI tool")
+    (description "@command{ukify} joins together a UKI stub, linux kernel,=
 initrd,
+kernel arguments, and optional secure boot signatures into a single, UEFI-=
bootable
+image.")
+    (license license:lgpl2.1+)))
+
 (define-public dtc
   (package
     (name "dtc")
--=20
2.41.0

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 28 Jan 2024 10:03:13 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jan 28 05:03:13 2024
Received: from localhost ([127.0.0.1]:56618 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rU20P-0003xt-F0
	for submit <at> debbugs.gnu.org; Sun, 28 Jan 2024 05:03:13 -0500
Received: from sendmail.purelymail.com ([34.202.193.197]:38440)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1rU20M-0003xN-Ry
 for 68524 <at> debbugs.gnu.org; Sun, 28 Jan 2024 05:03:12 -0500
Authentication-Results: purelymail.com; auth=pass
DKIM-Signature: a=rsa-sha256;
 b=NX4rY+IPAUTbyqh3ZmURw/HhjXb/5kAkfcGmBs8e03jYOxX1wr0UdBvD65aB2M6fsU6qFkBQi6AkdubE5pulhI1Xipj4mRz5U9YSLRxfbq4oFj7wayv1TJ7JHaFwbPskB432B01Lr0z1sJNmzS1ZzC95ESlUCNsCMHvBLJg5PlkVnogeOrVfln/+yWe7OfHDKZy0tQDS3TBBNL/2jEMUjmWwUzcSvDsgYdeC297EDuvLI+3jQbXrEHYxDtDgghwaUsHoDG4hE3MpEzBIX7Ci4OZQLCVvLnoQxzde3t56JlBy1er5HSG9XeamMozK7VLvgD0jBpJZzVfxReowidcUIQ==;
 s=purelymail2; d=lunabee.space; v=1;
 bh=xqsqTPSExPhByIFkpdXF8KikRKpec9SxIlcbnU2ocYc=; h=Received:From:To:Subject; 
DKIM-Signature: a=rsa-sha256;
 b=MEbB8jSl9ygx2efF3xfmOnLHVFy1nrTnNM4Vy5H+NplvBK99cMPQEp5Bf+4JkIE+fqiSKhpfJY/VIVe6rqxRpkw6O9Wuj/gMyUN21dZghiEk7OavqRyAra3LXZXOR4Qaf4N0QSYR7inLx5zE70U8KEeXMX1mSGKcMzawGCnzU8kqeSZQf2yi+SE6Nr/uYnAFAumIH3jiHHqflIt7zWolakDMzJ49ctJhZYmx4hsdaC2fZvqqMSei6eS37Q79uJFV/Xx7TsbAkC3Qa2jMjCRV9AYI6YY/ygxQnK4DpEts8YzOY8hg/uPiTZn6Iod0/g5/hMMGSHBstRLYrRIK69Ihxg==;
 s=purelymail2; d=purelymail.com; v=1;
 bh=xqsqTPSExPhByIFkpdXF8KikRKpec9SxIlcbnU2ocYc=;
 h=Feedback-ID:Received:From:To:Subject; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -1308848491; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Sun, 28 Jan 2024 10:02:47 +0000 (UTC)
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v2 0/2] Support root encryption and secure boot.
Date: Sun, 28 Jan 2024 03:51:38 -0600
Message-ID: <cover.1706435500.git.lilah@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail
Content-Type: text/plain; charset=UTF-8
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: vagrant@HIDDEN, Lilah Tascheter <lilah@HIDDEN>, herman@HIDDEN,
 efraim@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Thank you so much Herman, that motherfucking typo was what made my old-entr=
ies
testing not work. I reworked the majority of the install-uki.scm code, and =
now
uefi-uki-bootloader and uefi-uki-signed-bootloader support generation rollb=
ack!
Slightly jank, but it works. On install, we pretty much just cram as many
generations into the ESP as possible. ESPs are typically small, so we can't
assume that we can fit more than one UKI, so if we can't fit every extent
generation we just exit early.

We also don't waste space on root by adding each UKI to the store anymore.
They're all generated at install time. Added slightly more documentation to=
o.

Otherwise, fixed everything Herman pointed out!

Decided not to add a manual section on manually running /boot/install-uki.s=
cm
though. It's more of a quirk of getting around guix's bootloader assumption=
s
than meant to be run that way; I don't know if it's a good idea to direct
attention to it. I mean it Works, but it's more of a quick hack.

