| 20 Feb 2023 |
 @janne.hess:helsinki-systems.de | No, that's the point. Rather have lua than ruby | 09:14:41 |
 @elvishjerricco:matrix.org | ah lol fair enough | 09:14:50 |
| @janne.hess:helsinki-systems.de | Or just go the way of anti-cheat on windows and open an unauthenticated pipe and execute whatever comes out of it 🎉 | 09:15:02 |
| @janne.hess:helsinki-systems.de | * Or just go the way of anti-cheat on windows and open an unauthenticated pipe and execute whatever comes out of it in the kernel 🎉 | 09:15:11 |
| @elvishjerricco:matrix.org | oof | 09:15:12 |
| @elvishjerricco:matrix.org | The trusted boot crowd has a lot of ambition around separating root from kernel so that even root can't ruin trusted boot. I think this falls in an adjacent category; initrd shouldn't be capable of undermining system security by allowing arbitrary logic encoded at runtime | 09:17:14 |
| @elvishjerricco:matrix.org | It's.... probably not actually all that helpful | 09:17:42 |
| @elvishjerricco:matrix.org | but I can see the perspective that values it | 09:17:55 |
 @lily:lily.flowers | If your threat model just wants to avoid arbitrary execution by an attacker physically present at the machine (but cannot open the machine and muck with the electronics -- you're always screwed in that case), you really just need to ensure no custom kernel cmdline is passed in at all (like lanzaboote started doing). Also I don't think the recovery shell will run by default anyway except maybe if it makes it to rescue.target and you enter the root password (I may be misremembering that though) | 11:21:45 |
| @lily:lily.flowers | I can get the desire to want to avoid any dynamic interpretation, but if the initrd always runs the same code (and said code doesn't depend on external factors hopefully...) just restricting cmdline should handle most reasonable threat models in conjunction with secure boot/bios password/etc I feel | 11:23:52 |
| @lily:lily.flowers | (Also assuming initrd is cryptographically verified like with lanzaboote or if you are just generating UKIs or something) | 11:24:49 |
|  @mixis:bau-ha.us set a profile picture. | 18:09:05 |
| @elvishjerricco:matrix.org |
Also I don't think the recovery shell will run by default anyway
yea by default the root password isn't set, so systemd-sulogin-shell just rejects you altogether. You have to actually set it in your nixos config.
| 19:09:21 |
| 22 Feb 2023 |
|  lgcl (she/they) changed their display name from lgcl to lgcl (they/them). | 20:32:54 |
| 23 Feb 2023 |
 @kranzes:matrix.org | Does anyone here use plymouth and would like to debug & test a new PR for it? | 13:32:59 |
| @kranzes:matrix.org | https://github.com/NixOS/nixpkgs/pull/217728 | 13:33:03 |
| @kranzes:matrix.org | This needs to be tested and debugged for both initrds | 13:35:15 |
| @lily:lily.flowers | In reply to @kranzes:matrix.org
Does anyone here use plymouth and would like to debug & test a new PR for it? I don't use plymouth but I could be convinced to test it if no one else does | 13:40:07 |
| @janne.hess:helsinki-systems.de | I had it once for testing but I don't have the config anymore | 13:40:34 |
| @janne.hess:helsinki-systems.de | Lily Foster: you could test it with https://github.com/helsinki-systems/plymouth-theme-nixos-bgrt 😏 That gives you a spinning nixos logo | 13:40:52 |
| @janne.hess:helsinki-systems.de | * Lily Foster: you could test it with https://github.com/helsinki-systems/plymouth-theme-nixos-bgrt 😏 That gives you a spinning nixos logo and flicker-free boot | 13:41:15 |
| @elvishjerricco:matrix.org | I use plymouth+systemd-initrd | 13:41:32 |
 @linus:schreibt.jetzt | What does BGRT mean? | 13:41:33 |
 K900 | Boot Graphics Resource Table | 13:41:41 |
| @elvishjerricco:matrix.org | Don't currently have time to test that though | 13:41:45 |
| @janne.hess:helsinki-systems.de | In reply to @linus:schreibt.jetzt
What does BGRT mean? It's your vendor logo from your UEFI | 13:41:45 |
| @linus:schreibt.jetzt | aah | 13:41:48 |
| @janne.hess:helsinki-systems.de | What Windows is doing | 13:41:54 |
| K900 | I'm just annoyed AMDGPU has what seems to be a forced modeset on boot | 13:42:19 |
| @janne.hess:helsinki-systems.de | In reply to @k900:0upti.me
I'm just annoyed AMDGPU has what seems to be a forced modeset on boot Have you tried amdgpu.dc=0? | 13:42:51 |
