GNU bug report logs - #68524: [PATCH 0/2] Support root encryption and secure boot.
Message #14 received at 68524 <at> debbugs.gnu.org:
Hello,
On Tue, Jan 16, 2024 at 10:48:11PM -0600, Lilah Tascheter wrote:
> * doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
> uefi-uki-bootloader and uefi-uki-signed-bootloader.
> * gnu/bootloader/uki.scm: New file.
Remember to note your copyright and register new files in gnu/local.mk.
> +(define* (uefi-uki-configuration-file #:optional cert privkey)
> + (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)
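Review bot: because the lambda* declares #:allow-other-keys, the misspelled keyword (old-entires '()) is not caught at call time: a caller passing #:old-entries is accepted silently, the value is dropped, and the binding keeps its default '(). Rename it to old-entries and consider dropping #:allow-other-keys unless other keywords really are expected, so that a future typo of this kind is rejected instead of ignored.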
old-entries got mistyped as old-entires.
> + (define (menu-entry->uki e)
> + (define stub (file-append systemd-stub "/libexec/" (systemd-stub-name)))
Can you have systemd-stub be an argument of uefi-uki-configuration-file?
> + (when (file-exists? schema)
> + (call-with-input-file schema
> + (lambda (port)
> + (for-each (lambda (l)
> + (unless (string-null? l)
> + (system* efibootmgr "-B" "-L" l)))
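Review bot: the system* call inside the for-each discards efibootmgr's exit status, so a failed deletion of an old entry passes unnoticed and the entry created afterwards ends up next to a stale duplicate with the same label. Use invoke, which raises on a non-zero exit, or test (status:exit-val (system* ...)) and report the label that could not be removed. If the output is silenced as suggested, keep the status check so the failure is not silenced with it.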
You can make this quiet.
> + (invoke efibootmgr "-c" "-L" label "-d" disk "-l"
Maybe this too?
> +(define install-uefi-uki
> + #~(lambda (bootloader target mount-point)
Get systemd-stub from bootloader with bootloader-package.
> + (invoke (string-append mount-point "/boot/install-uki.scm")
> + (string-append mount-point target))))
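Review bot: (string-append mount-point target) joins the two with no separator, so the call only produces a valid path when target begins with "/"; either insert the "/" explicitly or document that requirement. Also check with file-exists? that install-uki.scm is present at mount-point/boot before calling invoke, so a missing or not yet installed script fails with a clear message rather than the raw error from invoke.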
The way GRUB does it, if mount-point/boot/efi does not exist, try
installing to /boot/efi in case the ESP got mounted there. Personally, I
think it's okay to only try installing to mount-point/boot/efi.
> +(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
> +;; use ukify genkey to generate cert and privkey. DO NOT include in store.
> +(define-public (uefi-uki-signed-bootloader cert privkey)
> + (make-uefi-uki-bootloader cert privkey))
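Review bot: the comment "DO NOT include in store" is the only statement of how cert and privkey are handled, and as a comment it is invisible to users of uefi-uki-signed-bootloader. Move it into a docstring that says what kind of value the two arguments take (for example, host paths read at install time rather than file-like objects that would be copied into /gnu/store) and why, and note that they must be given together, since make-uefi-uki-bootloader is otherwise called with neither.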
Can you use define instead and export the bootloaders in define-module?
I expect define-public procedures in package modules which would have to
use an export procedure with many arguments otherwise.
The install-uki.scm config file is a nice idea. It can be used to
regenerate the UKI and corresponding UEFI boot entry. Now that I think
about it, can that be included as an example? Like:
uefi-uki-bootloader installs install-uki.scm to /boot, you can use it
to (re)create the UKI manually: sudo ./install-uki.scm /boot/efi/. If
you need to chroot to an existing system on /mnt, mount efivars first:
mount --bind /sys/firmware/efi/efivars /mnt/sys/firmware/efi/efivars.
This is required for efibootmgr to (re)install the UEFI entry for the
corresponding UKI.
This bootloader has been very useful to me. I could easily chainload the
UKI from an install image GRUB, whenever I messed up the UEFI boot entry
for the EFI stub bootloader I'm working on.
Thank you,
Herman
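As an added example (not code from the patch, from Lilah, or from the Guix tree), the check a practitioner would want after running install-uki.scm by hand or from a chroot: it parses the output of efibootmgr and confirms that exactly one entry carries the UKI's label and that it heads BootOrder, which is the state the installer's delete-old-entries-then-create sequence is meant to leave behind. The label "Guix", the efibootmgr output layout and the sample output embedded in the script are assumptions.

```shell
#!/bin/sh
# Added example; it is not part of the patch under review or of the Guix
# tree. After install-uki.scm has (re)created the UKI and its boot entry,
# this checks the result the installer is meant to leave behind: exactly
# one UEFI entry with the UKI's label, listed first in BootOrder.
# Assumptions: the label used by the installer is "Guix" (passed as $1),
# and efibootmgr prints entries as "BootXXXX* <label>" (non-verbose) or
# "BootXXXX* <label>\t<device path>" (-v).
set -eu

# Print the four-digit numbers of all entries whose label is exactly $1,
# reading efibootmgr output on stdin. Inactive entries ("BootXXXX  ")
# are included, since they would still be duplicates.
entries_with_label() {
    awk -v want="$1" '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
            num = substr($0, 5, 4)
            label = substr($0, 11)
            sub(/\t.*/, "", label)      # drop the -v device path
            sub(/[ \t]+$/, "", label)   # and trailing whitespace
            if (label == want) print num
        }'
}

# Print a summary and return 0 when the entry for $1 exists once and
# heads BootOrder; otherwise explain the problem on stderr and return
# 1 (missing), 2 (duplicated) or 3 (present but not first).
check_uki_entry() {
    label=$1
    out=$(cat)
    nums=$(printf '%s\n' "$out" | entries_with_label "$label")
    count=$(printf '%s\n' "$nums" | grep -c . || true)
    first=$(printf '%s\n' "$out" | sed -n 's/^BootOrder: *\([0-9A-Fa-f]*\).*/\1/p')
    case $count in
        0) echo "no UEFI entry labelled '$label'; rerun install-uki.scm with efivars mounted" >&2
           return 1 ;;
        1) ;;
        *) echo "duplicate UEFI entries labelled '$label':" $nums "(remove the stale ones with efibootmgr -B)" >&2
           return 2 ;;
    esac
    if [ "$nums" != "$first" ]; then
        echo "Boot$nums '$label' exists but BootOrder starts with $first" >&2
        return 3
    fi
    echo "ok: Boot$nums '$label' is the first entry in BootOrder"
}

# Constructed efibootmgr output for a healthy system (not captured from a
# real machine).
SAMPLE_OK='BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0000
Boot0000* UiApp
Boot0001* Guix'

# Self-check on the constructed sample. On a real system run instead:
#   efibootmgr | check_uki_entry Guix
printf '%s\n' "$SAMPLE_OK" | check_uki_entry Guix
```

The exit codes are distinct so the script can be used from a recovery shell: 1 means efibootmgr never wrote the entry (typically efivars not mounted in the chroot), 2 means an earlier run left a duplicate that the installer's cleanup did not remove, and 3 means the entry exists but the firmware will try something else first.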
This bug report was last modified 237 days ago.