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  45 ++++++++----
 gnu/bootloader/uki.scm       | 129 +++++++++++++++++++++++++++++++++++
 gnu/local.mk                 |   1 +
 gnu/packages/bootloaders.scm |  95 ++++++++++++++++++++++++++
 4 files changed, 258 insertions(+), 12 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm


base-commit: 2823253484e49391c6ba3c653a2f9e9f5e5f38ae
--=20
2.41.0

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 28 Jan 2024 00:50:46 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Jan 27 19:50:46 2024
Received: from localhost ([127.0.0.1]:56179 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rTtNl-00034G-UH
	for submit <at> debbugs.gnu.org; Sat, 27 Jan 2024 19:50:46 -0500
Received: from sendmail.purelymail.com ([34.202.193.197]:47742)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1rTtNg-00033x-Vl
 for 68524 <at> debbugs.gnu.org; Sat, 27 Jan 2024 19:50:44 -0500
DKIM-Signature: a=rsa-sha256;
 b=szNlB/d+hqsS0Gq6hPoWXaHKmjcbSm5uthwO6O15wVrxXJXjeJ3nPkwQTh48oMQx0Dqdwog+Xw1oxCgdr6z5XfILNS4G4NkMGtJ8cEmg2dct76gTUlj7+0XpDYJvx+hfhnLecSuOnPmFLzglu28xygCA2hK9G1XXhjWAi/AGo87O80EJ7frdsm0wFWaGnHhjZ2P4fclbSPmbBi2xoBUq/R93eQcmnx1mRBMKZbG9e2K73ODYkiiwU1lsRYl4tSnxyRMAx2BFnFnkM4OgF4vWwKqfVn12dRqVPC9oJ4dgm4l9CVT5VUQdiOizejq/37vZ3y0sZj7X+f2+6/Jr+hQlCA==;
 s=purelymail2; d=lunabee.space; v=1;
 bh=N4K33LogyZkVZE6i/5qaELO6cr1CfS8r0buT4Nd0HQ0=; h=Received:Subject:From:To; 
DKIM-Signature: a=rsa-sha256;
 b=o1kDy5EOFjxBW3BJUMQneO1807WoVai56SNNwlHN0yt/asYs3lvWwr7qN+jlihv3C+6mulh/TfEVEPzCNUqSyf9SleGeLR9Y/zjFDfXMoTFP1Ly61q/n410C5yY7ceTxo0v2geb4rTYN5fkSufXnNF4fKP48FEjCwsdQMquyFi6gAbaZVSls2LrLwAHpdQteDRWXCNusGbYCAkRW5fAq1Uvrm2FllSuB9vORtAwQEsI5MoEH62MctILFltLlr1crOpqr4rv5f9HJnV4fB+z0qaN6EpwtvSQkPwUNAlxssr1XtdzOEcuxt8U2JbhCYPwnDBzF5ZRY+FBFhNx+AwW29A==;
 s=purelymail2; d=purelymail.com; v=1;
 bh=N4K33LogyZkVZE6i/5qaELO6cr1CfS8r0buT4Nd0HQ0=;
 h=Feedback-ID:Received:Subject:From:To; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -1183457486; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Sun, 28 Jan 2024 00:50:18 +0000 (UTC)
Message-ID: <6caf74d7eb6ad410b2f05af13f548353e150771c.camel@HIDDEN>
Subject: Re: [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Date: Sat, 27 Jan 2024 18:50:16 -0600
In-Reply-To: <a2deufa4hfixwgtksix7nxp7d7vwnslnoimhy4fblfb3dxl5wn@umkpvt4tlpwh>
References: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
 <8cad5fa9951dad5f663ca5d441db0ffc181e35fe.1705466646.git.lilah@HIDDEN>
 <a2deufa4hfixwgtksix7nxp7d7vwnslnoimhy4fblfb3dxl5wn@umkpvt4tlpwh>
Organization: Dissociation for Heresiographal Computation
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.46.4 
MIME-Version: 1.0
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: Herman Rimm <herman@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Thanks for the notes! I'm working on a v2 right now.

> The way GRUB does it, if mount-point/boot/efi does not exist, try
> install to /boot/efi in case the ESP got mounted there. Personally, I
> think it's okay to only try install to mount-point/boot/efi.
Yeah, I'd be concerned about overriding my own bootloader if it could decid=
e to
just not use mount-point.

> This bootloader has been very useful to me.
I'm so glad!!! :)

> I could easily chainload the UKI from an install image GRUB
Would it be more useful to have the EFI vendor dir for UKI be like, Guix-UK=
I
instead of just Guix, as to not delete a preexisting grub-efi-bootloader?

