From patchwork Sun Jan 28 09:51:38 2024
X-Patchwork-Submitter: Lilah Tascheter
X-Patchwork-Id: 2206
Subject: [bug#68524] [PATCH v2 0/2] Support root encryption and secure boot.
To: 68524@debbugs.gnu.org
Cc: vagrant@debian.org, Lilah Tascheter, herman@rimm.ee, efraim@flashner.co.il
Date: Sun, 28 Jan 2024 03:51:38 -0600
From: Lilah Tascheter

Thank you so much Herman, that motherfucking typo was what made my
old-entries testing not work. I reworked the majority of the
install-uki.scm code, and now uefi-uki-bootloader and
uefi-uki-signed-bootloader support generation rollback! Slightly jank,
but it works.

On install, we pretty much just cram as many generations into the ESP as
possible. ESPs are typically small, so we can't assume that we can fit
more than one UKI, so if we can't fit every extant generation we just
exit early. We also don't waste space on root by adding each UKI to the
store anymore. They're all generated at install time.

Added slightly more documentation too. Otherwise, fixed everything
Herman pointed out! Decided not to add a manual section on manually
running /boot/install-uki.scm though. It's more of a quirk of getting
around guix's bootloader assumptions than meant to be run that way; I
don't know if it's a good idea to direct attention to it. I mean it
Works, but it's more of a quick hack.

Lilah Tascheter (2):
  gnu: bootloaders: Add uki packages.
  gnu: bootloaders: Add uefi-uki-bootloader.

 doc/guix.texi                |  45 ++++++++----
 gnu/bootloader/uki.scm       | 129 +++++++++++++++++++++++++++++++++++
 gnu/local.mk                 |   1 +
 gnu/packages/bootloaders.scm |  95 ++++++++++++++++++++++++++
 4 files changed, 258 insertions(+), 12 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

base-commit: 2823253484e49391c6ba3c653a2f9e9f5e5f38ae