That would be interesting, even on a Talos II, which has owner-controlled secure boot. There will be no need to sign with a Microsoft key as most UEFI implementations do. There are two Microsoft keys, one for Windows and one for all other OSes.
On Sat, 2022-08-20 at 13:23 +0200, Antonio Carlos Padoan Junior wrote:
> Hello,
>
> I hope my question makes sense. It concerns Guix grub UEFI
> bootloaders.
>
> I would like to understand to what extent Guix's functional approach
> helps to secure the computer with regards to an early boot malicious
> code/malware infection.
>
> As far as I understand, Guix doesn't provide means to automatically
> sign bootloaders and kernels in order to use UEFI secure boot after
> each system reconfigure (assuming a PKI is properly implemented).
> Hence, using secure boot with Guix is currently not viable (am I
> correct?).
>
> In this context, can I assume that the risk of not having secure boot
> is minimized by the fact that in each system reconfiguration, the
> early boot chain is overwritten in such a way that, if malicious code
> is introduced somehow, it will also be overwritten? Am I correct?
>
> In addition, how much more difficult is it to introduce such
> malicious code in a Guix system given its functional approach and
> store system? (in comparison with other Linux distributions)
>
> I know that Guix provides an amazing approach to secure software
> supply chain, but I was wondering if not having secure boot can be
> considered a major drawback for Guix.
>
> Best regards
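As an added example (not code from the thread's authors or from the Guix project), here is the kind of post-reconfigure step the question describes: a small sh script that first reads the firmware's SecureBoot variable to tell whether enforcement is actually on, then signs a GRUB EFI image with sbsign and refuses to replace it unless sbverify accepts the signature. Assumptions: sbsigntools (sbsign/sbverify) is installed, the key pair db.key/db.crt is the one enrolled in the firmware's db (or trusted by an owner-controlled firmware), and Guix placed the GRUB image at /boot/efi/EFI/Guix/grubx64.efi; the paths are illustrative.

```shell
#!/bin/sh
# Added example, not part of Guix: sign the EFI bootloader after
# `guix system reconfigure` and report the firmware's Secure Boot state.
# Assumed paths/tools: sbsign, sbverify, /etc/secureboot/db.{key,crt},
# /boot/efi/EFI/Guix/grubx64.efi (adjust to your installation).

# efivarfs exposes the SecureBoot variable under EFI_GLOBAL_VARIABLE.
SB_EFIVAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e0980e729f

# Decode a raw efivarfs dump: 4 bytes of attributes, then one data byte
# (1 = Secure Boot enforcing, 0 = disabled / setup mode).
secureboot_state_from_file() {
    file=$1
    [ -r "$file" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$file" | tr -d ' ')
    case $byte in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Convenience wrapper for the live system.
secureboot_state() {
    secureboot_state_from_file "$SB_EFIVAR"
}

# Sign one PE binary and verify the result against the certificate before
# replacing the unsigned copy. Any failure returns non-zero so a caller can
# stop instead of leaving an unsigned (unbootable under Secure Boot) image.
sign_efi_binary() {
    key=$1 cert=$2 bin=$3
    [ -f "$bin" ] || { echo "missing $bin" >&2; return 1; }
    # Reconfigure reinstalls GRUB, so an already-valid signature means
    # nothing changed and there is nothing to do.
    if sbverify --cert "$cert" "$bin" >/dev/null 2>&1; then
        echo "$bin already carries a signature valid for $cert"
        return 0
    fi
    sbsign --key "$key" --cert "$cert" --output "$bin.signed" "$bin" || return 1
    sbverify --cert "$cert" "$bin.signed" || return 1
    mv "$bin.signed" "$bin"
}

# Example invocation (assumed paths), run as root right after
#   guix system reconfigure /etc/config.scm
# echo "Secure Boot: $(secureboot_state)"
# sign_efi_binary /etc/secureboot/db.key /etc/secureboot/db.crt \
#     /boot/efi/EFI/Guix/grubx64.efi
```

Signing the kernel and initrd this way only helps if GRUB itself enforces signatures on what it loads; with a plain GRUB build, Secure Boot stops at the bootloader, which is why shim-based setups pair it with a GRUB that verifies the kernel. The efivar check is worth keeping in the script: with the variable reading 0 the firmware accepts anything, signed or not.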