-lilah

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 25 Jan 2024 10:04:25 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Jan 25 05:04:25 2024
Received: from localhost ([127.0.0.1]:47376 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rSwav-0008WL-DC
	for submit <at> debbugs.gnu.org; Thu, 25 Jan 2024 05:04:25 -0500
Received: from 81-205-150-117.fixed.kpn.net ([81.205.150.117]:38909
 helo=email.rimm.ee) by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <herman@HIDDEN>) id 1rSwas-0008Vy-Ef
 for 68524 <at> debbugs.gnu.org; Thu, 25 Jan 2024 05:04:23 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rimm.ee; s=herman;
 t=1706177045;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 in-reply-to:in-reply-to:references:references;
 bh=of1SbOb+zojpM1ZXdOpBywTNavJlCibjzgGaN9GuFMo=;
 b=HojRqf88w7G0s+Dhi+YxbXNCDSeF6HE4MsgS+9vrhdSGAUzAXo864/EfU6HfHJAH8PagGE
 zgP29EbkHKlbTjAWKVYExbNy81rlmjuIOQSG6roVcDKB7RNbtZk+z0KSE2HcQjMWjiY947
 RXxrlPmha2Z+SUmTAGGeVcoh7q6oLcllE53PaWzO6m1oIDoF+LcjQ9gprnQ6zWKuShncCc
 IrY+oftaREmqrfhNvhUxUNnRVOFgJ2PHQIxbfirrhazo3csCbe1fcgkLAXI5vZl3yr9IFs
 WjhKwCZrDpXE2LxjDDF1uFnabpUY8Wv/UCaFWWJr0alfmA+ug5qLNkLm00JROQ==
Received: by 81-205-150-117.fixed.kpn.net (OpenSMTPD) with ESMTPSA id 15f49f34
 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); 
 Thu, 25 Jan 2024 10:04:05 +0000 (UTC)
Date: Thu, 25 Jan 2024 11:03:57 +0100
From: Herman Rimm <herman@HIDDEN>
To: Lilah Tascheter <lilah@HIDDEN>, 68524 <at> debbugs.gnu.org
Subject: [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Message-ID: <a2deufa4hfixwgtksix7nxp7d7vwnslnoimhy4fblfb3dxl5wn@umkpvt4tlpwh>
References: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
 <8cad5fa9951dad5f663ca5d441db0ffc181e35fe.1705466646.git.lilah@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <8cad5fa9951dad5f663ca5d441db0ffc181e35fe.1705466646.git.lilah@HIDDEN>
X-Spam-Score: 3.5 (+++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  Hello, On Tue, Jan 16, 2024 at 10:48:11PM -0600,
 Lilah Tascheter
 wrote: > * doc/guix.texi (Bootloader Configuration)[bootloader,targets]:
 Document > uefi-uki-bootloader and uefi-uki-signed-bootloader. > * gn [...]
 Content analysis details:   (3.5 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.0 TVD_RCVD_IP            Message was received from an IP address
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 [81.205.150.117 listed in zen.spamhaus.org]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
X-Debbugs-Envelope-To: 68524
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 2.5 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Hello, On Tue, Jan 16, 2024 at 10:48:11PM -0600, Lilah Tascheter
    wrote: > * doc/guix.texi (Bootloader Configuration)[bootloader,targets]:
   Document > uefi-uki-bootloader and uefi-uki-signed-bootloader. > * gn [...]
    
 
 Content analysis details:   (2.5 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                             [81.205.150.117 listed in zen.spamhaus.org]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
 -1.0 MAILING_LIST_MULTI     Multiple indicators imply a widely-seen list
                             manager

Hello,

On Tue, Jan 16, 2024 at 10:48:11PM -0600, Lilah Tascheter wrote:
> * doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
>   uefi-uki-bootloader and uefi-uki-signed-bootloader.
> * gnu/bootloader/uki.scm: New file.
Remember to note your copyright and register new files in gnu/local.mk.

> +(define* (uefi-uki-configuration-file #:optional cert privkey)
> +  (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)
old-entries got mistyped as old-entires.
> +    (define (menu-entry->uki e)
> +      (define stub (file-append systemd-stub "/libexec/" (systemd-stub-name)))
Can you have systemd-stub be an argument of uefi-uki-configuration-file?

> +            (when (file-exists? schema)
> +              (call-with-input-file schema
> +                (lambda (port)
> +                  (for-each (lambda (l)
> +                              (unless (string-null? l)
> +                                (system* efibootmgr "-B" "-L" l)))
You can make this quiet.

> +                              (invoke efibootmgr "-c" "-L" label "-d" disk "-l"
Maybe this too?

> +(define install-uefi-uki
> +  #~(lambda (bootloader target mount-point)
Get systemd-stub from bootloader with bootloader-package.
> +      (invoke (string-append mount-point "/boot/install-uki.scm")
> +              (string-append mount-point target))))
The way GRUB does it, if mount-point/boot/efi does not exist, try
install to /boot/efi in case the ESP got mounted there. Personally, I
think it's okay to only try install to mount-point/boot/efi.

> +(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
> +;; use ukify genkey to generate cert and privkey. DO NOT include in store.
> +(define-public (uefi-uki-signed-bootloader cert privkey)
> +  (make-uefi-uki-bootloader cert privkey))
Can you use define instead and export the bootloaders in define-module?
I expect define-public procedures in package modules which would have to
use an export procedure with many arguments otherwise.

The install-uki.scm config file is a nice idea. It can be used to
regenerate the UKI and corresponding UEFI boot entry. Now that I think
about it, can that be included as an example? Like:

  uefi-uki-bootloader installs install-uki.scm to /boot, you can use it
  to (re)create the UKI manually: sudo ./install-uki.scm /boot/efi/. If
  you need to chroot to an existing system on /mnt, mount efivars first:
  mount --bind /sys/firmware/efi/efivars /mnt/sys/firmware/efi/efivars.
  This is required for efibootmgr to (re)install the UEFI entry for the
  corresponding UKI.

