Hi,

On Sun, 15 Jun 2025 23:15:17 +0100
Kieran Brandle <[email protected]> wrote:
> - I am Canoebooted, meaning I am using a custom full open source rom,
>   maybe that might affect guix? I'm unsure

It does and it can help a lot getting things working here. However you
didn't tell which Canoeboot image you used.

Your best shot at getting it working on this computer is probably to
use a Canoeboot image with GRUB and no /boot at all. With a /boot, Guix
won't be able to find its kernel and initramfs.

Then you can use the following as the bootloader configuration:
> (bootloader (bootloader-configuration
>              (bootloader (bootloader (inherit grub-bootloader)
>                                      (installer #~(const #t))))))

This will create a /boot/grub/grub.cfg file.

You will then need to create the encrypted partition manually and use
guix system init to install Guix.

When this is done, Canoeboot should be able to find the Guix
installation if you have only one distribution installed or if you have
multiple distributions and that you are lucky, or that things improved
on the Canoeboot side and that I'm not aware of it.

Though note that I'm not very familiar with Canoeboot: I use GNU Boot
instead and compared to Canoeboot, GNU Boot has a slightly different
GRUB configuration.

Also note that GNU Boot doesn't support the Dell E6400 yet and it
doesn't support LUKS2 with argon2i/argon2id, so Canoeboot is your best
shot here. Both are not supported by GNU Boot because we decided to
reduce the amount of modifications of the project we reuse (argon2i /
argon2id support in GRUB requires a big patch that isn't in GRUB). See
below for more details for what argon2i/argon2id means.

If you want to use a SeaBIOS image instead, then things are more
complicated because you'll have to use the GRUB provided by the
distributions, and distributions didn't include patches for argon2i /
argon2id.

If you go this route you will at least need something like that (you
might need to adjust targets here):
> (bootloader (bootloader-configuration
>              (bootloader grub-bootloader)
>              (targets '(file-system-label "Guix_image"))
>              (terminal-outputs '(console))))

This is because the VGA support of SeaBIOS is incomplete with real
computers and Coreboot (it is probably fine with QEMU).

You'll also need to find a way to tell GRUB to do full disk encryption.
On distributions like Trisquel, it's done by adding
'GRUB_ENABLE_CRYPTODISK=y' to /etc/default/grub. I'm unsure if you need
to send patches to Guix to enable that, or if it's possible to find a
workaround somehow.

But if you do manage to pull it off somehow, you'll also need to
downgrade to LUKS-1 and/or keep LUKS-2 but downgrade to PBKDF2 if you
don't already have LUKS-1. This is for instance what you need to do with
Trisquel (the easiest with Trisquel is to do an encrypted installation,
and if it's in LUKS2 with argon2i/argon2id, downgrade to PBKDF2 and get
rid of the /boot in a third step).

PBKDF2 is the key derivation function, it's basically what converts
your passphrase into a key that can then decrypt the real encryption key
of your partition. It is less resistant against brute-force attacks than
the new key derivation functions like argon2i / argon2id, and a state
(France) managed to open a LUKS-1 partition with PBKDF2 that had a 20+
character passphrase, but the owner of the computer also didn't tell how
random that passphrase was (the number of characters isn't the right
metric here as 'aaaaaaaaaaaaaaaaaaaaa' is not a very strong passphrase
for instance).

In any case if you need to downgrade to PBKDF2, there is an article
that explains how to do the opposite[1], so you could adapt the
instructions to downgrade to PBKDF2 if you have argon2i/argon2id.

Another option for SeaBIOS would be to roll your own for GRUB: to
install it, configure it (by adding 'GRUB_ENABLE_CRYPTODISK=y' to
/etc/default/grub) and upgrade it manually, and not use Guix for it, and
configure Guix like for Canoeboot GRUB images.

Also note that I didn't check if Canoeboot had more image options (like
Tianocore, etc).

References:
-----------
[1]https://mjg59.dreamwidth.org/66429.html

Denis.
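
The keyslot check behind the PBKDF2 downgrade discussed in the message above, as an added example that is not part of the original e-mail: it reads `cryptsetup luksDump` text and prints, without running it, the `cryptsetup luksConvertKey` command for each keyslot that is not on PBKDF2. The function names, the sample dump (constructed and abridged) and the device `/dev/sdX2` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find LUKS2 keyslots that do not use PBKDF2.
# Input on stdin is the text printed by `cryptsetup luksDump DEVICE`.

# Print "SLOT KDF" for each keyslot. Only the "Keyslots:" section is read:
# the "Digests:" section also names pbkdf2 and says nothing about keyslots.
keyslot_kdfs() {
    awk '
        /^[^ \t]/ { in_slots = ($0 ~ /^Keyslots:/); next }  # header at column 0
        in_slots && /^[ \t]+[0-9]+:/ { slot = $1; sub(/:$/, "", slot) }
        in_slots && $1 == "PBKDF:"   { print slot, $2 }
    '
}

# Print the numbers of the keyslots whose KDF is not pbkdf2.
slots_to_convert() {
    keyslot_kdfs | awk '$2 != "pbkdf2" { print $1 }'
}

# Print (never run) one conversion command per such keyslot.
# $1 is the LUKS device; /dev/sdX2 below is a placeholder.
convert_commands() {
    slots_to_convert | while read -r slot; do
        echo "cryptsetup luksConvertKey --key-slot $slot --pbkdf pbkdf2 $1"
    done
}

# Constructed, abridged luksDump output used as sample input.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2

Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

sample_dump | convert_commands /dev/sdX2
```

On a real system, pipe `cryptsetup luksDump DEVICE` into `convert_commands DEVICE`, and take a `cryptsetup luksHeaderBackup` of the device before running any printed command.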
