| | 1 | = Potential risks |
| | 2 | |
| | 3 | == Mitigation strategies |
| | 4 | |
| | 5 | Recommendations specific to Guix in air-gapped, classified use |
| | 6 | |
| | 7 | === Security Risks in an Air-Gapped Guix Workflow |
| | 8 | |
| | 9 | ==== Supply Chain Attacks via Source Code |
| | 10 | |
| | 11 | Even though you're building from source, the upstream source code (tarballs, Git repos) may be maliciously modified. |
| | 12 | Guix uses cryptographic hash verification, but only against what is declared in the Guix package definition — not against independent trust anchors. |
| | 13 | |
| | 14 | '''Mitigations:''' |
| | 15 | |
| | 16 | * Use guix build --source with hash-locked package definitions (content-addressed derivations). |
| | 17 | |
| | 18 | * Use reproducible builds and determinism checks (e.g., compare build outputs across trusted builders). |
| | 19 | |
| | 20 | * Consider maintaining a private mirror of trusted source code, and pin hash checks yourself. |
| | 21 | |
| | 22 | * Use content scanning tools (e.g., static analyzers) on all .tar.gz and Git checkouts. |
| | 23 | |
| | 24 | ==== Compromise via Channel Updates |
| | 25 | |
| | 26 | Your Guix package definitions come from Git channels (e.g., guix.git, or your own). |
| | 27 | |
| | 28 | If your channel is compromised, malicious package definitions could be delivered. |
| | 29 | |
| | 30 | '''Mitigations:''' |
| | 31 | |
| | 32 | * Use a pinned commit hash in your channels.scm. |
| | 33 | |
| | 34 | * Verify the channel commit with signed Git commits or tags (Guix supports this). |
| | 35 | |
| | 36 | * Host your own internal Guix channel for critical environments — control what definitions are trusted. |
| | 37 | |
| | 38 | * Use guix time-machine to avoid rolling updates. |
| | 39 | |
| | 40 | ==== Media Transfer Risks (USB, SD cards) |
| | 41 | |
| | 42 | USB drives used for transferring .nar files or source archives can be a vector for malware, even in an air-gapped setup. |
| | 43 | |
| | 44 | '''Mitigations:''' |
| | 45 | |
| | 46 | * Always format and scan USB media on a controlled, known-clean staging machine before inserting into classified systems. |
| | 47 | |
| | 48 | * Use write-once optical media (DVD-R) where appropriate for immutable transfer. |
| | 49 | |
| | 50 | * Prefer hash verification of transferred files (sha256sum sources.nar) using offline-known-good hashes. |
| | 51 | |
| | 52 | ==== Build Environment Leakage |
| | 53 | |
| | 54 | If the build process writes temporary files or outputs data to places outside the Guix store, secrets or traces of sensitive data could leak or persist. |
| | 55 | |
| | 56 | '''Mitigations:''' |
| | 57 | |
| | 58 | * Use guix build inside a dedicated, minimal, reproducible system (e.g., a guix system vm). |
| | 59 | |
| | 60 | * Enable build sandboxing (enabled by default in Guix). |
| | 61 | |
| | 62 | * Disable networking in builders if not already (Guix does this by default, but confirm your configuration). |
| | 63 | |
| | 64 | * Consider full-disk encryption for the build system. |
| | 65 | |
| | 66 | ==== Tampered Nar Archives |
| | 67 | |
| | 68 | .nar archives imported into your air-gapped server could be tampered with in transit. |
| | 69 | |
| | 70 | '''Mitigations:''' |
| | 71 | |
| | 72 | * Sign the archive on the export side and verify the signature on the import side. |
| | 73 | |
| | 74 | * Use GPG or minisign for signing hashes. |
| | 75 | |
| | 76 | * Maintain a hash whitelist of approved .nar files on the classified system. |
| | 77 | |
| | 78 | * Store all .nar imports in a sealed append-only log for auditing. |
| | 79 | |
| | 80 | == High-Security Recommendations for Guix in Classified Environments |
| | 81 | |
| | 82 | || '''Concern''' || '''Recommendation''' || |
| | 83 | || Source authenticity || Use fixed-output derivations with pinned hashes || |
| | 84 | || Package definition trust || Host internal Guix channel; pin commit hashes || |
| | 85 | || Archive integrity || Sign .nar files and verify signatures || |
| | 86 | || Reproducibility || Use multiple offline builders to cross-check outputs || |
| | 87 | || Logging || Keep an audit trail of all imports and builds || |
| | 88 | || Isolation || Build in virtual machines or system containers with no network || |
| | 89 | || Transfer media || Sanitize USBs or use write-once optical media || |
| | 90 | || User separation || Separate users for import, build, audit, and deployment tasks || |
| | 91 | |
| | 92 | == Final Thoughts |
| | 93 | |
| | 94 | Guix offers an excellent foundation for secure, reproducible software environments. |
| | 95 | |
| | 96 | But air-gapped security is about the whole process, not just the tooling. |
| | 97 | |
| | 98 | You should treat the Guix channel, source transport, build environment, and auditability as a single trusted pipeline. |