This bootloader has been very useful to me. I could easily chainload the
UKI from an install image GRUB, whenever I messed up the UEFI boot entry
for the EFI stub bootloader I'm working on.

Thank you,
Herman

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 17 Jan 2024 04:49:15 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 16 23:49:15 2024
Received: from localhost ([127.0.0.1]:50393 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rPxrX-0008PU-17
	for submit <at> debbugs.gnu.org; Tue, 16 Jan 2024 23:49:15 -0500
Received: from sendmail.purelymail.com ([34.202.193.197]:41784)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1rPxrV-0008PG-Lu
 for 68524 <at> debbugs.gnu.org; Tue, 16 Jan 2024 23:49:14 -0500
Authentication-Results: purelymail.com; auth=pass
DKIM-Signature: a=rsa-sha256;
 b=IZOf4TyqkHhXBMqQt39pP1a4wFL9EAt3C+bVwSXsLfqKbAFssolLscbVpGi2SKbhVBS3I949BorLm/TFMHkeLTWyX+fgLfr4zZBltCNW+Y8a3Wt/dylxrlMnjyGVBpSnIyQVp7gIPGTEavk39sNAXeS1tS65fYivOLheGZWCn6jcqR0uYbOS5FukcU8JU8HPKtTE+ROi8i4X1Y0XiT3sDaTiWe9aYKHRdx01vcVdYHSqd9kTDpcrh6PUFyoEinbBLhDCeJZZhJoGVShk1zlsdkErV7/821PpXlrYkQl7kHDZPpA5rGgk7MKpVpP7JaDRBs3Z9pnr+xDSvEVOGvZZ+Q==;
 s=purelymail1; d=lunabee.space; v=1;
 bh=YXAJjYW2GgfCQLfFEEzTEfxGHAAk6tRnnjvDm3bPpLQ=; h=Received:From:To:Subject; 
DKIM-Signature: a=rsa-sha256;
 b=qnznObJwJg0RW7Kb3ignaCnyzRmKdKzdLx3UJqpwwj1tYj2LqMUqwEiQ7pEPxOIwd+aZBMQQKFooJgrlfLFJ6VKfOUe4D7BrykIA6g4Bw3NiZXqZCQ+zBVPuZCl149ZzbXN/C9YqFrFRwElsrqa3mBI+3VlKE5/8512jKrmtiH5zKpOFRacGckSaRlyA1eZBRK4GYoPBecQpMcZzuhuXe3yVoryKZyXCv2NUktJHRToMYCMHwM1DIaZ2M3S02ug2M86AlIax7SSVmeZ4av9PnhfgrQZINe4GsT2Ylx2VlrJTeHnQDMgyWWb0u+t1CmjRls2XU0FvxAbsR5FYLsqw0Q==;
 s=purelymail1; d=purelymail.com; v=1;
 bh=YXAJjYW2GgfCQLfFEEzTEfxGHAAk6tRnnjvDm3bPpLQ=;
 h=Feedback-ID:Received:From:To:Subject; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -96528462; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Wed, 17 Jan 2024 04:49:01 +0000 (UTC)
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Date: Tue, 16 Jan 2024 22:48:11 -0600
Message-ID: <8cad5fa9951dad5f663ca5d441db0ffc181e35fe.1705466646.git.lilah@HIDDEN>
In-Reply-To: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
References: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
MIME-Version: 1.0
X-Debbugs-Cc: Efraim Flashner <efraim@HIDDEN>,
 Vagrant Cascadian <vagrant@HIDDEN>
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail
Content-Type: text/plain; charset=UTF-8
X-Spam-Score: -0.0 (/)
X-Debbugs-Envelope-To: 68524
Cc: Lilah Tascheter <lilah@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
  uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.

