GNU bug report logs - #68524
[PATCH 0/2] Support root encryption and secure boot.


Package: guix-patches;

Reported by: Lilah Tascheter <lilah <at> lunabee.space>

Date: Wed, 17 Jan 2024 04:38:02 UTC

Severity: normal

Tags: patch


From: Hilton Chain <hako <at> ultrarare.space>
To: Lilah Tascheter <lilah <at> lunabee.space>
Cc: Vagrant Cascadian <vagrant <at> debian.org>, 68524 <at> debbugs.gnu.org, Herman Rimm <herman <at> rimm.ee>, Efraim Flashner <efraim <at> flashner.co.il>
Subject: [bug#68524] [PATCH v2 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Date: Thu, 15 Feb 2024 02:02:19 +0800

Hi Lilah,

On Tue, 13 Feb 2024 15:34:55 +0800,
Lilah Tascheter wrote:
>
> > * add secure-boot-cert and secure-boot-key fields to
> >   bootloader-configuration.

How about using a pair instead of two fields?  And because the usage depends on
the bootloader, I'd like to use a generic name.

e.g. signing-keypair
 => '("/path/to/certificate" . "/path/to/private.key")

> > * deprecate configuration-file and configuration-file-generator in
> >   the bootloader struct, and instead create an install-configuration-file
> >   field, similar to install-bootloader. default procedure will be to do the
> >   current install-boot-cfg (gnu build install) using the deprecated fields.

I'd prefer ‘configuration-installer’, since the installation target may not be a
file. :)

I don't think the deprecation is necessary though, other bootloaders don't have
to duplicate this part of code, and in my opinion the following definition does
make sense.

--8<---------------cut here---------------start------------->8---
(define uefi-uki-bootloader
  (bootloader
   (name 'uefi-uki)
   (package systemd-stub)
   (installer install-uefi-uki)
   (configuration-installer install-uefi-uki-configuration)
   (configuration-file #f)
   (configuration-file-generator #f)))
--8<---------------cut here---------------end--------------->8---

> > * rework uki.scm to, instead, run efibootmgr in
> >   install-configuration-file and install the uki.efi files in install-bootloader.
> >   remove the separation between uefi-uki-signed-bootloader and
> >   uefi-uki-bootloader, instead working off the new bootloader-configuration
> >   fields.
>
> amending: also edit the bootloader-installer and bootloader-disk-image-installer
> procedures to provide the bootloader-configuration in some manner.

I agree that <bootloader> needs modifying, since unified kernel images currently
cannot be well described.  And to support proper generation switching, some
fields of <bootloader-configuration> need exposing.

As this now involves deeper change, I think it's better to post the plan on
guix-devel <at> gnu.org for wider visibility and potential discussions.

Thanks




This bug report was last modified 238 days ago.
