OH: The floor is Java @matthewcroughan
after 8 hours of debugging, I successfully narrowed down the YubiKey PIV PKCS#11 libp11 openssl provider issue stopping openssl from finding the correct private key: The YubiKey is (incorrectly) returning an X.509 attestation certificate without a public key entry if invoked via the libp11 openssl provider, but one with a public key (correctly) if invoked via p11-kit.
Unfortunately I have zero clue how to continue debugging from here.
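A quick way to make the asymmetry above visible is to list the token's objects through each PKCS#11 path and check, per CKA_ID, whether every certificate has a public-key and a private-key object beside it. The script below is an added example and not code from the post's author: it parses the output of OpenSC's `pkcs11-tool --module <lib> --list-objects` and reports certificates whose ID lacks a sibling key object. The sample listing is constructed for illustration, and the module path in the usage comment is an assumption.

```python
"""Diagnostic: match PKCS#11 certificate objects to key objects by CKA_ID.

Added example (not from the original post). Parses the text output of
`pkcs11-tool --module <lib> --list-objects` (OpenSC) and reports every
certificate whose CKA_ID has no public-key and/or private-key object next
to it. The sample output below is constructed; the module path used in the
usage comment is an assumption.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample: ID 9a has a certificate and a private key but no
# public-key object (the symptom described in the post); ID 9c has the
# complete certificate / public key / private key triple.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  subject:    DN: CN=example-user
  ID:         9a
Private Key Object; RSA
  label:      Private key for PIV Authentication
  ID:         9a
  Usage:      decrypt, sign
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  subject:    DN: CN=example-user
  ID:         9c
Public Key Object; RSA 2048 bits
  label:      Public key for Digital Signature
  ID:         9c
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      Private key for Digital Signature
  ID:         9c
  Usage:      decrypt, sign
"""

# Each object in the listing starts with a header line of this shape.
OBJECT_HEADER = re.compile(r"^(Certificate|Public Key|Private Key) Object;")


def parse_objects(listing):
    """Return a list of (kind, attrs) tuples from --list-objects output."""
    objects = []
    current = None
    for line in listing.splitlines():
        m = OBJECT_HEADER.match(line)
        if m:
            current = (m.group(1), {})
            objects.append(current)
            continue
        # Indented "key: value" lines belong to the most recent object.
        if current is not None and line.startswith("  ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[1][key.strip()] = value.strip()
    return objects


def find_incomplete_certs(listing):
    """Map each certificate's CKA_ID to the key kinds missing for that ID."""
    by_id = defaultdict(set)
    for kind, attrs in parse_objects(listing):
        if "ID" in attrs:
            by_id[attrs["ID"]].add(kind)
    missing = {}
    for obj_id, kinds in by_id.items():
        if "Certificate" not in kinds:
            continue
        gaps = sorted({"Public Key", "Private Key"} - kinds)
        if gaps:
            missing[obj_id] = gaps
    return missing


def list_token_objects(module_path):
    """Run pkcs11-tool against a real PKCS#11 module and return its output."""
    result = subprocess.run(
        ["pkcs11-tool", "--module", module_path, "--list-objects"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for obj_id, gaps in find_incomplete_certs(SAMPLE_LISTING).items():
        print(f"ID {obj_id}: certificate present but missing {', '.join(gaps)}")
    # Against a real token (module path is an assumption):
    # print(find_incomplete_certs(list_token_objects("/usr/lib/libykcs11.so")))
```

Running it once with the module loaded directly and once through the p11-kit proxy module, then diffing the two reports, pins down which path drops the public-key object for a given ID.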
TODO for #AuroraSprint:
- get LVM and Secure Boot signing to work in my NixOS image builder framework
  - ( ) ~~LVM~~ (doubtful if feasible)
  - (x) Secure Boot
- ( ) ~~write a systemd-veritysetup initrd module~~ (doubtful if this even makes sense)
- ( ) refactor upstream NixOS systemd-boot ESP generation script
- (x) extend initrd secrets module
- ( ) rewrite robotnix docs
- ( ) robotnix PKCS#11 token signing
- ( ) get NixNG to boot