21 Oct 2024 |
hexa | systemd-boot and redundant EF00 partitions | 01:39:47 |
hexa | * systemd-boot and redundant EFI partitions | 01:40:02 |
hexa | is that possible on NixOS? | 01:40:10 |
hexa | I imagine two removable installations and gg | 01:40:36 |
ElvishJerricco | hexa: There was a PR for that but it got closed because of a number of unsolved questions | 01:52:39 |
ElvishJerricco | hexa: the biggest problems are that invoking bootctl multiple times gets funky with EFI variables and that state needs to be synchronized between the mirrors (boot counting and random-seed) | 01:59:24 |
hexa | hrm okay | 02:03:38 |
Arian | I think the problem is that we don't use entry-tokens in our systemd-boot-builder | 10:59:38 |
Arian | or wait that's a different issue. I want to have like 2 parallel NixOS installations on one machine. But in NixOS it's a bit vague what that means | 11:00:11 |
Arian | We don't include any of the pcr measurement units in our systemd yet right? | 11:22:07 |
Arian | (IDK if the ConditionUnifiedUKI works with lanzaboote's stub) | 11:23:13 |
raitobezarius | (if it doesn't, this is fixable) | 12:02:28 |
raitobezarius | i actually don't tend to use secure boot with measured boot tbh | 12:02:39 |
raitobezarius | In reply to @arianvp:matrix.org We don't include any of the pcr measurement units in our systemd yet right? the pcr-phase? | 12:02:49 |
raitobezarius | no | 12:02:49 |
Arian | In reply to @raitobezarius:matrix.org i actually don't tend to use secure boot with measured boot tbh But the lanzaboote stub is still useful in this case due to the thin uki | 12:06:28 |
Arian | Especially if we measure the thin uki components | 12:06:44 |
raitobezarius | if you need more than 2 generations, yes | 12:06:54 |
Arian | Yes. I want this to work for a normal nixos install where someone wants to use pcrlock basically | 12:07:25 |
raitobezarius | me too | 12:07:38 |
Arian | So not a/b boot with verity | 12:07:40 |
emily | nikstur: 😍 suidless | 18:10:33 |
ElvishJerricco | So I want to change the chroot that we do to find the realpath of the closure in systemd initrd. The main reason being that I don't want to execute any code from the sysroot store until we're actually going to switch-root. And I have two ways in mind to accomplish this. I can either do something frustrating but reasonable, or I can do something horribly cursed but easy :P | 19:21:08 |
ElvishJerricco | The reasonable thing would be to just write a realpath-like script / program that considers an alternate root. | 19:21:40 |
ElvishJerricco | the cursed thing would be mount -o noexec --bind /sysroot /sysroot and then mount -t overlay -o ro lower=/sysroot/nix/store:/nix/store /sysroot/nix/store and do a chroot /sysroot realpath anyway :P | 19:23:09 |
ElvishJerricco | that way we're using the initrd's realpath and sysroot code is all noexec just in case | 19:23:36 |
ElvishJerricco | * the cursed thing would be mount -o noexec --bind /sysroot /sysroot and then mount -t overlay -o ro,lowerdir=/sysroot/nix/store:/nix/store /sysroot/nix/store and do a chroot /sysroot realpath anyway :P | 19:26:03 |
ElvishJerricco | In reply to @elvishjerricco:matrix.org The reasonable thing would be to just write a realpath-like script / program that considers an alternate root. (btw does a program like this already exist anywhere? I wasn't able to find anything) | 19:28:23 |