GNU bug report logs -
#68526
[PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Reported by: Lilah Tascheter <lilah <at> lunabee.space>
Date: Wed, 17 Jan 2024 04:38:03 UTC
Severity: normal
Tags: patch
Done: Lilah Tascheter <lilah <at> lunabee.space>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#68526; Package guix-patches. (Wed, 17 Jan 2024 04:38:03 GMT)
Acknowledgement sent to Lilah Tascheter <lilah <at> lunabee.space>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 17 Jan 2024 04:38:04 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.
Change-Id: Ie30ef47ea026889727a050131a9b3c0555aa4c21
---
doc/guix.texi | 35 ++++++++++----
gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 133 insertions(+), 8 deletions(-)
create mode 100644 gnu/bootloader/uki.scm
diff --git a/doc/guix.texi b/doc/guix.texi
index a66005ee9d..3029740f45 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40881,8 +40881,9 @@ Bootloader Configuration
The bootloader to use, as a @code{bootloader} object. For now
@code{grub-bootloader}, @code{grub-efi-bootloader},
@code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader},
-@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}
-and @code{u-boot-bootloader} are supported.
+@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader},
+@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader} are supported.
@cindex ARM, bootloaders
@cindex AArch64, bootloaders
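Review bot: this sentence lists values to be used "as a @code{bootloader} object", but uefi-uki-signed-bootloader, as the next hunk documents, is a procedure that takes a certificate and a key path, so naming it next to the plain objects suggests it can be used bare. Consider ending the list with @code{uefi-uki-bootloader} and adding "or a bootloader returned by @code{uefi-uki-signed-bootloader}".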
@@ -40989,6 +40990,24 @@ Bootloader Configuration
unbootable.
@end quotation
+@vindex uefi-uki-bootloader
+@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, without
+an intermediary like GRUB. The main practical advantage of this is allowing
+root/store encryption without an extra GRUB password entry and slow decryption
+step.
+
+@vindex uefi-uki-signed-bootloader
+@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, except
+that it is a procedure that returns a bootloader compatible with UEFI secure
+boot. You must provide it with two paths, to an out-of-store secure boot db
+certificate, and key, in that order.
+
+@quotation Note
+This bootloader @emph{does not} support booting from any old system generation.
+You will also need enough space in your EFI System partition to store your
+kernel and initramfs, though this likely won't be an issue.
+@end quotation
+
@item @code{targets}
This is a list of strings denoting the targets onto which to install the
bootloader.
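Review bot: the note on old generations should say what it means in practice: only the current generation's entries are installed, so @command{guix system roll-back} and @command{guix system switch-generation} have nothing to boot and recovery means reconfiguring or booting from other media. The secure boot paragraph should also tell the reader that the db certificate has to be enrolled in the firmware's db before the signed image will boot, and that the private key is read by the installer on every reconfigure, so it must stay readable by root but outside the store (the comment at the end of uki.scm says this; the manual does not). Minor: "linux" should be "Linux", and the manual otherwise says "initrd" rather than "initramfs".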
@@ -40997,12 +41016,12 @@ Bootloader Configuration
For @code{grub-bootloader}, for example, they should be device names
understood by the bootloader @command{installer} command, such as
@code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub,
-GNU GRUB Manual}). For @code{grub-efi-bootloader} and
-@code{grub-efi-removable-bootloader} they should be mount
-points of the EFI file system, usually @file{/boot/efi}. For
-@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount
-points corresponding to TFTP root directories served by your TFTP
-server.
+GNU GRUB Manual}). For @code{grub-efi-bootloader},
+@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and
+@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI file
+system, usually @file{/boot/efi}. For @code{grub-efi-netboot-bootloader},
+@code{targets} should be the mount points corresponding to TFTP root directories
+served by your TFTP server.
@item @code{menu-entries} (default: @code{'()})
A possibly empty list of @code{menu-entry} objects (see below), denoting
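Review bot: worth stating that for the two UKI bootloaders the target must be an actual mount point of the ESP, not merely a directory: the installer in gnu/bootloader/uki.scm runs @command{findmnt -T} on the target to pick the device for @command{efibootmgr -d}, so a target that is a plain directory on the root file system would register the boot entry against the wrong device without any error.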
diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm
new file mode 100644
index 0000000000..3131bae3d7
--- /dev/null
+++ b/gnu/bootloader/uki.scm
@@ -0,0 +1,106 @@
+;;; GNU Guix --- Functional package management for GNU
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu bootloader uki)
+ #:use-module (gnu bootloader)
+ #:use-module (gnu packages bootloaders)
+ #:use-module (gnu packages efi)
+ #:use-module (gnu packages linux)
+ #:use-module (guix gexp)
+ #:use-module (guix modules))
+
+;; config generator makes script creating uki images
+;; install runs script
+;; install device is path to uefi dir
+
+(define* (uefi-uki-configuration-file #:optional cert privkey)
+ (lambda* (config entries #:key (old-entires '()) #:allow-other-keys)
+
+ (define (menu-entry->uki e)
+ (define stub (file-append systemd-stub "/libexec/" (systemd-stub-name)))
+ (computed-file "uki.efi"
+ (with-imported-modules (source-module-closure '((guix build utils)))
+ #~(let ((args (list #$@(menu-entry-linux-arguments e))))
+ (use-modules (guix build utils))
+ (invoke #$(file-append ukify "/bin/ukify") "build"
+ "--linux" #$(menu-entry-linux e)
+ "--initrd" #$(menu-entry-initrd e)
+ "--os-release" #$(menu-entry-label e)
+ "--cmdline" (string-join args)
+ "--stub" #$stub
+ "-o" #$output)))))
+
+ (program-file "install-uki"
+ (with-imported-modules (source-module-closure '((guix build utils)))
+ #~(let* ((target (cadr (command-line)))
+ (vendir (string-append target "/EFI/Guix"))
+ (schema (string-append vendir "/boot.mgr"))
+ (findmnt #$(file-append util-linux "/bin/findmnt"))
+ (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")))
+ (use-modules (guix build utils) (ice-9 popen) (ice-9 textual-ports))
+
+ (define disk
+ (call-with-port
+ (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target)
+ (lambda (port) (get-line port)))) ; only 1 line: the device
+
+ (when (file-exists? schema)
+ (call-with-input-file schema
+ (lambda (port)
+ (for-each (lambda (l)
+ (unless (string-null? l)
+ (system* efibootmgr "-B" "-L" l)))
+ (string-split (get-string-all port) #\lf)))))
+ (when (directory-exists? vendir) (delete-file-recursively vendir))
+
+ (mkdir-p vendir)
+ (call-with-output-file schema
+ (lambda (port)
+ (for-each (lambda (uki label)
+ (let* ((base (basename uki))
+ (out (string-append vendir "/" base)))
+ #$(if cert ; sign here so we can access root certs
+ #~(invoke
+ #$(file-append sbsigntools "/bin/sbsign")
+ "--cert" #$cert "--key" #$privkey
+ "--output" out uki)
+ #~(copy-file uki out))
+ (invoke efibootmgr "-c" "-L" label "-d" disk "-l"
+ (string-append "\\EFI\\Guix\\" base))
+ (put-string port label)
+ (put-char port #\lf)))
+ (list #$@(map-in-order menu-entry->uki entries))
+ (list #$@(map-in-order menu-entry-label entries))))))))))
+
+(define install-uefi-uki
+ #~(lambda (bootloader target mount-point)
+ (invoke (string-append mount-point "/boot/install-uki.scm")
+ (string-append mount-point target))))
+
+(define* (make-uefi-uki-bootloader #:optional cert privkey)
+ (bootloader
+ (name 'uefi-uki)
+ (package systemd-stub)
+ (installer install-uefi-uki)
+ (disk-image-installer #f)
+ (configuration-file "/boot/install-uki.scm")
+ (configuration-file-generator (uefi-uki-configuration-file cert privkey))))
+
+(define-public uefi-uki-bootloader (make-uefi-uki-bootloader))
+;; use ukify genkey to generate cert and privkey. DO NOT include in store.
+(define-public (uefi-uki-signed-bootloader cert privkey)
+ (make-uefi-uki-bootloader cert privkey))
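Review bot: the install script deletes the previous boot entries (the `when (file-exists? schema)` loop) and removes `vendir` before a single new image has been signed, copied or registered, so if `sbsign` fails (wrong key path, key unreadable by root) or `efibootmgr -c` fails, the ESP holds no UKI and no Guix entry and the machine does not boot; write the new images to a staging directory on the ESP, create their entries, and only then remove the old entries and directory, or at least check every step before destroying anything. Related: the exit status of `system* efibootmgr "-B" "-L" l` is ignored, and efibootmgr documents `-B` as deleting the entry selected with `-b XXXX`; please confirm the packaged efibootmgr accepts `-B -L LABEL`, otherwise stale entries silently accumulate on every reconfigure. `findmnt -o SOURCE` yields the partition node, which is then passed as `-d disk` with no `-p`; efibootmgr documents `-d` as the disk and `-p` as the partition number, so either split the two or record which efibootmgr version accepts a partition node there. The keyword `old-entires` is misspelled and, together with `#:allow-other-keys`, causes the real `old-entries` argument to be dropped silently, which is what the manual's "no old generations" note relies on; spell it `old-entries` and ignore it explicitly so the intent is visible. `--os-release` takes the os-release contents or `@PATH`; passing the bare label embeds an .osrel section that is not KEY=VALUE text, so pass something like `PRETTY_NAME=<label>` instead. Style: the `(use-modules ...)` forms sit inside `let`/`let*` bodies; Guix gexps normally put them first. On the positive side, `cert` and `privkey` are interpolated only as path strings, so the key itself never enters the store, and embedding the command line in the signed image means it cannot be edited at boot time.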
--
2.41.0
bug closed, send any further explanations to 68526 <at> debbugs.gnu.org and Lilah Tascheter <lilah <at> lunabee.space>. Request was from Lilah Tascheter <lilah <at> lunabee.space> to control <at> debbugs.gnu.org. (Wed, 17 Jan 2024 04:44:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 14 Feb 2024 12:24:07 GMT)