From: "amano.kenji" <amano.kenji@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: Can uki be used with grub?
Date: Mon, 21 Oct 2024 15:41:02 +0000
Message-ID: <xIch4j_PFivh-eDINgBY5mCvG-TJeSjQPm99xwPpISW0rCwo_OewJCf8Y6x7RerdOdjjsI1hrdVXpT8pBZM3211UUWu6DURmsQKGvCVK8U0=@proton.me>

I propose writing grub.cfg instead of modifying nvram.

1. Modifying nvram whenever there are changes to kernel images will increase wear and tear on nvram. If grub loads uki, then nvram lifespan will increase.

2. Kernel arguments should go to both grub.cfg and uki because uki arguments are passed to kernel in the absence of secure boot. I'd like to be able to change kernel arguments in grub for debugging and troubleshooting.

Thus, the bootloader can be called grub-uefi-uki-bootloader and grub-uefi-uki-signed-bootloader.
From: "amano.kenji" <amano.kenji@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: One problem with uki bootloader.
Date: Fri, 18 Oct 2024 05:47:46 +0000
Message-ID: <C6b5eB539CwLwdvDVzIYaBLzOJoCOJQPB1R49_i0pNcYX-p1bZz_REc1HZUgKaWa9z_yI-RxB40HVTv26eYk7KIH2byIVTXoDIifNmYAnIc=@proton.me>

You can't change kernel parameters when you boot uki bootloader. GRUB allows you to change kernel parameters before boot.

I wish Guix installed kernel and initrd and grub.cfg in /boot. Then, grub doesn't need a password, and decrypting encrypted file systems will be a lot faster with grub.
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 5/5] gnu: bootloaders: Add uki-efi-bootloader.
Date: Wed, 25 Sep 2024 13:12:03 +0200
Message-ID: <a048eadc669b67d35b104010beadec1ad1b83ef4.1727262600.git.herman@HIDDEN>
In-Reply-To: <cover.1727262600.git.herman@HIDDEN>
X-Debbugs-Cc: Florian Pelz <pelzflorian@HIDDEN>, Lilah Tascheter <lilah@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Cc: Lilah Tascheter <lilah@HIDDEN>

From: Lilah Tascheter <lilah@HIDDEN>

* gnu/bootloader.scm (<bootloader-configuration>): New keypair field.
* gnu/bootloader/uki.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm.
* doc/guix.texi (Bootloader Configuration): Document UKI bootloader.

Change-Id: I2097da9f3dd35137b3419f6d0545de26d53cb6da
---
 doc/guix.texi          |  25 +++++++++-
 gnu/bootloader.scm     |   3 ++
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 gnu/local.mk           |   1 +
 4 files changed, 133 insertions(+), 2 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index 93be87d3cc..56d5b462c2 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42486,6 +42486,24 @@ Bootloader Configuration @item @code{extlinux-gpt-bootloader} This is the same as above, but for systems with a GPT partition table. +@cindex Secure Boot, UEFI +@vindex uki-efi-bootloader +@item @code{uki-efi-bootloader} +Makes and installs UKI images for UEFI systems. Requires an @code{'esp} +target providing a @code{path} to the mount point of the EFI System +Partition. Not all system generations may be available with this +option, as UKI images contain the entire kernel and initramfs, and ESPs +tend to be small. + +Full disk encryption with @code{uki-efi-bootloader} only requires a +single password entry with fast decryption, in contrast to GRUB2 +requiring a second password entry with slow, LUKS1-only decryption. + +This is the only bootloader to currently support UEFI Secure Boot, when +configured as below. + +[THE CONFIGURATION BELOW] + @cindex ARM, bootloaders @cindex AArch64, bootloaders @vindex u-boot-a20-olinuxino-lime-bootloader @@ -42854,8 +42872,11 @@ Bootloader Configuration @end lisp @item @code{chain-loader} (default: @code{#f}) -Varies slightly depending on bootloader. For @code{grub}, this is anything that -the @code{chainloader} directive can accept +Varies slightly depending on bootloader. For @code{grub}, this is +anything that the @code{chainloader} directive can accept +(@pxref{Chain-loading,,, grub, GNU GRUB manual}). For @code{uki-efi}, +this is any efi binary to be installed alongside the system. The +following is an example of chainloading a different GNU/Linux system. @lisp (bootloader diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm index 5e4578add0..ae7f20832e 100644 --- a/gnu/bootloader.scm +++ b/gnu/bootloader.scm 
@@ -100,6 +100,7 @@ (define-module (gnu bootloader) bootloader-configuration-default-entry bootloader-configuration-efi-removable? bootloader-configuration-32bit? + bootloader-configuration-keypair bootloader-configuration-timeout bootloader-configuration-keyboard-layout bootloader-configuration-theme @@ -546,6 +547,8 @@ (define-record-type* <bootloader-configuration> (default #f)) ;bool (32bit? bootloader-configuration-32bit? (default #f)) ;bool + (keypair bootloader-configuration-keypair + (default #f)) ;(cert . priv) pair (timeout bootloader-configuration-timeout (default 5)) ;seconds as integer (keyboard-layout bootloader-configuration-keyboard-layout diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm new file mode 100644 index 0000000000..848b7618e9 --- /dev/null +++ b/gnu/bootloader/uki.scm 
@@ -0,0 +1,106 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2024 Lilah Tascheter <lilah@HIDDEN> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu bootloader uki) + #:use-module (gnu bootloader) + #:use-module (gnu packages bootloaders) + #:use-module (gnu packages efi) + #:use-module (gnu packages linux) + #:use-module (gnu system boot) + #:use-module (guix gexp) + #:use-module (guix diagnostics) + #:use-module (guix i18n) + #:use-module (guix records) + #:use-module (ice-9 match) + #:export (uki-efi-bootloader)) + +;; TODO: Support 32bit/mixed-mode UEFI. May be relevant: +;; https://github.com/systemd/systemd/issues/17056 +(define (menu-entry+bootcfg->builder entry bootcfg) + (match-menu-entry entry + (label linux linux-arguments initrd chain-loader) + (match-bootloader-configuration bootcfg (32bit? theme keypair) + (cond + ;; Support chainloader in order to allow arbitrary signed EFI + ;; binaries. + (chain-loader + (match keypair + ((cert key) + #~(lambda (dest) + (invoke/quiet #+(sbsigntools "/bin/sbsign") + "--cert" #$cert "--key" #$key + "--output" dest #$chain-loader) + (invoke/quiet #+(sbsigntools "/bin/sbverify") + "--cert" #$(car keypair) dest))) + (#f #~(lambda (dest) (copy-file #$chain-loader dest))))) + (linux + (let* ((arch (efi-arch #:32? 
32bit?)) + (stub (file-append systemd-stub "/libexec/linux" arch + ".efi.stub"))) + #~(lambda (dest) + (invoke/quiet + #+(file-append ukify "/bin/ukify") "build" + "--output" dest "--linux" #$linux "--initrd" #$initrd + "--cmdline" (string-join (list #$@linux-arguments)) + "--os-release" #$label "--stub" #$stub + "--efi-arch" #$arch + #$@(if theme #~("--splash" #$theme) '()) + #$@(match keypair + ((cert key) + #~("--secureboot-certificate" #$cert + "--secureboot-private-key" #$key)) + (#f '())))))) + (else + (leave + (G_ "uki-efi-bootloader doesn't support multiboot"))))))) + +;; We cannot use Guix's build system to make UKI images for two reasons: +;; 1. signing is necessarily non-reproducable, especially since keys +;; should not be in the store, or else risk being publically accessible. +;; 2. Menu-entries may reference files which do not exist in the store. +(define* (install-uki #:key + bootloader-config + current-boot-alternative + old-boot-alternatives + #:allow-other-keys) + (define* (menu-entry->plan entry num #:optional (prefix "menu-entry")) + #~(cons* #$(menu-entry+bootcfg->builder entry bootloader-config) + #$(string-append prefix "-" (number->string num) ".efi") + #$(menu-entry-label entry))) + + (define (boot-alternative->plan alt) + (menu-entry->plan (boot-alternative->menu-entry alt) + (boot-alternative-generation alt) + "generation")) + + (install-efi + bootloader-config + (let ((entries + (bootloader-configuration-menu-entries bootloader-config))) + #~(list #$(boot-alternative->plan current-boot-alternative) + #$@(map menu-entry->plan entries (iota (length entries))) + #$@(map boot-alternative->plan old-boot-alternatives))))) + +(define uki-efi-bootloader + (bootloader + (name 'uki-efi) + (default-targets (list (bootloader-target + (type 'vendir) + (offset 'esp) + (path "EFI/Guix")))) + (installer install-uki))) diff --git a/gnu/local.mk b/gnu/local.mk index e2d32d4fbf..507ca26dfc 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -94,6 +94,7 @@ GNU_SYSTEM_MODULES = \ %D%/bootloader/extlinux.scm \ %D%/bootloader/u-boot.scm \ %D%/bootloader/depthcharge.scm \ + %D%/bootloader/uki.scm \ %D%/ci.scm \ %D%/compression.scm \ %D%/home.scm \ -- 2.45.2
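Review bot: in the doc/guix.texi hunk, the new @code{uki-efi-bootloader} entry ends with the literal placeholder "[THE CONFIGURATION BELOW]" immediately after "This is the only bootloader to currently support UEFI Secure Boot, when configured as below.", so the manual promises a Secure Boot configuration and then shows none. The keypair field this patch adds to <bootloader-configuration> is not mentioned anywhere in the manual text, so a reader cannot discover how to enable signing. Replace the placeholder with a @lisp example that sets keypair, and state the expected shape of the value (the gnu/bootloader.scm comment says ";(cert . priv) pair") and that the key must live outside the store. Minor: in the chain-loader paragraph, "any efi binary" should read "any EFI binary".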
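Review bot: in the gnu/bootloader.scm hunk, the field comment reads "(keypair bootloader-configuration-keypair (default #f)) ;(cert . priv) pair", but the only consumer, gnu/bootloader/uki.scm in this same patch, destructures the value with (match keypair ((cert key) ...) (#f ...)), which matches a proper two-element list and nothing else. A dotted pair of the form the comment suggests, or any other malformed value, matches neither clause and makes match raise at install time with no message pointing at the field. Either change the comment to ";(cert key) list or #f" or add a sanitizer on the field that rejects anything but #f or a two-element list of strings, so the error surfaces when the configuration is evaluated rather than halfway through a bootloader install.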
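Review bot: in the gnu/bootloader/uki.scm hunk, the chain-loader branch invokes #+(sbsigntools "/bin/sbsign") and #+(sbsigntools "/bin/sbverify"), whereas the linux branch uses #+(file-append ukify "/bin/ukify") and (file-append systemd-stub ...); as written the former applies the sbsigntools package object as a procedure, so unless something outside this patch makes it callable, both calls should be #+(file-append sbsigntools "/bin/sbsign") and #+(file-append sbsigntools "/bin/sbverify"). In the same branch, the sbverify call passes "--cert" #$(car keypair) although the enclosing match already bound cert; use #$cert. The file header comment says keys "should not be in the store, or else risk being publically accessible", but nothing enforces that: cert and key are spliced with #$cert and #$key, so a user who sets keypair to file-like objects (local-file, for instance) gets the private key copied into the world-readable store; reject non-string values for the key, or at least document that both entries must be plain path strings. install-uki also maps boot-alternative->plan over every element of old-boot-alternatives with no limit, while the manual text in this patch says "Not all system generations may be available with this option" because ESPs are small: a full ESP fails the install partway rather than skipping the oldest generations, so either cap the number of old generations installed or document that the install aborts. Spelling in the comment: "non-reproducable" should be "non-reproducible" and "publically" should be "publicly".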
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 3/5] gnu: packages: Add systemd-stub.
Date: Wed, 25 Sep 2024 13:12:01 +0200
Message-ID: <1bbcba5273652ad4c23b1d1655685720ef83d225.1727262600.git.herman@HIDDEN>
In-Reply-To: <cover.1727262600.git.herman@HIDDEN>
X-Debbugs-Cc: Efraim Flashner <efraim@HIDDEN>, Vagrant Cascadian <vagrant@HIDDEN>
Cc: Lilah Tascheter <lilah@HIDDEN>

From: Lilah Tascheter <lilah@HIDDEN>

* gnu/packages/bootloaders.scm (systemd-stub): New variable.

Change-Id: I974bad9ff7a52f736286d05de53f7c5ccb60b9d6
---
 gnu/packages/bootloaders.scm | 47 ++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index 52d92ba03a..c563cbd988 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -39,6 +39,7 @@ ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. (define-module (gnu packages bootloaders) + #:use-module (gnu bootloader) #:use-module (gnu packages) #:use-module (gnu packages assembly) #:use-module (gnu packages base) 
@@ -48,6 +49,7 @@ (define-module (gnu packages bootloaders) #:use-module (gnu packages check) #:use-module (gnu packages compression) #:use-module (gnu packages cross-base) + #:use-module (gnu packages crypto) #:use-module (gnu packages disk) #:use-module (gnu packages efi) #:use-module (gnu packages firmware) @@ -55,6 +57,7 @@ (define-module (gnu packages bootloaders) #:use-module (gnu packages fontutils) #:use-module (gnu packages gcc) #:use-module (gnu packages gettext) + #:use-module (gnu packages gperf) #:use-module (gnu packages guile) #:use-module (gnu packages linux) #:use-module (gnu packages llvm) 
@@ -596,6 +599,50 @@ (define systemd-source (base32 "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6")))) +(define-public systemd-stub + (package + (name "systemd-stub") + (version %systemd-version) + (source systemd-source) + (build-system meson-build-system) + (arguments + (list #:configure-flags + #~(list "-Dmode=release" "-Defi=true" "-Dsbat-distro=guix" + "-Dsbat-distro-generation=1" ; package revision! + "-Dsbat-distro-summary=Guix System" + "-Dsbat-distro-url=https://guix.gnu.org" + #$(string-append "-Dsbat-distro-pkgname=" + (package-name this-package)) + #$(string-append "-Dsbat-distro-version=" + (package-version this-package))) + #:phases + ;; TODO: 32-bit support. + (let* ((stub (string-append "src/boot/efi/linux" (efi-arch) + ".efi.stub"))) + #~(modify-phases %standard-phases + (replace 'build + (lambda* (#:key parallel-build? #:allow-other-keys) + (invoke "ninja" #$stub "-j" + (if parallel-build? + (number->string (parallel-job-count)) + "1")))) + (replace 'install + (lambda _ + (install-file #$stub (string-append #$output + "/libexec")))) + (delete 'check))))) + (supported-systems %efi-supported-systems) + (inputs + (list libcap libxcrypt python-pyelftools `(,util-linux "lib"))) + (native-inputs (list gperf pkg-config python-3 python-jinja2)) + (home-page "https://systemd.io/") + (synopsis "Unified kernel image UEFI stub") + (description + "Simple UEFI boot stub that loads a conjoined kernel image and +supporting data to their proper locations, before chainloading to the +kernel. It supports measured and/or verified boot environments.") + (license license:lgpl2.1+))) + (define-public ukify (package (name "ukify") -- 2.45.2
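Review bot: in the first hunk of gnu/packages/bootloaders.scm, the new #:use-module (gnu bootloader) makes a package module depend on a system module; the only identifiers in this patch that are not defined here and plausibly come from it are efi-arch and %efi-supported-systems, used in the systemd-stub definition. Please confirm that (gnu bootloader) and the modules it loads do not import (gnu packages bootloaders), since a cycle between a package module and a system module breaks module loading in ways that only show up at `guix system` time; if they do, move those two helpers to a module that neither side depends on.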
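Review bot: in the systemd-stub hunk, "-Dsbat-distro-generation=1" is hardcoded, and the trailing comment "; package revision!" acknowledges it must track the package revision but nothing ties the two together. SBAT revocation works by firmware comparing this generation number against its revocation list, so a security fix rebuilt without bumping the number is indistinguishable from the revoked build. Hoist it into a named variable next to %systemd-version with a comment stating it must be incremented on every security-relevant rebuild, and derive the configure flag from that variable rather than a literal. Also, (delete 'check) drops the test phase silently; prefer #:tests? #f with a one-line reason so the omission is visible to reviewers.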
Full text available.Received: (at 68524) by debbugs.gnu.org; 25 Sep 2024 11:20:30 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Wed Sep 25 07:20:30 2024 Received: from localhost ([127.0.0.1]:57496 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1stQ4L-0001W6-O9 for submit <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:30 -0400 Received: from 81-205-150-117.fixed.kpn.net ([81.205.150.117]:50673 helo=email.rimm.ee) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <herman@HIDDEN>) id 1stQ4E-0001Sq-P7 for 68524 <at> debbugs.gnu.org; Wed, 25 Sep 2024 07:20:23 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rimm.ee; s=herman; t=1727262782; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wH63hE8DjoWekl1CCteYbiT/ghGOjTnPA3hPqtF+hHg=; b=I59HjJZHUXqlIEy1tecEUGlVcSYYSERNzssl4xfY/qTECyMj4DYCbfucIu3/j+JjH3jTZq o7/o0mBrH+nrE4hnRvas9pseTd3xT8SkJwvjFgvbY5RhSCDX3Hmk9sUgdN+bB5gJC1gNcV 1hWS5jFh8cxczhVtCRd9zLGLoijWLtntNAt+hkKzn+bGHMGNDjslhdElRbjwHBvt6gsprd Kglyi7X7sDkh3brY/+zLLrxtzEMpheQ2V9Lo5y+rQmFYR42SVRZGYtBV/gXiT/ulWMiUen pQxA4TDx3TW3mBKJ7l5US7wvPb8pr80hEtGFY0lJTOmWMMxHHLa9taLDB99yUQ== Received: by 81-205-150-117.fixed.kpn.net (OpenSMTPD) with ESMTPSA id 2f673988 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Wed, 25 Sep 2024 11:13:01 +0000 (UTC) 
From: Herman Rimm <herman@HIDDEN> To: 68524 <at> debbugs.gnu.org Subject: [PATCH v3 4/5] gnu: system: Fix bootloader crypto device recognition. Date: Wed, 25 Sep 2024 13:12:02 +0200 Message-ID: <40e4b478889cb61296f9559591e1c7affa540ad8.1727262600.git.herman@HIDDEN> X-Mailer: git-send-email 2.45.2 In-Reply-To: <cover.1727262600.git.herman@HIDDEN> References: <cover.1727262600.git.herman@HIDDEN> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: 3.6 (+++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: 
From: Lilah Tascheter <lilah@HIDDEN> * gnu/system.scm (operating-system-bootloader-crypto-devices): Check for luks-device-mapping-with-options in addition to luks-device-mapping. Change-Id: Iafc9afe608640b97083c4d559c9240846330472a --- gnu/system.scm | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) Content analysis details: (3.6 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [81.205.150.117 listed in sa-accredit.habeas.com] 3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL [81.205.150.117 listed in zen.spamhaus.org] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [81.205.150.117 listed in bl.score.senderscore.com] 0.0 TVD_RCVD_IP Message was received from an IP address -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 T_SCC_BODY_TEXT_LINE No description available. 
Cc: Lilah Tascheter <lilah@HIDDEN>
diff --git a/gnu/system.scm b/gnu/system.scm
index 85e02a9965..3dde0f4959 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -402,13 +402,16 @@ (define operating-system-bootloader-crypto-devices (mlambdaq (os) ;to avoid duplicated output "Return the sources of the LUKS mapped devices specified by UUID." ;; XXX: Device ordering is important, we trust the returned one. - (let* ((luks-devices (filter (lambda (m) - (eq? luks-device-mapping - (mapped-device-type m))) - (operating-system-boot-mapped-devices os))) - (uuid-crypto-devices non-uuid-crypto-devices - (partition (compose uuid? mapped-device-source) - luks-devices))) + ;; Check against the close-luks-device procedure to get both maptypes. + (let* ((close (compose mapped-device-kind-close mapped-device-type)) + (luks (mapped-device-kind-close luks-device-mapping)) + (luks? (lambda (m) (eq? (close m) luks))) + (os-devices (operating-system-boot-mapped-devices os)) + (luks-devices (filter luks? os-devices)) + (uuid? (compose uuid? mapped-device-source)) + (uuid-crypto-devices + non-uuid-crypto-devices + (partition uuid? luks-devices))) (when (not (null? non-uuid-crypto-devices)) (for-each (lambda (dev) (warning -- 2.45.2
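Review bot: in the replacement `let*` of this hunk, the binding `(uuid? (compose uuid? mapped-device-source))` shadows the `uuid?` predicate it is built from; it only works because `let*` evaluates the right-hand side before the new binding is visible, and the later `(partition uuid? luks-devices)` then reads as if it tested the device record rather than its source. A distinct name such as `uuid-source?` removes the ambiguity. On the same hunk, the commit message says the change "checks for luks-device-mapping-with-options", but the code identifies LUKS kinds by comparing each device's close procedure with `(mapped-device-kind-close luks-device-mapping)`, so any mapped-device kind that reuses that close procedure is now treated as LUKS. That is a reasonable way to cover both kinds, but the comment `;; Check against the close-luks-device procedure to get both maptypes.` should state the assumption it relies on (both kinds share one close procedure), and the commit message should describe the check that is actually made, since this function decides which devices the bootloader is told to unlock.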
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 0/5] Support root encryption and secure boot.
Date: Wed, 25 Sep 2024 13:11:58 +0200
Message-ID: <cover.1727262600.git.herman@HIDDEN>
X-Debbugs-Cc: Florian Pelz <pelzflorian@HIDDEN>, Lilah Tascheter <lilah@HIDDEN>, Ludovic Courtès <ludo@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Hi Lilah,

Recently Zheng Junjie <873216071@HIDDEN> told me git-fetch is better, so I
changed pesign to it.  I added libxcrypt to systemd-stub native-inputs and
did some formatting.  Please fill out [THE CONFIGURATION BELOW] in
doc/guix.texi for the next revision.  If you would like to create an
installation test for the UKI bootloader, please do so as well.

Having a UEFI boot entry per generation is pretty much perfect for me.

Thanks again,
Herman

Lilah Tascheter (5):
  gnu: packages: Add pesign.
  gnu: packages: Add ukify.
  gnu: packages: Add systemd-stub.
  gnu: system: Fix bootloader crypto device recognition.
  gnu: bootloaders: Add uki-efi-bootloader.

 doc/guix.texi                |  25 ++++++++-
 gnu/bootloader.scm           |   3 +
 gnu/bootloader/uki.scm       | 106 +++++++++++++++++++++++++++++++++++
 gnu/local.mk                 |   1 +
 gnu/packages/bootloaders.scm | 104 ++++++++++++++++++++++++++++++++++
 gnu/packages/efi.scm         |  52 +++++++++++++++++
 gnu/system.scm               |  17 +++---
 7 files changed, 299 insertions(+), 9 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

base-commit: e00ab0921afbfd4e8ee96c0c1dec77e1c5dd85b9
-- 
2.45.2
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 2/5] gnu: packages: Add ukify.
Date: Wed, 25 Sep 2024 13:12:00 +0200
Message-ID: <4a8e3c9cef67f009b6fcb00739bdba3d46c2a2a6.1727262600.git.herman@HIDDEN>
In-Reply-To: <cover.1727262600.git.herman@HIDDEN>
X-Debbugs-Cc: Efraim Flashner <efraim@HIDDEN>, Vagrant Cascadian <vagrant@HIDDEN>
From: Lilah Tascheter <lilah@HIDDEN>

* gnu/packages/bootloaders.scm (%systemd-version, systemd-source, ukify):
New variables.

Change-Id: Icde59b7266529c8002331ff0375e0a35af3a2add
---
 gnu/packages/bootloaders.scm | 57 ++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
Cc: Lilah Tascheter <lilah@HIDDEN>
diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index 2f115f6bb3..52d92ba03a 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -21,6 +21,7 @@ ;;; Copyright © 2023-2024 Herman Rimm <herman@HIDDEN> ;;; Copyright © 2023 Simon Tournier <zimon.toutoune@HIDDEN> ;;; Copyright © 2024 Zheng Junjie <873216071@HIDDEN> +;;; Copyright © 2024 Lilah Tascheter <lilah@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -48,6 +49,7 @@ (define-module (gnu packages bootloaders) #:use-module (gnu packages compression) #:use-module (gnu packages cross-base) #:use-module (gnu packages disk) + #:use-module (gnu packages efi) #:use-module (gnu packages firmware) #:use-module (gnu packages flex) #:use-module (gnu packages fontutils) @@ -76,11 +78,13 @@ (define-module (gnu packages bootloaders) #:use-module (gnu packages version-control) #:use-module (gnu packages virtualization) #:use-module (gnu packages xorg) + #:use-module (gnu packages python-crypto) #:use-module (gnu packages python-web) #:use-module (gnu packages python-xyz) #:use-module (guix build-system gnu) #:use-module (guix build-system meson) #:use-module (guix build-system pyproject) + #:use-module (guix build-system python) #:use-module (guix build-system trivial) #:use-module (guix download) #:use-module (guix gexp) 
@@ -576,6 +580,59 @@ (define-public syslinux ;; Also contains: license:expat license:isc license:zlib))))) +(define %systemd-version "255") +(define systemd-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/systemd/systemd") + (commit (string-append "v" %systemd-version)))) + (file-name (git-file-name "systemd" %systemd-version)) + (snippet #~(substitute* "src/ukify/ukify.py" + ;; Remove after python 3.11. + (("datetime\\.UTC") "datetime.timezone.utc"))) + (modules '((guix build utils))) + (sha256 + (base32 + "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6")))) + +(define-public ukify + (package + (name "ukify") + (version %systemd-version) + (source systemd-source) + (build-system python-build-system) + (arguments + (list + #:phases + #~(modify-phases %standard-phases + (replace 'build + (lambda* (#:key inputs #:allow-other-keys) + (define (get-tool tool) + (search-input-file inputs (string-append "bin/" tool))) + ;; Hardcode the tool paths. + (substitute* "src/ukify/ukify.py" + (("(find_tool\\(')(readelf|sbsign|pesign)'," _ ctx tool) + (string-append ctx (get-tool tool) "',")) + (("('name': ')(sbverify|pesign)'," _ ctx tool) + (string-append ctx (get-tool tool) "',"))))) + (delete 'check) + (replace 'install + (lambda* (#:key inputs #:allow-other-keys) + (let* ((bin (string-append #$output "/bin")) + (file (string-append bin "/ukify"))) + (mkdir-p bin) + (copy-file "src/ukify/ukify.py" file))))))) + (inputs + (list binutils pesign python-cryptography python-pefile sbsigntools)) + (home-page "https://systemd.io/") + (synopsis "Unified kernel image UEFI tool") + (description + "@command{ukify} joins together a UKI stub, linux kernel, initrd, +kernel arguments, and optional secure boot signatures into a single, +UEFI-bootable image.") + (license license:lgpl2.1+))) + (define-public dtc (package (name "dtc") -- 2.45.2
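Review bot: in the `ukify` package of the hunk at `@@ -576,6 +580,59 @@`, `(delete 'check)` drops the test phase without saying why; the convention in this tree is `#:tests? #f` with a one-line reason (as the `pesign` patch in this series does with `; The Makefile has no check target.`), so a reader knows whether upstream tests were unavailable or merely skipped. In the same hunk the replaced `install` phase declares `#:key inputs` but never uses it, and the `build` phase rewrites the `find_tool` and `'name'` lookups for `readelf`, `sbsign`, `sbverify` and `pesign` while the Python dependencies in `inputs` (`python-cryptography`, `python-pefile`) are referenced by no visible phase; if the package relies on the Python build system's handling of scripts under `bin/` to make those modules importable at run time, a short comment saying so would save the next reader a trip to the build system, and is worth having for a tool that will be signing boot images. Finally, the snippet comment `;; Remove after python 3.11.` reads as "remove after 3.11 is released"; since the substitution replaces `datetime.UTC` (available from Python 3.11) with `datetime.timezone.utc`, `;; Remove once the default python is 3.11 or later.` states the actual condition.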
From: Herman Rimm <herman@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Subject: [PATCH v3 1/5] gnu: packages: Add pesign.
Date: Wed, 25 Sep 2024 13:11:59 +0200
Message-ID: <eed6bbc414f615b6292e09bd48a3f12ae0964c0f.1727262600.git.herman@HIDDEN>
In-Reply-To: <cover.1727262600.git.herman@HIDDEN>
From: Lilah Tascheter <lilah@HIDDEN>

* gnu/packages/efi.scm (pesign): New variable.

Change-Id: I00fcc679d9514c85d508183b9ec7e121e0a814db
---
 gnu/packages/efi.scm | 52 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
Cc: Lilah Tascheter <lilah@HIDDEN>
diff --git a/gnu/packages/efi.scm b/gnu/packages/efi.scm
index 499745eba1..e5f9d2d6a3 100644
--- a/gnu/packages/efi.scm
+++ b/gnu/packages/efi.scm
@@ -24,8 +24,10 @@ (define-module (gnu packages efi) #:use-module (gnu packages bash) #:use-module (gnu packages linux) #:use-module (gnu packages man) + #:use-module (gnu packages nss) #:use-module (gnu packages perl) #:use-module (gnu packages pkg-config) + #:use-module (gnu packages popt) #:use-module (gnu packages tls) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix build-system gnu) 
@@ -153,6 +155,56 @@ (define-public sbsigntools (home-page "https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/") (license license:gpl3+))) +(define-public pesign + (package + (name "pesign") + (version "116") + (source + (origin + (method git-fetch) + (uri (git-reference + (url (string-append "https://github.com/rhboot/" name)) + (commit version))) + (modules '((guix build utils))) + (snippet + #~(substitute* "Make.defaults" + (("RANLIB\t\\?= \\$\\(CROSS_COMPILE\\)") "RANLIB\t?=") + (("pkg-config-ccldflags") "pkg-config-ldflags"))) + (sha256 + (base32 + "0fnqfiivj46bha4hsnwiqy8vq8b4i3w2dig0h9h2k4j7yq7r5qvj")))) + (build-system gnu-build-system) + (arguments + (list #:tests? #f ; The Makefile has no check target. + #:modules '((guix build gnu-build-system) + (guix build utils) + (ice-9 match)) + #:phases #~(modify-phases %standard-phases (delete 'configure)) + #:make-flags + (let ((system (%current-system)) + (target (%current-target-system))) + (define (arch s) + (if (target-x86-32? s) + "ia32" + (match (string-split s #\-) + ((x _ ...) x)))) + #~(list "prefix=/" "libdir=/lib/" + (string-append "DESTDIR=" #$output) + (string-append "HOSTARCH=" #$(arch system)) + (string-append "ARCH=" #$(arch (or target system))) + (if #$target + (string-append "CROSS_COMPILE=" #$target "-") + ""))))) + (inputs (list efivar nspr nss popt `(,util-linux "lib"))) + (native-inputs (list mandoc pkg-config)) + (synopsis "PE-COFF binary signing tools") + (description + "This package supports EFI keygen and subsequent signing of +PE-COFF binaries. It contains the tools authvar, efikeygen, pesigcheck, +pesign, pesign-client, and pesum.") + (home-page "https://github.com/rhboot/pesign") + (license license:gpl2+))) + (define-public efitools (package (name "efitools") -- 2.45.2
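Review bot: in the `#:make-flags` of the `pesign` package (hunk at `@@ -153,6 +155,56 @@`), the native branch of `(if #$target (string-append "CROSS_COMPILE=" #$target "-") "")` hands an empty string to make as a positional argument, which is at best a no-op and at worst rejected as an empty goal name, so the non-cross build deserves an explicit test; passing the variable unconditionally sidesteps the question: `(string-append "CROSS_COMPILE=" (if #$target (string-append #$target "-") ""))`. That also matches the snippet, which already edits `Make.defaults` so that `$(CROSS_COMPILE)` is dropped from `RANLIB` while the other tools keep using it. Separately, `(commit version)` resolves the bare tag `116` rather than a commit hash; the `sha256` pins the fetched content, so the build is protected, but a comment noting that the hash, not the tag, is the trust anchor would help whoever next bumps the version of a tool that signs PE binaries for Secure Boot.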
From: Nikolaos Chatzikonstantinou <nchatz314@HIDDEN>
Date: Thu, 15 Aug 2024 13:18:55 -0400
Message-ID: <CAAQmeke3bh7CV7tb3Mcxi_-JnJ5aXyu56XPP5wKgpP4_Wi3XRw@HIDDEN>
Subject: Re: Rewrite Posted
To: Lilah Tascheter <lilah@HIDDEN>
Cc: Hilton Chain <hako@HIDDEN>, 68524 <at> debbugs.gnu.org, Ryan S <ryan@HIDDEN>
In-Reply-To: <ff66920bb4b69ccf90955e912dd99caa41d1e116.camel@HIDDEN>

On Thu, Aug 15, 2024 at 9:15 AM Lilah Tascheter <lilah@HIDDEN> wrote:
>
> Hey!
>
> > When performing a fresh installation, the bootloader install will
> > always fail since it assumes "/boot/efi" as the base "script-path".
> Yeah, sorry, limitation of the current system. Speaking of, though...
>
> The rewrite has been posted! The new patch series is at
> https://issues.guix.gnu.org/72457 which also subsumes this series, so
> I'll close this one in favor of it.

Congratulations. This is great!

Regards,
Nikolaos Chatzikonstantinou
Lilah Tascheter <lilah@HIDDEN> to control <at> debbugs.gnu.org
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: Hilton Chain <hako@HIDDEN>, Nikolaos Chatzikonstantinou <nchatz314@HIDDEN>, Ryan S <ryan@HIDDEN>
Date: Thu, 15 Aug 2024 08:14:55 -0500
Subject: Rewrite Posted

Hey!

> When performing a fresh installation, the bootloader install will
> always fail since it assumes "/boot/efi" as the base "script-path".

Yeah, sorry, limitation of the current system. Speaking of, though...

The rewrite has been posted! The new patch series is at
https://issues.guix.gnu.org/72457 which also subsumes this series, so
I'll close this one in favor of it.

Thanks y'all!
From: "Ryan S" <ryan@HIDDEN>
To: <68524 <at> debbugs.gnu.org>
Date: Mon, 29 Jul 2024 01:11:14 -0400
Subject: Fwd: [PATCH 0/2] Support root encryption and secure boot.

Hi all!

No clue if this patch series is still being worked on, however I have been
keeping an eye on this (want to migrate away from GRUB because of decryption
speed and integrity reasons). Good news, I've successfully added these
patches on a local channel I have and everything still works, with little
modifications (this has been an on and off process over the past month or so
because I've been busy, so my memory of changes made may be fuzzy). However,
I did notice a bug. When performing a fresh installation, the bootloader
install will always fail since it assumes "/boot/efi" as the base
"script-path". This assumption is false due to the installer placing the
system being installed at "/mnt/boot/efi".

Outside of that, is a new rewrite of the boot system still being worked on?
What kinds of things are we looking for to get UKIs merged? Should I
start/continue a thread on guix-devel? I'd like to help where I can.

-- 
Best,
Ryan
From: Nikolaos Chatzikonstantinou <nchatz314@HIDDEN>
To: Lilah Tascheter <lilah@HIDDEN>
Cc: 68524 <at> debbugs.gnu.org
Date: Sun, 24 Mar 2024 05:38:47 -0400
Subject: Re: [PATCH 0/2] Support root encryption and secure boot

On Sat, Mar 23, 2024 at 3:40 PM Lilah Tascheter <lilah@HIDDEN> wrote:
> and yeah don't worry it's isolated. there's only two bits of systemd
> used, systemd-boot-stub and ukify. ukify is pretty much just a single
> python script, and systemd-boot-stub is just a bit of code tacked on to
> the boot process to handle combining the kernel, args, and initrd
> together. no daemons or code past the bootloader at all!
>
> of note I'm currently in the process of rewriting the entire guix
> bootloader stack to make this work a Lot nicer. sooo hopefully that
> gets finished soon.

Very exciting! I am looking forward to looking at the code.

Regards,
Nikolaos Chatzikonstantinou
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: nchatz314@HIDDEN
Date: Sat, 23 Mar 2024 14:40:40 -0500
Subject: Re: [PATCH 0/2] Support root encryption and secure boot

sorry for the late responses; I don't actually get sent your replies
unless you cc me.

and yeah don't worry it's isolated. there's only two bits of systemd
used, systemd-boot-stub and ukify. ukify is pretty much just a single
python script, and systemd-boot-stub is just a bit of code tacked on to
the boot process to handle combining the kernel, args, and initrd
together. no daemons or code past the bootloader at all!

of note I'm currently in the process of rewriting the entire guix
bootloader stack to make this work a Lot nicer. sooo hopefully that
gets finished soon.
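The message above describes the UKI as the kernel, command line and initrd glued together by systemd-boot-stub. The following Python, an added example that is not part of the patch series, shows what that looks like on disk: it builds a minimal PE image with the section layout ukify produces (constructed sample payloads) and parses the section table back to recover the embedded command line and section sizes. The helper names are the example's own.

```python
"""Read back the sections of a Unified Kernel Image (UKI).

A UKI is a PE/COFF binary built around systemd-stub.  ukify appends the
kernel, initrd, kernel command line and os-release file as extra PE sections
(.linux, .initrd, .cmdline, .osrel), and the stub hands them to the kernel at
boot.  Listing those sections is how a reviewer confirms which command line a
signed image carries, since systemd-stub ignores a loader-supplied command
line when Secure Boot is enabled.  Added example, not code from the Guix
patch series; the image is constructed inline so the script runs offline.
"""
import struct

DOS_HEADER_LEN = 64
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, follows the "PE\0\0" tag
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_LEN = struct.calcsize(SECTION_FMT)
FILE_ALIGN = 512
UKI_SECTIONS = (".osrel", ".cmdline", ".linux", ".initrd")

# Constructed sample payloads standing in for a real kernel and initrd.
SAMPLE_SECTIONS = {
    ".osrel": b'NAME="Guix System"\nID=guix\n',
    ".cmdline": b"root=/dev/mapper/cryptroot quiet\0",
    ".linux": b"\x7fELF" + b"\0" * 1020,
    ".initrd": b"\x1f\x8b" + b"\x01" * 2046,
}


def _align(n, a):
    return (n + a - 1) // a * a


def build_uki(sections):
    """Build a minimal PE32+ image carrying SECTIONS (constructed test input).

    Real UKIs also carry the stub's own .text/.data/.sbat sections; only the
    section-table layout matters to the parser, so they are omitted here."""
    opt_len = 240  # size of a PE32+ optional header; its contents are unused
    pe_off = DOS_HEADER_LEN
    table_off = pe_off + 4 + struct.calcsize(COFF_FMT) + opt_len
    data_off = _align(table_off + SECTION_LEN * len(sections), FILE_ALIGN)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)  # e_lfanew
    coff = struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, opt_len, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_len - 2)  # PE32+ magic
    headers, blobs, raw_ptr, vaddr = [], [], data_off, 0x1000
    for name, payload in sections.items():
        raw_len = _align(len(payload), FILE_ALIGN)  # SizeOfRawData is padded
        headers.append(struct.pack(                   # VirtualSize is exact
            SECTION_FMT, name.encode("ascii"), len(payload), vaddr, raw_len,
            raw_ptr, 0, 0, 0, 0, 0x40000040))
        blobs.append(payload.ljust(raw_len, b"\0"))
        raw_ptr += raw_len
        vaddr += _align(raw_len, 0x1000)
    image = dos + b"PE\0\0" + coff + opt + b"".join(headers)
    return image.ljust(data_off, b"\0") + b"".join(blobs)


def parse_pe_sections(blob):
    """Return {name: payload} for every section of a PE file, trusting
    VirtualSize over the alignment-padded SizeOfRawData and refusing a
    section header that points outside the file."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = struct.unpack_from(COFF_FMT, blob, pe_off + 4)
    n_sections, opt_len = coff[1], coff[5]
    table_off = pe_off + 4 + struct.calcsize(COFF_FMT) + opt_len
    sections = {}
    for i in range(n_sections):
        hdr = struct.unpack_from(SECTION_FMT, blob, table_off + i * SECTION_LEN)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        vsize, raw_size, raw_ptr = hdr[1], hdr[3], hdr[4]
        length = min(vsize, raw_size) if vsize else raw_size
        if raw_ptr + length > len(blob):
            raise ValueError(f"section {name!r} points past end of file")
        sections[name] = blob[raw_ptr:raw_ptr + length]
    return sections


def describe_uki(blob):
    """Summarise the ukify payload sections of BLOB: which are missing, the
    embedded kernel command line, and the kernel and initrd sizes."""
    sections = parse_pe_sections(blob)
    cmdline = sections.get(".cmdline", b"").rstrip(b"\0")
    return {
        "missing": [s for s in UKI_SECTIONS if s not in sections],
        "cmdline": cmdline.decode("utf-8", "replace"),
        "kernel_size": len(sections.get(".linux", b"")),
        "initrd_size": len(sections.get(".initrd", b"")),
    }


if __name__ == "__main__":
    print(describe_uki(build_uki(SAMPLE_SECTIONS)))
```

Pointing `parse_pe_sections` at a real image produced by ukify lists the same section names alongside the stub's own sections.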
From: Nikolaos Chatzikonstantinou <nchatz314@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Date: Fri, 8 Mar 2024 05:41:27 -0500
Subject:

Great, thank you for clarifying. This is awesome work. Does it mean however
that Guix becomes tied to systemd in some way when this feature is used? Or
is the feature sufficiently isolated that no systemd process takes place?

I've also looked briefly into this from another angle, trying to either
patch GRUB or to use kexec and boot from a USB. I'm glad that you were able
to do this, thanks a lot!

Regards,
Nikolaos Chatzikonstantinou
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: nchatz314@HIDDEN
Date: Fri, 08 Mar 2024 02:09:39 -0600
Subject: Re: [PATCH 0/2] Support root encryption and secure boot

nah, what I meant by that is instead of entering your password while
you're booted into grub, you enter it while booted into your initrd.
either way nothing touches the disk.
From: Nikolaos Chatzikonstantinou <nchatz314@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Date: Mon, 19 Feb 2024 20:08:39 -0500
Subject: [PATCH 0/2] Support root encryption and secure boot

What does it mean that "LUKS password entry is in the initrd"? Is the
password in plain sight?

Regards,
Nikolaos Chatzikonstantinou
From: Hilton Chain <hako@HIDDEN>
To: Lilah Tascheter <lilah@HIDDEN>
Cc: Vagrant Cascadian <vagrant@HIDDEN>, 68524 <at> debbugs.gnu.org, Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
Date: Thu, 15 Feb 2024 02:02:19 +0800
Subject: Re: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Message-ID: <87r0hegc0k.wl-hako@HIDDEN>
In-Reply-To: <8ab5d0bc36ced87463e0e64ca367266c80bd633d.camel@HIDDEN>

Hi Lilah,

On Tue, 13 Feb 2024 15:34:55 +0800,
Lilah Tascheter wrote:
>
> > * add secure-boot-cert and secure-boot-key fields to bootloader-
> > configuration.

How about using a pair instead of two fields? And because the usage depends on the bootloader, I'd like to use a generic name.

e.g. signing-keypair => '("/path/to/certificate" . "/path/to/private.key")

> > * deprecate configuration-file and configuration-file-generator in
> > the bootloader struct, and instead create an install-configuration-file
> > field, similar to install-bootloader. default procedure will be to do the
> > current install-boot-cfg (gnu build install) using the deprecated fields.

I'd prefer ‘configuration-installer’, since the installation target may not be a file. :)

I don't think the deprecation is necessary though, other bootloaders don't have to duplicate this part of code, and in my opinion the following definition does make sense.

--8<---------------cut here---------------start------------->8---
(define uefi-uki-bootloader
  (bootloader
   (name 'uefi-uki)
   (package systemd-stub)
   (installer install-uefi-uki)
   (configuration-installer install-uefi-uki-configuration)
   (configuration-file #f)
   (configuration-file-generator #f)))
--8<---------------cut here---------------end--------------->8---

> > * rework uki.scm to, instead, run efibootmgr in install-
> > configuration-file and install the uki.efi files in install-bootloader.
> > remove the separation between uefi-uki-signed-bootloader and
> > uefi-uki-bootloader, instead working off the new bootloader-configuration
> > fields.
>
> amending: also edit the bootloader-installer and bootloader-disk-image-installer
> procedures to provide the bootloader-configuration in some manner.

I agree that <bootloader> needs modifying, since unified kernel images currently cannot be well described. And to support proper generation switching, some fields of <bootloader-configuration> need exposing.

As this now involves deeper change, I think it's better to post the plan on guix-devel@HIDDEN for wider visibility and potential discussions.

Thanks
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: Vagrant Cascadian <vagrant@HIDDEN>, Hilton Chain <hako@HIDDEN>, Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
Date: Tue, 13 Feb 2024 01:34:55 -0600
Subject: Re: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Message-ID: <8ab5d0bc36ced87463e0e64ca367266c80bd633d.camel@HIDDEN>
In-Reply-To: <05032c80273155fb72fad87d3fedb36fa73c9a28.camel@HIDDEN>

> * add secure-boot-cert and secure-boot-key fields to bootloader-
> configuration.
>
> * deprecate configuration-file and configuration-file-generator in
> the bootloader struct, and instead create an install-configuration-file
> field, similar to install-bootloader. default procedure will be to do the
> current install-boot-cfg (gnu build install) using the deprecated fields.
>
> * rework uki.scm to, instead, run efibootmgr in install-
> configuration-file and install the uki.efi files in install-bootloader.
> remove the separation between uefi-uki-signed-bootloader and
> uefi-uki-bootloader, instead working off the new bootloader-configuration
> fields.

amending: also edit the bootloader-installer and bootloader-disk-image-installer procedures to provide the bootloader-configuration in some manner.

lilah
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: Vagrant Cascadian <vagrant@HIDDEN>, Hilton Chain <hako@HIDDEN>, Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
Date: Mon, 12 Feb 2024 20:11:18 -0600
Subject: Re: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Message-ID: <05032c80273155fb72fad87d3fedb36fa73c9a28.camel@HIDDEN>
In-Reply-To: <87a5o6n8v9.wl-hako@HIDDEN>

heyo! thanks for the review :) I'll submit a revised patch, but had a question before I get to work on it.

> I tried to adjust uki.scm before commenting, so here's a paste of my
> adjusted version, in case some of my comments are not expressed clearly:
> https://paste.sr.ht/~hako/62bb15503290273e869520e12466718ebb82e000

nighttime sky I didn't realize reinstall-bootloader existed. shit. at this point, I don't think the install-uki.scm hack is a good idea. to get this fully functioning, will probably have to do some more invasive edits to the bootloader system, since the current one pretty much assumes an extlinux/grubalike (which is what necessitated install-uki in the first place). RFC on the following plan:

* add secure-boot-cert and secure-boot-key fields to bootloader-configuration.

* deprecate configuration-file and configuration-file-generator in the bootloader struct, and instead create an install-configuration-file field, similar to install-bootloader. default procedure will be to do the current install-boot-cfg (gnu build install) using the deprecated fields.

* rework uki.scm to, instead, run efibootmgr in install-configuration-file and install the uki.efi files in install-bootloader. remove the separation between uefi-uki-signed-bootloader and uefi-uki-bootloader, instead working off the new bootloader-configuration fields.

this plan should work with reinstall-bootloader, even though it uses the default bootloader-configuration, since files are only signed during installation proper. opinions?

thanks,
lilah
From: Hilton Chain <hako@HIDDEN>
To: Lilah Tascheter <lilah@HIDDEN>
Cc: Vagrant Cascadian <vagrant@HIDDEN>, 68524 <at> debbugs.gnu.org, Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
Date: Mon, 12 Feb 2024 02:37:59 +0800
Subject: Re: [bug#68524] [PATCH v2 1/2] gnu: bootloaders: Add uki packages.
Message-ID: <87bk8mn8xk.wl-hako@HIDDEN>
In-Reply-To: <d0bd85e4c1be3a8a2d351c9d50053e4374032857.1706435500.git.lilah@HIDDEN>

Hi Lilah,

On Sun, 28 Jan 2024 17:51:40 +0800,
Lilah Tascheter via Guix-patches wrote:
>
> * gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
> (systemd-version,systemd-source,systemd-stub,ukify): New variables.

First of all, please split this commit into two commits, each adding a single package.

(Other comments are between quote blocks.)

> Change-Id: I67776ec35d165afebc2eb4b11bea0459259e4bd8
> ---
>  gnu/packages/bootloaders.scm | 95 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 95 insertions(+)
> > diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm > index 986f0ac035..b0d4979f44 100644 > --- a/gnu/packages/bootloaders.scm > +++ b/gnu/packages/bootloaders.scm > @@ -19,6 +19,7 @@ > ;;; Copyright =A9 2021 Stefan <stefan-guix@HIDDEN> > ;;; Copyright =A9 2022, 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN> > ;;; Copyright =A9 2023 Herman Rimm <herman@HIDDEN> > +;;; Copyright =A9 2024 Lilah Tascheter <lilah@HIDDEN> > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -46,11 +47,13 @@ (define-module (gnu packages bootloaders) > #:use-module (gnu packages compression) > #:use-module (gnu packages cross-base) > #:use-module (gnu packages disk) > + #:use-module (gnu packages efi) > #:use-module (gnu packages firmware) > #:use-module (gnu packages flex) > #:use-module (gnu packages fontutils) > #:use-module (gnu packages gcc) > #:use-module (gnu packages gettext) > + #:use-module (gnu packages gperf) > #:use-module (gnu packages linux) > #:use-module (gnu packages man) > #:use-module (gnu packages mtools) > @@ -71,11 +74,13 @@ (define-module (gnu packages bootloaders) > #:use-module (gnu packages valgrind) > #:use-module (gnu packages virtualization) > #:use-module (gnu packages xorg) > + #:use-module (gnu packages python-crypto) > #:use-module (gnu packages python-web) > #:use-module (gnu packages python-xyz) > #:use-module (guix build-system gnu) > #:use-module (guix build-system meson) > #:use-module (guix build-system pyproject) > + #:use-module (guix build-system python) > #:use-module (guix build-system trivial) > #:use-module (guix download) > #:use-module (guix gexp) 
> @@ -632,6 +637,96 @@ (define-public syslinux > ;; Also contains: > license:expat license:isc license:zlib))))) > > +(define systemd-version "255") > +(define systemd-source > + (origin > + (method git-fetch) > + (uri (git-reference > + (url "https://github.com/systemd/systemd") > + (commit (string-append "v" systemd-version)))) > + (file-name (git-file-name "systemd" systemd-version)) > + (sha256 > + (base32 > + "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6")))) > + > +(define-public (systemd-stub-name) > + (let ((arch (cond ((target-x86-32?) "ia32") > + ((target-x86-64?) "x64") > + ((target-arm32?) "arm") > + ((target-aarch64?) "aa64") > + ((target-riscv64?) "riscv64")))) > + (string-append "linux" arch ".efi.stub"))) How about exporting this procedure in the module definition instead? > + > +(define-public systemd-stub > + (package > + (name "systemd-stub") > + (version systemd-version) > + (source systemd-source) > + (build-system meson-build-system) > + (arguments > + (list > + #:configure-flags > + `(list "-Defi=3Dtrue" "-Dsbat-distro=3Dguix" > + "-Dsbat-distro-generation=3D1" ; package revision! > + "-Dsbat-distro-summary=3DGuix System" > + "-Dsbat-distro-url=3Dhttps://guix.gnu.org" > + ,(string-append "-Dsbat-distro-pkgname=3D" name) > + ,(string-append "-Dsbat-distro-version=3D" version)) Please use a G-expression for #:configure-flags, replace =A1name=A2 and =A1= version=A2 to =A1#$(package-name this-package)=A2 and =A1#$(package-version this-packa= ge)=A2. "-Dmode=3Drelease" can be added, too. > + #:phases > + #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-nam= e)))) > + (modify-phases %standard-phases > + (replace 'build > + (lambda* (#:key parallel-build? #:allow-other-keys) > + (invoke "ninja" stub > + "-j" (if parallel-build? 
> + (number->string (parallel-job-count)) "1")))) > + (replace 'install > + (lambda _ > + (install-file stub (string-append #$output "/libexec")= ))) > + (delete 'check))))) > + (inputs (list libcap python-pyelftools `(,util-linux "lib"))) > + (native-inputs (list gperf pkg-config python-3 python-jinja2)) > + (home-page "https://systemd.io") I think its homepage has an ending slash, as in "https://systemd.io/". > + (synopsis "Unified kernel image UEFI stub") > + (description "Simple UEFi boot stub that loads a conjoined kernel im= age and > +supporting data to their proper locations, before chainloading to the ke= rnel. > +Supports measured and/or verified boot environments.") > + (license license:lgpl2.1+))) > + > +(define-public ukify > + (package > + (name "ukify") > + (version systemd-version) > + (source systemd-source) > + (build-system python-build-system) > + (arguments > + (list #:phases > + #~(modify-phases %standard-phases > + (replace 'build > + (lambda _ > + (substitute* "src/ukify/ukify.py" ; added in python = 3.11 > + (("datetime\\.UTC") "datetime.timezone.utc")))) It's likely that only =A1systemd-source=A2 will be touched in the future, s= o I'd suggest moving this substitution into =A1systemd-source=A2 as a snippet. > + (delete 'check) > + (replace 'install > + (lambda* (#:key inputs #:allow-other-keys) > + (let* ((bin (string-append #$output "/bin")) > + (file (string-append bin "/ukify")) > + (binutils (assoc-ref inputs "binutils")) > + (sbsign (assoc-ref inputs "sbsigntools"))) Getting inputs' path with =A1assoc-ref=A2 is not recommended. =A1search-in= put-file=A2 or =A1this-package-input=A2 can be used instead. 
> + (mkdir-p bin) > + (copy-file "src/ukify/ukify.py" file) > + (wrap-program file > + `("PATH" ":" prefix > + (,(string-append binutils "/bin") > + ,(string-append sbsign "/bin")))))))))) I'd suggest patching paths instead of wrapping programs when possible, for example, I have made one when reviewing this patch: --8<---------------cut here---------------start------------->8--- (replace 'install (lambda* (#:key inputs #:allow-other-keys) (let ((file (string-append #$output "/bin/ukify"))) (mkdir-p (dirname file)) (copy-file "src/ukify/ukify.py" file) (substitute* file (("(find_tool.'|'name': ')\\<(readelf|sbsign|sbverify)\\>" _ pre cmd) (string-append pre (search-input-file inputs (string-append "bin/" cmd)))))))) --8<---------------cut here---------------end--------------->8--- Note that one dependency, =A1pesign=A2, is currently missing from Guix, thu= s not handled here. I don't know if it has anything to do with our usage, but for the completen= ess of the package, I think we can package this dependency, or adding a comment around the =A1inputs=A2 field to indicate it's missing. > + (inputs (list binutils python-cryptography python-pefile sbsigntools= )) > + (home-page "https://systemd.io") Same as the homepage mentioned above. > + (synopsis "Unified kernel image UEFI tool") > + (description "@command{ukify} joins together a UKI stub, linux kerne= l, initrd, > +kernel arguments, and optional secure boot signatures into a single, UEF= I-bootable > +image.") > + (license license:lgpl2.1+))) > + > (define-public dtc > (package > (name "dtc") > -- > 2.41.0 Thanks
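Review bot: in the hunk "@@ -632,6 +637,96 @@", systemd-stub-name has no else branch in its cond, so on any target outside the five listed, arch is unspecified and the build fails with a wrong-type error from string-append instead of a message naming the unsupported target; add an else clause that raises an error mentioning the target, or declare supported-systems on systemd-stub so the limitation is explicit. In the same hunk, "-Dsbat-distro-generation=1" carries only the aside "; package revision!": the SBAT generation is the value shim compares against its revocation list when it loads the UKI, so it has to be bumped (and never reused) in every build that follows a revocation of an earlier stub, and a future updater will not infer that policy from two words; spell it out in a comment next to the flag. Both systemd-stub and ukify use (delete 'check) with no reason given; the Guix convention is "#:tests? #f" with a comment explaining why the tests are skipped. Lastly, the systemd-stub description reads "Simple UEFi boot stub", which should be "UEFI".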
From: Hilton Chain <hako@HIDDEN>
To: Lilah Tascheter <lilah@HIDDEN>
Cc: Vagrant Cascadian <vagrant@HIDDEN>, 68524 <at> debbugs.gnu.org, Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN>
Date: Mon, 12 Feb 2024 02:39:22 +0800
Subject: Re: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Message-ID: <87a5o6n8v9.wl-hako@HIDDEN>
In-Reply-To: <22f2967a552454baade056c60a37c02e36a048a5.1706435500.git.lilah@HIDDEN>

Hi Lilah,

On Sun, 28 Jan 2024 17:51:41 +0800,
Lilah Tascheter via Guix-patches wrote:
>
> * doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
> uefi-uki-bootloader and uefi-uki-signed-bootloader.
> (Keyboard Layout, Networking, and Partitioning)[Disk Partitioning]:
> Note use of uefi-uki-bootloader and uefi-uki-signed-bootloader.
> * gnu/bootloader/uki.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm.
> > Change-Id: I2097da9f3dd35137b3419f6d0545de26d53cb6da > --- > doc/guix.texi | 45 ++++++++++---- > gnu/bootloader/uki.scm | 129 +++++++++++++++++++++++++++++++++++++++++ > gnu/local.mk | 1 + > 3 files changed, 163 insertions(+), 12 deletions(-) > create mode 100644 gnu/bootloader/uki.scm > > diff --git a/doc/guix.texi b/doc/guix.texi > index c458befb76..30fd5d022b 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi > @@ -2723,12 +2723,13 @@ Keyboard Layout and Networking and Partitioning > for @command{cryptsetup luksFormat}. You can check which key derivation > function is being used by a device by running @command{cryptsetup > luksDump @var{device}}, and looking for the PBKDF field of your > -keyslots. > +keyslots. UEFI stub bootloaders, such as @code{uefi-uki-bootloader}, can > +however use the default, more secure key derivation function. > @end quotation > > -Assuming you want to store the root partition on @file{/dev/sda2}, the > -command sequence to format it as a LUKS2 partition would be along these > -lines: > +Assuming you want to store the root partition on @file{/dev/sda2} and us= e GRUB > +as your bootloader, the command sequence to format it as a LUKS2 partiti= on would > +be along these lines: > > @example > cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2 > @@ -41136,8 +41137,9 @@ Bootloader Configuration > The bootloader to use, as a @code{bootloader} object. For now > @code{grub-bootloader}, @code{grub-efi-bootloader}, > @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader}, > -@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader} > -and @code{u-boot-bootloader} are supported. > +@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}, > +@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and > +@code{uefi-uki-signed-bootloader} are supported. > > @cindex ARM, bootloaders > @cindex AArch64, bootloaders 
> @@ -41244,6 +41246,25 @@ Bootloader Configuration > unbootable. > @end quotation > > +@vindex uefi-uki-bootloader > +@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, w= ithout > +an intermediary like GRUB. The main practical advantage of this is allow= ing > +root/store encryption without an extra GRUB password entry and slow decr= yption > +step. > + > +@vindex uefi-uki-signed-bootloader > +@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, ex= cept > +that it is a procedure that returns a bootloader compatible with UEFI se= cure > +boot. You must provide it with two paths: an out-of-store secure boot db > +certificate (in PEM format), and out-of-store db key, in that order. Please add two spaces between sentences, e.g. "Sentence 1. Sentence 2". I think "out-of-store" is not necessary here. :) > + > +@quotation Warning > +When using @code{uefi-uki-bootloader} or @code{uefi-uki-signed-bootloade= r}, > +@emph{do not} turn off your computer if a system reconfigure failed at > +installing the bootloader. Until bootloader installation succeeds, your= system > +is in an unbootable state. > +@end quotation > + > @item @code{targets} > This is a list of strings denoting the targets onto which to install the > bootloader. 
> @@ -41252,12 +41273,12 @@ Bootloader Configuration > For @code{grub-bootloader}, for example, they should be device names > understood by the bootloader @command{installer} command, such as > @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub, > -GNU GRUB Manual}). For @code{grub-efi-bootloader} and > -@code{grub-efi-removable-bootloader} they should be mount > -points of the EFI file system, usually @file{/boot/efi}. For > -@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount > -points corresponding to TFTP root directories served by your TFTP > -server. > +GNU GRUB Manual}). For @code{grub-efi-bootloader}, > +@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and > +@code{uefi-uki-signed-bootloader}, they should be mount points of the EF= I file > +system, usually @file{/boot/efi}. For @code{grub-efi-netboot-bootloader= }, > +@code{targets} should be the mount points corresponding to TFTP root dir= ectories > +served by your TFTP server. > > @item @code{menu-entries} (default: @code{'()}) > A possibly empty list of @code{menu-entry} objects (see below), denoting > diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm > new file mode 100644 > index 0000000000..0ef62295d6 > --- /dev/null > +++ b/gnu/bootloader/uki.scm 
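Review bot: in the doc/guix.texi hunk "@@ -2723,12 +2723,13 @@", the added sentence "UEFI stub bootloaders, such as @code{uefi-uki-bootloader}, can however use the default, more secure key derivation function" never names that function, although the paragraph exists to tell the reader which --pbkdf to pass to cryptsetup luksFormat; say that the LUKS2 default is Argon2id and that only the GRUB unlock path needs PBKDF2, so a reader knows which option to pass or omit for each bootloader.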
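Review bot: in the hunk "@@ -41244,6 +41246,25 @@", the @vindex uefi-uki-signed-bootloader paragraph should keep the "out-of-store" qualifier and say why it is there: /gnu/store is world-readable, so a db private key referenced as a store item would be readable by every local user, and the key has to live outside the store with restrictive permissions (the certificate can be anywhere). A sentence to that effect after "You must provide it with two paths: ..." closes that gap. The @vindex uefi-uki-bootloader paragraph would also benefit from stating where LUKS passphrase entry happens once GRUB's prompt is gone, namely that the initrd prompts for it at boot, since "without an extra GRUB password entry" on its own has already prompted the question in this thread of whether the password is in plain sight.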
> @@ -0,0 +1,129 @@ > +;;; GNU Guix --- Functional package management for GNU > +;;; Copyright =A9 2024 Lilah Tascheter <lilah@HIDDEN> > +;;; > +;;; This file is part of GNU Guix. > +;;; > +;;; GNU Guix is free software; you can redistribute it and/or modify it > +;;; under the terms of the GNU General Public License as published by > +;;; the Free Software Foundation; either version 3 of the License, or (at > +;;; your option) any later version. > +;;; > +;;; GNU Guix is distributed in the hope that it will be useful, but > +;;; WITHOUT ANY WARRANTY; without even the implied warranty of > +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +;;; GNU General Public License for more details. > +;;; > +;;; You should have received a copy of the GNU General Public License > +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. > + > +(define-module (gnu bootloader uki) > + #:use-module (gnu bootloader) > + #:use-module (gnu packages bootloaders) > + #:use-module (gnu packages efi) > + #:use-module (gnu packages linux) > + #:use-module (guix gexp) > + #:use-module (guix modules) > + #:use-module (srfi srfi-1) > + #:export (uefi-uki-bootloader uefi-uki-signed-bootloader)) > + > +;; config generator makes script creating uki images > +;; install runs script > +;; install device is path to uefi dir > +(define vendor "Guix") > +(define script-loc "/boot/install-uki.scm") > + > +(define* (uefi-uki-configuration-file #:optional cert privkey) > + (lambda* (config entries #:key (old-entries '()) #:allow-other-keys) > + > + (define (menu-entry->args e) I'd prefer using =A1entry=A2 instead of =A1e=A2, same for some other nonobv= ious abbreviations. 
> + (let* ((boot (bootloader-configuration-bootloader config)) > + (stub (bootloader-package boot))) > + #~(list "--os-release" #$(menu-entry-label e) > + "--linux" #$(menu-entry-linux e) "--initrd" #$(menu-entry-in= itrd e) > + "--cmdline" (string-join (list #$@(menu-entry-linux-argument= s e))) > + "--stub" #$(file-append stub "/libexec/" (systemd-stub-name)) > + #$@(if cert #~("--secureboot-certificate" #$cert) #~()) > + #$@(if privkey #~("--secureboot-private-key" #$privkey) #~()= )))) > + > + (define (enum-filenames . args) ; same args as iota > + (map (lambda (n) (string-append (number->string n) ".efi")) > + (apply iota (map length args)))) "Same args as iota" doesn't explain the procudre, it actually accepts lists instead of numbers, and only the first two lists are intended to be used, r= ight? I'd suggest just having two arguments with more descriptive names. > + > + (program-file "install-uki" > + (with-imported-modules (source-module-closure '((guix build syscal= ls) > + (guix build utils)= )) > + #~(let* ((target (cadr (command-line))) > + (vendir (string-append target "/EFI/" #$vendor)) > + (schema (string-append vendir "/boot.mgr")) > + (findmnt #$(file-append util-linux "/bin/findmnt")) > + (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr= "))) > + (use-modules (guix build syscalls) (guix build utils) > + (ice-9 popen) (ice-9 textual-ports)) > + > + (define (out name) (string-append vendir "/" name)) > + (define disk > + (call-with-port > + (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" targ= et) > + (lambda (port) (get-line port)))) ; only 1 line: the dev= ice (guix build syscalls) has procedures can be utilized for this, no need to i= nvoke findmnt. > + > + ;; delete all boot entries and files we control > + (when (file-exists? schema) > + (call-with-input-file schema > + (lambda (port) > + (for-each (lambda (l) > + (unless (string-null? 
l) > + (system* efibootmgr "-B" "-L" l "-q"))) Dispite the "-q" option, error messages will still be visible to user, plea= se use =A1invoke/quiet=A2 + error handling instead. And I'd prefer long options. > + (string-split (get-string-all port) #\lf))))) =A1#\newline=A2 is preferred over =A1#\lf=A2 in Guix source. > + (when (directory-exists? vendir) (delete-file-recursively ve= ndir)) > + (mkdir-p vendir) > + > + (define (install port boot? oos) > + (lambda (args label name) > + (let ((minbytes (* 2 (stat:size (stat #$script-loc))))) > + (put-string port label) > + (put-char port #\lf) > + (force-output port) ; make sure space is alloc'd > + (apply invoke #$(file-append ukify "/bin/ukify") =A1invoke/quiet=A2 can be used. > + "build" "-o" (out name) args) > + ;; make sure we have enough space for next install-uki= .scm > + (when (and oos (< (free-disk-space vendir) minbytes)) = (oos)) > + (invoke efibootmgr (if boot? "-c" "-C") "-L" label "-d= " disk > + "-l" (string-append "\\EFI\\" #$vendor "\\" name) "-= q")))) You're calling the exception handler directly here, it might be better to m= ove the exception handling part into the procedure to avoid this. > + > + (call-with-output-file schema > + (lambda (port) ; prioritize latest UKIs in limited ESP spa= ce > + (for-each (install port #t #f) > + (list #$@(map-in-order menu-entry->args entries)) > + (list #$@(map-in-order menu-entry-label entries)) > + (list #$@(enum-filenames entries))) > + (for-each ; old-entries can fail (out of space) we don't= care > + (lambda (args label name) > + (define (cleanup . _) ; do exit early if out of spac= e tho > + (when (file-exists? 
(out name)) (delete-file (out = name))) > + (exit)) > + (with-exception-handler cleanup > + (lambda _ ((install port #f cleanup) args label na= me)))) > + (list #$@(map-in-order menu-entry->args old-entries)) > + (list #$@(map-in-order menu-entry-label old-entries)) > + (list #$@(enum-filenames old-entries entries)))))))))) These two =A1for-each=A2 can be merged into one. > + > +(define install-uefi-uki > + #~(lambda (bootloader target mount-point) > + (invoke (string-append mount-point #$script-loc) > + (string-append mount-point target)))) > + > +(define* (make-uefi-uki-bootloader #:optional cert privkey) > + (bootloader > + (name 'uefi-uki) > + (package systemd-stub) > + (installer install-uefi-uki) > + (disk-image-installer #f) > + (configuration-file script-loc) > + (configuration-file-generator (uefi-uki-configuration-file cert priv= key)))) > + > +;; IMPORTANT NOTE: if bootloader install fails, do not turn off your com= puter! until > +;; install succeeds, your system is unbootable. > +(define uefi-uki-bootloader (make-uefi-uki-bootloader)) > +;; use ukify genkey to generate cert and privkey. DO NOT include in stor= e. > +(define (uefi-uki-signed-bootloader cert privkey) > + (make-uefi-uki-bootloader cert privkey)) They'll have the same bootloader name, making these two bootloaders indistinguishable from boot-parameters. > diff --git a/gnu/local.mk b/gnu/local.mk > index ab63bd5881..0a15251ddf 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -90,6 +90,7 @@ GNU_SYSTEM_MODULES =3D \ > %D%/bootloader/extlinux.scm \ > %D%/bootloader/u-boot.scm \ > %D%/bootloader/depthcharge.scm \ > + %D%/bootloader/uki.scm \ > %D%/ci.scm \ > %D%/compression.scm \ > %D%/home.scm \ > -- > 2.41.0 I tried to adjust uki.scm before commenting, so here's a paste of my adjust= ed version, in case some of my comments are not expressed clearly: https://paste.sr.ht/~hako/62bb15503290273e869520e12466718ebb82e000 Thanks
guix-patches@HIDDEN: bug#68524; Package guix-patches.
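The adjustments the review above asks for, as an added illustration: this is not code from the patch, from Hilton's paste, or from Guix itself. It assumes Guix's build-side modules are on the load path (for instance under `guix repl`); the procedure names `esp-source-device`, `run-quietly`, `parse-boot-entries`, `bootnums-with-label` and `delete-boot-entry` are mine, and the efibootmgr listing at the end is constructed sample text, not output from any machine.

```scheme
;; Added illustration of the review suggestions above; not part of the patch
;; or of Guix.  Assumes the (guix build ...) modules are on the load path.
(use-modules (guix build utils)      ; invoke/quiet
             (guix build syscalls)   ; mounts, mount-point, mount-source
             (ice-9 regex)
             (srfi srfi-1)
             (srfi srfi-34)
             (srfi srfi-35))

;; Look TARGET (the mounted ESP) up in /proc/self/mountinfo and return the
;; block device backing it, instead of parsing findmnt output.
(define (esp-source-device target)
  (let ((mount (find (lambda (m) (string=? (mount-point m) target))
                     (mounts))))
    (unless mount
      (error "not a mount point, refusing to guess the ESP device:" target))
    (mount-source mount)))

;; invoke/quiet hides the child's output on success and raises a &message
;; condition carrying that output on failure.  Turn the failure into one
;; error naming the command, so the installer stops with a useful message
;; instead of letting efibootmgr or ukify print partial errors and carry on.
(define (run-quietly program . args)
  (guard (c ((message-condition? c)
             (error (format #f "~a ~a failed:~%~a"
                            program (string-join args " ")
                            (condition-message c)))))
    (apply invoke/quiet program args)))

;; Parse the "BootXXXX* Label<TAB>device-path" lines of an efibootmgr
;; listing into an alist of (bootnum . label).  Labels are not unique, so
;; the installer should remember the Boot#### numbers it created rather
;; than delete by label as the patch does.
(define (parse-boot-entries listing)
  (filter-map
   (lambda (line)
     (let ((m (string-match "^Boot([0-9A-Fa-f]{4})\\*? ([^\t]*)" line)))
       (and m (cons (match:substring m 1) (match:substring m 2)))))
   (string-split listing #\newline)))

(define (bootnums-with-label entries label)
  (filter-map (lambda (entry)
                (and (string=? (cdr entry) label) (car entry)))
              entries))

;; Delete exactly one entry, by number.  Long options, as requested in the
;; review; --quiet is kept so that success prints nothing at all.
(define (delete-boot-entry efibootmgr bootnum)
  (run-quietly efibootmgr "--quiet" "--delete-bootnum" "--bootnum" bootnum))

;; Constructed sample listing (not real output from any machine): two
;; entries share the label "Guix", the case "efibootmgr -B -L Guix" cannot
;; tell apart.
(define sample-listing
  (string-join
   '("BootCurrent: 0001"
     "BootOrder: 0001,0003,0002"
     "Boot0001* Guix\tHD(1,GPT)/File(\\EFI\\Guix\\0.efi)"
     "Boot0002* Windows Boot Manager\tHD(1,GPT)/File(\\EFI\\Microsoft\\Boot\\bootmgfw.efi)"
     "Boot0003* Guix\tHD(1,GPT)/File(\\EFI\\Guix\\1.efi)")
   "\n"))

(bootnums-with-label (parse-boot-entries sample-listing) "Guix")
```

For the sample listing the last expression yields both 0001 and 0003, which is exactly the ambiguity a label-keyed boot.mgr cannot resolve; recording the number efibootmgr assigns when an entry is created, and deleting through `delete-boot-entry`, removes only what the installer itself made.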
Full text available.Received: (at 68524) by debbugs.gnu.org; 11 Feb 2024 18:46:05 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Feb 11 13:46:05 2024 Received: from localhost ([127.0.0.1]:39153 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1rZEq4-0004GB-58 for submit <at> debbugs.gnu.org; Sun, 11 Feb 2024 13:46:05 -0500 Received: from mail.boiledscript.com ([144.168.59.46]:34494) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <hako@HIDDEN>) id 1rZEq2-0004Fk-1w for 68524 <at> debbugs.gnu.org; Sun, 11 Feb 2024 13:46:02 -0500 Date: Mon, 12 Feb 2024 02:37:21 +0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ultrarare.space; s=dkim; t=1707677046; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=zqMduDsQhzhfC3N2o1LMNYbPb/gYrc/erd84aZ5eunQ=; b=jtJWHTIiETgy1CH3wnAbIQ4A27Q2pJ4DvPrbKHmHx5hbT4lispkNZBQKJ4IdoK71zGRdNm 64/5DPpsOC1LwzqYdDY/tVdvyA0k7/Vg82RntG0AEQ0aUkZQ5x991NeaBJ72Kq3C5QKr0+ MiokROnpqKsJyMFXvq+HGhFhYWgYobmN6soBwCY9LLiGlV9wCFPHqgevsiy6EmFqt1cE/I qyunVukE7bnuu+g5orzRNuf8hJSsxyKt4I1f/lX1E+qsiGgNBN4mUmthtRz+ffhGBOjF/w UMpLNQistVrsJcGAvKbW2o6T9rhRlAHQFQ2FWa3Yc7k2N2acRc3R4s3S5w8QMw== Authentication-Results: mail.boiledscript.com; auth=pass smtp.mailfrom=hako@HIDDEN Message-ID: <87cyt2n8ym.wl-hako@HIDDEN> From: Hilton Chain <hako@HIDDEN> To: Lilah Tascheter <lilah@HIDDEN> Subject: Re: [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot. 
In-Reply-To: <cover.1706435500.git.lilah@HIDDEN> References: <cover.1705465384.git.lilah@HIDDEN> <cover.1706435500.git.lilah@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-7 Content-Transfer-Encoding: quoted-printable X-Spamd-Bar: / X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 68524 Cc: Vagrant Cascadian <vagrant@HIDDEN>, 68524 <at> debbugs.gnu.org, Herman Rimm <herman@HIDDEN>, Efraim Flashner <efraim@HIDDEN> X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) Hi Lilah, On Sun, 28 Jan 2024 17:51:38 +0800, Lilah Tascheter via Guix-patches wrote: > > Thank you so much Herman, that motherfucking typo was what made my old-en= tries > testing not work. I reworked the majority of the install-uki.scm code, an= d now > uefi-uki-bootloader and uefi-uki-signed-bootloader support generation rol= lback! > Slightly jank, but it works. On install, we pretty much just cram as many > generations into the ESP as possible. ESPs are typically small, so we can= 't > assume that we can fit more than one UKI, so if we can't fit every extent > generation we just exit early. > > We also don't waste space on root by adding each UKI to the store anymore. > They're all generated at install time. 
> Added slightly more documentation too.
>
> Otherwise, fixed everything Herman pointed out!
>
> Decided not to add a manual section on manually running /boot/install-uki.scm
> though. It's more of a quirk of getting around guix's bootloader assumptions
> than meant to be run that way; I don't know if it's a good idea to direct
> attention to it. I mean it Works, but it's more of a quick hack.
>
> Lilah Tascheter (2):
>   gnu: bootloaders: Add uki packages.
>   gnu: bootloaders: Add uefi-uki-bootloader.
>
>  doc/guix.texi                |  45 ++++++++----
>  gnu/bootloader/uki.scm       | 129 +++++++++++++++++++++++++++++++++++
>  gnu/local.mk                 |   1 +
>  gnu/packages/bootloaders.scm |  95 ++++++++++++++++++++++++++
>  4 files changed, 258 insertions(+), 12 deletions(-)
>  create mode 100644 gnu/bootloader/uki.scm
>
>
> base-commit: 2823253484e49391c6ba3c653a2f9e9f5e5f38ae
> --
> 2.41.0

Nicely done! I have tested ‘uefi-uki-bootloader’, and it works!

But currently ‘uefi-uki-bootloader’ doesn't match generation switching well,
and ‘uefi-uki-signed-bootloader’ as a procedure further breaks that, right?

I think these issues have to be addressed to get the series merged.

Reviews are coming later.

Thanks
guix-patches@HIDDEN: bug#68524; Package guix-patches.
Full text available.Received: (at 68524) by debbugs.gnu.org; 28 Jan 2024 10:03:38 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jan 28 05:03:38 2024 Received: from localhost ([127.0.0.1]:56628 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1rU20n-0003zJ-KI for submit <at> debbugs.gnu.org; Sun, 28 Jan 2024 05:03:38 -0500 Received: from sendmail.purelymail.com ([34.202.193.197]:38470) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <lilah@HIDDEN>) id 1rU20f-0003yP-TG for 68524 <at> debbugs.gnu.org; Sun, 28 Jan 2024 05:03:33 -0500 Authentication-Results: purelymail.com; auth=pass DKIM-Signature: a=rsa-sha256; b=kUhKC5Nf+fJ6l/lOCHlQqpDckhrg+zkmeLugvtEZg3z4EcXPbSKKQD1qbAiKZQEN36CmA91VA/i+q3/eB6L52x/fqdgV31bCAq8JOcMhoMq5bgNVHXgmahsUGYbqQCRswo7hR3tGqFrMQcJYPYvjYU+ln7Q3pPvQ/JnS2wHqr4ts8HfSUMC9UF4Cy6V464PQBkzqu/YMZ9I5y08cFjxwlBNUXdFB6S5we7JxdAqDJtxqdmcn4H3mbqofXj5261Yz/9w9GF+q+TqlIkp1WvSySe9Lr7tOjTtpOnJEdobdIIIDAjHGpzIr/yRa+qovTxa9OX61CqB3W9m1X4ZNbFGCrQ==; s=purelymail2; d=lunabee.space; v=1; bh=us+EFDXms9fDRtQBeGDoDSsswTmzdHRQy5lzdw8+3gY=; h=Received:From:To:Subject; DKIM-Signature: a=rsa-sha256; b=EGDXT+2aVT7KPMrNo+7HP+Wjppoit2QVachhvPmjPQAXOgTmCvNjD+sUyTvCTeriHQ2MQCBEM+9aGPQA/BUE1XvQnrYyIvfca15o1iutcOZa1Wcv8TDX2RvPb1gXHB+5Y9qqOT3w2rJ9S80oTXi1bZnbC4z3cHAl1Nf5dJ2lRwL/fYzYxJN0cpdNpmPU3ZwuYGvqG7FPRjebgA+rDlFmI+U8rlLWs4X3r8NPUicRvRWY2vlD4+F+14fj8i9aKn5tdtmSMIF/NDS4DcQeZAjZB5PFrCIXVeNpUvcpwnp1geP50o01NGytpcfPVjltqYcYVgrJ3gFuX6KR7fVTVB9wjw==; s=purelymail2; d=purelymail.com; v=1; bh=us+EFDXms9fDRtQBeGDoDSsswTmzdHRQy5lzdw8+3gY=; h=Feedback-ID:Received:From:To:Subject; Feedback-ID: 8937:2070:null:purelymail X-Pm-Original-To: 68524 <at> debbugs.gnu.org Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -1308848491; (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Sun, 28 Jan 2024 10:03:15 +0000 (UTC) 
From: Lilah Tascheter <lilah@HIDDEN> To: 68524 <at> debbugs.gnu.org Subject: [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader. Date: Sun, 28 Jan 2024 03:51:41 -0600 Message-ID: <22f2967a552454baade056c60a37c02e36a048a5.1706435500.git.lilah@HIDDEN> In-Reply-To: <cover.1706435500.git.lilah@HIDDEN> References: <cover.1706435500.git.lilah@HIDDEN> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail X-Spam-Score: -0.0 (/) X-Debbugs-Envelope-To: 68524 Cc: vagrant@HIDDEN, Lilah Tascheter <lilah@HIDDEN>, herman@HIDDEN, efraim@HIDDEN X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -1.0 (-) * doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document uefi-uki-bootloader and uefi-uki-signed-bootloader. (Keyboard Layout, Networking, and Partitioning)[Disk Partitioning]: Note use of uefi-uki-bootloader and uefi-uki-signed-bootloader. * gnu/bootloader/uki.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add bootloader/uki.scm. 
Change-Id: I2097da9f3dd35137b3419f6d0545de26d53cb6da --- doc/guix.texi | 45 ++++++++++---- gnu/bootloader/uki.scm | 129 +++++++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + 3 files changed, 163 insertions(+), 12 deletions(-) create mode 100644 gnu/bootloader/uki.scm diff --git a/doc/guix.texi b/doc/guix.texi index c458befb76..30fd5d022b 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -2723,12 +2723,13 @@ Keyboard Layout and Networking and Partitioning for @command{cryptsetup luksFormat}. You can check which key derivation function is being used by a device by running @command{cryptsetup luksDump @var{device}}, and looking for the PBKDF field of your -keyslots. +keyslots. UEFI stub bootloaders, such as @code{uefi-uki-bootloader}, can +however use the default, more secure key derivation function. @end quotation =20 -Assuming you want to store the root partition on @file{/dev/sda2}, the -command sequence to format it as a LUKS2 partition would be along these -lines: +Assuming you want to store the root partition on @file{/dev/sda2} and use = GRUB +as your bootloader, the command sequence to format it as a LUKS2 partition= would +be along these lines: =20 @example cryptsetup luksFormat --type luks2 --pbkdf pbkdf2 /dev/sda2 @@ -41136,8 +41137,9 @@ Bootloader Configuration The bootloader to use, as a @code{bootloader} object. For now @code{grub-bootloader}, @code{grub-efi-bootloader}, @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader}, -@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader} -and @code{u-boot-bootloader} are supported. +@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}, +@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and +@code{uefi-uki-signed-bootloader} are supported. =20 @cindex ARM, bootloaders @cindex AArch64, bootloaders 
@@ -41244,6 +41246,25 @@ Bootloader Configuration unbootable. @end quotation =20 +@vindex uefi-uki-bootloader +@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, wit= hout +an intermediary like GRUB. The main practical advantage of this is allowin= g +root/store encryption without an extra GRUB password entry and slow decryp= tion +step. + +@vindex uefi-uki-signed-bootloader +@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, exce= pt +that it is a procedure that returns a bootloader compatible with UEFI secu= re +boot. You must provide it with two paths: an out-of-store secure boot db +certificate (in PEM format), and out-of-store db key, in that order. + +@quotation Warning +When using @code{uefi-uki-bootloader} or @code{uefi-uki-signed-bootloader}= , +@emph{do not} turn off your computer if a system reconfigure failed at +installing the bootloader. Until bootloader installation succeeds, your s= ystem +is in an unbootable state. +@end quotation + @item @code{targets} This is a list of strings denoting the targets onto which to install the bootloader. 
@@ -41252,12 +41273,12 @@ Bootloader Configuration For @code{grub-bootloader}, for example, they should be device names understood by the bootloader @command{installer} command, such as @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub, -GNU GRUB Manual}). For @code{grub-efi-bootloader} and -@code{grub-efi-removable-bootloader} they should be mount -points of the EFI file system, usually @file{/boot/efi}. For -@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount -points corresponding to TFTP root directories served by your TFTP -server. +GNU GRUB Manual}). For @code{grub-efi-bootloader}, +@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and +@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI = file +system, usually @file{/boot/efi}. For @code{grub-efi-netboot-bootloader}, +@code{targets} should be the mount points corresponding to TFTP root direc= tories +served by your TFTP server. =20 @item @code{menu-entries} (default: @code{'()}) A possibly empty list of @code{menu-entry} objects (see below), denoting diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm new file mode 100644 index 0000000000..0ef62295d6 --- /dev/null +++ b/gnu/bootloader/uki.scm 
@@ -0,0 +1,129 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright =C2=A9 2024 Lilah Tascheter <lilah@HIDDEN> +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu bootloader uki) + #:use-module (gnu bootloader) + #:use-module (gnu packages bootloaders) + #:use-module (gnu packages efi) + #:use-module (gnu packages linux) + #:use-module (guix gexp) + #:use-module (guix modules) + #:use-module (srfi srfi-1) + #:export (uefi-uki-bootloader uefi-uki-signed-bootloader)) + +;; config generator makes script creating uki images +;; install runs script +;; install device is path to uefi dir +(define vendor "Guix") +(define script-loc "/boot/install-uki.scm") + +(define* (uefi-uki-configuration-file #:optional cert privkey) + (lambda* (config entries #:key (old-entries '()) #:allow-other-keys) + + (define (menu-entry->args e) + (let* ((boot (bootloader-configuration-bootloader config)) + (stub (bootloader-package boot))) + #~(list "--os-release" #$(menu-entry-label e) + "--linux" #$(menu-entry-linux e) "--initrd" #$(menu-entry-init= rd e) + "--cmdline" (string-join (list #$@(menu-entry-linux-arguments = e))) + "--stub" #$(file-append stub "/libexec/" (systemd-stub-name)) + #$@(if cert #~("--secureboot-certificate" #$cert) #~()) + #$@(if privkey #~("--secureboot-private-key" #$privkey) #~()))= 
)) + + (define (enum-filenames . args) ; same args as iota + (map (lambda (n) (string-append (number->string n) ".efi")) + (apply iota (map length args)))) + + (program-file "install-uki" + (with-imported-modules (source-module-closure '((guix build syscalls= ) + (guix build utils))) + #~(let* ((target (cadr (command-line))) + (vendir (string-append target "/EFI/" #$vendor)) + (schema (string-append vendir "/boot.mgr")) + (findmnt #$(file-append util-linux "/bin/findmnt")) + (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")= )) + (use-modules (guix build syscalls) (guix build utils) + (ice-9 popen) (ice-9 textual-ports)) + + (define (out name) (string-append vendir "/" name)) + (define disk + (call-with-port + (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target= ) + (lambda (port) (get-line port)))) ; only 1 line: the devic= e + + ;; delete all boot entries and files we control + (when (file-exists? schema) + (call-with-input-file schema + (lambda (port) + (for-each (lambda (l) + (unless (string-null? l) + (system* efibootmgr "-B" "-L" l "-q"))) + (string-split (get-string-all port) #\lf))))) + (when (directory-exists? vendir) (delete-file-recursively vend= ir)) + (mkdir-p vendir) + + (define (install port boot? oos) + (lambda (args label name) + (let ((minbytes (* 2 (stat:size (stat #$script-loc))))) + (put-string port label) + (put-char port #\lf) + (force-output port) ; make sure space is alloc'd + (apply invoke #$(file-append ukify "/bin/ukify") + "build" "-o" (out name) args) + ;; make sure we have enough space for next install-uki.s= cm + (when (and oos (< (free-disk-space vendir) minbytes)) (o= os)) + (invoke efibootmgr (if boot? 
"-c" "-C") "-L" label "-d" = disk + "-l" (string-append "\\EFI\\" #$vendor "\\" name) "-q"= )))) + + (call-with-output-file schema + (lambda (port) ; prioritize latest UKIs in limited ESP space + (for-each (install port #t #f) + (list #$@(map-in-order menu-entry->args entries)) + (list #$@(map-in-order menu-entry-label entries)) + (list #$@(enum-filenames entries))) + (for-each ; old-entries can fail (out of space) we don't c= are + (lambda (args label name) + (define (cleanup . _) ; do exit early if out of space = tho + (when (file-exists? (out name)) (delete-file (out na= me))) + (exit)) + (with-exception-handler cleanup + (lambda _ ((install port #f cleanup) args label name= )))) + (list #$@(map-in-order menu-entry->args old-entries)) + (list #$@(map-in-order menu-entry-label old-entries)) + (list #$@(enum-filenames old-entries entries)))))))))) + +(define install-uefi-uki + #~(lambda (bootloader target mount-point) + (invoke (string-append mount-point #$script-loc) + (string-append mount-point target)))) + +(define* (make-uefi-uki-bootloader #:optional cert privkey) + (bootloader + (name 'uefi-uki) + (package systemd-stub) + (installer install-uefi-uki) + (disk-image-installer #f) + (configuration-file script-loc) + (configuration-file-generator (uefi-uki-configuration-file cert privke= y)))) + +;; IMPORTANT NOTE: if bootloader install fails, do not turn off your compu= ter! until +;; install succeeds, your system is unbootable. +(define uefi-uki-bootloader (make-uefi-uki-bootloader)) +;; use ukify genkey to generate cert and privkey. DO NOT include in store. +(define (uefi-uki-signed-bootloader cert privkey) + (make-uefi-uki-bootloader cert privkey)) diff --git a/gnu/local.mk b/gnu/local.mk index ab63bd5881..0a15251ddf 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -90,6 +90,7 @@ GNU_SYSTEM_MODULES =3D=09=09=09=09\ %D%/bootloader/extlinux.scm \ %D%/bootloader/u-boot.scm \ %D%/bootloader/depthcharge.scm \ + %D%/bootloader/uki.scm \ %D%/ci.scm=09=09=09=09=09\ %D%/compression.scm=09=09=09=09\ %D%/home.scm=09=09=09=09=09\ --=20 2.41.0
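Review bot: the sentence added to the @quotation in the hunk at @@ -2723,12 +2723,13 @@ ("UEFI stub bootloaders, such as @code{uefi-uki-bootloader}, can however use the default, more secure key derivation function") gives neither the reason nor the command, so a reader cannot tell when it applies. State that with a UKI the kernel and initrd on the ESP open the LUKS volume, so GRUB's lack of Argon2 support no longer constrains the PBKDF choice, and show the corresponding command, i.e. @command{cryptsetup luksFormat --type luks2 /dev/sda2} without @option{--pbkdf pbkdf2}. Also say that this only holds when GRUB is not used at all for that system; otherwise the pbkdf2 advice above it still stands.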
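Review bot: the @code{uefi-uki-signed-bootloader} paragraph in the hunk at @@ -41244,6 +41246,25 @@ says the two arguments are out-of-store paths but not what that requires in practice, and this is the security-critical part of the feature. Document that both must be plain path strings and never file-like objects such as @code{local-file}, because anything that becomes a store item is world-readable under @file{/gnu/store}; that the db key must be readable by root only, since @file{/boot/install-uki.scm} reads it during @command{guix system reconfigure}; and that the certificate must be enrolled in the firmware db (or chain to a key already there) before Secure Boot is switched on, or the signed UKIs are rejected at boot. Since it is a procedure, @deffn is the right construct here rather than @vindex.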
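Review bot: in the hunk adding @file{gnu/bootloader/uki.scm}, the cleanup loop removes NVRAM entries by label, `(system* efibootmgr "-B" "-L" l "-q")` for each line of @file{boot.mgr}, but labels are not unique among Boot#### variables, so any pre-existing entry that shares a label recorded there, including one belonging to another installed system, is deleted too; record the Boot#### number assigned at creation time and delete with @option{--bootnum} instead. Three more points in the same hunk: `make-uefi-uki-bootloader` splices @var{cert} and @var{privkey} into the gexp unchecked, so a file-like object would be copied into the world-readable store despite the "DO NOT include in store" comment, and a `(string? privkey)` check with a clear error belongs in `uefi-uki-signed-bootloader`; `cleanup` is installed with `with-exception-handler` for every exception, not only the out-of-space case the comment describes, so a ukify or signing failure on an old generation is swallowed and the following `(exit)` ends the installer with status 0; and labels are written to @file{boot.mgr} newline-separated without validation, so a label containing a newline corrupts the file that the next run uses to decide what to delete.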
guix-patches@HIDDEN: bug#68524; Package guix-patches.
Full text available.Received: (at 68524) by debbugs.gnu.org; 28 Jan 2024 10:03:32 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jan 28 05:03:32 2024 Received: from localhost ([127.0.0.1]:56626 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1rU20h-0003yq-T1 for submit <at> debbugs.gnu.org; Sun, 28 Jan 2024 05:03:32 -0500 Received: from sendmail.purelymail.com ([34.202.193.197]:50706) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <lilah@HIDDEN>) id 1rU20f-0003yO-SO for 68524 <at> debbugs.gnu.org; Sun, 28 Jan 2024 05:03:30 -0500 Authentication-Results: purelymail.com; auth=pass DKIM-Signature: a=rsa-sha256; b=U673TrUCTFscakmyI8GUi6M1eWjyPIKffhlWHqWEPenliP1FXr9T2CW+sMzObgwBDLqpK3uNLJdYq1c/kYUfiVQLpSCjVnXWP1rBWjZ0zfnXaqQzRROLnswvswa49ul6ZPge6DRuzTUoFsocB/bxA2wcR420DBzxbr5smgXfHtyOIaGfDhspohS0l5dNQhgGnGM1kVdpQUig1LzXVgW59EhD2dyBPBsBG0ym2CbDzZ1a7yyBZTsern81bk6KCXs8pVy6CUItybvoqgHyvJ9gtiXL8CNzlu0Sk0VOnGxljBMEc1UHl1eJvbZDbpAGZ1zkruV5s1HEPXylfxMycK4POw==; s=purelymail2; d=lunabee.space; v=1; bh=/0e0X1bfriDa7mztPzwNLhVYDcs7uvRT3P83zy8NFF8=; h=Received:From:To:Subject; DKIM-Signature: a=rsa-sha256; b=uEknK+JL2gwPRkc4ZR3wQ/sP0MDEvbtXr6fvI0fXG4Yi34pjtsFNeiSYRazOSYcNzMJWr2d+QoWZdT9cjY5emniOmVZ2khRQqLaoiGoz/lvuqjPRjhK+jtluwDN3hfuRi+iPBs56jQPxUveNZCtUpY9FSHwJ5ux9oBveK+nxz9xdDXrIXTAQquMZEZLdN6XbtJJ9oWukVyCiDZXnUXG5CQ0iZ/hKr5ZIryPw6d6LjBi5uXhlpe5WNGjq3wUMRL2oXwbHpIzYHBzNx+kRLCBhYGkYjaaoG0dm6iWyw3rsO97FfuCrlo/1svH0N9lKpXM7BJ9ECa4KmqxTfv4jkYMKag==; s=purelymail2; d=purelymail.com; v=1; bh=/0e0X1bfriDa7mztPzwNLhVYDcs7uvRT3P83zy8NFF8=; h=Feedback-ID:Received:From:To:Subject; Feedback-ID: 8937:2070:null:purelymail X-Pm-Original-To: 68524 <at> debbugs.gnu.org Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -1308848491; (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Sun, 28 Jan 2024 10:03:12 +0000 (UTC) 
From: Lilah Tascheter <lilah@HIDDEN> To: 68524 <at> debbugs.gnu.org Subject: [PATCH v2 1/2] gnu: bootloaders: Add uki packages. Date: Sun, 28 Jan 2024 03:51:40 -0600 Message-ID: <d0bd85e4c1be3a8a2d351c9d50053e4374032857.1706435500.git.lilah@HIDDEN> In-Reply-To: <cover.1706435500.git.lilah@HIDDEN> References: <cover.1706435500.git.lilah@HIDDEN> MIME-Version: 1.0 X-Debbugs-Cc: Efraim Flashner <efraim@HIDDEN>, Vagrant Cascadian <vagrant@HIDDEN> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail X-Spam-Score: 0.7 (/) X-Debbugs-Envelope-To: 68524 Cc: vagrant@HIDDEN, Lilah Tascheter <lilah@HIDDEN>, herman@HIDDEN, efraim@HIDDEN X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -0.3 (/) * gnu/packages/bootloaders.scm (systemd-stub-name): New procedure. (systemd-version,systemd-source,systemd-stub,ukify): New variables. Change-Id: I67776ec35d165afebc2eb4b11bea0459259e4bd8 --- gnu/packages/bootloaders.scm | 95 ++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm index 986f0ac035..b0d4979f44 100644 --- a/gnu/packages/bootloaders.scm 
+++ b/gnu/packages/bootloaders.scm @@ -19,6 +19,7 @@ ;;; Copyright =C2=A9 2021 Stefan <stefan-guix@HIDDEN> ;;; Copyright =C2=A9 2022, 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN= > ;;; Copyright =C2=A9 2023 Herman Rimm <herman@HIDDEN> +;;; Copyright =C2=A9 2024 Lilah Tascheter <lilah@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -46,11 +47,13 @@ (define-module (gnu packages bootloaders) #:use-module (gnu packages compression) #:use-module (gnu packages cross-base) #:use-module (gnu packages disk) + #:use-module (gnu packages efi) #:use-module (gnu packages firmware) #:use-module (gnu packages flex) #:use-module (gnu packages fontutils) #:use-module (gnu packages gcc) #:use-module (gnu packages gettext) + #:use-module (gnu packages gperf) #:use-module (gnu packages linux) #:use-module (gnu packages man) #:use-module (gnu packages mtools) @@ -71,11 +74,13 @@ (define-module (gnu packages bootloaders) #:use-module (gnu packages valgrind) #:use-module (gnu packages virtualization) #:use-module (gnu packages xorg) + #:use-module (gnu packages python-crypto) #:use-module (gnu packages python-web) #:use-module (gnu packages python-xyz) #:use-module (guix build-system gnu) #:use-module (guix build-system meson) #:use-module (guix build-system pyproject) + #:use-module (guix build-system python) #:use-module (guix build-system trivial) #:use-module (guix download) #:use-module (guix gexp) 
@@ -632,6 +637,96 @@ (define-public syslinux ;; Also contains: license:expat license:isc license:zlib))))) =20 +(define systemd-version "255") +(define systemd-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/systemd/systemd") + (commit (string-append "v" systemd-version)))) + (file-name (git-file-name "systemd" systemd-version)) + (sha256 + (base32 + "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6")))) + +(define-public (systemd-stub-name) + (let ((arch (cond ((target-x86-32?) "ia32") + ((target-x86-64?) "x64") + ((target-arm32?) "arm") + ((target-aarch64?) "aa64") + ((target-riscv64?) "riscv64")))) + (string-append "linux" arch ".efi.stub"))) + +(define-public systemd-stub + (package + (name "systemd-stub") + (version systemd-version) + (source systemd-source) + (build-system meson-build-system) + (arguments + (list + #:configure-flags + `(list "-Defi=3Dtrue" "-Dsbat-distro=3Dguix" + "-Dsbat-distro-generation=3D1" ; package revision! + "-Dsbat-distro-summary=3DGuix System" + "-Dsbat-distro-url=3Dhttps://guix.gnu.org" + ,(string-append "-Dsbat-distro-pkgname=3D" name) + ,(string-append "-Dsbat-distro-version=3D" version)) + #:phases + #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name)= ))) + (modify-phases %standard-phases + (replace 'build + (lambda* (#:key parallel-build? #:allow-other-keys) + (invoke "ninja" stub + "-j" (if parallel-build? + (number->string (parallel-job-count)) "1")))) + (replace 'install + (lambda _ + (install-file stub (string-append #$output "/libexec")))= ) + (delete 'check))))) + (inputs (list libcap python-pyelftools `(,util-linux "lib"))) + (native-inputs (list gperf pkg-config python-3 python-jinja2)) + (home-page "https://systemd.io") + (synopsis "Unified kernel image UEFI stub") + (description "Simple UEFi boot stub that loads a conjoined kernel imag= e and +supporting data to their proper locations, before chainloading to the kern= el. 
+Supports measured and/or verified boot environments.") + (license license:lgpl2.1+))) + +(define-public ukify + (package + (name "ukify") + (version systemd-version) + (source systemd-source) + (build-system python-build-system) + (arguments + (list #:phases + #~(modify-phases %standard-phases + (replace 'build + (lambda _ + (substitute* "src/ukify/ukify.py" ; added in python 3.= 11 + (("datetime\\.UTC") "datetime.timezone.utc")))) + (delete 'check) + (replace 'install + (lambda* (#:key inputs #:allow-other-keys) + (let* ((bin (string-append #$output "/bin")) + (file (string-append bin "/ukify")) + (binutils (assoc-ref inputs "binutils")) + (sbsign (assoc-ref inputs "sbsigntools"))) + (mkdir-p bin) + (copy-file "src/ukify/ukify.py" file) + (wrap-program file + `("PATH" ":" prefix + (,(string-append binutils "/bin") + ,(string-append sbsign "/bin")))))))))) + (inputs (list binutils python-cryptography python-pefile sbsigntools)) + (home-page "https://systemd.io") + (synopsis "Unified kernel image UEFI tool") + (description "@command{ukify} joins together a UKI stub, linux kernel,= initrd, +kernel arguments, and optional secure boot signatures into a single, UEFI-= bootable +image.") + (license license:lgpl2.1+))) + (define-public dtc (package (name "dtc") --=20 2.41.0
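Review bot: in the hunk at @@ -632,6 +637,96 @@, the `cond` in `systemd-stub-name` has no fallback clause, so on any target other than the five listed @var{arch} is unspecified and `string-append` fails with an unhelpful type error at package-definition time; add an `else` clause that raises a clear unsupported-target error. The `-Dsbat-distro-generation=1` flag carries only the comment `; package revision!`; the SBAT generation is what shim uses to revoke older, vulnerable builds of a stub, so spell out, in a comment or in the description, that it must be incremented whenever a stub build containing a security fix is released, otherwise revocation cannot target Guix builds if this stub is ever loaded through shim. Both packages also `(delete 'check)` with no comment saying why, and the `ukify` install phase should locate @command{objcopy} and @command{sbsign} with `search-input-file` rather than `assoc-ref inputs "binutils"`, per current packaging conventions.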
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: vagrant@HIDDEN, Lilah Tascheter <lilah@HIDDEN>, herman@HIDDEN, efraim@HIDDEN
Subject: [PATCH v2 0/2] Support root encryption and secure boot.
Date: Sun, 28 Jan 2024 03:51:38 -0600

Thank you so much Herman, that motherfucking typo was what made my old-entries testing not work. I reworked the majority of the install-uki.scm code, and now uefi-uki-bootloader and uefi-uki-signed-bootloader support generation rollback! Slightly jank, but it works. On install, we pretty much just cram as many generations into the ESP as possible. ESPs are typically small, so we can't assume that we can fit more than one UKI, so if we can't fit every extant generation we just exit early. We also don't waste space on root by adding each UKI to the store anymore. They're all generated at install time. Added slightly more documentation too. Otherwise, fixed everything Herman pointed out!

Decided not to add a manual section on manually running /boot/install-uki.scm though. It's more of a quirk of getting around guix's bootloader assumptions than meant to be run that way; I don't know if it's a good idea to direct attention to it. I mean it Works, but it's more of a quick hack.

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  45 ++++++++----
 gnu/bootloader/uki.scm       | 129 +++++++++++++++++++++++++++++++++++
 gnu/local.mk                 |   1 +
 gnu/packages/bootloaders.scm |  95 ++++++++++++++++++++++++++
 4 files changed, 258 insertions(+), 12 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

base-commit: 2823253484e49391c6ba3c653a2f9e9f5e5f38ae
-- 
2.41.0
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: Herman Rimm <herman@HIDDEN>
Subject: Re: [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Date: Sat, 27 Jan 2024 18:50:16 -0600

Thanks for the notes! I'm working on a v2 right now.

> The way GRUB does it, if mount-point/boot/efi does not exist, try
> install to /boot/efi in case the ESP got mounted there. Personally, I
> think it's okay to only try install to mount-point/boot/efi.

Yeah, I'd be concerned about overriding my own bootloader if it could decide to just not use mount-point.

> This bootloader has been very useful to me.

I'm so glad!!! :)

> I could easily chainload the UKI from an install image GRUB

Would it be more useful to have the EFI vendor dir for UKI be like, Guix-UKI instead of just Guix, as to not delete a preexisting grub-efi-bootloader?

-lilah
From: Herman Rimm <herman@HIDDEN>
To: Lilah Tascheter <lilah@HIDDEN>, 68524 <at> debbugs.gnu.org
Subject: [bug#68524] [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Date: Thu, 25 Jan 2024 11:03:57 +0100

Hello,

On Tue, Jan 16, 2024 at 10:48:11PM -0600, Lilah Tascheter wrote:
> * doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
> uefi-uki-bootloader and uefi-uki-signed-bootloader.
> * gnu/bootloader/uki.scm: New file.

Remember to note your copyright and register new files in gnu/local.mk.

> +(define* (uefi-uki-configuration-file #:optional cert privkey)
> +  (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)

old-entries got mistyped as old-entires.

> +    (define (menu-entry->uki e)
> +      (define stub (file-append systemd-stub "/libexec/" (systemd-stub-name)))

Can you have systemd-stub be an argument of uefi-uki-configuration-file?

> +          (when (file-exists? schema)
> +            (call-with-input-file schema
> +              (lambda (port)
> +                (for-each (lambda (l)
> +                            (unless (string-null? l)
> +                              (system* efibootmgr "-B" "-L" l)))

You can make this quiet.

> +                          (invoke efibootmgr "-c" "-L" label "-d" disk "-l"

Maybe this too?

> +(define install-uefi-uki
> +  #~(lambda (bootloader target mount-point)

Get systemd-stub from bootloader with bootloader-package.

> +     (invoke (string-append mount-point "/boot/install-uki.scm")
> +             (string-append mount-point target))))

The way GRUB does it, if mount-point/boot/efi does not exist, try install to /boot/efi in case the ESP got mounted there. Personally, I think it's okay to only try install to mount-point/boot/efi.

> +(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
> +;; use ukify genkey to generate cert and privkey. DO NOT include in store.
> +(define-public (uefi-uki-signed-bootloader cert privkey)
> +  (make-uefi-uki-bootloader cert privkey))

Can you use define instead and export the bootloaders in define-module? I expect define-public procedures in package modules which would have to use an export procedure with many arguments otherwise.

The install-uki.scm config file is a nice idea. It can be used to regenerate the UKI and corresponding UEFI boot entry. Now that I think about it, can that be included as an example? Like:

uefi-uki-bootloader installs install-uki.scm to /boot, you can use it to (re)create the UKI manually: sudo ./install-uki.scm /boot/efi/. If you need to chroot to an existing system on /mnt, mount efivars first: mount --bind /sys/firmware/efi/efivars /mnt/sys/firmware/efi/efivars. This is required for efibootmgr to (re)install the UEFI entry for the corresponding UKI.

This bootloader has been very useful to me. I could easily chainload the UKI from an install image GRUB, whenever I messed up the UEFI boot entry for the EFI stub bootloader I'm working on.

Thank you,
Herman
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: Lilah Tascheter <lilah@HIDDEN>
X-Debbugs-Cc: Efraim Flashner <efraim@HIDDEN>, Vagrant Cascadian <vagrant@HIDDEN>
Subject: [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Date: Tue, 16 Jan 2024 22:48:11 -0600

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.

Change-Id: Ie30ef47ea026889727a050131a9b3c0555aa4c21
---
 doc/guix.texi          |  35 ++++++++++----
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm
diff --git a/doc/guix.texi b/doc/guix.texi index a66005ee9d..3029740f45 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -40881,8 +40881,9 @@ Bootloader Configuration The bootloader to use, as a @code{bootloader} object. For now @code{grub-bootloader}, @code{grub-efi-bootloader}, @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader}, -@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader} -and @code{u-boot-bootloader} are supported. +@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}, +@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and +@code{uefi-uki-signed-bootloader} are supported. =20 @cindex ARM, bootloaders @cindex AArch64, bootloaders @@ -40989,6 +40990,24 @@ Bootloader Configuration unbootable. @end quotation =20 +@vindex uefi-uki-bootloader +@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, wit= hout +an intermediary like GRUB. The main practical advantage of this is allowin= g +root/store encryption without an extra GRUB password entry and slow decryp= tion +step. + +@vindex uefi-uki-signed-bootloader +@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, exce= pt +that it is a procedure that returns a bootloader compatible with UEFI secu= re +boot. You must provide it with two paths, to an out-of-store secure boot d= b +certificate, and key, in that order. + +@quotation Note +This bootloader @emph{does not} support booting from any old system genera= tion. +You will also need enough space in your EFI System partition to store your +kernel and initramfs, though this likely won't be an issue. +@end quotation + @item @code{targets} This is a list of strings denoting the targets onto which to install the bootloader. 
@@ -40997,12 +41016,12 @@ Bootloader Configuration For @code{grub-bootloader}, for example, they should be device names understood by the bootloader @command{installer} command, such as @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub, -GNU GRUB Manual}). For @code{grub-efi-bootloader} and -@code{grub-efi-removable-bootloader} they should be mount -points of the EFI file system, usually @file{/boot/efi}. For -@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount -points corresponding to TFTP root directories served by your TFTP -server. +GNU GRUB Manual}). For @code{grub-efi-bootloader}, +@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and +@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI = file +system, usually @file{/boot/efi}. For @code{grub-efi-netboot-bootloader}, +@code{targets} should be the mount points corresponding to TFTP root direc= tories +served by your TFTP server. =20 @item @code{menu-entries} (default: @code{'()}) A possibly empty list of @code{menu-entry} objects (see below), denoting diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm new file mode 100644 index 0000000000..3131bae3d7 --- /dev/null +++ b/gnu/bootloader/uki.scm 
@@ -0,0 +1,106 @@ +;;; GNU Guix --- Functional package management for GNU +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. + +(define-module (gnu bootloader uki) + #:use-module (gnu bootloader) + #:use-module (gnu packages bootloaders) + #:use-module (gnu packages efi) + #:use-module (gnu packages linux) + #:use-module (guix gexp) + #:use-module (guix modules)) + +;; config generator makes script creating uki images +;; install runs script +;; install device is path to uefi dir + +(define* (uefi-uki-configuration-file #:optional cert privkey) + (lambda* (config entries #:key (old-entires '()) #:allow-other-keys) + + (define (menu-entry->uki e) + (define stub (file-append systemd-stub "/libexec/" (systemd-stub-nam= e))) + (computed-file "uki.efi" + (with-imported-modules (source-module-closure '((guix build utils)= )) + #~(let ((args (list #$@(menu-entry-linux-arguments e)))) + (use-modules (guix build utils)) + (invoke #$(file-append ukify "/bin/ukify") "build" + "--linux" #$(menu-entry-linux e) + "--initrd" #$(menu-entry-initrd e) + "--os-release" #$(menu-entry-label e) + "--cmdline" (string-join args) + "--stub" #$stub + "-o" #$output))))) + + (program-file "install-uki" + (with-imported-modules (source-module-closure '((guix build utils))) + #~(let* ((target (cadr (command-line))) + (vendir (string-append target 
"/EFI/Guix")) + (schema (string-append vendir "/boot.mgr")) + (findmnt #$(file-append util-linux "/bin/findmnt")) + (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")= )) + (use-modules (guix build utils) (ice-9 popen) (ice-9 textual-p= orts)) + + (define disk + (call-with-port + (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target= ) + (lambda (port) (get-line port)))) ; only 1 line: the devic= e + + (when (file-exists? schema) + (call-with-input-file schema + (lambda (port) + (for-each (lambda (l) + (unless (string-null? l) + (system* efibootmgr "-B" "-L" l))) + (string-split (get-string-all port) #\lf))))) + (when (directory-exists? vendir) (delete-file-recursively vend= ir)) + + (mkdir-p vendir) + (call-with-output-file schema + (lambda (port) + (for-each (lambda (uki label) + (let* ((base (basename uki)) + (out (string-append vendir "/" base))) + #$(if cert ; sign here so we can access root= certs + #~(invoke + #$(file-append sbsigntools "/bin/sbs= ign") + "--cert" #$cert "--key" #$privkey + "--output" out uki) + #~(copy-file uki out)) + (invoke efibootmgr "-c" "-L" label "-d" disk= "-l" + (string-append "\\EFI\\Guix\\" base)) + (put-string port label) + (put-char port #\lf))) + (list #$@(map-in-order menu-entry->uki entries)) + (list #$@(map-in-order menu-entry-label entries)))))))))= ) + +(define install-uefi-uki + #~(lambda (bootloader target mount-point) + (invoke (string-append mount-point "/boot/install-uki.scm") + (string-append mount-point target)))) + +(define* (make-uefi-uki-bootloader #:optional cert privkey) + (bootloader + (name 'uefi-uki) + (package systemd-stub) + (installer install-uefi-uki) + (disk-image-installer #f) + (configuration-file "/boot/install-uki.scm") + (configuration-file-generator (uefi-uki-configuration-file cert privke= y)))) + +(define-public uefi-uki-bootloader (make-uefi-uki-bootloader)) +;; use ukify genkey to generate cert and privkey. DO NOT include in store. 
+(define-public (uefi-uki-signed-bootloader cert privkey) + (make-uefi-uki-bootloader cert privkey)) --=20 2.41.0
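Review bot: in the second doc/guix.texi hunk (`@@ -40989`), the paragraph for `uefi-uki-signed-bootloader` says the certificate and key must be "out-of-store" but not why or who may read them: the generated `install-uki.scm` runs `sbsign --cert ... --key ...` as root at install time, and the only warning about the key lives in the `;; use ukify genkey ... DO NOT include in store.` comment in gnu/bootloader/uki.scm. Suggest the manual state plainly that everything in the store is world-readable, that the private key path must therefore point outside the store with permissions restricted to root, and that `ukify genkey` is the expected way to produce the pair, so users of this option do not discover the constraint from a source comment.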
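Review bot: in the gnu/bootloader/uki.scm hunk, the generated installer is not failure-safe: it removes the existing entries listed in `boot.mgr` with `efibootmgr -B -L` and then `delete-file-recursively`s `vendir` before the first new image is written, so if any later `ukify`, `sbsign` or `efibootmgr -c` invocation fails, the ESP is left with no Guix UKI and no boot entry, on a bootloader that by design has no menu to fall back to. Suggest writing the new images into a staging directory beside `vendir`, registering their entries, and only then removing the old directory and its entries. Two smaller points in the same hunk: `old-entires` in the `lambda*` keyword list is a typo for `old-entries`, so a caller's `#:old-entries` is swallowed by `#:allow-other-keys` and silently ignored; and `--os-release` is given the bare `menu-entry-label`, whereas ukify's `--os-release=TEXT|@PATH` convention treats an argument without a leading `@` as the literal `.osrel` contents, which should be os-release key=value lines (e.g. `PRETTY_NAME=...`) rather than a free-form label; worth checking against the ukify manual.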
From: Lilah Tascheter <lilah@HIDDEN>
To: 68524 <at> debbugs.gnu.org
Cc: Lilah Tascheter <lilah@HIDDEN>
X-Debbugs-Cc: Efraim Flashner <efraim@HIDDEN>, Vagrant Cascadian <vagrant@HIDDEN>
Subject: [PATCH 1/2] gnu: bootloaders: Add uki packages.
Date: Tue, 16 Jan 2024 22:48:10 -0600

* gnu/packages/bootloaders.scm (systemd-stub-name): New procedure.
(systemd-version,systemd-source,systemd-stub,ukify): New variables.

Change-Id: Ie27bdcbf2c03e895956295f94f280c304393ce8d
---
 gnu/packages/bootloaders.scm | 94 ++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/gnu/packages/bootloaders.scm b/gnu/packages/bootloaders.scm
index c73a0e665d..32cbb4e704 100644
--- a/gnu/packages/bootloaders.scm
+++ b/gnu/packages/bootloaders.scm
@@ -46,11 +46,13 @@ (define-module (gnu packages bootloaders) #:use-module (gnu packages compression) #:use-module (gnu packages cross-base) #:use-module (gnu packages disk) + #:use-module (gnu packages efi) #:use-module (gnu packages firmware) #:use-module (gnu packages flex) #:use-module (gnu packages fontutils) #:use-module (gnu packages gcc) #:use-module (gnu packages gettext) + #:use-module (gnu packages gperf) #:use-module (gnu packages linux) #:use-module (gnu packages man) #:use-module (gnu packages mtools) @@ -71,11 +73,13 @@ (define-module (gnu packages bootloaders) #:use-module (gnu packages valgrind) #:use-module (gnu packages virtualization) #:use-module (gnu packages xorg) + #:use-module (gnu packages python-crypto) #:use-module (gnu packages python-web) #:use-module (gnu packages python-xyz) #:use-module (guix build-system gnu) #:use-module (guix build-system meson) #:use-module (guix build-system pyproject) + #:use-module (guix build-system python) #:use-module (guix build-system trivial) #:use-module (guix download) #:use-module (guix gexp) 
@@ -632,6 +636,96 @@ (define-public syslinux ;; Also contains: license:expat license:isc license:zlib))))) =20 +(define systemd-version "255") +(define systemd-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/systemd/systemd") + (commit (string-append "v" systemd-version)))) + (file-name (git-file-name "systemd" systemd-version)) + (sha256 + (base32 + "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6")))) + +(define-public (systemd-stub-name) + (let ((arch (cond ((target-x86-32?) "ia32") + ((target-x86-64?) "x64") + ((target-arm32?) "arm") + ((target-aarch64?) "aa64") + ((target-riscv64?) "riscv64")))) + (string-append "linux" arch ".efi.stub"))) + +(define-public systemd-stub + (package + (name "systemd-stub") + (version systemd-version) + (source systemd-source) + (build-system meson-build-system) + (arguments + (list + #:configure-flags + `(list "-Defi=3Dtrue" "-Dsbat-distro=3Dguix" + "-Dsbat-distro-generation=3D1" ; package revision! + "-Dsbat-distro-summary=3DGuix System" + "-Dsbat-distro-url=3Dhttps://guix.gnu.org" + ,(string-append "-Dsbat-distro-pkgname=3D" name) + ,(string-append "-Dsbat-distro-version=3D" version)) + #:phases + #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name)= ))) + (modify-phases %standard-phases + (replace 'build + (lambda* (#:key parallel-build? #:allow-other-keys) + (invoke "ninja" stub + "-j" (if parallel-build? + (number->string (parallel-job-count)) "1")))) + (replace 'install + (lambda _ + (install-file stub (string-append #$output "/libexec")))= ) + (delete 'check))))) + (inputs (list libcap python-pyelftools `(,util-linux "lib"))) + (native-inputs (list gperf pkg-config python-3 python-jinja2)) + (home-page "https://systemd.io") + (synopsis "Unified kernel image UEFI stub") + (description "Simple UEFi boot stub that loads a conjoined kernel imag= e and +supporting data to their proper locations, before chainloading to the kern= el. 
+Supports measured and/or verified boot environments.") + (license license:lgpl2.1+))) + +(define-public ukify + (package + (name "ukify") + (version systemd-version) + (source systemd-source) + (build-system python-build-system) + (arguments + (list #:phases + #~(modify-phases %standard-phases + (replace 'build + (lambda _ + (substitute* "src/ukify/ukify.py" ; added in python 3.= 11 + (("datetime\\.UTC") "datetime.timezone.utc")))) + (delete 'check) + (replace 'install + (lambda* (#:key inputs #:allow-other-keys) + (let* ((bin (string-append #$output "/bin")) + (file (string-append bin "/ukify")) + (binutils (assoc-ref inputs "binutils")) + (sbsign (assoc-ref inputs "sbsigntools"))) + (mkdir-p bin) + (copy-file "src/ukify/ukify.py" file) + (wrap-program file + `("PATH" ":" prefix + (,(string-append binutils "/bin") + ,(string-append sbsign "/bin")))))))))) + (inputs (list binutils python-cryptography python-pefile sbsigntools)) + (home-page "https://systemd.io") + (synopsis "Unified kernel image UEFI tool") + (description "@command{ukify} joins together a UKI stub, linux kernel,= initrd, +kernel arguments, and optional secure boot signatures into a single, UEFI-= bootable +image.") + (license license:lgpl2.1+))) + (define-public dtc (package (name "dtc") base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1 --=20 2.41.0
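Review bot: the `cond` in `systemd-stub-name` has no `else` arm, so on any target other than the five listed (`target-x86-32?`, `target-x86-64?`, `target-arm32?`, `target-aarch64?`, `target-riscv64?`) `arch` is unspecified and `(string-append "linux" arch ".efi.stub")` fails with a type error that does not name the cause; add `(else (error "systemd-stub: unsupported target"))` so an unsupported platform fails clearly at definition time. Two smaller points in the same hunk: `"-Dsbat-distro-generation=1" ; package revision!` is the SBAT generation that firmware and shim compare against their revocation list, so the comment should say explicitly that it has to be incremented whenever a fixed security issue would otherwise leave older stubs bootable, and the `ukify` package's `(replace 'build ...)` only runs a `substitute*` on `src/ukify/ukify.py`, which reads better as `(add-after 'unpack 'use-timezone-utc ...)` with the build phase left alone. `guix lint` will also flag `UEFi` and lowercase `linux` in the two descriptions.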
From: Lilah Tascheter <lilah@HIDDEN>
To: guix-patches@HIDDEN
Cc: Lilah Tascheter <lilah@HIDDEN>
Subject: [PATCH 0/2] Support root encryption and secure boot.
Date: Tue, 16 Jan 2024 22:23:02 -0600
Message-ID: <cover.1705465384.git.lilah@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Primarily adds a new bootloader, uefi-uki-bootloader, and an auxiliary form, uefi-uki-signed-bootloader. These use isolated fragments of the systemd project (particularly the systemd-stub UEFI stub and supporting ukify tool) to install combined kernel/arguments/initrd images to the EFI system partition. The built-in UEFI boot manager can then deal with boot selection. While this does require copying files from the store to the partition, it makes up for it in two important ways:

1. Proper encrypted root support! GRUB is really fucking slow at decrypting the store in my experience, and it's annoying to have to enter in the root password twice. Since the kernel is loaded directly from the system partition, the first, and only, LUKS password entry is in the initrd. Also wholly bypasses GRUB not supporting LUKS2 (or, at least, having bad issues with it on Guix).

2. Secure boot support! It's set up assuming the user has already created the necessary keys (typically, in /root, as they should only be root-accessible). Passing the paths to the db cert and key to uefi-uki-signed-bootloader will then automatically sign the entire bootloader image. In combination with root encryption, assuming a functioning motherboard UEFI installation, this should fully secure Guix's boot chain.

This is ported from my personal channel, so uefi-uki-bootloader has been tested for months. The main drawback is lack of kernel generation rollback in the case of a botched upgrade, so I've been keeping around a manually-copied backup uki image, but I haven't had any troubles with it so far. I have just verified uefi-uki-signed-bootloader properly functions and boots in secure boot user mode.

All in-system testing has been done on my channel, so the porting process may have had issues, but I did make sure the added packages compile, and there aren't any miscopies.

No clue how this works on non-x64 systems. I don't think there are enough ARM UEFI systems in existence for it to matter that much anyway.

Thanks!

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  35 +++++++++---
 gnu/bootloader/uki.scm       | 106 +++++++++++++++++++++++++++++++++++
 gnu/packages/bootloaders.scm |  94 +++++++++++++++++++++++++++++++
 3 files changed, 227 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
-- 
2.41.0
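Added here as an illustration, not code from the patch or from systemd: a Python inspector that reads a PE32+ image the way a post-install check on a ukify output would, listing the sections a UKI is expected to carry, reporting whether the Authenticode certificate table is populated (whether the signing step of uefi-uki-signed-bootloader actually ran), and parsing the .sbat rows whose generation number the patch's -Dsbat-distro-generation flag sets. The build_pe32plus helper and the SBAT text are constructed stand-ins so the block runs offline; a real UKI read from the ESP can be passed to check_uki instead.

```python
import struct
# UKI sections systemd-stub expects; .sbat holds the revocation metadata the -Dsbat-distro-* flags set.
UKI_SECTIONS = (".linux", ".initrd", ".cmdline", ".osrel", ".sbat")

def build_pe32plus(sections, signed=False):
    """Constructed, non-bootable PE32+ shell used only as sample input here."""
    opt_size, pe = 240, 0x40                     # PE32+ optional header size, e_lfanew
    data_start = pe + 24 + opt_size + 40 * len(sections)
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe))
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt, shdrs, data = bytearray(opt_size), bytearray(), bytearray()
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    for name, content in sections.items():
        off = data_start + len(data)
        shdrs += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(content), off, len(content), off, 0, 0, 0, 0, 0x40000040)
        data += content
    if signed:                                   # stand-in for an Authenticode signature blob
        struct.pack_into("<II", opt, 144, data_start + len(data), 8)
        data += b"\0" * 8
    return bytes(img + opt + shdrs + data)

def parse_pe_sections(blob):
    """Return ({section name: raw bytes}, certificate table populated?)."""
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    opt = pe + 24
    if (blob[:2] != b"MZ" or blob[pe:pe + 4] != b"PE\0\0"
            or struct.unpack_from("<H", blob, opt)[0] != 0x20B):
        raise ValueError("not a PE32+ image")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    # Data directory 4 (certificate table) sits at offset 144 of a PE32+ optional header.
    _, cert_size = struct.unpack_from("<II", blob, opt + 144)
    sections = {}
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode()
        _, _, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, hdr + 8)
        sections[name] = blob[raw_ptr:raw_ptr + raw_size]
    return sections, cert_size > 0

def check_uki(blob):
    """Report missing UKI sections, whether a signature is attached, and parsed SBAT rows."""
    sections, signed = parse_pe_sections(blob)
    rows = [l.split(",") for l in sections.get(".sbat", b"").decode().splitlines() if l]
    return {"missing": [s for s in UKI_SECTIONS if s not in sections], "signed": signed, "sbat": rows}
# Constructed sample: an unsigned image whose second SBAT row uses the values the patch's flags supply.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"systemd.guix,1,Guix System,systemd-stub,255,https://guix.gnu.org\n")
SAMPLE_UKI = build_pe32plus({".linux": b"<kernel>", ".initrd": b"<initrd>", ".cmdline": b"root=/dev/mapper/root",
                             ".osrel": b"ID=guix\n", ".sbat": SAMPLE_SBAT})
```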
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.