since I haven't yet used it, should I try #NixOS on my backup NAS?
ok here we go. #NixOS ZFS root on the backup NAS
ok I've got a live image, /run/current-system/sw appears to be "ok I suppose we can sort of have a standard Unix-looking filesystem but not really"
and now I get to figure out how the fuck to do NixOS root on ZFS
update: success! NixOS is now running on Yttrium. Is there a declarative way to tell my zpool to expand to the other drives in my machine, or do I do that the old way?
update: NFS shared to my primary NAS, fwupd installed, nfs server running, this is actually working

update: NixOS still doesn't have

boot.loader.secureboot.enabled = true;

or anything like that? despite using systemd-boot..... that seems really dumb

I feel like the Linux community really fucked up in not embracing things like secure boot and mandatory disk encryption with TPM2 binding after the lies spread by anti-UEFI, anti-Secureboot people born out of misunderstandings about Windows 8 requirements
@freya we're in favor of that sort of thing, yeah, though it's .... TPM binding is nice but it's an after-the-fact detection system, which, while still genuinely helpful, is less comforting for us with an activist threat model than it would be to a corporation for which everything comes down to financial loss and can be averaged out and forgotten
@freya signed boot, now, we're hugely in favor of that. we've been chewing for years on what it would have to be like workflow-wise to provide high assurances to non-experts.
@ireneista AVB seems to be fairly workable, especially with avbkey partitions on pixels for installing custom loader keys, something that LineageOS should feel fucking ashamed of not taking advantage of

@freya @ireneista you can sign LOS builds, I'm quite curious exactly what Pixels did to the usual ARM boot chain though.

I've been still too lazy to get mine signed (I'm on a Pixel now :D), because why document any of it, amirite. Gotta make the ity go RE things.

@tranquillity @ireneista Pixels have boot chain security rooted in the Titan M2, a RISC-V microcontroller that acts as a keybox. Qualcomm XBL UEFI firmware loads ABL, ABL talks to the Titan M2 to verify the signature on the boot-archive, and so on