| 3 Oct 2024 |
 ElvishJerricco | Arian: I genuinely cannot understand what that section of that page is saying | 21:43:54 |
| ElvishJerricco | "such a unit" is ordered... After=boot-complete.target, but is wanted by multi-user.target (and therefore ordered Before= it), which does not contain cycles. So to prevent cycles, we should order it... After=multi-user.target? Huh? | 21:44:55 |
| ElvishJerricco | boot-complete.target isn't ordered after multi-user.target | 21:45:08 |
| ElvishJerricco | er, | 21:45:29 |
| ElvishJerricco | is it? | 21:45:30 |
| ElvishJerricco | the unit in the systemd package just says After=sysinit.target | 21:45:49 |
 raitobezarius | In reply to @elvishjerricco:matrix.org
(look at that, Apple has MOK built in, unlike UEFI :P) Tbh MOK could be built in EDK2 | 22:27:29 |
| raitobezarius | It's kinda just a choice | 22:27:34 |
| raitobezarius | I would literally bet that the Apple secure element impl is just the obvious EDK2 package in there | 22:28:01 |
| raitobezarius | (interestingly: there's very few non TPM2, e.g. ARM TrustZone and similar code support in the Linux trusted system ecosystem) | 22:28:38 |
 emily | no, there's no EDK2 on Apple's platform. they have a custom L4-based microkernel for the Secure Enclave | 22:32:08 |
| emily | no UEFI on the host side of the SoC either | 22:32:28 |
| emily | their firmware chain is much more minimal | 22:35:04 |
| emily | there's not even a keyboard driver to show the boot menu without booting a mini-macOS | 22:35:20 |
| raitobezarius | I think you are thinking of Apple M1? | 22:38:31 |
| ElvishJerricco | oh wait is that not what we're talking about? | 22:38:48 |
| ElvishJerricco | the per-OS thing emily was talking about is an apple silicon thing | 22:39:25 |
| raitobezarius | It's true that Apple Silicon was mentioned first | 22:39:28 |
| emily | I'm a little confused, where would EDK2 be involved on any current Apple platform? | 22:39:52 |
| raitobezarius | But my brain went on Apple T2 | 22:39:52 |
| emily | ah | 22:40:02 |
| emily | I don't think T2 involved UEFI either, since it was basically a proto-M1 | 22:40:10 |
| emily | maybe on the Intel side of the equation, but Apple's EFI implementation is old enough and quirky enough that I wouldn't be surprised if it wasn't | 22:40:33 |
| emily | but yeah I was talking about the Apple Silicon boot security model | 22:40:44 |
| raitobezarius | I am quite certain that T2 has UEFI firmware | 22:41:00 |
| emily | https://support.apple.com/en-gb/guide/security/seced055bcf6/web ok it actually is EDK2 for Intel | 22:41:19 |
| raitobezarius | (and it's even publicly documented as such by Apple itself afaik?) | 22:41:19 |
| emily | I don't think the T2 itself boots via UEFI, but it's used as the root of trust for the Intel CPU's UEFI boot | 22:41:39 |
| emily | is my understanding | 22:41:40 |
| emily | (maybe we're referring to different things by "T2"?) | 22:41:49 |
