| 21 Oct 2024 |
 hexa | systemd-boot and redundant EF00 partitions | 01:39:47 |
| hexa | * systemd-boot and redundant EFI partitions | 01:40:02 |
| hexa | is that possible on NixOS? | 01:40:10 |
| hexa | I imagine two removable installations and gg | 01:40:36 |
 ElvishJerricco | hexa: There was a PR for that but it got closed because of a number of unsolved questions | 01:52:39 |
| ElvishJerricco | hexa: the biggest problems are that invoking bootctl multiple times gets funky with EFI variables and that state needs to be synchronized between the mirrors (boot counting and random-seed) | 01:59:24 |
| hexa | hrm okay | 02:03:38 |
|  @tolgaerok:matrix.org left the room. | 04:35:27 |
 Arian | I think the problem is that we don't use entry-tokens in our systemd-boot-builder | 10:59:38 |
| Arian | or wait that's a different issue. I want to have like 2 parallel NixOS installations on one machine. But in NixOS it's a bit vague what that means | 11:00:11 |
| Arian | We dont' include any of the pcr measurement units in our systemd yet right? | 11:22:07 |
| Arian | (IDK if the ConditionUnifiedUKI works with lanzaboote's stub) | 11:23:13 |
 raitobezarius | (if it doesn't, this is fixable) | 12:02:28 |
| raitobezarius | i actually don't tend to use secure boot with measured boot tbh | 12:02:39 |
| raitobezarius | In reply to @arianvp:matrix.org
We dont' include any of the pcr measurement units in our systemd yet right? the pcr-phase? | 12:02:49 |
| raitobezarius | no | 12:02:49 |
| Arian | In reply to @raitobezarius:matrix.org
i actually don't tend to use secure boot with measured boot tbh But the lanzaboote stub is still useful in this case due to the thin uki | 12:06:28 |
| Arian | Especially if we measure the think uki components | 12:06:44 |
| raitobezarius | if you need more than 2 generations, yes | 12:06:54 |
| Arian | Yes. I want this to work for a normal nixos install where someone wants to use pcrlock basically | 12:07:25 |
| raitobezarius | me too | 12:07:38 |
| Arian | So not a/b boot with verity | 12:07:40 |
 emily | nikstur: 😍 suidless | 18:10:33 |
| ElvishJerricco | So I want to change the chroot that we do to find the realpath of the closure in systemd initrd. The main reason being that I don't want to execute any code from the sysroot store until we're actually going to switch-root. And I have two ways in mind to accomplish this. I can either do something frustrating but reasonable, or I can do something horribly cursed but easy :P | 19:21:08 |
| ElvishJerricco | The reasonable thing would be to just write a realpath-like script / program that considers an alternate root. | 19:21:40 |
| ElvishJerricco | the cursed thing would be mount -o noexec --bind /sysroot /sysroot and then mount -t overlay -o ro lower=/sysroot/nix/store:/nix/store /sysroot/nix/store and do a chroot /sysroot realpath anyway :P | 19:23:09 |
| ElvishJerricco | that way we're using the initrd's realpath and sysroot code is all noexec just in case | 19:23:36 |
| ElvishJerricco | * the cursed thing would be mount -o noexec --bind /sysroot /sysroot and then mount -t overlay -o ro,lowerdir=/sysroot/nix/store:/nix/store /sysroot/nix/store and do a chroot /sysroot realpath anyway :P | 19:26:03 |
| ElvishJerricco | In reply to @elvishjerricco:matrix.org
The reasonable thing would be to just write a realpath-like script / program that considers an alternate root. (btw does a program like this already exist anywhere? I wasn't able to find anything) | 19:28:23 |
|  (artur 'manuel) changed their display name from (lambda (f l) (format nil "~a ~a")) "Artur" "Manuel" to (artur 'manuel). | 20:04:20 |
