added uki bootloader maybe

author: Ryan Schanzenbacher <ryan@rschanz.org> 2025-01-12 21:19:05 -0500
committer: Ryan Schanzenbacher <ryan@rschanz.org> 2025-01-12 21:19:05 -0500
commit: ce1c24e3100d48c9c210eb1ebc5ebadcc6b77659 (patch)
tree: 0ad0ef2d30db557ad4fb7bf47473ef3508723cb9
parent: 67da316096f98f9a3fc038a1deba1b2c5356dfab (diff)
2 files changed, 225 insertions, 0 deletions
diff --git a/modules/ryan-bootloader/uki.scm b/modules/ryan-bootloader/uki.scm
new file mode 100644
index 0000000..dce3917
--- /dev/null
+++ b/modules/ryan-bootloader/uki.scm
@@ -0,0 +1,115 @@
+(define-module (ryan-bootloader uki)
+  #:use-module (gnu bootloader)
+  #:use-module (ryan-packages bootloaders)
+  #:use-module (gnu packages bootloaders)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages linux)
+  #:use-module (guix gexp)
+  #:use-module (guix modules)
+  #:use-module (srfi srfi-1)
+  #:export (uefi-uki-bootloader uefi-uki-signed-bootloader))
+;; config generator makes script creating uki images
+;; install runs script
+;; install device is path to uefi dir
+(define vendor "Guix")
+(define script-loc "/boot/install-uki.scm")
+(define* (uefi-uki-configuration-file #:optional cert privkey)
+  (lambda* (config entries #:key (old-entries '()) #:allow-other-keys)
+    (define (menu-entry->args e)
+      (let* ((boot (bootloader-configuration-bootloader config))
+             (stub (bootloader-package boot)))
+        #~(list "--os-release" #$(menu-entry-label e)
+            "--linux" #$(menu-entry-linux e) "--initrd" #$(menu-entry-initrd e)
+            "--cmdline" (string-join (list #$@(menu-entry-linux-arguments e)))
+            "--stub" #$(file-append stub "/libexec/" (systemd-stub-name))
+            #$@(if cert #~("--secureboot-certificate" #$cert) #~())
+            #$@(if privkey #~("--secureboot-private-key" #$privkey) #~()))))
+    (define (enum-filenames . args) ; same args as iota
+      (map (lambda (n) (string-append (number->string n) ".efi"))
+        (apply iota (map length args))))
+    (program-file "install-uki"
+      (with-imported-modules (source-module-closure '((guix build syscalls)
+                                                      (guix build utils)))
+        #~(let* ((target (cadr (command-line)))
+                 (vendir (string-append target "/EFI/" #$vendor))
+                 (schema (string-append vendir "/boot.mgr"))
+                 (findmnt #$(file-append util-linux "/bin/findmnt"))
+                 (efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")))
+            (use-modules (guix build syscalls) (guix build utils)
+                         (ice-9 popen) (ice-9 textual-ports))
+            (define (out name) (string-append vendir "/" name))
+            (define disk
+              (call-with-port
+                (open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target)
+                (lambda (port) (get-line port)))) ; only 1 line: the device
+            (define part
+              (substring disk (- (string-length disk) 1)))
+            ;; delete all boot entries and files we control
+            (when (file-exists? schema)
+              (call-with-input-file schema
+                (lambda (port)
+                  (for-each (lambda (l)
+                              (unless (string-null? l)
+                                (system* efibootmgr "-B" "-L" l "-q")))
+                    (string-split (get-string-all port) #\lf)))))
+            (when (directory-exists? vendir) (delete-file-recursively vendir))
+            (mkdir-p vendir)
+            (define (install port boot? oos)
+              (lambda (args label name)
+                (let ((minbytes (* 2 (stat:size (stat #$script-loc)))))
+                  (put-string port label)
+                  (put-char port #\lf)
+                  (force-output port) ; make sure space is alloc'd
+                  (apply invoke #$(file-append ukify "/bin/ukify")
+                    "build" "-o" (out name) args)
+                  ;; make sure we have enough space for next install-uki.scm
+                  (when (and oos (< (free-disk-space vendir) minbytes)) (oos))
+                  (invoke efibootmgr (if boot? "-c" "-C") "-L" label "--disk" disk "--part" part
+                    "--loader" (string-append "\\EFI\\" #$vendor "\\" name) "-q"))))
+            (call-with-output-file schema
+              (lambda (port) ; prioritize latest UKIs in limited ESP space
+                (for-each (install port #t #f)
+                  (list #$@(map-in-order menu-entry->args entries))
+                  (list #$@(map-in-order menu-entry-label entries))
+                  (list #$@(enum-filenames entries)))
