Secure boot support?

2023-03-05 Thread romulasry
It shows up as UEFI but it doesn't boot without the proper signatures. Any ETA?

Re: secure boot

2022-08-24 Thread Maxime Devos
On 24-08-2022 05:07, Philip McGrath wrote: I could imagine a process like this: 1. Build the binary that needs to be signed. 2. Outside of the Guix build environment, create a detached signature for the binary using your secret key. 3. Add the detached signature to the Guix store, pe

Re: secure boot

2022-08-23 Thread Philip McGrath
On Sun, Aug 21, 2022, at 4:46 AM, Josselin Poiret wrote: > Hi Antonio, > > Antonio Carlos Padoan Junior writes: > >> As far as I understand, Guix doesn't provide means to automatically sign >> bootloaders and kernels in order to use UEFI secure boot after each syst

Re: secure boot

2022-08-23 Thread Antonio Carlos Padoan Junior
Josselin Poiret writes: Hi Josselin, > It's not an easy problem unfortunately, and the number of people whose > threat model requires such a thing is slim, hence the lack of work in > that direction. that sounds fair. Thanks for the explanation, it was clear! Best regards, -- Antonio Carlos

Re: secure boot

2022-08-23 Thread Josselin Poiret
Hi Antonio, Antonio Carlos Padoan Junior writes: > Can we imagine signing the kernel outside the guix layer, I mean, > directly into the store without using guix commands? I understand this > would break conceptually the Guix functional characterization, and it is > not very "clean". But despite

Re: secure boot

2022-08-22 Thread Antonio Carlos Padoan Junior
Thank you for your answer! Josselin Poiret writes: > Hi Antonio, > > Antonio Carlos Padoan Junior writes: > >> As far as I understand, Guix doesn't provide means to automatically sign >> bootloaders and kernels in order to use UEFI secure boot after each system &

Re: secure boot

2022-08-21 Thread Josselin Poiret
Hi Antonio, Antonio Carlos Padoan Junior writes: > As far as I understand, Guix doesn't provide means to automatically sign > bootloaders and kernels in order to use UEFI secure boot after each system > reconfigure (assuming a PKI is properly implemented). Hence, using > secu

Re: secure boot

2022-08-20 Thread kiasoc5
Hi Antonio, On Sat, 2022-08-20 at 13:23 +0200, Antonio Carlos Padoan Junior wrote: > As far as I understand, Guix doesn't provide means to automatically > sign > bootloaders and kernels in order to use UEFI secure boot after each > system > reconfigure (assuming a PKI is

Re: secure boot

2022-08-20 Thread Tobias Platen
That would be interesting, even on a Talos II, which has owner controlled secure boot. There will be no need to sign with a Microsoft key as most UEFI implementations do. There are two Microsoft keys, one for Windows and one for all other OSes. On Sat, 2022-08-20 at 13:23 +0200, Antonio Carlos

secure boot

2022-08-20 Thread Antonio Carlos Padoan Junior
ns to automatically sign bootloaders and kernels in order to use UEFI secure boot after each system reconfigure (assuming a PKI is properly implemented). Hence, using secure boot with Guix is currently not viable (am I correct?). In this context, can I assume that the risk of not having secure bo

Re: Fun question: has anyone tried secure boot with GuixSD?

2017-07-17 Thread Adonay Felipe Nogueira
ftware movement (according to [[https://k7r.eu/there-is-no-free-software-company-but/]] and [[https://media.libreplanet.org/u/libreplanet/m/libreplanet-2016-the-last-lighthouse-3d51/]]). Before anyone else jumps at us, it's important to note the difference between "Secure Boot" an

Fun question: has anyone tried secure boot with GuixSD?

2017-07-17 Thread ng0
Following some interesting points I got during a discussion we had (offline), I have some questions for multiple projects. One of the topics is "Secure Boot". Apparently I missed the point with my hardware and systems where Secure Boot practically became mandatory and default. Which