| 20 Feb 2023 |
 @elvishjerricco:matrix.org | but I can see the perspective that values it | 09:17:55 |
 @lily:lily.flowers | If your threat model just wants to avoid arbitrary execution by an attacker physically present at the machine (but cannot open the machine and muck with the electronics -- you're always screwed in that case), you really just need to ensure no custom kernel cmdline is passed in at all (like lanzaboote started doing). Also I don't think the recovery shell will run by default anyway except maybe if it makes it to rescue.target and you enter the root password (I may be misremembering that though) | 11:21:45 |
| @lily:lily.flowers | I can get the desire to want to avoid any dynamic interpretation, but if the initrd always runs the same code (and said code doesn't depend on external factors hopefully...) just restricting cmdline should handle most reasonable threat models in conjunction with secure boot/bios password/etc I feel | 11:23:52 |
| @lily:lily.flowers | (Also assuming initrd is cryptographically verified like with lanzaboote or if you are just generating UKIs or something) | 11:24:49 |
|  @mixis:bau-ha.us set a profile picture. | 18:09:05 |
| @elvishjerricco:matrix.org |
Also I don't think the recovery shell will run by default anyway
yea by default the root password isn't set, so systemd-sulogin-shell just rejects you altogether. You have to actually set it in your nixos config.
| 19:09:21 |
| 22 Feb 2023 |
|  lgcl (she/they) changed their display name from lgcl to lgcl (they/them). | 20:32:54 |
| 23 Feb 2023 |
 @kranzes:matrix.org | Does anyone here use plymouth and would like to debug & test a new PR for it? | 13:32:59 |
| @kranzes:matrix.org | https://github.com/NixOS/nixpkgs/pull/217728 | 13:33:03 |
| @kranzes:matrix.org | This needs to be tested and debugged for both initrds | 13:35:15 |
| @lily:lily.flowers | In reply to @kranzes:matrix.org
Does anyone here use plymouth and would like to debug & test a new PR for it? I don't use plymouth but I could be convinced to test it if no one else does | 13:40:07 |
 @janne.hess:helsinki-systems.de | I had it once for testing but I don't have the config anymore | 13:40:34 |
| @janne.hess:helsinki-systems.de | Lily Foster: you could test it with https://github.com/helsinki-systems/plymouth-theme-nixos-bgrt 😏 That gives you a spinning nixos logo | 13:40:52 |
| @janne.hess:helsinki-systems.de | * Lily Foster: you could test it with https://github.com/helsinki-systems/plymouth-theme-nixos-bgrt 😏 That gives you a spinning nixos logo and flicker-free boot | 13:41:15 |
| @elvishjerricco:matrix.org | I use plymouth+systemd-initrd | 13:41:32 |
 @linus:schreibt.jetzt | What does BGRT mean? | 13:41:33 |
 K900 | Boot Graphics Resource Table | 13:41:41 |
| @elvishjerricco:matrix.org | Don't currently have time to test that though | 13:41:45 |
| @janne.hess:helsinki-systems.de | In reply to @linus:schreibt.jetzt
What does BGRT mean? It's your vendor logo from your UEFI | 13:41:45 |
| @linus:schreibt.jetzt | aah | 13:41:48 |
| @janne.hess:helsinki-systems.de | What Windows is doing | 13:41:54 |
| K900 | I'm just annoyed AMDGPU has what seems to be a forced modeset on boot | 13:42:19 |
| @janne.hess:helsinki-systems.de | In reply to @k900:0upti.me
I'm just annoyed AMDGPU has what seems to be a forced modeset on boot Have you tried amdgpu.dc=0? | 13:42:51 |
| K900 | Pretty sure that doesn't work | 13:43:30 |
| K900 | My GPU is too new to support the pre-DC code paths | 13:43:40 |
| @kranzes:matrix.org | It doesn't work right now btw. so debugging is also needed | 13:50:54 |
| @kranzes:matrix.org | this plymouth PR works if i manually run systemctl restart plymouth-start.service but doesn't work in the initrd. interesting. | 15:33:37 |
| @kranzes:matrix.org | testing it with something like this:
{
inputs = {
nixpkgs.url = "github:Kranzes/nixpkgs/plymouth";
nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; };
};
outputs = { self, nixpkgs, nixos-generators }:
let
pkgs = nixpkgs.legacyPackages.x86_64-linux;
in
{
packages.x86_64-linux.default = nixos-generators.nixosGenerate {
inherit pkgs;
modules = [{
boot.initrd.systemd.enable = true;
boot.plymouth.enable = true;
boot.plymouth.theme = "breeze";
documentation.nixos.enable = false;
users.users.root.hashedPassword = "$y$j9T$92VDaYfgg6XS1G8/s4Yff1$ORqQG/Iy/hUUuRdee35PBNqHu3FsplYv9ui.hqTL/bC"; # 123
users.mutableUsers = false;
}];
format = "vm-bootloader";
};
};
}
| 15:34:23 |
| @lily:lily.flowers | In reply to @kranzes:matrix.org
this plymouth PR works if i manually run systemctl restart plymouth-start.service but doesn't work in the initrd. interesting. Is it just segfaulting shortly after starting in initrd for you? That's what I'm seeing in a VM with a bunch of debug logging turned on and your flake | 16:03:02 |
| @kranzes:matrix.org | Idk, I don't know how to get debugging logs in the initrd. | 16:46:45 |
