From unknown Thu Jun 19 16:20:39 2025
From: bug#68526 <68526@debbugs.gnu.org>
To: bug#68526 <68526@debbugs.gnu.org>
Subject: Status: [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Date: Thu, 19 Jun 2025 23:20:39 +0000

retitle 68526 [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
reassign 68526 guix-patches
submitter 68526 Lilah Tascheter
severity 68526 normal
tag 68526 patch
thanks

From debbugs-submit-bounces@debbugs.gnu.org Tue Jan 16 23:37:30 2024
From: Lilah Tascheter
To: guix-patches@gnu.org
Subject: [PATCH 2/2] gnu: bootloaders: Add uefi-uki-bootloader.
Date: Tue, 16 Jan 2024 22:23:04 -0600
Message-ID: <8cad5fa9951dad5f663ca5d441db0ffc181e35fe.1705465384.git.lilah@lunabee.space>

* doc/guix.texi (Bootloader Configuration)[bootloader,targets]: Document
uefi-uki-bootloader and uefi-uki-signed-bootloader.
* gnu/bootloader/uki.scm: New file.

Change-Id: Ie30ef47ea026889727a050131a9b3c0555aa4c21
---
 doc/guix.texi          |  35 ++++++++++----
 gnu/bootloader/uki.scm | 106 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+), 8 deletions(-)
 create mode 100644 gnu/bootloader/uki.scm

diff --git a/doc/guix.texi b/doc/guix.texi
index a66005ee9d..3029740f45 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40881,8 +40881,9 @@ Bootloader Configuration The bootloader to use, as a @code{bootloader} object. For now @code{grub-bootloader}, @code{grub-efi-bootloader}, @code{grub-efi-removable-bootloader}, @code{grub-efi-netboot-bootloader}, -@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader} -and @code{u-boot-bootloader} are supported. +@code{grub-efi-netboot-removable-bootloader}, @code{extlinux-bootloader}, +@code{u-boot-bootloader}, @code{uefi-uki-bootloader}, and +@code{uefi-uki-signed-bootloader} are supported. =20 @cindex ARM, bootloaders @cindex AArch64, bootloaders @@ -40989,6 +40990,24 @@ Bootloader Configuration unbootable. @end quotation =20 +@vindex uefi-uki-bootloader +@code{uefi-uki-bootloader} boots a linux kernel directly through UEFI, wit= hout +an intermediary like GRUB. The main practical advantage of this is allowin= g +root/store encryption without an extra GRUB password entry and slow decryp= tion +step. + +@vindex uefi-uki-signed-bootloader +@code{uefi-uki-signed-bootloader} is like @code{uefi-uki-bootloader}, exce= pt +that it is a procedure that returns a bootloader compatible with UEFI secu= re +boot. You must provide it with two paths, to an out-of-store secure boot d= b +certificate, and key, in that order. + +@quotation Note +This bootloader @emph{does not} support booting from any old system genera= tion. +You will also need enough space in your EFI System partition to store your +kernel and initramfs, though this likely won't be an issue. +@end quotation + @item @code{targets} This is a list of strings denoting the targets onto which to install the bootloader. 
@@ -40997,12 +41016,12 @@ Bootloader Configuration For @code{grub-bootloader}, for example, they should be device names understood by the bootloader @command{installer} command, such as @code{/dev/sda} or @code{(hd0)} (@pxref{Invoking grub-install,,, grub, -GNU GRUB Manual}). For @code{grub-efi-bootloader} and -@code{grub-efi-removable-bootloader} they should be mount -points of the EFI file system, usually @file{/boot/efi}. For -@code{grub-efi-netboot-bootloader}, @code{targets} should be the mount -points corresponding to TFTP root directories served by your TFTP -server. +GNU GRUB Manual}). For @code{grub-efi-bootloader}, +@code{grub-efi-removable-bootloader}, @code{uefi-uki-bootloader}, and +@code{uefi-uki-signed-bootloader}, they should be mount points of the EFI = file +system, usually @file{/boot/efi}. For @code{grub-efi-netboot-bootloader}, +@code{targets} should be the mount points corresponding to TFTP root direc= tories +served by your TFTP server. =20 @item @code{menu-entries} (default: @code{'()}) A possibly empty list of @code{menu-entry} objects (see below), denoting diff --git a/gnu/bootloader/uki.scm b/gnu/bootloader/uki.scm new file mode 100644 index 0000000000..3131bae3d7 --- /dev/null +++ b/gnu/bootloader/uki.scm 
@@ -0,0 +1,106 @@ +;;; GNU Guix --- Functional package management for GNU +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu bootloader uki) + #:use-module (gnu bootloader) + #:use-module (gnu packages bootloaders) + #:use-module (gnu packages efi) + #:use-module (gnu packages linux) + #:use-module (guix gexp) + #:use-module (guix modules)) + +;; config generator makes script creating uki images +;; install runs script +;; install device is path to uefi dir + +(define* (uefi-uki-configuration-file #:optional cert privkey) + (lambda* (config entries #:key (old-entires '()) #:allow-other-keys) + + (define (menu-entry->uki e) + (define stub (file-append systemd-stub "/libexec/" (systemd-stub-nam= e))) + (computed-file "uki.efi" + (with-imported-modules (source-module-closure '((guix build utils)= )) + #~(let ((args (list #$@(menu-entry-linux-arguments e)))) + (use-modules (guix build utils)) + (invoke #$(file-append ukify "/bin/ukify") "build" + "--linux" #$(menu-entry-linux e) + "--initrd" #$(menu-entry-initrd e) + "--os-release" #$(menu-entry-label e) + "--cmdline" (string-join args) + "--stub" #$stub + "-o" #$output))))) + + (program-file "install-uki" + (with-imported-modules (source-module-closure '((guix build utils))) + #~(let* ((target (cadr (command-line))) + (vendir (string-append target "/EFI/Guix")) + (schema (string-append 
vendir "/boot.mgr")) + (findmnt #$(file-append util-linux "/bin/findmnt")) + (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")= )) + (use-modules (guix build utils) (ice-9 popen) (ice-9 textual-p= orts)) + + (define disk + (call-with-port + (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target= ) + (lambda (port) (get-line port)))) ; only 1 line: the devic= e + + (when (file-exists? schema) + (call-with-input-file schema + (lambda (port) + (for-each (lambda (l) + (unless (string-null? l) + (system* efibootmgr "-B" "-L" l))) + (string-split (get-string-all port) #\lf))))) + (when (directory-exists? vendir) (delete-file-recursively vend= ir)) + + (mkdir-p vendir) + (call-with-output-file schema + (lambda (port) + (for-each (lambda (uki label) + (let* ((base (basename uki)) + (out (string-append vendir "/" base))) + #$(if cert ; sign here so we can access root= certs + #~(invoke + #$(file-append sbsigntools "/bin/sbs= ign") + "--cert" #$cert "--key" #$privkey + "--output" out uki) + #~(copy-file uki out)) + (invoke efibootmgr "-c" "-L" label "-d" disk= "-l" + (string-append "\\EFI\\Guix\\" base)) + (put-string port label) + (put-char port #\lf))) + (list #$@(map-in-order menu-entry->uki entries)) + (list #$@(map-in-order menu-entry-label entries)))))))))= ) + +(define install-uefi-uki + #~(lambda (bootloader target mount-point) + (invoke (string-append mount-point "/boot/install-uki.scm") + (string-append mount-point target)))) + +(define* (make-uefi-uki-bootloader #:optional cert privkey) + (bootloader + (name 'uefi-uki) + (package systemd-stub) + (installer install-uefi-uki) + (disk-image-installer #f) + (configuration-file "/boot/install-uki.scm") + (configuration-file-generator (uefi-uki-configuration-file cert privke= y)))) + +(define-public uefi-uki-bootloader (make-uefi-uki-bootloader)) +;; use ukify genkey to generate cert and privkey. DO NOT include in store. 
+(define-public (uefi-uki-signed-bootloader cert privkey) + (make-uefi-uki-bootloader cert privkey))
-- 
2.41.0

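Review bot: the uefi-uki-signed-bootloader paragraph in the second guix.texi hunk (@@ -40989,6 +40990,24 @@) tells the user to pass a db certificate and key but not what has to be true of them, and that is exactly where this feature can leave someone with an unbootable machine or a leaked key. Please state that the certificate must already be enrolled in the firmware's Secure Boot db before a signed UKI will boot with Secure Boot enforced, since the install script only runs sbsign and nothing in this patch enrolls anything; that the private key is read as root at 'guix system reconfigure' time from the given path and must stay outside /gnu/store because the store is world-readable (the source comment "DO NOT include in store" and the 'ukify genkey' hint belong in the manual, not only in uki.scm); and that both paths are resolved on the target at install time, not at build time. The quotation block should also spell out the consequence of not installing old generations: the firmware boot menu only ever lists the current generation, so a bad reconfigure cannot be recovered by picking an older entry and needs other boot media. Minor: "linux kernel" should read "Linux kernel".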
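Review bot: in the gnu/bootloader/uki.scm hunk the install script removes the existing boot entries and the whole EFI/Guix directory ("(when (directory-exists? vendir) (delete-file-recursively vendir))") before it has written a single new image, so any failure between that point and the copy-file/sbsign call (missing key file, sbsign error, a full ESP, power loss) leaves the machine with no bootable kernel at all. Write the new UKIs under a temporary directory or name first, create their boot entries, and only then delete the previous images and entries; at minimum check the result of each invoke before removing anything. Related points in the same script: "(cadr (command-line))" is not checked, so a missing argument fails with an obscure error instead of a usage message; "findmnt -fnro SOURCE -T target" returns the partition device, which is then passed to "efibootmgr -c ... -d disk" without -p, so confirm the packaged efibootmgr derives the partition number from a partition device and otherwise pass -p explicitly (the default is partition 1); and the cleanup loop runs "efibootmgr -B -L l" with no -b, so confirm this efibootmgr version deletes by label, and if it requires a boot number, record the BootXXXX number returned at creation in boot.mgr rather than the label (labels are not unique, so deleting by label can also remove entries the user created by hand). The keyword parameter is spelled "old-entires"; since old generations are deliberately ignored, either spell it old-entries or drop it and rely on #:allow-other-keys. Finally, ukify's --os-release takes os-release text or an @path, so passing "(menu-entry-label e)" produces a .osrel section with no KEY=VALUE lines; pass the system's os-release file or at least a PRETTY_NAME= line built from the label.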
From: Lilah Tascheter
To: control@debbugs.gnu.org
Date: Tue, 16 Jan 2024 22:43:01 -0600
Organization: Dissociation for Heresiographal Computation
Subject: (empty)

close 68525
close 68526

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Wed, 14 Feb 2024 12:24:07 +0000

bug archived.
thanks