| Message ID | cover.1705465384.git.lilah@lunabee.space |
|---|---|
| Headers |
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 607D327BBE9; Wed, 17 Jan 2024 04:38:21 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,FROM_SUSPICIOUS_NTLD,MAILING_LIST_MULTI,PDS_OTHER_BAD_TLD, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 2568A27BBE2 for <patchwork@mira.cbaines.net>; Wed, 17 Jan 2024 04:38:19 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from <guix-patches-bounces@gnu.org>) id 1rPxgj-000269-HN; Tue, 16 Jan 2024 23:38:05 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1rPxgh-00025l-KK for guix-patches@gnu.org; Tue, 16 Jan 2024 23:38:03 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1rPxgf-0003Ok-M2 for guix-patches@gnu.org; Tue, 16 Jan 2024 23:38:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1rPxgg-0005Kb-B8 for guix-patches@gnu.org; Tue, 16 Jan 2024 23:38:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#68524] [PATCH 0/2] Support root encryption and secure boot. Resent-From: Lilah Tascheter <lilah@lunabee.space> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 17 Jan 2024 04:38:02 +0000 Resent-Message-ID: <handler.68524.B.170546623020392@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 68524 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 68524@debbugs.gnu.org Cc: Lilah Tascheter <lilah@lunabee.space> X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.170546623020392 (code B ref -1); Wed, 17 Jan 2024 04:38:02 +0000 Received: (at submit) by debbugs.gnu.org; 17 Jan 2024 04:37:10 +0000 Received: from localhost ([127.0.0.1]:50353 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>) id 1rPxfq-0005Iq-7E for submit@debbugs.gnu.org; Tue, 16 Jan 2024 23:37:10 -0500 Received: from lists.gnu.org ([2001:470:142::17]:60336) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <lilah@lunabee.space>) id 1rPxfo-0005IE-0X for submit@debbugs.gnu.org; Tue, 16 Jan 2024 23:37:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <lilah@lunabee.space>) id 1rPxfg-0001zY-4i for guix-patches@gnu.org; Tue, 16 Jan 2024 23:37:00 -0500 Received: from sendmail.purelymail.com ([34.202.193.197]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <lilah@lunabee.space>) id 1rPxfe-0003KP-6e for guix-patches@gnu.org; Tue, 16 Jan 2024 23:36:59 -0500 Authentication-Results: purelymail.com; auth=pass DKIM-Signature: a=rsa-sha256; b=TbHhiSD+tVCKkc6dzJRcrTLxZ5/KBv802THsycSXIwn0zg9Wcy4dXt7VhPLdqDaXcbg9HJ98ChNyL4I6nRhyCkeVeQz2Cr1UEl7ZOf2Q0uftdmgaRg+zxQVgIwf/RIUMhAUHGVMVxpLHCL6RFWdH7a5jIXC81G9pcce2l2ANExkzcYgvkBbsdWrN0mNhpf9+SIHqvuBNdpVk+SX5MjzSSy7eLmAlAEPB+R9BuaYrqhRKY4ogHQQtYpxiQNVDzQeppNcJCzfLZd28ckk9idZET3e0K/BeRWvMYytNymSP9XNDag5OAviEP0vVhVkrJRt2RkUBqloGSa6jzEHfC/FXOA==; s=purelymail1; d=lunabee.space; v=1; bh=mprrEhP8X6L9Qf6q6VbO2LR009RJav2B6uwqZK7i9DY=; h=Received:From:To:Subject; DKIM-Signature: a=rsa-sha256; b=DR8rWUscB1c4ZNaHEWTa0+sK467+o0kP5bjD5FiiCA8/gJgFQe8218lPCrDb+17GWBSSzGP55M/nV2O6HNo1TVn1JFnO5gsHIZg07axdNaBPR9pVgz8n7BGuC3kMzSG8zf5AR3p/ucMMe5gKWpstgHE4iGQ81HSQe/Yco7nevX0GY+i5L8jjsJBgNQlthguKvMQLfI/BsoPn1FHHORjpWg/LEgcgYyOY0dU1Vbro4zF+w2UX62bzuPUIXtJMGf0OMG1ptfa9vAyzc1UI1zZRwSt9dc85cJzw7AGfr7mLaKIqFdXZwkejegTBJrIpR2lz5s/fJxmeZdBE/Y51mQuPGQ==; s=purelymail1; d=purelymail.com; v=1; bh=mprrEhP8X6L9Qf6q6VbO2LR009RJav2B6uwqZK7i9DY=; h=Feedback-ID:Received:From:To:Subject; Feedback-ID: 8937:2070:null:purelymail X-Pm-Original-To: guix-patches@gnu.org Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -2094701616; (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Wed, 17 Jan 2024 04:36:45 +0000 (UTC) Date: Tue, 16 Jan 2024 22:23:02 -0600 Message-ID: <cover.1705465384.git.lilah@lunabee.space> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail Content-Type: text/plain; charset=UTF-8 Received-SPF: pass client-ip=34.202.193.197; envelope-from=lilah@lunabee.space; helo=sendmail.purelymail.