+                (for-each ; old-entries can fail (out of space) we don't care
+                  (lambda (args label name)
+                    (define (cleanup . _) ; do exit early if out of space tho
+                      (when (file-exists? (out name)) (delete-file (out name)))
+                      (exit))
+                    (with-exception-handler cleanup
+                      (lambda _ ((install port #f cleanup) args label name))))
+                  (list #$@(map-in-order menu-entry->args old-entries))
+                  (list #$@(map-in-order menu-entry-label old-entries))
+                  (list #$@(enum-filenames old-entries entries))))))))))
+(define install-uefi-uki
+  #~(lambda (bootloader target mount-point)
+      (invoke (string-append mount-point #$script-loc)
+              (string-append mount-point target))))
+(define* (make-uefi-uki-bootloader #:optional cert privkey)
+  (bootloader
+    (name 'uefi-uki)
+    (package systemd-stub)
+    (installer install-uefi-uki)
+    (disk-image-installer #f)
+    (configuration-file script-loc)
+    (configuration-file-generator (uefi-uki-configuration-file cert privkey))))
+;; IMPORTANT NOTE: if bootloader install fails, do not turn off your computer! until
+;; install succeeds, your system is unbootable.
+(define uefi-uki-bootloader (make-uefi-uki-bootloader))
+;; use ukify genkey to generate cert and privkey. DO NOT include in store.
+(define (uefi-uki-signed-bootloader cert privkey)
+  (make-uefi-uki-bootloader cert privkey))
diff --git a/modules/ryan-packages/bootloaders.scm b/modules/ryan-packages/bootloaders.scm
new file mode 100644
index 0000000..10f38d1
--- /dev/null
+++ b/modules/ryan-packages/bootloaders.scm
@@ -0,0 +1,110 @@
+(define-module (ryan-packages bootloaders)
+  #:use-module ((guix licenses) #:prefix license:)
+  #:use-module (gnu packages efi)
+  #:use-module (gnu packages base)
+  #:use-module (gnu packages linux)
+  #:use-module (gnu packages gperf)
+  #:use-module (gnu packages crypto)
+  #:use-module (gnu packages python)
+  #:use-module (gnu packages python-xyz)
+  #:use-module (gnu packages python-crypto)
+  #:use-module (gnu packages pkg-config)
+  #:use-module (guix gexp)
+  #:use-module (guix utils)
+  #:use-module (guix modules)
+  #:use-module (guix packages)
+  #:use-module (guix git-download)
+  #:use-module (guix build-system gnu)
+  #:use-module (guix build-system meson)
+  #:use-module (guix build-system python))
+(define systemd-version "255")
+(define systemd-source
+  (origin
+    (method git-fetch)
+    (uri (git-reference
+           (url "https://github.com/systemd/systemd")
+           (commit (string-append "v" systemd-version))))
+    (file-name (git-file-name "systemd" systemd-version))
+    (sha256
+      (base32
+        "1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
+(define-public (systemd-stub-name)
+  (let ((arch (cond ((target-x86-32?) "ia32")
+                ((target-x86-64?) "x64")
+                ((target-arm32?) "arm")
+                ((target-aarch64?) "aa64")
+                ((target-riscv64?) "riscv64"))))
+    (string-append "linux" arch ".efi.stub")))
+(define-public systemd-stub
+  (package
+    (name "systemd-stub")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system meson-build-system)
+    (arguments
+      (list
+        #:configure-flags
+        `(list "-Defi=true" "-Dsbat-distro=guix"
+               "-Dsbat-distro-generation=1" ; package revision!
+               "-Dsbat-distro-summary=Guix System"
+               "-Dsbat-distro-url=https://guix.gnu.org"
+               ,(string-append "-Dsbat-distro-pkgname=" name)
+               ,(string-append "-Dsbat-distro-version=" version))
+        #:phases
+        #~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name))))
+            (modify-phases %standard-phases
+              (replace 'build
+                (lambda* (#:key parallel-build? #:allow-other-keys)
+                  (invoke "ninja" stub
+                    "-j" (if parallel-build?
+                           (number->string (parallel-job-count)) "1"))))
+              (replace 'install
+                (lambda _
+                  (install-file stub (string-append #$output "/libexec"))))
+              (delete 'check)))))
+    (inputs (list libcap python-pyelftools `(,util-linux "lib")))
+    (native-inputs (list libxcrypt gperf pkg-config python-3 python-jinja2))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI stub")
+    (description "Simple UEFi boot stub that loads a conjoined kernel image and
+supporting data to their proper locations, before chainloading to the kernel.
