| 1 | | = Potential risks |
| 2 | | |
| 3 | | == Mitigation strategies |
| 4 | | |
| 5 | | Recommendations specific to Guix in air-gapped, classified use |
| 6 | | |
| 7 | | === Security Risks in an Air-Gapped Guix Workflow |
| 8 | | |
| 9 | | ==== Supply Chain Attacks via Source Code |
| 10 | | |
| 11 | | Even though you're building from source, the upstream source code (tarballs, Git repos) may be maliciously modified. |
| 12 | | Guix uses cryptographic hash verification, but only against what is declared in the Guix package definition — not against independent trust anchors. |
| 13 | | |
| 14 | | '''Mitigations:''' |
| 15 | | |
| 16 | | * Use guix build --source with hash-locked package definitions (content-addressed derivations). |
| 17 | | |
| 18 | | * Use reproducible builds and determinism checks (e.g., compare build outputs across trusted builders). |
| 19 | | |
| 20 | | * Consider maintaining a private mirror of trusted source code, and pin hash checks yourself. |
| 21 | | |
| 22 | | * Use content scanning tools (e.g., static analyzers) on all .tar.gz and Git checkouts. |
| 23 | | |
| 24 | | ==== Compromise via Channel Updates |
| 25 | | |
| 26 | | Your Guix package definitions come from Git channels (e.g., guix.git, or your own). |
| 27 | | |
| 28 | | If your channel is compromised, malicious package definitions could be delivered. |
| 29 | | |
| 30 | | '''Mitigations:''' |
| 31 | | |
| 32 | | * Use a pinned commit hash in your channels.scm. |
| 33 | | |
| 34 | | * Verify the channel commit with signed Git commits or tags (Guix supports this). |
| 35 | | |
| 36 | | * Host your own internal Guix channel for critical environments — control what definitions are trusted. |
| 37 | | |
| 38 | | * Use guix time-machine to avoid rolling updates. |
| 39 | | |
| 40 | | ==== Media Transfer Risks (USB, SD cards) |
| 41 | | |
| 42 | | USB drives used for transferring .nar files or source archives can be a vector for malware, even in an air-gapped setup. |
| 43 | | |
| 44 | | '''Mitigations:''' |
| 45 | | |
| 46 | | * Always format and scan USB media on a controlled, known-clean staging machine before inserting into classified systems. |
| 47 | | |
| 48 | | * Use write-once optical media (DVD-R) where appropriate for immutable transfer. |
| 49 | | |
| 50 | | * Prefer hash verification of transferred files (sha256sum sources.nar) using offline-known-good hashes. |
| 51 | | |
| 52 | | ==== Build Environment Leakage |
| 53 | | |
| 54 | | If the build process writes temporary files or outputs data to places outside the Guix store, secrets or traces of sensitive data could leak or persist. |
| 55 | | |
| 56 | | '''Mitigations:''' |
| 57 | | |
| 58 | | * Use guix build inside a dedicated, minimal, reproducible system (e.g., a guix system vm). |
| 59 | | |
| 60 | | * Enable build sandboxing (enabled by default in Guix). |
| 61 | | |
| 62 | | * Disable networking in builders if not already (Guix does this by default, but confirm your configuration). |
| 63 | | |
| 64 | | * Consider full-disk encryption for the build system. |
| 65 | | |
| 66 | | ==== Tampered Nar Archives |
| 67 | | |
| 68 | | .nar archives imported into your air-gapped server could be tampered with in transit. |
| 69 | | |
| 70 | | '''Mitigations:''' |
| 71 | | |
| 72 | | * Sign the archive on the export side and verify the signature on the import side. |
| 73 | | |
| 74 | | * Use GPG or minisign for signing hashes. |
| 75 | | |
| 76 | | * Maintain a hash whitelist of approved .nar files on the classified system. |
| 77 | | |
| 78 | | * Store all .nar imports in a sealed append-only log for auditing. |
| 79 | | |
| 80 | | == High-Security Recommendations for Guix in Classified Environments |
| 81 | | |
| 82 | | || '''Concern''' || '''Recommendation''' || |
| 83 | | || Source authenticity || Use fixed-output derivations with pinned hashes || |
| 84 | | || Package definition trust || Host internal Guix channel; pin commit hashes || |
| 85 | | || Archive integrity || Sign .nar files and verify signatures || |
| 86 | | || Reproducibility || Use multiple offline builders to cross-check outputs || |
| 87 | | || Logging || Keep an audit trail of all imports and builds || |
| 88 | | || Isolation || Build in virtual machines or system containers with no network || |
| 89 | | || Transfer media || Sanitize USBs or use write-once optical media || |
| 90 | | || User separation || Separate users for import, build, audit, and deployment tasks || |
| 91 | | |
| 92 | | == Final Thoughts |
| 93 | | |
| 94 | | Guix offers an excellent foundation for secure, reproducible software environments. |
| 95 | | |
| 96 | | But air-gapped security is about the whole process, not just the tooling. |
| 97 | | |
| 98 | | You should treat the Guix channel, source transport, build environment, and auditability as a single trusted pipeline. |
| | 1 | [[Potential risks and mitigations]] |
