NixOS Security Triage - Public Room Timeline - Matrix Static

	NixOS Security Triage	703 Members
	Coordination and triage of security issues in nixpkgs	216 Servers

You have reached the beginning of time (for this room).

Sender	Message	Time
5 Jul 2024
hexa	pinged elvishjerrico in #dev:nixos.org	11:54:40
raitobezarius	i'm confused by the reports	11:57:01
raitobezarius	it took me time to reload the context	11:57:05
raitobezarius	but BIOS GRUB users are protected by cryptodisk	11:57:13
Septem9er	In reply to @emilazy:matrix.org https://github.com/NixOS/calamares-nixos-extensions/pull/25 says "#21 broke encrypted swap by mishandling the removal of crypto_keyfile.bin. This reverts the original fix. Instead, we leave BIOS the same; that was secure as it was before", I guess this was just a misunderstanding of the vuln? :/ Thanks, I didn't look at the pull request yet. They also write: NOTE: This is likely not a completely sufficient solution for users who choose manual partitioning. Mainly, if they create an unencrypted root partition with BIOS boot, it will still insecurely use crypto_keyfile.bin for other partitions that are encrypted. Since they are specifically writing about unencrypted root partitions only, it seems like they thought it wouldn't be an issue for an encrypted root partiton? Anyway, I guess this was a misunderstanding about the vulnerability. BIOS setups were definitly affected, the GHSA did specifically say it affects "non-UEFI systems".	11:57:52
emily	In reply to @raitobezarius:matrix.org but BIOS GRUB users are protected by cryptodisk the advisory says Users who installed NixOS through the graphical calamares installer, with an unencrypted /boot, on either: non-UEFI systems	11:58:16
emily	I guess the key there is "unencrypted `/boot`"?	11:58:22

Show newer messages

Back to Room ListRoom Version: 6