+Supports measured and/or verified boot environments.")
+    (license license:lgpl2.1+)))
+(define-public ukify
+  (package
+    (name "ukify")
+    (version systemd-version)
+    (source systemd-source)
+    (build-system python-build-system)
+    (arguments
+      (list #:phases
+            #~(modify-phases %standard-phases
+                (replace 'build
+                  (lambda _
+                    (substitute* "src/ukify/ukify.py" ; added in python 3.11
+                      (("datetime\\.UTC") "datetime.timezone.utc"))))
+                (delete 'check)
+                (replace 'install
+                  (lambda* (#:key inputs #:allow-other-keys)
+                    (let* ((bin (string-append #$output "/bin"))
+                           (file (string-append bin "/ukify"))
+                           (binutils (assoc-ref inputs "binutils"))
+                           (sbsign (assoc-ref inputs "sbsigntools")))
+                      (mkdir-p bin)
+                      (copy-file "src/ukify/ukify.py" file)
+                      (wrap-program file
+                        `("PATH" ":" prefix
+                          (,(string-append binutils "/bin")
+                           ,(string-append sbsign "/bin"))))))))))
+    (inputs (list binutils python-cryptography python-pefile sbsigntools))
+    (home-page "https://systemd.io")
+    (synopsis "Unified kernel image UEFI tool")
+    (description "@command{ukify} joins together a UKI stub, linux kernel, initrd,
+kernel arguments, and optional secure boot signatures into a single, UEFI-bootable
+image.")
+    (license license:lgpl2.1+)))
author	Ryan Schanzenbacher <ryan@rschanz.org>	2025-01-12 21:19:05 -0500
committer	Ryan Schanzenbacher <ryan@rschanz.org>	2025-01-12 21:19:05 -0500
commit	ce1c24e3100d48c9c210eb1ebc5ebadcc6b77659 (patch)
tree	0ad0ef2d30db557ad4fb7bf47473ef3508723cb9
parent	67da316096f98f9a3fc038a1deba1b2c5356dfab (diff)

diff --git a/modules/ryan-bootloader/uki.scm b/modules/ryan-bootloader/uki.scm new file mode 100644 index 0000000..dce3917 --- /dev/null +++ b/modules/ryan-bootloader/uki.scm
@@ -0,0 +1,115 @@
	1	(define-module (ryan-bootloader uki)
	2	#:use-module (gnu bootloader)
	3	#:use-module (ryan-packages bootloaders)
	4	#:use-module (gnu packages bootloaders)
	5	#:use-module (gnu packages efi)
	6	#:use-module (gnu packages linux)
	7	#:use-module (guix gexp)
	8	#:use-module (guix modules)
	9	#:use-module (srfi srfi-1)
	10	#:export (uefi-uki-bootloader uefi-uki-signed-bootloader))
	11
	12	;; config generator makes script creating uki images
	13	;; install runs script
	14	;; install device is path to uefi dir
	15	(define vendor "Guix")
	16	(define script-loc "/boot/install-uki.scm")
	17
	18	(define* (uefi-uki-configuration-file #:optional cert privkey)
	19	(lambda* (config entries #:key (old-entries '()) #:allow-other-keys)
	20
	21	(define (menu-entry->args e)
	22	(let* ((boot (bootloader-configuration-bootloader config))
	23	(stub (bootloader-package boot)))
	24	#~(list "--os-release" #$(menu-entry-label e)
	25	"--linux" #$(menu-entry-linux e) "--initrd" #$(menu-entry-initrd e)
	26	"--cmdline" (string-join (list #$@(menu-entry-linux-arguments e)))
	27	"--stub" #$(file-append stub "/libexec/" (systemd-stub-name))
	28	#$@(if cert #~("--secureboot-certificate" #$cert) #~())
	29	#$@(if privkey #~("--secureboot-private-key" #$privkey) #~()))))
	30
	31	(define (enum-filenames . args) ; same args as iota
