On 24-08-2022 05:07, Philip McGrath wrote:
I could imagine a process like this:
1. Build the binary that needs to be signed.
2. Outside of the Guix build environment, create a detached signature
for the binary using your secret key.
3. Add the detached signature to the Guix store, pe
On Sun, Aug 21, 2022, at 4:46 AM, Josselin Poiret wrote:
> Hi Antonio,
>
> Antonio Carlos Padoan Junior writes:
>
>> As far as I understand, Guix doesn't provide means to automatically sign
>> bootloaders and kernels in order to use UEFI secure boot after each system
>> reconfigure (assuming a PKI
Josselin Poiret writes:
Hi Josselin,
> It's not an easy problem unfortunately, and the number of people whose
> threat model requires such a thing is slim, hence the lack of work in
> that direction.
that sounds fair. Thanks for the explanation, it was clear!
Best regards,
--
Antonio Carlos
Hi Antonio,
Antonio Carlos Padoan Junior writes:
> Can we imagine signing the kernel outside the guix layer, I mean,
> directly into the store without using guix commands? I understand this
> would break conceptually the Guix functional characterization, and it is
> not very "clean". But despite
Thank you for your answer!
Josselin Poiret writes:
> Hi Antonio,
>
> Antonio Carlos Padoan Junior writes:
>
>> As far as I understand, Guix doesn't provide means to automatically sign
>> bootloaders and kernels in order to use UEFI secure boot after each system
>> reconfigure (assuming a PKI i
Hi Antonio,
Antonio Carlos Padoan Junior writes:
> As far as I understand, Guix doesn't provide means to automatically sign
> bootloaders and kernels in order to use UEFI secure boot after each system
> reconfigure (assuming a PKI is properly implemented). Hence, using
> secure boot with Guix i
Hi Antonio,
On Sat, 2022-08-20 at 13:23 +0200, Antonio Carlos Padoan Junior wrote:
> As far as I understand, Guix doesn't provide means to automatically
> sign
> bootloaders and kernels in order to use UEFI secure boot after each
> system
> reconfigure (assuming a PKI is properly implemented). He
That would be interesting, even on a Talos II, which has owner
controlled secure boot. There will be no need to sign with a Microsoft
key as most UEFI implementations do. There are two Microsoft keys, one
for Windows and one for all other OSes.
On Sat, 2022-08-20 at 13:23 +0200, Antonio Carlos Pad
