| 20 Feb 2023 |
 @janne.hess:helsinki-systems.de | In reply to @elvishjerricco:matrix.org
but like the kernel already has turing complete shit with bpf or whatever it's called so you're already screwed Ah so you think they don't have a custom one with grsecurity? But yeah, it's hard to defend this measure | 09:12:31 |
 @elvishjerricco:matrix.org | I mean I think it's an entirely reasonable thing to want | 09:12:55 |
| @janne.hess:helsinki-systems.de | Will try when I find time, probably just need to use makeBinaryWrapper and rewrite my shitty bash code to shitty c code | 09:13:10 |
| @elvishjerricco:matrix.org | I think it's ridiculous that the kernel allows turing complete logic from userspace | 09:13:11 |
| @elvishjerricco:matrix.org | zfs made a more egregious version of this mistake by including a Lua interpreter in kernel space | 09:13:32 |
| @elvishjerricco:matrix.org | like... please don't do that | 09:13:42 |
| @janne.hess:helsinki-systems.de | In reply to @elvishjerricco:matrix.org
zfs made a more egregious version of this mistake by including a Lua interpreter in kernel space I mean … still better than a fully ruby env? | 09:13:59 |
| @elvishjerricco:matrix.org | Oh no is there ruby in the kernel?? | 09:14:27 |
| @janne.hess:helsinki-systems.de | No, that's the point. Rather have lua than ruby | 09:14:41 |
| @elvishjerricco:matrix.org | ah lol fair enough | 09:14:50 |
| @janne.hess:helsinki-systems.de | Or just go the way of anti-cheat on windows and open an unauthenticated pipe and execute whatever comes out of it 🎉 | 09:15:02 |
| @janne.hess:helsinki-systems.de | * Or just go the way of anti-cheat on windows and open an unauthenticated pipe and execute whatever comes out of it in the kernel 🎉 | 09:15:11 |
| @elvishjerricco:matrix.org | oof | 09:15:12 |
| @elvishjerricco:matrix.org | The trusted boot crowd has a lot of ambition around separating root from kernel so that even root can't ruin trusted boot. I think this falls in an adjacent category; initrd shouldn't be capable of undermining system security by allowing arbitrary logic encoded at runtime | 09:17:14 |
| @elvishjerricco:matrix.org | It's.... probably not actually all that helpful | 09:17:42 |
| @elvishjerricco:matrix.org | but I can see the perspective that values it | 09:17:55 |
 @lily:lily.flowers | If your threat model just wants to avoid arbitrary execution by an attacker physically present at the machine (but cannot open the machine and muck with the electronics -- you're always screwed in that case), you really just need to ensure no custom kernel cmdline is passed in at all (like lanzaboote started doing). Also I don't think the recovery shell will run by default anyway except maybe if it makes it to rescue.target and you enter the root password (I may be misremembering that though) | 11:21:45 |
| @lily:lily.flowers | I can get the desire to want to avoid any dynamic interpretation, but if the initrd always runs the same code (and said code doesn't depend on external factors hopefully...) just restricting cmdline should handle most reasonable threat models in conjunction with secure boot/bios password/etc I feel | 11:23:52 |
| @lily:lily.flowers | (Also assuming initrd is cryptographically verified like with lanzaboote or if you are just generating UKIs or something) | 11:24:49 |
|  @mixis:bau-ha.us set a profile picture. | 18:09:05 |
| @elvishjerricco:matrix.org |
Also I don't think the recovery shell will run by default anyway
yea by default the root password isn't set, so systemd-sulogin-shell just rejects you altogether. You have to actually set it in your nixos config.
| 19:09:21 |
| 22 Feb 2023 |
|  lgcl (she/they) changed their display name from lgcl to lgcl (they/them). | 20:32:54 |
| 23 Feb 2023 |
 @kranzes:matrix.org | Does anyone here use plymouth and would like to debug & test a new PR for it? | 13:32:59 |
| @kranzes:matrix.org | https://github.com/NixOS/nixpkgs/pull/217728 | 13:33:03 |
| @kranzes:matrix.org | This needs to be tested and debugged for both initrds | 13:35:15 |
| @lily:lily.flowers | In reply to @kranzes:matrix.org
Does anyone here use plymouth and would like to debug & test a new PR for it? I don't use plymouth but I could be convinced to test it if no one else does | 13:40:07 |
| @janne.hess:helsinki-systems.de | I had it once for testing but I don't have the config anymore | 13:40:34 |
| @janne.hess:helsinki-systems.de | Lily Foster: you could test it with https://github.com/helsinki-systems/plymouth-theme-nixos-bgrt 😏 That gives you a spinning nixos logo | 13:40:52 |
| @janne.hess:helsinki-systems.de | * Lily Foster: you could test it with https://github.com/helsinki-systems/plymouth-theme-nixos-bgrt 😏 That gives you a spinning nixos logo and flicker-free boot | 13:41:15 |
| @elvishjerricco:matrix.org | I use plymouth+systemd-initrd | 13:41:32 |
