| 24 Dec 2025 |
matthewcroughan - nix.zone | pentane ⭔: can you lock the device with your own nixos setup? | 20:24:50 |
matthewcroughan - nix.zone | oh yeah I'll be at 39c3 too, so maybe we can meet up and you can do a quick FAQ? :D | 20:25:10 |
matthewcroughan - nix.zone | I'll document such a setup too if you help me figure it out | 20:25:27 |
sebastian | Sounds great, let's do that. | 20:28:39 |
pentane | yep, you just need to flash the avb_pkmd.bin generated by generateKeysScript instead of the one provided by upstream grapheneos | 20:45:00 |
pentane | yeah i need to rewrite all the docs at some point, they're horribly outdated xc | 20:45:21 |
matthewcroughan - nix.zone | ah, and then you need to keep those keys safe? | 20:46:31 |
pentane | exactly | 20:46:38 |
pentane | and pass them to the releaseScript to sign your target files with them | 20:46:58 |
matthewcroughan - nix.zone | can you embed those keys into a yubikey? | 20:47:21 |
matthewcroughan - nix.zone | or perhaps derive them from one | 20:47:29 |
pentane | hmm, you'd have to take a look at build/tools/releasetools/sign_target_files_apks.py to see what it supports | 20:49:19 |
pentane | afaik CalyxOS is doing something with HSMs in that direction? | 20:49:52 |