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: <guix-patches.gnu.org> List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=unsubscribe> List-Archive: <https://lists.gnu.org/archive/html/guix-patches> List-Post: <mailto:guix-patches@gnu.org> List-Help: <mailto:guix-patches-request@gnu.org?subject=help> List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=subscribe> From: Lilah Tascheter via Guix-patches <guix-patches@gnu.org> Reply-To: Lilah Tascheter <lilah@lunabee.space> Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches |
| Series |
Support root encryption and secure boot.
|
|
Message
Lilah Tascheter
Jan. 17, 2024, 4:23 a.m. UTC
Primarily adds a new bootloader, uefi-uki-bootloader, and an auxilliary form, uefi-uki-signed-bootloader. These use isolated fragments of the systemd project (particularly the systemd-stub UEFI stub and supporting ukify tool) to install combined kernel/arguments/initrd images to the EFI system partition. The built-in UEFI boot manager can then deal with boot selection. While this does require copying files from the store to the partition, it makes up for it in two important ways: 1. Proper encrypted root support! GRUB is really fucking slow at decrypting the store in my experience, and it's annoying to have to enter in the root password twice. Since the kernel is loaded directly from the system partition, the first, and only, LUKS password entry is in the initrd. Also wholly bypasses GRUB not supporting LUKS2 (or, at least, having bad issues with it on Guix). 2. Secure boot support! It's set up assuming the user has already created the necessary keys (typically, in /root, as they should only be root-accessible). Passing the paths to the db cert and key to uefi-uki-signed-bootloader will then automatically sign the entire bootloader image. In combination with root encryption, assuming a functioning motherboard UEFI installation, this should fully secure Guix's boot chain. This is ported from my personal channel, so uefi-uki-bootloader has been tested for months. The main drawback is lack of kernel generation rollback in the case of a botched upgrade, so I've been keeping around a manually-copied backup uki image, but I haven't had any troubles with it so far. I have just verified uefi-uki-signed-bootloader properly functions and boots in secure boot user mode. All in-system testing has been done on my channel, so the porting process may have had issues, but I did make sure the added packages compile, and there aren't any miscopies. No clue how this works on non-x64 systems. I don't think there's enough ARM UEFI systems in existance for it to matter that much anyway. Thanks! Lilah Tascheter (2): gnu: bootloaders: Add uki packages. gnu: bootloaders: Add uefi-uki-bootloader. doc/guix.texi | 35 +++++++++--- gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++ gnu/packages/bootloaders.scm | 94 +++++++++++++++++++++++++++++++ 3 files changed, 227 insertions(+), 8 deletions(-) create mode 100644 gnu/bootloader/uki.scm base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1
Comments
nah, what I meant by that is instead of entering your password while you're booted into grub, you enter it while booted into your initrd. either way nothing touches the disk.