Change-Id: Ie30ef47ea026889727a050131a9b3c0555aa4c21
---
 doc/guix.texi          |  35 ++++++++++----
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index a66005ee9d..3029740f45 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40881,8 +40881,9 @@ Bootloader Configuration
 The bootloader to use, as a @code{bootloader} object.  For now
 @code{grub-bootloader}, @code{grub-efi-bootloader},
 @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
-@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
-and @code{u-boot-bootloader} are supported.
+@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
+@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader} are supported.
=20
 @cindex ARM, bootloaders
 @cindex AArch64, bootloaders
@@ -40989,6 +40990,24 @@ Bootloader Configuration
 unbootable.
 @end quotation
=20
+@vindex uefi-uki-bootloader
+@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, wit=
hout
+an intermediary like GRUB. The main practical advantage of this is allowin=
g
+root/store encryption without an extra GRUB password entry and slow decryp=
tion
+step.
+
+@vindex uefi-uki-signed-bootloader
+@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, exce=
pt
+that it is a procedure that returns a bootloader compatible with UEFI secu=
re
+boot. You must provide it with two paths, to an out-of-store secure boot d=
b
+certificate, and key, in that order.
+
+@quotation Note
+This bootloader @emph{does not} support booting from any old system genera=
tion.
+You will also need enough space in your EFI System partition to store your
+kernel and initramfs, though this likely won't be an issue.
+@end quotation
+
 @item @code{targets}
 This is a list of strings denoting the targets onto which to install the
 bootloader.
@@ -40997,12 +41016,12 @@ Bootloader Configuration
 For @code{grub-bootloader}, for example, they should be device names
 understood by the bootloader @command{installer} command, such as
 @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
-GNU GRUB Manual}).  For @code{grub-efi-bootloader} and
-@code{grub-efi-removable-bootloader} they should be mount
-points of the EFI file system, usually @file{/boot/efi}.  For
-@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
-points corresponding to TFTP root directories served by your TFTP
-server.
+GNU GRUB Manual}).  For @code{grub-efi-bootloader},
+@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI =
file
+system, usually @file{/boot/efi}.  For @code{grub-efi-netboot-bootloader},
+@code{targets} should be the mount points corresponding to TFTP root direc=
tories
+served by your TFTP server.
=20
 @item @code{menu-entries} (default: @code{'()})
 A possibly empty list of @code{menu-entry} objects (see below), denoting
diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
new file mode 100644
index 0000000000..3131bae3d7
--- /dev/null
+++ b/gnu/bootloader/uki.scm
@@ -0,0 +1,106 @@
+;;; GNU Guix --- Functional package management for GNU
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu bootloader uki)
+  #:use-module (gnu bootloader)
+  #:use-module (gnu packages bootloaders)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages linux)
+  #:use-module (guix gexp)
+  #:use-module (guix modules))
+
+;; config generator makes script creating uki images
+;; install runs script
+;; install device is path to uefi dir
+
+(define* (uefi-uki-configuration-file #:optional cert privkey)
+  (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)
+
+    (define (menu-entry->uki e)
+      (define stub (file-append systemd-stub "/libexec/" (systemd-stub-nam=
e)))
+      (computed-file "uki.efi"
+        (with-imported-modules (source-module-closure '((guix build utils)=
))
+          #~(let ((args (list #$@(menu-entry-linux-arguments e))))
+              (use-modules (guix build utils))
+              (invoke #$(file-append ukify "/bin/ukify") "build"
+                "--linux" #$(menu-entry-linux e)
+                "--initrd" #$(menu-entry-initrd e)
+                "--os-release" #$(menu-entry-label e)
+                "--cmdline" (string-join args)
+                "--stub" #$stub
+                "-o" #$output)))))
+
+    (program-file "install-uki"
+      (with-imported-modules (source-module-closure '((guix build utils)))
+        #~(let* ((target (cadr (command-line)))
+                 (vendir (string-append target "/EFI/Guix"))
+                 (schema (string-append vendir "/boot.mgr"))
+                 (findmnt #$(file-append util-linux "/bin/findmnt"))
+                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")=
))
+            (use-modules (guix build utils) (ice-9 popen) (ice-9 textual-p=
orts))
+
+            (define disk
+              (call-with-port
+                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target=
)
+                (lambda (port) (get-line port)))) ; only 1 line: the devic=
e
+
+            (when (file-exists? schema)
+              (call-with-input-file schema
+                (lambda (port)
+                  (for-each (lambda (l)
+                              (unless (string-null? l)
+                                (system* efibootmgr "-B" "-L" l)))
+                    (string-split (get-string-all port) #\lf)))))
+            (when (directory-exists? vendir) (delete-file-recursively vend=
ir))
+
+            (mkdir-p vendir)
+            (call-with-output-file schema
+              (lambda (port)
+                (for-each (lambda (uki label)
+                            (let* ((base (basename uki))
+                                   (out (string-append vendir "/" base)))
+                              #$(if cert ; sign here so we can access root=
 certs
+                                  #~(invoke
+                                      #$(file-append sbsigntools "/bin/sbs=
ign")
+                                      "--cert" #$cert "--key" #$privkey
+                                      "--output" out uki)
+                                  #~(copy-file uki out))
+                              (invoke efibootmgr "-c" "-L" label "-d" disk=
 "-l"
+                                (string-append "\\EFI\\Guix\\" base))
+                              (put-string port label)
+                              (put-char port #\lf)))
+                  (list #$@(map-in-order menu-entry->uki entries))
+                  (list #$@(map-in-order menu-entry-label entries)))))))))=
)
+
+(define install-uefi-uki
+  #~(lambda (bootloader target mount-point)
+      (invoke (string-append mount-point "/boot/install-uki.scm")
+              (string-append mount-point target))))
+
+(define* (make-uefi-uki-bootloader #:optional cert privkey)
+  (bootloader
+    (name 'uefi-uki)
+    (package systemd-stub)
+    (installer install-uefi-uki)
+    (disk-image-installer #f)
+    (configuration-file "/boot/install-uki.scm")
+    (configuration-file-generator (uefi-uki-configuration-file cert privke=
y))))
+
+(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
+;; use ukify genkey to generate cert and privkey. DO NOT include in store.
+(define-public (uefi-uki-signed-bootloader cert privkey)
+  (make-uefi-uki-bootloader cert privkey))
--=20
2.41.0

