Ra (Freyja) (it/its)𒀭𒈹𒍠𒊩since I haven't yet used it, should I try #NixOS on my backup NAS?
ok here we ggo. #NixOS ZFS root on the backup NAS
ok I've got a live image, /run/current-system/sw appears to be "ok I suppose we can sort of have a standard Unix-looking filesystem but not really"
and now I get to figure out how the fuck to do NixOS root on ZFS
update: success! NixOS is now running on Yttrium. Is there a declarative way to tell my zpool to expand to the other drives in my machine, or do I do that th old way?
update: NFS shared to my primary NAS, fwupd installed, nfs server running, this is actually working
update: NixOS still deosn't have
boot.loader.secureboot.enabled = true;
or anything like that? despite using systemd-boot..... that seems really dumb
I feel like the Linux community really fucked up in not embracing things like secure boot and mandatory disk encryption with TPM2 binding after the lies spread by anti-UEFI, anti-Secureboot people born out of misunderstandings about Windows 8 requirements
Irenes (many)@freya we're in favor of that sort of thing, yeah, though it's .... TPM binding is nice but it's an after-the-fact detection system, which, while still genuinely helpful, is less comforting for us with an activist threat model than it would be to a corporation for which everything comes down to financial loss and can be averaged out and forgotten
@ireneista oh, sure, but it's at least *something*
@freya yeah, absolutely
@freya signed boot, now, we're hugely in favor of that. we've been chewing for years on what it would have to be like workflow-wise to provide high assurances to non-experts.
@ireneista something like what AVB does?
@freya well the hard part in our view is, with a source-based distro, when does signing happen?
@ireneista that's true, s'why I'm not a fan of source-based distros like gentoo myself\
Ity Kitty@freya @ireneista oh hey, that's my work (verified boot on Linux, specifically Gentoo)
@tranquillity @ireneista gentoo gives me a headache unfortunately
@freya @ireneista I don't like it but I found it the easiest for when I inevitably have to debug every single program on my OS and just edit the src of everything that runs on my system to fix bugs in upstream
Collecting a bunch of .patch files when yet another random thing breaks, my favorite.
@freya @ireneista I also need to have the debug info hooked up right for GDB to work
Etc
@tranquillity @freya yeahhhhh this is how we relate to nix heh sigh
@ireneista @tranquillity gods, you linux people are ridiculous, I hope you're aware
@freya @ireneista I still hate Linux
@tranquillity @ireneista have you tried Solaris, cutie?
@freya @ireneista not like I spent a decent enough time setting up a cross compiling toolchain for targeting Solaris :3
@tranquillity @ireneista yes but you should play iwth Solaris 11.4 on X64 with secureboot
@freya @ireneista hmm, I cooould
@freya @tranquillity we don't really identify as a linux person we just happen to use it
@tranquillity @freya oh nice!
@freya nix just doesn't have an answer for that because the tooling is deeply invested in pretending that user interaction during building is impossible
(we have a bunch of nix things that are authorized by a yubikey touch... which is user interaction, just, not through the obvious UI)
@freya we think that needs to change, but it seems like we're the only ones interested in that direction of research, so it may be a while
@ireneista AVB seems to be fairly workable, especially with avbkey partitions on pixels for installing custom loader keys, something that LineageOS should feel fucking ashamed of not taking advantage of
@freya @ireneista you can sign LOS builds, I'm quite curious exactly what Pixels did to the usual ARM boot chain though.
I've been still too lazy to get mine signed (I'm on a Pixel now :D), because why document any of it, amirite. Gotta make the ity go RE things.
@tranquillity @ireneista Pixels have boot chain security rooted in the titan M2, a RISC-V microcontroller that acts as a keybox. Qualcomm XBL UEFI firmware loads ABL, ABL talks to the Titan M2 to verify the signature on the boot-archive, and so on
@ireneista @freya TPM can be used to seal a disk encryption key and simply not give access to the disk and refuse to boot on tampering
@tranquillity @freya sure, but, unless we're missing something, the bootloader, initrd etc still have to be unencrypted, right?
@ireneista @tranquillity unencrypted yes, but any modification to them would be caught by secureboot
@ireneista @freya cries in UKIs
@tranquillity @ireneista UKIs are good actually
@tranquillity @freya UKIs are definitely more elegant and convenient, especially around signing logistics... it's just that the size of the nixos initrd keeps creeping upwards, it's like triple what it was a few years ago (of course this does depend on settings). so a lot of systems have boot partitions that used to have plenty of space, and no longer do, and using separate kernel images saves a little :/
@ireneista @tranquillity really they should be using a hardened Linux kernel +initramfs in a UKI as the bootloader, then can mount the root partition and do any verification magic the user wants without making the object the firmware loads, massive
@tranquillity @freya (we think the ballooning initrd size is really unfortunate and keeping it small ought to be a higher priority, heh)
@ireneista @freya NixOS makes me cry, and I refuse to come back until I handroll my own nixpkgs that isn't... What nixpkgs has become.
@tranquillity @ireneista I'm probably not going to stick with NixOS, I wish Illumos distros had secure boot and built-in support for encrypted root on ZFS
@freya @ireneista wdym "had secure boot" ?
@tranquillity @ireneista they just don't support secure boot at all, there's no native tooling for it. could maybe knock something together with shim to load the BSD loader and....... but I'm not you, I'm not that much of a masochist
@freya @ireneista it's how I managed to daily drive NixOS for years! Masochism energy concentrate!
@tranquillity @freya yep, legit
@tranquillity oh there was a whole *thing* about how "oh, well, secure boot is a way for microsoft to control what you can run on your pc!" and "secrue boot is the root of evil drm!" and "uefi is microsoft's evil vehicle of evilness to do evil!" and all this shit
@freya oh those funny things
UEFI's secure boot is simply not secure, given its root of trust is a trivially reflashable chip unless you own a device with smth like Intel TXT. It's also why it's trivial to decrypt things like BitLocker, since BitLocker only measures PCR7 and thus uses the same root of trust
I don't like UEFI, but not like we got anything better. Esp. hell on things like RISC-V, but I digress. I'm glad on x86 we have a semi-standardized way of booting an executable + APIs, on ARM and RV all we got is uboot, hopes and dreams.
@tranquillity given Intel Boot Guard, now, UEFI secure boot is afaik pretty secure
@tranquillity incorrect, you're thinking of Intel AMT.
@freya that's a separate thing, not what I'm thinking of
I should get a spare machine to play with. What about my girlfriend's Framework while she's asleep :3
@tranquillity boot guard is, afaik, pretty universal now
@freya hmm
I'm gonna probably finally test it myself rather than just trusting my firmware hacking friends' words for it
@tranquillity good cutie