| 21 Jun 2021 |
Foxboron | (Self-promotion: https://github.com/Foxboron/sbctl/) | 08:37:16 |
Linux Hackerman | Nice! | 08:37:41 |
Linux Hackerman | Oh but if keys can be loaded from the initramfs that's perfect. | 08:38:22 |
Foxboron | Well, not without additional patching. | 08:38:37 |
Foxboron | I haven't figured out how the initrd key insertion works. I have been trying to figure out lockdown mode + secureboot. (But now we are moving into offtopic territory) | 08:39:02 |
Linux Hackerman | hm, I was thinking that the kernel could boot in non-lockdown mode, then the initramfs (which is also a signed efi image ergo trustable) can load some keys in via sysfs/procfs/whatever, and then enable lockdown | 08:39:48 |
Linux Hackerman | IMHO, it's on-topic enough :p | 08:40:15 |
Foxboron | There is no support. Currently you need to insert a key into the initrd or add the canonical/redhat patches which yeets the secure boot keys into the kernel keyring. | 08:40:41 |
Foxboron | But initrd != efistub (or something) | 08:40:54 |
Foxboron | (I never dug deep into that part of the problem) | 08:41:01 |
Linux Hackerman | Well yeah, inserting the key into the initramfs is what I'm describing | 08:41:34 |
Linux Hackerman | The efi stub is part of the linux kernel which makes it into an EFI-bootable image IIUC. | 08:42:02 |
Foxboron | initramfs isn't actually protected by secure boot. But if you make a unified EFI image with initramfs+kernel it is. Hmmmm. Ahh this would be a cool feature | 08:43:33 |
Linux Hackerman | Oh right, yeah, just saw that in https://github.com/NixOS/nixpkgs/pull/53901/files#diff-14341d580318ebe4f2ce22e4fc94c02f6a56229cdc7ae939728628a47b9e6b39R144-R149 :) | 08:44:00 |
Foxboron | Make a separate initramfs with the key in kernel/x86/key/somecert.cert (this is what microcode does for early boot loading) which you can concat with microcode + initramfs. | 08:44:49 |
Foxboron | This is me theorizing what alternative key loading would look like fwiw | 08:45:32 |
| fgaz joined the room. | 10:05:45 |
baloo | 1486 out of 1486 (100.00%) paths in the minimal installation image are reproducible! | 12:48:25 |
baloo | In reply to @foxboron:archlinux.org initramfs isn't actually protected by secure boot. But if you make a unified EFI image with initramfs+kernel it is. Hmmmm. Ahh this would be a cool feature That is pretty easy to do actually.
https://github.com/baloo/reproducibility-lab/tree/main/pkgs/uefi-bundle
I haven't worked on injecting the key from the secureboot but that does not sound impossible. | 13:32:28 |
baloo | Although if I might be pessimistic a bit. Not too sure all too many people have a practical use case for it | 13:33:46 |
@grahamc:nixos.org | Foxboron: how do you deal with the key? | 20:56:34 |
Foxboron | In reply to @grahamc:nixos.org Foxboron: how do you deal with the key? for which part? The discussion above refers to quite a few keys :p | 22:20:00 |
| 22 Jun 2021 |
siraben | is there a collection of patches we sent upstream to achieve 100% reproducibility? | 04:19:19 |
raboof | In reply to @siraben:matrix.org is there a collection of patches we sent upstream to achieve 100% reproducibility? I don't think so, no | 07:26:03 |
davidak | In reply to @baloo_:matrix.org 1486 out of 1486 (100.00%) paths in the minimal installation image are reproducible! I have just checked and noticed it. congratulations to everyone involved! can we have a big announcement with short introduction what this effort is about, link to https://reproducible-builds.org/ and then include it in their newsletter? also announce on twitter, mastodon, hackernews, reddit, lemmy, ... with link to our blog post. that's how we can make people interested in NixOS ;) #marketing | 19:37:58 |
tomberek | Ideally, yes. It was on HN yesterday for a while. I'd suggest one aspect of the marketing is to describe why this is a good thing and what this allows. The Nix/NixOS marketing team meets tomorrow, we can bring it up to have a coordinated thing. | 20:05:47 |
| ollijh joined the room. | 20:12:40 |
| 23 Jun 2021 |
siraben | tomberek: is there an invite link for the marketing meeting? | 03:21:32 |
| anubhavkini joined the room. | 06:52:49 |
raboof | we should definitely make sure it makes it to the reproduce-builds monthly newsletter, I'll write something up unless someone beats me to it | 07:40:03 |