Thank you for your answer!

Josselin Poiret <d...@jpoiret.xyz> writes:

> Hi Antonio,
>
> Antonio Carlos Padoan Junior <acpadoa...@yahoo.com.br> writes:
>
>> As far as I understand, Guix doesn't provide means to automatically sign
>> bootloaders and kernels in order to use UEFI secure boot after each system
>> reconfigure (assuming a PKI is properly implemented).  Hence, using
>> secure boot with Guix is currently not viable (am I correct?).
>
> You're right, we don't really have any means to do that.  It would have
> to be done outside of the store, again, so that the private key doesn't
> leak into it.
>

Can we imagine signing the kernel outside the Guix layer, I mean,
directly into the store without using guix commands? I understand this
would conceptually break the Guix functional characterization, and it is
not very "clean". But despite these points, are any other side effects expected?

I'm not sure if my question is convenient for this list; if it is not,
sorry for the inconvenience.

Best regards,
-- 
Antonio Carlos PADOAN JUNIOR
GPG fingerprint:
243F 237F 2DD3 4DCA 4EA3  1341 2481 90F9 B421 A6C9
