GNU bug report logs - #68524
[PATCH 0/2] Support root encryption and secure boot.

Package: guix-patches;

Reported by: Lilah Tascheter <lilah <at> lunabee.space>

Date: Wed, 17 Jan 2024 04:38:02 UTC

Severity: normal

Tags: patch


Message #38 received at 68524 <at> debbugs.gnu.org:

From: Lilah Tascheter <lilah <at> lunabee.space>
To: 68524 <at> debbugs.gnu.org
Cc: Vagrant Cascadian <vagrant <at> debian.org>, Hilton Chain <hako <at> ultrarare.space>,
 Herman Rimm <herman <at> rimm.ee>, Efraim Flashner <efraim <at> flashner.co.il>
Subject: Re: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add
 uefi-uki-bootloader.
Date: Mon, 12 Feb 2024 20:11:18 -0600

heyo!

thanks for the review :) I'll submit a revised patch, but had a question before
I get to work on it.

> I tried to adjust uki.scm before commenting, so here's a paste of my
> adjusted version, in case some of my comments are not expressed clearly:
> https://paste.sr.ht/~hako/62bb15503290273e869520e12466718ebb82e000

nighttime sky I didn't realize reinstall-bootloader existed. shit.

at this point, I don't think the install-uki.scm hack is a good idea. to get
this fully functioning, will probably have to do some more invasive edits to the
bootloader system, since the current one pretty much assumes an
extlinux/grubalike (which is what necessitated install-uki in the first place).
RFC on the following plan:

* add secure-boot-cert and secure-boot-key fields to bootloader-configuration.

* deprecate configuration-file and configuration-file-generator in the
  bootloader struct, and instead create an install-configuration-file field,
  similar to install-bootloader. default procedure will be to do the current
  install-boot-cfg (gnu build install) using the deprecated fields.

* rework uki.scm to, instead, run efibootmgr in install-configuration-file and
  install the uki.efi files in install-bootloader. remove the separation between
  uefi-uki-signed-bootloader and uefi-uki-bootloader, instead working off the
  new bootloader-configuration fields.

this plan should work with reinstall-bootloader, even though it uses the default
bootloader-configuration, since files are only signed during installation
proper.

opinions?

thanks,
lilah
