| 17 Sep 2023 |
raitobezarius | minimally, we should have settings option for each relevant configuration file | 11:40:36 |
| 18 Sep 2023 |
arkivm | raitobezarius: That's how I initially started. Right now, services.keylime.enable doesn't turn on any services. You can selectively pick services.keylime.<keylime_modules>.enable where keylime_modules can be agent, registrar and verifier. But if you think splitting it into two modules (one for agent and the rest as one) has better modularity, I can split them. | 04:45:33 |
arkivm | I don't have much experience running keylime in production. I have played around with it only in a local experimental setup. But I agree that the default options may not be what everyone wants. What options should be configurable? Do you have some insights? | 04:48:19 |
arkivm | Updated the PR by separating agent and the rest. | 06:32:39 |
raitobezarius | I am not sure keylime should be packaged in nixpkgs, especially if you don't plan to have production usage | 07:53:03 |
raitobezarius | It makes more sense to wait for someone who has expert knowledge rather than rush and package something that's meh in terms of security for such a piece of software | 07:53:23 |
| 21 Sep 2023 |
| dedmunwalk joined the room. | 23:06:14 |
| 23 Sep 2023 |
ElvishJerricco | This isn't exactly NixOS, but I'm trying to test out Ubuntu's new TPM based FDE in a libvirt VM, but the TPM entered DA lockout mode during installation, and I'm not sure how to get it out of it. When my Steam Deck entered lockout, I just had to wait 15mins, but no amount of waiting (up to several hours) has helped here. | 06:18:21 |
ElvishJerricco | oh, well deleting the VM and starting anew, the installation failure isn't what I thought: cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI application that returned to the boot manager, without a reboot in between (I enrolled MS secure boot keys with sbctl from a nixos ISO, but there was a hard shutoff before booting into the ubuntu ISO) | 07:19:43 |
ElvishJerricco | and after that installation failure, the swtpm is in lockout mode | 07:20:20 |
ElvishJerricco | so I wonder if libvirt isn't shutting down swtpm correctly | 07:20:38 |
| Snuupy joined the room. | 10:17:56 |
ElvishJerricco | Huh, apparently I had to make sure the installation disk was first in the boot order. Attempting and failing to boot the empty hard drive messed with the secure boot measurements or something | 19:51:37 |