Great, thank you for clarifying. This is awesome work. Does it mean however that Guix becomes tied to systemd in some way when this feature is used? Or is the feature sufficiently isolated that no systemd process takes place? I've also looked briefly into this from another angle, trying to either patch GRUB or to use kexec and boot from a USB. I'm glad that you were able to do this, thanks a lot! Regards, Nikolaos Chatzikonstantinou
sorry for the late responses; I don't actually get sent your replies unless you cc me. and yeah don't worry it's isolated. there's only two bits of systemd used, systemd-boot-stub and ukify. ukify is pretty much just a single python script, and systemd-boot-stub is just a bit of code tacked on to the boot process to handle combining the kernel, args, and initrd together. no daemons or code past the bootloader at all! of note I'm currently in the process of rewriting the entire guix bootloader stack to make this work a Lot nicer. sooo hopefully that gets finished soon.
On Sat, Mar 23, 2024 at 3:40 PM Lilah Tascheter <lilah@lunabee.space> wrote: > and yeah don't worry it's isolated. there's only two bits of systemd > used, systemd-boot-stub and ukify. ukify is pretty much just a single > python script, and systemd-boot-stub is just a bit of code tacked on to > the boot process to handle combining the kernel, args, and initrd > together. no daemons or code past the bootloader at all! > > of note I'm currently in the process of rewriting the entire guix > bootloader stack to make this work a Lot nicer. sooo hopefully that > gets finished soon. Very exciting! I am looking forward to looking at the code. Regards, Nikolaos Chatzikonstantinou
Hi all! No clue if this patch series is still being worked on, however I have been keeping an eye on this (want to migrate away from GRUB because of decryption speed and integrity reasons). Good news, I've successfully added these patches on a local channel I have and everything still works, with little modifications (this has been an on and off process over the past month or so because I've been busy, so my memory of changes made may be fuzzy). However, I did notice a bug. When performing a fresh installation, the bootloader install will always fail since it assumes "/boot/efi" as the base "script-path". This assumption is false due to the installer placing the system being installed at "/mnt/boot/efi". Outside of that, is a new rewrite of the boot system still being worked on? What kinds of things are we looking for to get UKIs merged? Should I start/continue a thread on guix-devel? I'd like to help where I can.
Hey!
> When performing a fresh installation, the bootloader install will >
always fail since it assumes "/boot/efi" as the base "script-path".
Yeah, sorry, limitation of the current system. Speaking of, though...
The rewrite has been posted! The new patch series is at
https://issues.guix.gnu.org/72457 which also subsumes this series, so
I'll close this one in favor of it.
Thanks y'all!
On Thu, Aug 15, 2024 at 9:15 AM Lilah Tascheter <lilah@lunabee.space> wrote: > > Hey! > > > When performing a fresh installation, the bootloader install will > > always fail since it assumes "/boot/efi" as the base "script-path". > Yeah, sorry, limitation of the current system. Speaking of, though... > > The rewrite has been posted! The new patch series is at > https://issues.guix.gnu.org/72457 which also subsumes this series, so > I'll close this one in favor of it. Congratulations. This is great! Regards, Nikolaos Chatzikonstantinou
You can't change kernel parameters when you boot uki bootloader. GRUB allows you to change kernel parameters before boot. I wish guix installed kernel and initrd and grub.cfg in /boot. Then, grub doesn't need a password, and decrypting encrypted file systems will be a lot faster with grub.
I propose writing grub.cfg instead of modifying nvram. 1. Modifying nvram whenever there are changes to kernel images will increase wear and tear on nvram. If grub loads uki, then nvram lifespan will increase. 2. kernel arguments should go to both grub.cfg and uki because uki arguments are passed to kernel in the absence of secure boot. I'd like to be able to change kernel arguments in grub for debugging and troubleshooting. Thus, the bootloader can be called grub-uefi-uki-bootloader and grub-uefi-uki-signed-bootloader.