| 17 Sep 2023 |
 raitobezarius | arkivm: wouldn't it be better to have keylime-agent and keylime as two differen tservices? | 11:39:36 |
| raitobezarius | you want to run the agent on clients | 11:39:39 |
| raitobezarius | the rest on servers | 11:39:43 |
| raitobezarius | also this service is non-configurable and use all presets from the package themselves | 11:40:25 |
| raitobezarius | minimally, we should have settings option for each relevant configuration file | 11:40:36 |
| 18 Sep 2023 |
 arkivm | raitobezarius: That's how I initially started. Right now, services.keylime.enable doesn't turn on any services. You can selectively pick services.keylime.<keylime_modules>.enable where keylime_modules can be agent, registrar and verifier. But if you think splitting it into two modules (one for agent and the rest as one) has better modularity, I can split them. | 04:45:33 |
| arkivm | I don't have much experience running keylime in production. I have played around with it only in local experimental setup. But, I agree that the default options may not be what everyone wants. What options should be configurable? Do you have some insights? | 04:48:19 |
| arkivm | Updated the PR by separating agent and the rest. | 06:32:39 |
| raitobezarius | I am not sure keylime should be packaged in nixpkgs, especially if you don't plan to have production usage | 07:53:03 |
| raitobezarius | It makes more sense to wait for someone who have expert knowledge rather than rush and package something that's meh in terms of security for such a piece of software | 07:53:23 |
| 21 Sep 2023 |
|  dedmunwalk joined the room. | 23:06:14 |
| 23 Sep 2023 |
 ElvishJerricco | This isn't exactly NixOS, but I'm trying to test out Ubuntu's new TPM based FDE in a libvirt VM, but the TPM entered DA lockout mode during installation, and I'm not sure how to get it out of it. When my Steam Deck entered lockout, I just had to wait 15mins, but no amount of waiting (up to several hours) has helped here. | 06:18:21 |
| ElvishJerricco | oh, well deleting the VM and starting anew, the installation failure isn't what I thought: cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI application that returned to the boot manager, without a reboot in between
(I enrolled MS secure boot keys with sbctl from a nixos ISO, but there was a hard shutoff before booting into the ubuntu ISO)
| 07:19:43 |
| ElvishJerricco | and after that installation failure, the swtpm is in lockout mode | 07:20:20 |
| ElvishJerricco | so I wonder if libvirt isn't shutting down swtpm correctly | 07:20:38 |
|  Snuupy joined the room. | 10:17:56 |
| ElvishJerricco | Huh, apparently I had to make sure the installation disk was first in the boot order. Attempting and failing to boot the empty hard drive messed with the secure boot measurements or something | 19:51:37 |
| 24 Sep 2023 |
 flokli | This smells like a firmware issue/mistake a bunch of vendors initially did as well | 08:02:10 |
| flokli | the order of things tried out (and skipped over) shouldn't affect measurements, if it does, it's a bug in the firmware | 08:02:37 |
| raitobezarius | But if elvish is trying this in a VM | 10:07:42 |
| raitobezarius | This is OVMF | 10:07:44 |
| raitobezarius | So kinda EDK2 | 10:07:51 |
| raitobezarius | So all the firmware in the world | 10:07:55 |
| raitobezarius | I can pull out the code later | 10:08:19 |
| raitobezarius | I am used to read EDK2 now | 10:08:24 |
| ElvishJerricco | flokli: yea that's rough if OVMF has this bug :P | 20:48:48 |
| flokli | maybe that | 22:07:33 |
| flokli | * maybe that's why it's broken in all vendor firmwares ;-) | 22:07:41 |
| flokli | * maybe that's why it is/was broken in all vendor firmwares ;-) | 22:07:50 |
| 25 Sep 2023 |
|  bertof joined the room. | 10:43:50 |