Message received at 68524 <at> debbugs.gnu.org:

Received: (at 68524) by debbugs.gnu.org; 17 Jan 2024 04:49:07 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 16 23:49:06 2024
Received: from localhost ([127.0.0.1]:50388 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rPxrO-0008P7-Ao
	for submit <at> debbugs.gnu.org; Tue, 16 Jan 2024 23:49:06 -0500
Received: from sendmail.purelymail.com ([34.202.193.197]:56886)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1rPxrL-0008Oa-PF
 for 68524 <at> debbugs.gnu.org; Tue, 16 Jan 2024 23:49:04 -0500
Authentication-Results: purelymail.com; auth=pass
DKIM-Signature: a=rsa-sha256;
 b=CoI3a0pRAm8FbNI6FD17WBgNNP0lVrQWqvRheGosCqBdNUsq1umWlO4o3+UIsHu6CF/jAvPQy4SiK0mf4/1tk6eaoBgrz+8cj0QP6D0jw04fQBzleLUvpTOxfjDw9lm8igDyAAzJq4fEhRgFGIAmYP7EMONt/P+vYenF6aT5FY/xaKLLJilrOIEzANh7BxbXj4kuiRvLO2YVGGNHAxUKhcO++B4b6J61rqye3Yaura5cJYdJeIdJSbxJrUdTCtlcmDO5TmI5P/dNLUE5zRGhrNNS/8rf43rW1YI9i3esTBe+9tgjxi1sARIc5Pr9ACqDEukefZaSyg3eOvE0lOF72A==;
 s=purelymail1; d=lunabee.space; v=1;
 bh=VAkcOrIv+AO59RQNzpuJQftRom6Sh72sjl3N1ns+cjk=; h=Received:From:To:Subject; 
DKIM-Signature: a=rsa-sha256;
 b=XYG4r/YfWp2wEA28vFw2BCVIdy7WXuF0fHHICbo6H66fzW09vF1SXw0VQEZpwvAboLzWV5D05TPh8c0rwGZhIxBP6Ivc3bzzxfGRf7va6Rm1N/1dQcDFGIF9SDhA6pjQerbHgMJqe8/CDk22zYTb+qHq441lrPmTWCq6gmM4WDxwhe4RYEZqIQLgmloFN+KXDrH62UVyOASUeAZc8kpEa3UdPMfwUf/t32BrWh+PtZeqHuGhbNcLEL1rPuaVdRJfW74KOTUe+P4LwTmKsfZUUo/wBFS1MY63HOb6ovdYadIQ1ttbi0ZhqlOFEsUnb2P0WyTjg4RJZF19youJTI1aSA==;
 s=purelymail1; d=purelymail.com; v=1;
 bh=VAkcOrIv+AO59RQNzpuJQftRom6Sh72sjl3N1ns+cjk=;
 h=Feedback-ID:Received:From:To:Subject; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: 68524 <at> debbugs.gnu.org
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -96528462; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Wed, 17 Jan 2024 04:48:54 +0000 (UTC)
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH 1/2] gnu: bootloaders: Add uki packages.
Date: Tue, 16 Jan 2024 22:48:10 -0600
Message-ID: <c0905637db21c4bb89714cbb9225d8f59f8911e1.1705466646.git.lilah@HIDDEN>
In-Reply-To: <cover.1705465384.git.lilah@HIDDEN>
References: <cover.1705465384.git.lilah@HIDDEN>
MIME-Version: 1.0
X-Debbugs-Cc: Efraim Flashner <efraim@HIDDEN>,
 Vagrant Cascadian <vagrant@HIDDEN>
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail
Content-Type: text/plain; charset=UTF-8
X-Spam-Score: 0.7 (/)
X-Debbugs-Envelope-To: 68524
Cc: Lilah Tascheter <lilah@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.3 (/)

* gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
  (systemd-version,systemd-source,systemd-stub,ukify): New variables.