	32	(map (lambda (n) (string-append (number->string n) ".efi"))
	33	(apply iota (map length args))))
	34
	35	(program-file "install-uki"
	36	(with-imported-modules (source-module-closure '((guix build syscalls)
	37	(guix build utils)))
	38	#~(let* ((target (cadr (command-line)))
	39	(vendir (string-append target "/EFI/" #$vendor))
	40	(schema (string-append vendir "/boot.mgr"))
	41	(findmnt #$(file-append util-linux "/bin/findmnt"))
	42	(efibootmgr #$(file-append efibootmgr "/sbin/efibootmgr")))
	43	(use-modules (guix build syscalls) (guix build utils)
	44	(ice-9 popen) (ice-9 textual-ports))
	45
	46	(define (out name) (string-append vendir "/" name))
	47	(define disk
	48	(call-with-port
	49	(open-pipe* OPEN_READ findmnt "-fnro" "SOURCE" "-T" target)
	50	(lambda (port) (get-line port)))) ; only 1 line: the device
	51	(define part
	52	(substring disk (- (string-length disk) 1)))
	53
	54	;; delete all boot entries and files we control
	55	(when (file-exists? schema)
	56	(call-with-input-file schema
	57	(lambda (port)
	58	(for-each (lambda (l)
	59	(unless (string-null? l)
	60	(system* efibootmgr "-B" "-L" l "-q")))
	61	(string-split (get-string-all port) #\lf)))))
	62	(when (directory-exists? vendir) (delete-file-recursively vendir))
	63	(mkdir-p vendir)
	64
	65	(define (install port boot? oos)
	66	(lambda (args label name)
	67	(let ((minbytes (* 2 (stat:size (stat #$script-loc)))))
	68	(put-string port label)
	69	(put-char port #\lf)
	70	(force-output port) ; make sure space is alloc'd
	71	(apply invoke #$(file-append ukify "/bin/ukify")
	72	"build" "-o" (out name) args)
	73	;; make sure we have enough space for next install-uki.scm
	74	(when (and oos (< (free-disk-space vendir) minbytes)) (oos))
	75	(invoke efibootmgr (if boot? "-c" "-C") "-L" label "--disk" disk "--part" part
	76	"--loader" (string-append "\\EFI\\" #$vendor "\\" name) "-q"))))
	77
	78	(call-with-output-file schema
	79	(lambda (port) ; prioritize latest UKIs in limited ESP space
	80	(for-each (install port #t #f)
	81	(list #$@(map-in-order menu-entry->args entries))
	82	(list #$@(map-in-order menu-entry-label entries))
	83	(list #$@(enum-filenames entries)))
	84	(for-each ; old-entries can fail (out of space) we don't care
	85	(lambda (args label name)
	86	(define (cleanup . _) ; do exit early if out of space tho
	87	(when (file-exists? (out name)) (delete-file (out name)))
	88	(exit))
	89	(with-exception-handler cleanup
	90	(lambda _ ((install port #f cleanup) args label name))))
	91	(list #$@(map-in-order menu-entry->args old-entries))
	92	(list #$@(map-in-order menu-entry-label old-entries))
	93	(list #$@(enum-filenames old-entries entries))))))))))
	94
	95	(define install-uefi-uki
	96	#~(lambda (bootloader target mount-point)
	97	(invoke (string-append mount-point #$script-loc)
	98	(string-append mount-point target))))
	99
	100	(define* (make-uefi-uki-bootloader #:optional cert privkey)
	101	(bootloader
	102	(name 'uefi-uki)
	103	(package systemd-stub)
	104	(installer install-uefi-uki)
	105	(disk-image-installer #f)
	106	(configuration-file script-loc)
	107	(configuration-file-generator (uefi-uki-configuration-file cert privkey))))
	108
	109	;; IMPORTANT NOTE: if bootloader install fails, do not turn off your computer! until
	110	;; install succeeds, your system is unbootable.
	111	(define uefi-uki-bootloader (make-uefi-uki-bootloader))
	112	;; use ukify genkey to generate cert and privkey. DO NOT include in store.
