Hello all! It was nice to see so many of you at FOSDEM and Guix Days
this year! I have been thinking about the many things that came out of
those wonderful days, and one of the things that has been clearest was
the clustering of people running MNT Pocket Reform devices, gathered at
the Guix on Weird Computers session at Guix Days. Five of us! And one
Steam Deck person!

But a universally agreed upon issue at that group was: booting on a
non-x86 system isn't great. In fact, it's not even great for full
encrypted boot on the x86 world, we're just *used* to it being not
great.

First, what's good about the present. Guix on x86 allows for full disk
encryption, which is great, and allows for choosing a particular
system generation on the boot menu, which is also great.

Things get less great from there:

- The "boot choice" only works on x86 devices, because that's where we
  have GRUB.
- It's painful with full disk encryption even then, because you have to
  type your passphrase twice. And the first time you type it you're
  stuck waiting for what feels like ages to find out if you entered it
  right or not, and if you haven't, you have to start all over. And if
  you have, you have to enter it *again*, with a "three strikes till a
  rescue REPL" situation, which if you hit that it's the absolute worst
  because then you have to start all over again.
- On non-x86, we don't have GRUB, so you can't choose a system
  generation.
- But also due to the bootloader hacks where GRUB decrypts the disk for
  you (albeit slowly) for full disk encryption we rely on, this also
  means that we really don't have a path to full disk encryption for
  non-x86 devices at all.

Notably, this last problem doesn't exist on Debian, and partly for this
very reason, I'm no longer running Guix as my distro! I'm running Guix
in userspace on top of Debian, which is suboptimal. Seems I'm not
alone. People running ARM at Guix Days were either running on top of
Debian or didn't have full disk encryption.

What's the path out? Is there a glorious future with full disk
encryption, entering your passphrase just *once*, and the ability to
select which generation to boot from for everyone?

I don't know the answers myself, I can speculate on a few:

- Have an unencrypted /boot which gets "splatted" to, but then we switch
  the kernel or something with kexec (somewhat suboptimal and kinda
  risky feeling)
- Maybe use the barebox bootloader on ARM:
  https://mastodon.social/@mntmn/115986965428592424
  (but what about the full disk encryption thing?)
- What does Nix do?
- Someone mentioned something else but I can't remember what it was

I dunno! But I feel like we could do better! Thoughts?

- Christine