| 21 Aug 2022 |
|  greaka changed their display name from greaka ⚡️ to greaka . | 09:25:58 |
| 23 Aug 2022 |
|  Echo joined the room. | 00:50:12 |
| 24 Aug 2022 |
|  underpantsgnome changed their display name from tinybronca to underpantsgnome. | 23:04:15 |
| 30 Aug 2022 |
|  aru joined the room. | 14:43:03 |
| aru left the room. | 14:55:33 |
| 2 Sep 2022 |
|  linj joined the room. | 12:43:36 |
| 4 Sep 2022 |
 raitobezarius | https://github.com/NixOS/nixpkgs/pull/189676 | 13:31:03 |
| 5 Sep 2022 |
 @grahamc:nixos.org | attempt #3 :x | 01:22:12 |
|  Ronny joined the room. | 06:02:13 |
| 7 Sep 2022 |
|  Alexandre joined the room. | 09:40:54 |
| 11 Sep 2022 |
| Ronny changed their profile picture. | 21:27:04 |
| 14 Sep 2022 |
|  ElvishJerricco joined the room. | 23:27:09 |
| ElvishJerricco | Zhaofeng Li: So moving over here because it seems more relevant: That patch doesn't seem to apply to NixOS. Based on the Loaded initrd from command line option message you see when booting with systemd-boot, that code path in that patch doesn't seem to measure the initrd | 23:28:25 |
| ElvishJerricco | which is odd. I dunno why you'd only measure one of those two branches. Either it's measured elsewhere or this is a kernel bug | 23:30:45 |
| ElvishJerricco | Though honestly I guess it doesn't matter. The attacker can always override the cmdline if you're not using a UKI anyway. So UKI it is | 23:53:37 |
| 15 Sep 2022 |
 Zhaofeng Li | In reply to @elvishjerricco:matrix.org
Zhaofeng Li: So moving over here because it seems more relevant: That patch doesn't seem to apply to NixOS. Based on the Loaded initrd from command line option message you see when booting with systemd-boot, that code path in that patch doesn't seem to measure the initrd Wow, that's certainly very weird. What are those two code paths? | 01:16:07 |
| ElvishJerricco | Zhaofeng Li: This branch does measure it, but this branch doesn't, which seems to be the one we hit with nixos | 01:18:00 |
| Zhaofeng Li | Ah, so supplying initrd= via the cmdline doesn't trigger the measurement, awkward | 01:25:19 |
| ElvishJerricco | and I can't imagine why they wouldn't want to measure it. It seems perfectly possible there | 01:25:40 |
| ElvishJerricco | Like, just move the measurement call to after the if else if block or something | 01:26:25 |
| Zhaofeng Li | Nice opportunity to cook up a patch, it seems 👀 | 01:28:36 |
| Zhaofeng Li | Also an opportunity to move to using the initrd directive in systemd-boot instead of adding the initrd= in the cmdline | 01:29:09 |
| ElvishJerricco | Zhaofeng Li: We do use the initrd directive. But (and I can't remember where I read this), I believe systemd-boot just converts that directive into an initrd= cmdline option. | 01:31:41 |
| Zhaofeng Li | If this is the case, the systemd-boot docs are dangerously incorrect. This is very surprising. | 01:33:00 |
| ElvishJerricco | That's what this wiki says: https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/ | 01:33:48 |
| ElvishJerricco | Where are the docs wrong about this? | 01:34:05 |
| ElvishJerricco | And yea, my boot entries on my desktop have an initrd directive, but obviously I still get that "Loaded initrd from command line option" message | 01:34:39 |
| Zhaofeng Li | I mean, the docs are wrong about initrd being measured in PCR 9 under normal usecases (the initrd directive) | 01:36:47 |
| ElvishJerricco | oh yes | 01:36:57 |
| ElvishJerricco | yes that's certainly true | 01:37:01 |