	113	(define (uefi-uki-signed-bootloader cert privkey)
	114	(make-uefi-uki-bootloader cert privkey))
	115


diff --git a/modules/ryan-packages/bootloaders.scm b/modules/ryan-packages/bootloaders.scm new file mode 100644 index 0000000..10f38d1 --- /dev/null +++ b/modules/ryan-packages/bootloaders.scm
@@ -0,0 +1,110 @@
	1	(define-module (ryan-packages bootloaders)
	2	#:use-module ((guix licenses) #:prefix license:)
	3	#:use-module (gnu packages efi)
	4	#:use-module (gnu packages base)
	5	#:use-module (gnu packages linux)
	6	#:use-module (gnu packages gperf)
	7	#:use-module (gnu packages crypto)
	8	#:use-module (gnu packages python)
	9	#:use-module (gnu packages python-xyz)
	10	#:use-module (gnu packages python-crypto)
	11	#:use-module (gnu packages pkg-config)
	12	#:use-module (guix gexp)
	13	#:use-module (guix utils)
	14	#:use-module (guix modules)
	15	#:use-module (guix packages)
	16	#:use-module (guix git-download)
	17	#:use-module (guix build-system gnu)
	18	#:use-module (guix build-system meson)
	19	#:use-module (guix build-system python))
	20
	21	(define systemd-version "255")
	22	(define systemd-source
	23	(origin
	24	(method git-fetch)
	25	(uri (git-reference
	26	(url "https://github.com/systemd/systemd")
	27	(commit (string-append "v" systemd-version))))
	28	(file-name (git-file-name "systemd" systemd-version))
	29	(sha256
	30	(base32
	31	"1qdyw9g3jgvsbc1aryr11gpc3075w5pg00mqv4pyf3hwixxkwaq6"))))
	32
	33	(define-public (systemd-stub-name)
	34	(let ((arch (cond ((target-x86-32?) "ia32")
	35	((target-x86-64?) "x64")
	36	((target-arm32?) "arm")
	37	((target-aarch64?) "aa64")
	38	((target-riscv64?) "riscv64"))))
	39	(string-append "linux" arch ".efi.stub")))
	40
	41	(define-public systemd-stub
	42	(package
	43	(name "systemd-stub")
	44	(version systemd-version)
	45	(source systemd-source)
	46	(build-system meson-build-system)
	47	(arguments
	48	(list
	49	#:configure-flags
	50	`(list "-Defi=true" "-Dsbat-distro=guix"
	51	"-Dsbat-distro-generation=1" ; package revision!
	52	"-Dsbat-distro-summary=Guix System"
	53	"-Dsbat-distro-url=https://guix.gnu.org"
	54	,(string-append "-Dsbat-distro-pkgname=" name)
	55	,(string-append "-Dsbat-distro-version=" version))
	56	#:phases
	57	#~(let ((stub #$(string-append "src/boot/efi/" (systemd-stub-name))))
	58	(modify-phases %standard-phases
	59	(replace 'build
	60	(lambda* (#:key parallel-build? #:allow-other-keys)
	61	(invoke "ninja" stub
	62	"-j" (if parallel-build?
	63	(number->string (parallel-job-count)) "1"))))
	64	(replace 'install
	65	(lambda _
	66	(install-file stub (string-append #$output "/libexec"))))
	67	(delete 'check)))))
	68	(inputs (list libcap python-pyelftools `(,util-linux "lib")))
	69	(native-inputs (list libxcrypt gperf pkg-config python-3 python-jinja2))
	70	(home-page "https://systemd.io")
	71	(synopsis "Unified kernel image UEFI stub")
	72	(description "Simple UEFi boot stub that loads a conjoined kernel image and
	73	supporting data to their proper locations, before chainloading to the kernel.
	74	Supports measured and/or verified boot environments.")
	75	(license license:lgpl2.1+)))
	76
	77	(define-public ukify
	78	(package
	79	(name "ukify")
	80	(version systemd-version)
	81	(source systemd-source)
	82	(build-system python-build-system)
	83	(arguments
	84	(list #:phases
	85	#~(modify-phases %standard-phases
	86	(replace 'build
	87	(lambda _
	88	(substitute* "src/ukify/ukify.py" ; added in python 3.11
	89	(("datetime\\.UTC") "datetime.timezone.utc"))))
	90	(delete 'check)
	91	(replace 'install
	92	(lambda* (#:key inputs #:allow-other-keys)
	93	(let* ((bin (string-append #$output "/bin"))
	94	(file (string-append bin "/ukify"))
	95	(binutils (assoc-ref inputs "binutils"))
	96	(sbsign (assoc-ref inputs "sbsigntools")))
	97	(mkdir-p bin)
	98	(copy-file "src/ukify/ukify.py" file)
	99	(wrap-program file
	100	`("PATH" ":" prefix
	101	(,(string-append binutils "/bin")
	102	,(string-append sbsign "/bin"))))))))))
	103	(inputs (list binutils python-cryptography python-pefile sbsigntools))
	104	(home-page "https://systemd.io")
	105	(synopsis "Unified kernel image UEFI tool")
	106	(description "@command{ukify} joins together a UKI stub, linux kernel, initrd,
	107	kernel arguments, and optional secure boot signatures into a single, UEFI-bootable
	108	image.")
	109	(license license:lgpl2.1+)))
	110