Intro
This is a painful post to write. It's about a choice one should never have to make, the choice between software freedom and security.
In this post I explain how to use Guix with software coming from third-party repositories, including repositories shipping proprietary software. I also explain why and under what (very limited) circumstances you may want to consider installing proprietary software even if you're a strong free software advocate.
Of CPU microcode and firmware updates
There is a category of CPU vulnerabilities, such as Spectre and Meltdown, that have been brought to light in recent years and that affect the vast majority of CPUs. These vulnerabilities can only be mitigated via patches that get applied directly to the processor in the form of so-called microcode. Unfortunately microcode is usually released by CPU vendors under a proprietary licence.
Similarly, our devices and peripherals often require low-level software, or firmware, that defines their fundamental behaviour. Firmware updates may be required from time to time for various reasons, including to fix security vulnerabilities. Like with CPU microcode, firmware is often released as proprietary code.
Incidentally, the Linux Vendor Firmware Service is a project that collects firmware from hardware vendors and makes it available for download via a convenient API. The API can be used via a command-line client called fwupd.
This is a real conundrum. Either to prioritise software freedom, resulting in a potentially unpatched and vulnerable system; or to prioritise security, giving up on the idea of a completely free system.
Even if you're a strong free software supporter, security updates are probably the one case where you should make an exception. A good first step is to select freedom-respecting hardware from projects like Respects your Freedom, but completely free/libre hardware is rare these days. When the alternative is between freedom and security, you should consider to prioritise the latter and install CPU microcode and similar firmware updates.
Guix and Nonguix
Guix is a package manager, operating system, and more generally a software deployment system with interesting properties: declarative, functional, transactional, reproducible.
Guix has a strong stand in favour of software freedom. Guix only includes software released under a free-software licence - therefore no proprietary security updates such as CPU microcode.
Like many other software distributions, Guix offers a mechanism to download software from third-party repositories, called channels in Guix jargon. One such third-party channel is Nonguix. Typically, Nonguix contains software that can't be added to Guix for licensing reasons, including CPU microcode and tools such as fwupd (the non-free version). In the rest of this document I explain how to add Nonguix to your Guix system.
If you're interested, the Toys website lists various third-party Guix channels and provides an interface to search software from across all of them.
How to add Nonguix
The Nonguix documentation already explains how to add Nonguix to your Guix system. We'll briefly recap the main steps, focusing on how to install CPU microcode.
Add these bits to your system definition, which we assume is called
system.scm
. The proprietary kernel and the firmware may make it easier to use
some devices but are a matter of convenience, not security, and you may want to
skip them.
(use-modules (nongnu packages linux) (nongnu system linux-initrd) ...) (operating-system (kernel linux) (initrd microcode-initrd) (firmware (list linux-firmware)) ...)
Create a file like the one below, name it nonguix-guix.scm
:
(use-modules (gnu packages package-management) (guix channels)) (define my-channels (cons* (channel (name 'nonguix) (url "https://gitlab.com/nonguix/nonguix") (branch "master") (introduction (make-channel-introduction "897c1a470da759236cc11798f4e0a5f7d4d59fbc" (openpgp-fingerprint "2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5")))) %default-channels)) (guix (guix-for-channels my-channels))
You may want to double-check the OpenPGP fingerprint on the official website and via a trusted channel. Build the file with:
guix build --file=nonguix-guix.scm --root=nonguix-guix
This builds a Nonguix version of Guix (i.e. a version of Guix that includes
Nonguix as an additional repository, according to the nonguix-guix.scm
definition). You can use nonguix-guix/bin/guix
to reconfigure the system:
sudo nonguix-guix/bin/guix system reconfigure system.scm
There are other ways to do this, but this approach is interesting as it keeps
Guix and Nonguix separate. You'll only be able to install non-free software from
Nonguix when you explicitly decide to do so and use nonguix-guix/bin/guix
,
whereas the guix
command will continue to work as usual.
For example, look at the output of guix search fwupd-nonfree
and
nonguix-guix/bin/guix search fwupd-nonfree
. The former will return nothing,
whereas the latter will return a match, this is because fwupd-nonfree
is only
available from Nonguix.
As a further step, if you want to use precompiled binaries (or substitutes in Guix jargon) from the Nonguix project, you can modify your system definition as follows.
(define %nonguix-authorized-key (plain-file "nonguix-authorized-key.pub" "(public-key (ecc (curve Ed25519) (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))")) (define %nonguix-substitute-urls "https://substitutes.nonguix.org") (operating-system ... (services ... (modify-services %desktop-services (guix-service-type config => (guix-configuration (inherit config) (substitute-urls (cons* %nonguix-substitute-url %default-substitute-urls)) (authorized-keys (cons* %nonguix-authorized-key %default-authorized-guix-keys)))))))
That's all it takes to install CPU microcode (and potentially more non-free software, if you're so inclined) from Nonguix.
Outro
The fact that CPU microcode and similar security-related software (e.g. the non-free version of fwupd) are not in Guix is problematic.
Proprietary updates can be obtained from Nonguix, this is an easy workaround, but new users may not be aware of this. In fact, mentioning Nonguix in official Guix documentation and communication channels is discouraged, in light of the projects' different attitude towards proprietary software. But then new Guix users may end up not knowing about Nonguix and the freedom-vs-security trade-offs. Ultimately, they may be left exposed to vulnerabilities they're unaware of.
I think it'd be important to add a section to the Guix manual that presents the freedom-vs-security problem in all its technical and ethical complexity. Nonguix should be explicitly mentioned in the manual and it should stop being treated as a taboo. Ultimately, users should be informed as openly as possible and allowed to decide what to prioritise given their particular needs.