| 27 Jul 2023 |
|  ribosomerocker joined the room. | 02:59:22 |
| 31 Jul 2023 |
 baloo | Could someone merge that one for me? https://github.com/NixOS/nixpkgs/pull/245962 | 04:03:54 |
| 9 Aug 2023 |
|  gkleen joined the room. | 10:41:36 |
| 13 Aug 2023 |
|  nevoyu joined the room. | 01:24:55 |
| 15 Aug 2023 |
| nevoyu left the room. | 19:34:10 |
| 18 Aug 2023 |
|  Shados joined the room. | 05:42:10 |
|  Xandor Schiefer joined the room. | 09:15:44 |
| 19 Aug 2023 |
|  khalil left the room. | 19:50:07 |
| 31 Aug 2023 |
|  Philip Taron (UTC-8) joined the room. | 21:47:01 |
| 9 Sep 2023 |
|  Moritz Sanft joined the room. | 12:13:37 |
| 16 Sep 2023 |
|  Majiir Paktu joined the room. | 00:04:45 |
 arkivm | I have sent an RFC for keylime and its services here: https://github.com/NixOS/nixpkgs/pull/255540
any feedback would be appreciated. | 22:39:51 |
| 17 Sep 2023 |
 raitobezarius | arkivm: wouldn't it be better to have keylime-agent and keylime as two differen tservices? | 11:39:36 |
| raitobezarius | you want to run the agent on clients | 11:39:39 |
| raitobezarius | the rest on servers | 11:39:43 |
| raitobezarius | also this service is non-configurable and use all presets from the package themselves | 11:40:25 |
| raitobezarius | minimally, we should have settings option for each relevant configuration file | 11:40:36 |
| 18 Sep 2023 |
| arkivm | raitobezarius: That's how I initially started. Right now, services.keylime.enable doesn't turn on any services. You can selectively pick services.keylime.<keylime_modules>.enable where keylime_modules can be agent, registrar and verifier. But if you think splitting it into two modules (one for agent and the rest as one) has better modularity, I can split them. | 04:45:33 |
| arkivm | I don't have much experience running keylime in production. I have played around with it only in local experimental setup. But, I agree that the default options may not be what everyone wants. What options should be configurable? Do you have some insights? | 04:48:19 |
| arkivm | Updated the PR by separating agent and the rest. | 06:32:39 |
| raitobezarius | I am not sure keylime should be packaged in nixpkgs, especially if you don't plan to have production usage | 07:53:03 |
| raitobezarius | It makes more sense to wait for someone who have expert knowledge rather than rush and package something that's meh in terms of security for such a piece of software | 07:53:23 |
| 21 Sep 2023 |
|  dedmunwalk joined the room. | 23:06:14 |
| 23 Sep 2023 |
 ElvishJerricco | This isn't exactly NixOS, but I'm trying to test out Ubuntu's new TPM based FDE in a libvirt VM, but the TPM entered DA lockout mode during installation, and I'm not sure how to get it out of it. When my Steam Deck entered lockout, I just had to wait 15mins, but no amount of waiting (up to several hours) has helped here. | 06:18:21 |
| ElvishJerricco | oh, well deleting the VM and starting anew, the installation failure isn't what I thought: cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI application that returned to the boot manager, without a reboot in between
(I enrolled MS secure boot keys with sbctl from a nixos ISO, but there was a hard shutoff before booting into the ubuntu ISO)
| 07:19:43 |
| ElvishJerricco | and after that installation failure, the swtpm is in lockout mode | 07:20:20 |
| ElvishJerricco | so I wonder if libvirt isn't shutting down swtpm correctly | 07:20:38 |
|  Snuupy joined the room. | 10:17:56 |
| ElvishJerricco | Huh, apparently I had to make sure the installation disk was first in the boot order. Attempting and failing to boot the empty hard drive messed with the secure boot measurements or something | 19:51:37 |
| 24 Sep 2023 |
 flokli | This smells like a firmware issue/mistake a bunch of vendors initially did as well | 08:02:10 |