Change-Id: Ie27bdcbf2c03e895956295f94f280c304393ce8d
---
 gnu/packages/bootloaders.scm | 94 ++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index c73a0e665d..32cbb4e704 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -46,11 +46,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages compression)
   #:use-module (gnu packages cross-base)
   #:use-module (gnu packages disk)
+  #:use-module (gnu packages efi)
   #:use-module (gnu packages firmware)
   #:use-module (gnu packages flex)
   #:use-module (gnu packages fontutils)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages gettext)
+  #:use-module (gnu packages gperf)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages man)
   #:use-module (gnu packages mtools)
@@ -71,11 +73,13 @@ (define-module (gnu packages bootloaders)
   #:use-module (gnu packages valgrind)
   #:use-module (gnu packages virtualization)
   #:use-module (gnu packages xorg)
+  #:use-module (gnu packages python-crypto)
   #:use-module (gnu packages python-web)
   #:use-module (gnu packages python-xyz)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system pyproject)
+  #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
   #:use-module (guix download)
   #:use-module (guix gexp)
@@ -632,6 +636,96 @@ (define-public syslinux
                      ;; Also contains:
                      license:expat license:isc license:zlib)))))
=20
+(define systemd-version "255")
+(define systemd-source
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+           (url "https://github.com/systemd/systemd")
+           (commit (string-append "v" systemd-version))))
+    (file-name (git-file-name "systemd" systemd-version))
+    (sha256
+      (base32
+        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
+
+(define-public (systemd-stub-name)
+  (let ((arch (cond ((target-x86-32?) "ia32")
+                ((target-x86-64?) "x64")
+                ((target-arm32?) "arm")
+                ((target-aarch64?) "aa64")
+                ((target-riscv64?) "riscv64"))))
+    (string-append "linux" arch ".efi.stub")))
+
+(define-public systemd-stub
+  (package
+    (name "systemd-stub")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system meson-build-system)
+    (arguments
+      (list
+        #:configure-flags
+        `(list "-Defi=3Dtrue" "-Dsbat-distro=3Dguix"
+               "-Dsbat-distro-generation=3D1" ; package revision!
+               "-Dsbat-distro-summary=3DGuix System"
+               "-Dsbat-distro-url=3Dhttps://guix.gnu.org"
+               ,(string-append "-Dsbat-distro-pkgname=3D" name)
+               ,(string-append "-Dsbat-distro-version=3D" version))
+        #:phases
+        #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name)=
)))
+            (modify-phases %standard-phases
+              (replace 'build
+                (lambda* (#:key parallel-build? #:allow-other-keys)
+                  (invoke "ninja" stub
+                    "-j" (if parallel-build?
+                           (number->string (parallel-job-count)) "1"))))
+              (replace 'install
+                (lambda _
+                  (install-file stub (string-append #$output "/libexec")))=
)
+              (delete 'check)))))
+    (inputs (list libcap python-pyelftools `(,util-linux "lib")))
+    (native-inputs (list gperf pkg-config python-3 python-jinja2))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI stub")
+    (description "Simple UEFi boot stub that loads a conjoined kernel imag=
e and
+supporting data to their proper locations, before chainloading to the kern=
el.
+Supports measured and/or verified boot environments.")
+    (license license:lgpl2.1+)))
+
+(define-public ukify
+  (package
+    (name "ukify")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system python-build-system)
+    (arguments
+      (list #:phases
+            #~(modify-phases %standard-phases
+                (replace 'build
+                  (lambda _
+                    (substitute* "src/ukify/ukify.py" ; added in python 3.=
11
+                      (("datetime\\.UTC") "datetime.timezone.utc"))))
+                (delete 'check)
+                (replace 'install
+                  (lambda* (#:key inputs #:allow-other-keys)
+                    (let* ((bin (string-append #$output "/bin"))
+                           (file (string-append bin "/ukify"))
+                           (binutils (assoc-ref inputs "binutils"))
+                           (sbsign (assoc-ref inputs "sbsigntools")))
+                      (mkdir-p bin)
+                      (copy-file "src/ukify/ukify.py" file)
+                      (wrap-program file
+                        `("PATH" ":" prefix
+                          (,(string-append binutils "/bin")
+                           ,(string-append sbsign "/bin"))))))))))
+    (inputs (list binutils python-cryptography python-pefile sbsigntools))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI tool")
+    (description "@command{ukify} joins together a UKI stub, linux kernel,=
 initrd,
+kernel arguments, and optional secure boot signatures into a single, UEFI-=
bootable
+image.")
+    (license license:lgpl2.1+)))
+
 (define-public dtc
   (package
     (name "dtc")

base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
--=20
2.41.0

Message received at submit <at> debbugs.gnu.org:

Received: (at submit) by debbugs.gnu.org; 17 Jan 2024 04:37:10 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jan 16 23:37:10 2024
Received: from localhost ([127.0.0.1]:50353 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1rPxfq-0005Iq-7E
	for submit <at> debbugs.gnu.org; Tue, 16 Jan 2024 23:37:10 -0500
Received: from lists.gnu.org ([2001:470:142::17]:60336)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lilah@HIDDEN>) id 1rPxfo-0005IE-0X
 for submit <at> debbugs.gnu.org; Tue, 16 Jan 2024 23:37:08 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lilah@HIDDEN>)
 id 1rPxfg-0001zY-4i
 for guix-patches@HIDDEN; Tue, 16 Jan 2024 23:37:00 -0500
Received: from sendmail.purelymail.com ([34.202.193.197])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lilah@HIDDEN>)
 id 1rPxfe-0003KP-6e
 for guix-patches@HIDDEN; Tue, 16 Jan 2024 23:36:59 -0500
Authentication-Results: purelymail.com; auth=pass
DKIM-Signature: a=rsa-sha256;
 b=TbHhiSD+tVCKkc6dzJRcrTLxZ5/KBv802THsycSXIwn0zg9Wcy4dXt7VhPLdqDaXcbg9HJ98ChNyL4I6nRhyCkeVeQz2Cr1UEl7ZOf2Q0uftdmgaRg+zxQVgIwf/RIUMhAUHGVMVxpLHCL6RFWdH7a5jIXC81G9pcce2l2ANExkzcYgvkBbsdWrN0mNhpf9+SIHqvuBNdpVk+SX5MjzSSy7eLmAlAEPB+R9BuaYrqhRKY4ogHQQtYpxiQNVDzQeppNcJCzfLZd28ckk9idZET3e0K/BeRWvMYytNymSP9XNDag5OAviEP0vVhVkrJRt2RkUBqloGSa6jzEHfC/FXOA==;
 s=purelymail1; d=lunabee.space; v=1;
 bh=mprrEhP8X6L9Qf6q6VbO2LR009RJav2B6uwqZK7i9DY=; h=Received:From:To:Subject; 
DKIM-Signature: a=rsa-sha256;
 b=DR8rWUscB1c4ZNaHEWTa0+sK467+o0kP5bjD5FiiCA8/gJgFQe8218lPCrDb+17GWBSSzGP55M/nV2O6HNo1TVn1JFnO5gsHIZg07axdNaBPR9pVgz8n7BGuC3kMzSG8zf5AR3p/ucMMe5gKWpstgHE4iGQ81HSQe/Yco7nevX0GY+i5L8jjsJBgNQlthguKvMQLfI/BsoPn1FHHORjpWg/LEgcgYyOY0dU1Vbro4zF+w2UX62bzuPUIXtJMGf0OMG1ptfa9vAyzc1UI1zZRwSt9dc85cJzw7AGfr7mLaKIqFdXZwkejegTBJrIpR2lz5s/fJxmeZdBE/Y51mQuPGQ==;
 s=purelymail1; d=purelymail.com; v=1;
 bh=mprrEhP8X6L9Qf6q6VbO2LR009RJav2B6uwqZK7i9DY=;
 h=Feedback-ID:Received:From:To:Subject; 
Feedback-ID: 8937:2070:null:purelymail
X-Pm-Original-To: guix-patches@HIDDEN
Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -2094701616; 
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
 Wed, 17 Jan 2024 04:36:45 +0000 (UTC)
From: Lilah Tascheter <lilah@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH 0/2] Support root encryption and secure boot.
Date: Tue, 16 Jan 2024 22:23:02 -0600
Message-ID: <cover.1705465384.git.lilah@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail
Content-Type: text/plain; charset=UTF-8
Received-SPF: pass client-ip=34.202.193.197; envelope-from=lilah@HIDDEN;
 helo=sendmail.purelymail.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.0 (+)
X-Debbugs-Envelope-To: submit
Cc: Lilah Tascheter <lilah@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.0 (/)

Primarily adds a new bootloader, uefi-uki-bootloader, and an auxilliary for=
m,
uefi-uki-signed-bootloader. These use isolated fragments of the systemd pro=
ject
(particularly the systemd-stub UEFI stub and supporting ukify tool) to inst=
all
combined kernel/arguments/initrd images to the EFI system partition. The
built-in UEFI boot manager can then deal with boot selection. While this do=
es
require copying files from the store to the partition, it makes up for it i=
n two
important ways:

1. Proper encrypted root support! GRUB is really fucking slow at decrypting=
 the
store in my experience, and it's annoying to have to enter in the root pass=
word
twice. Since the kernel is loaded directly from the system partition, the f=
irst,
and only, LUKS password entry is in the initrd. Also wholly bypasses GRUB n=
ot
supporting LUKS2 (or, at least, having bad issues with it on Guix).

2. Secure boot support! It's set up assuming the user has already created t=
he
necessary keys (typically, in /root, as they should only be root-accessible=
).
Passing the paths to the db cert and key to uefi-uki-signed-bootloader will=
 then
automatically sign the entire bootloader image. In combination with root
encryption, assuming a functioning motherboard UEFI installation, this shou=
ld
fully secure Guix's boot chain.

This is ported from my personal channel, so uefi-uki-bootloader has been te=
sted
for months. The main drawback is lack of kernel generation rollback in the =
case
of a botched upgrade, so I've been keeping around a manually-copied backup =
uki
image, but I haven't had any troubles with it so far. I have just verified
uefi-uki-signed-bootloader properly functions and boots in secure boot user
mode.

All in-system testing has been done on my channel, so the porting process m=
ay
have had issues, but I did make sure the added packages compile, and there
aren't any miscopies.

No clue how this works on non-x64 systems. I don't think there's enough ARM=
 UEFI
systems in existance for it to matter that much anyway.

Thanks!

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  35 +++++++++---
 gnu/bootloader/uki.scm       | 106 +++++++++++++++++++++++++++++++++++
 gnu/packages/bootloaders.scm |  94 +++++++++++++++++++++++++++++++
 3 files changed, 227 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm


base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
--=20
2.41.0