From patchwork Wed Jan 17 04:23:02 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lilah Tascheter X-Patchwork-Id: 1563 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 607D327BBE9; Wed, 17 Jan 2024 04:38:21 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,FROM_SUSPICIOUS_NTLD,MAILING_LIST_MULTI,PDS_OTHER_BAD_TLD, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 2568A27BBE2 for ; Wed, 17 Jan 2024 04:38:19 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rPxgj-000269-HN; Tue, 16 Jan 2024 23:38:05 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPxgh-00025l-KK for guix-patches@gnu.org; Tue, 16 Jan 2024 23:38:03 -0500 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1rPxgf-0003Ok-M2 for guix-patches@gnu.org; Tue, 16 Jan 2024 23:38:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1rPxgg-0005Kb-B8 for guix-patches@gnu.org; Tue, 16 Jan 2024 23:38:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#68524] [PATCH 0/2] Support root encryption and secure boot. Resent-From: Lilah Tascheter Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 17 Jan 2024 04:38:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 68524 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 68524@debbugs.gnu.org Cc: Lilah Tascheter X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.170546623020392 (code B ref -1); Wed, 17 Jan 2024 04:38:02 +0000 Received: (at submit) by debbugs.gnu.org; 17 Jan 2024 04:37:10 +0000 Received: from localhost ([127.0.0.1]:50353 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rPxfq-0005Iq-7E for submit@debbugs.gnu.org; Tue, 16 Jan 2024 23:37:10 -0500 Received: from lists.gnu.org ([2001:470:142::17]:60336) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1rPxfo-0005IE-0X for submit@debbugs.gnu.org; Tue, 16 Jan 2024 23:37:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPxfg-0001zY-4i for guix-patches@gnu.org; Tue, 16 Jan 2024 23:37:00 -0500 Received: from sendmail.purelymail.com ([34.202.193.197]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rPxfe-0003KP-6e for guix-patches@gnu.org; Tue, 16 Jan 2024 23:36:59 -0500 Authentication-Results: purelymail.com; auth=pass DKIM-Signature: a=rsa-sha256; b=TbHhiSD+tVCKkc6dzJRcrTLxZ5/KBv802THsycSXIwn0zg9Wcy4dXt7VhPLdqDaXcbg9HJ98ChNyL4I6nRhyCkeVeQz2Cr1UEl7ZOf2Q0uftdmgaRg+zxQVgIwf/RIUMhAUHGVMVxpLHCL6RFWdH7a5jIXC81G9pcce2l2ANExkzcYgvkBbsdWrN0mNhpf9+SIHqvuBNdpVk+SX5MjzSSy7eLmAlAEPB+R9BuaYrqhRKY4ogHQQtYpxiQNVDzQeppNcJCzfLZd28ckk9idZET3e0K/BeRWvMYytNymSP9XNDag5OAviEP0vVhVkrJRt2RkUBqloGSa6jzEHfC/FXOA==; s=purelymail1; d=lunabee.space; v=1; bh=mprrEhP8X6L9Qf6q6VbO2LR009RJav2B6uwqZK7i9DY=; h=Received:From:To:Subject; DKIM-Signature: a=rsa-sha256; b=DR8rWUscB1c4ZNaHEWTa0+sK467+o0kP5bjD5FiiCA8/gJgFQe8218lPCrDb+17GWBSSzGP55M/nV2O6HNo1TVn1JFnO5gsHIZg07axdNaBPR9pVgz8n7BGuC3kMzSG8zf5AR3p/ucMMe5gKWpstgHE4iGQ81HSQe/Yco7nevX0GY+i5L8jjsJBgNQlthguKvMQLfI/BsoPn1FHHORjpWg/LEgcgYyOY0dU1Vbro4zF+w2UX62bzuPUIXtJMGf0OMG1ptfa9vAyzc1UI1zZRwSt9dc85cJzw7AGfr7mLaKIqFdXZwkejegTBJrIpR2lz5s/fJxmeZdBE/Y51mQuPGQ==; s=purelymail1; d=purelymail.com; v=1; bh=mprrEhP8X6L9Qf6q6VbO2LR009RJav2B6uwqZK7i9DY=; h=Feedback-ID:Received:From:To:Subject; Feedback-ID: 8937:2070:null:purelymail X-Pm-Original-To: guix-patches@gnu.org Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id -2094701616; (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Wed, 17 Jan 2024 04:36:45 +0000 (UTC) Date: Tue, 16 Jan 2024 22:23:02 -0600 Message-ID: MIME-Version: 1.0 X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail Received-SPF: pass client-ip=34.202.193.197; envelope-from=lilah@lunabee.space; helo=sendmail.purelymail.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Lilah Tascheter via Guix-patches From: Lilah Tascheter Reply-To: Lilah Tascheter Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches Primarily adds a new bootloader, uefi-uki-bootloader, and an auxilliary form, uefi-uki-signed-bootloader. These use isolated fragments of the systemd project (particularly the systemd-stub UEFI stub and supporting ukify tool) to install combined kernel/arguments/initrd images to the EFI system partition. The built-in UEFI boot manager can then deal with boot selection. While this does require copying files from the store to the partition, it makes up for it in two important ways: 1. Proper encrypted root support! GRUB is really fucking slow at decrypting the store in my experience, and it's annoying to have to enter in the root password twice. Since the kernel is loaded directly from the system partition, the first, and only, LUKS password entry is in the initrd. Also wholly bypasses GRUB not supporting LUKS2 (or, at least, having bad issues with it on Guix). 2. Secure boot support! It's set up assuming the user has already created the necessary keys (typically, in /root, as they should only be root-accessible). Passing the paths to the db cert and key to uefi-uki-signed-bootloader will then automatically sign the entire bootloader image. In combination with root encryption, assuming a functioning motherboard UEFI installation, this should fully secure Guix's boot chain. This is ported from my personal channel, so uefi-uki-bootloader has been tested for months. The main drawback is lack of kernel generation rollback in the case of a botched upgrade, so I've been keeping around a manually-copied backup uki image, but I haven't had any troubles with it so far. I have just verified uefi-uki-signed-bootloader properly functions and boots in secure boot user mode. All in-system testing has been done on my channel, so the porting process may have had issues, but I did make sure the added packages compile, and there aren't any miscopies. No clue how this works on non-x64 systems. I don't think there's enough ARM UEFI systems in existance for it to matter that much anyway. Thanks! Lilah Tascheter (2): gnu: bootloaders: Add uki packages. gnu: bootloaders: Add uefi-uki-bootloader. doc/guix.texi | 35 +++++++++--- gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++ gnu/packages/bootloaders.scm | 94 +++++++++++++++++++++++++++++++ 3 files changed, 227 insertions(+), 8 deletions(-) create mode 100644 gnu/bootloader/uki.scm base-commit: 21f5d20d68e0359f8111ccb936905649c70db9c1