| 29 Jul 2022 |
 K900 | Since people here might be interested too: I have a mostly working secure boot PoC with bootspec, rEFInd and sbctl at https://gitlab.com/K900/bootis | 06:08:18 |
| K900 | It is very much PoC and might set your computer on fire but please try it and tell me if it did | 06:08:42 |
 Winter (she/her) | What advantages does this provide over Graham's impl? | 06:09:03 |
| K900 | refind instead of sd-boot, and sbctl has some really nice failsafes to prevent you from breaking your system by accident | 06:10:38 |
| Winter (she/her) | oh cool | 06:11:33 |
| Winter (she/her) | (fwiw i wasn't saying that to like, bash your work, was just curious) | 06:11:48 |
| K900 | Oh yeah I know | 06:11:56 |
| K900 | No worries | 06:11:58 |
| K900 | But my main motivation is to just use sbctl for key management | 06:12:31 |
| K900 | Because it does it better than any other tool I've seen | 06:12:39 |
| Winter (she/her) | dare I ask why you use objcopy | 06:12:58 |
| Winter (she/her) | oh i see | 06:13:13 |
| Winter (she/her) | huh, interesting. | 06:13:22 |
| K900 | Instead of sbctl? There's a bug with that that I need to poke upstream about | 06:13:30 |
| Winter (she/her) | no to set like cmdline and stuff | 06:13:53 |
| K900 | But I do want to use it there too, though that's less critical | 06:13:55 |
| Winter (she/her) | or would that ideally be done in sbctl | 06:13:59 |
| K900 | I mean sbctl just shells out to objcopy | 06:14:07 |
| Winter (she/her) | ah is that where you got this invocation from? | 06:14:26 |
| K900 | Conceptually that's how you're supposed to use the systemd boot stubs | 06:14:30 |
| K900 | They basically self-extract the kernel + initrd + cmdline | 06:14:57 |
| K900 | And then run it all correctly | 06:15:05 |
| K900 | So you can build one EFI executable and sign it for secure boot | 06:15:25 |
| K900 | Without the bootloader or whatever having to validate the initrd, etc | 06:15:37 |
| K900 | You just put it all in a big blob and sign the blob | 06:15:53 |
| Winter (she/her) | interesting
wait yeah so where are these magic section offsets from, did you pull those from sbctl or some spec or something | 06:16:22 |
| K900 | It's not ideal for NixOS because we end up with a big blob for every generation because the cmdline changes | 06:16:25 |
| Winter (she/her) | * interesting
wait yeah so where are these magic section VMAs from, did you pull those from sbctl or some spec or something | 06:16:41 |
| K900 | But I don't think we have any good ways around it except, uh, writing our own bootloader? | 06:16:45 |
| Winter (she/her) | the purely functional bootloader 🚀 | 06:16:58 |
