11 Jun 2023 |
K900 | Wait so does this mean we can actually get from stage1 to stage2 without dropping the network? | 06:37:50 |
@elvishjerricco:matrix.org | K900: That's always been possible with flushBeforeStage2 = false | 06:38:05 |
@elvishjerricco:matrix.org | This just implements that in a sane way | 06:38:11 |
K900 | Oh | 06:38:13 |
K900 | I haven't really tried it because the only box I'd want to try it on gets confused when the network drops while it's booted | 06:38:41 |
K900 | (for some reason) | 06:38:42 |
@elvishjerricco:matrix.org | in fact the non-sane thing we did before was the implementation of flushBeforeStage2 = true , because systemd-networkd expects you to want to carry network configs over between stages | 06:39:06 |
@elvishjerricco:matrix.org | * in fact the non-sane thing we did before was the implementation of flushBeforeStage2 = true , because systemd-networkd expects you to want to carry network configs over between stages and just does that by default | 06:39:20 |
@elvishjerricco:matrix.org | now the real question is... do I upstream my tailscaled in initrd implementation... | 06:40:30 |
K900 | Does it need special setup? | 06:41:24 |
@elvishjerricco:matrix.org | yea | 06:41:30 |
@elvishjerricco:matrix.org | where is the tailscale state dir? | 06:41:37 |
@elvishjerricco:matrix.org | because if it isn't something persistent then it's useless | 06:41:47 |
K900 | Oh yeah makes sense | 06:41:54 |
@elvishjerricco:matrix.org | my system does it by having the tailscale state dir shared between stages and stored on a disk that's TPM2 encrypted, and unlocked in initrd without user input | 06:42:19 |
@elvishjerricco:matrix.org | letting me log in so I can enter the key for the root fs and get the system booted | 06:42:43 |
K900 | I have a horrible idea now | 06:43:15 |
@elvishjerricco:matrix.org | do tell | 06:43:23 |
K900 | You could, in theory, do OIDC with a key stored on the TPM | 06:44:20 |
@elvishjerricco:matrix.org | what's OIDC? | 06:44:38 |
K900 | OpenID Connect, which is the thing Tailscale uses for auth | 06:44:49 |
@elvishjerricco:matrix.org | so what does it mean to store a key for it on the TPM? | 06:46:02 |
K900 | It's just auth | 06:46:10 |
K900 | You sign a token with your private key | 06:46:16 |
K900 | And send it to the server that knows your public key | 06:46:23 |
K900 | So you can log in to Tailscale without any secrets ever being persisted outside the TPM | 06:46:43 |
@elvishjerricco:matrix.org | oh that's a really cool idea actually | 06:47:01 |
@elvishjerricco:matrix.org | though usually people don't actually store shit in the tpm | 06:47:08 |
@elvishjerricco:matrix.org | since space there is very limited | 06:47:12 |
@elvishjerricco:matrix.org | and I think it can only store tpm key hierarchy things? | 06:47:30 |