Ra (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
since I haven't yet used it, should I try #NixOS on my backup NAS?
Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
ok here we ggo. #NixOS ZFS root on the backup NAS
Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
ok I've got a live image, /run/current-system/sw appears to be "ok I suppose we can sort of have a standard Unix-looking filesystem but not really"
Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
and now I get to figure out how the fuck to do NixOS root on ZFS
Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
update: success! NixOS is now running on Yttrium. Is there a declarative way to tell my zpool to expand to the other drives in my machine, or do I do that th old way?
Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
update: NFS shared to my primary NAS, fwupd installed, nfs server running, this is actually working
Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago

update: NixOS still deosn't have

boot.loader.secureboot.enabled = true;

or anything like that? despite using systemd-boot..... that seems really dumb

Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
I feel like the Linux community really fucked up in not embracing things like secure boot and mandatory disk encryption with TPM2 binding after the lies spread by anti-UEFI, anti-Secureboot people born out of misunderstandings about Windows 8 requirements
Show threadIty Kitty3d ago
@freya wdym? What lies?
Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
@tranquillity oh there was a whole *thing* about how "oh, well, secure boot is a way for microsoft to control what you can run on your pc!" and "secrue boot is the root of evil drm!" and "uefi is microsoft's evil vehicle of evilness to do evil!" and all this shit
Show threadIty Kitty

@freya oh those funny things

UEFI's secure boot is simply not secure, given its root of trust is a trivially reflashable chip unless you own a device with smth like Intel TXT. It's also why it's trivial to decrypt things like BitLocker, since BitLocker only measures PCR7 and thus uses the same root of trust

I don't like UEFI, but not like we got anything better. Esp. hell on things like RISC-V, but I digress. I'm glad on x86 we have a semi-standardized way of booting an executable + APIs, on ARM and RV all we got is uboot, hopes and dreams.

Apr 13 at 5:06amWeb
Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
@tranquillity given Intel Boot Guard, now, UEFI secure boot is afaik pretty secure
Show threadIty Kitty3d ago
@freya from what I know they only really enable that in "business" devices
Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
@tranquillity incorrect, you're thinking of Intel AMT.
Show threadIty Kitty3d ago

@freya that's a separate thing, not what I'm thinking of

I should get a spare machine to play with. What about my girlfriend's Framework while she's asleep :3

Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
@tranquillity sillyyyy
Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
@tranquillity boot guard is, afaik, pretty universal now
Show threadIty Kitty3d ago

@freya hmm

I'm gonna probably finally test it myself rather than just trusting my firmware hacking friends' words for it

Show threadRa (Freyja) (it/its)𒀭𒈹𒍠𒊩3d ago
@tranquillity good cutie