| 24 Jan 2022 |
 Zhaofeng Li | You can get actual Secure Boot signing working with https://github.com/frogamic/nix-machines/tree/main/modules/systemd-secure-boot | 22:34:15 |
| Zhaofeng Li | Does your motherboard vendor allow enrolling your own keys? | 22:34:46 |
 @colemickens:matrix.org | I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) | 22:35:50 |
| Zhaofeng Li | In reply to @colemickens:matrix.org
I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) Both of my laptop (Framework) and custom desktop allow this, and they do survive BIOS upgrades | 22:37:37 |
| Zhaofeng Li | In reply to @colemickens:matrix.org
I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) * Both of my laptop (Framework) and custom desktop allow this, and they do survive BIOS upgrades in my case | 22:37:44 |
| Zhaofeng Li | And it's not just user enrolled keys, you are enrolling the PK and transitioning Secure Boot to User mode | 22:38:46 |
| Zhaofeng Li | BIOSes usually have an option to use the "default" setup which would enroll the Microsoft PK | 22:39:21 |
| @colemickens:matrix.org | Actually, it does have a "Reset to Setup Mode" that will clear the platform key and let me enroll one. | 22:39:58 |
| @colemickens:matrix.org | But :/ also I dual-boot Windows. idk if one can enroll multiple platform keys | 22:40:12 |
| Zhaofeng Li | Yeah, that's what you want to use | 22:40:16 |
| Zhaofeng Li | You can still dual-boot Windows, just allow Microsoft's certificates in your db | 22:41:29 |
| Zhaofeng Li | Found it: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Dual_booting_with_other_operating_systems | 22:42:16 |
| @colemickens:matrix.org | Hrmph, now I feel like I wasted my time with the shim, but this would require figuring out signing :s | 22:42:19 |
| Zhaofeng Li | It's actually pretty simple after you generate all the keys and enroll them in your BIOS | 22:43:13 |
| Zhaofeng Li | Everything else can be done from the OS | 22:43:30 |
| @colemickens:matrix.org | I just assume people are signing outside the store or doing some sandboxing trick to get to the private key or something. I've always avoided that, but maybe it's not a huge deal. | 22:44:10 |
| Zhaofeng Li | In reply to @zhaofeng:zhaofeng.li
You can get actual Secure Boot signing working with https://github.com/frogamic/nix-machines/tree/main/modules/systemd-secure-boot The module here automatically creates a unified kernel image (kernel + initrd) for each generation and signs them | 22:45:10 |
| Zhaofeng Li | And the end-user experience is seamless | 22:45:23 |
| @colemickens:matrix.org | Oh, right, it just takes a path to the key. | 22:45:40 |
| @colemickens:matrix.org | Huh, why was I over thinking this. | 22:45:46 |
| @colemickens:matrix.org | Neato. | 22:45:49 |
| @colemickens:matrix.org | Thanks a bunch Zhaofeng Li , I'll have to spend another weekend day trying to do this the right way then! | 22:47:21 |
| 31 Jan 2022 |
|  @bernardo:matrix.parity.io changed their profile picture. | 11:49:42 |
| 2 Feb 2022 |
|  @cw:kernelpanic.cafe changed their display name from CoilWinder (novus ordo seclorum) to Chuck Winter. | 08:37:03 |
| 3 Feb 2022 |
|  lvkm joined the room. | 08:49:27 |
|  lewo joined the room. | 21:47:17 |
| 4 Feb 2022 |
 @mic92:nixos.dev | is this any good? https://github.com/whooo/tpm2-ssh-agent | 14:08:18 |
| 15 Feb 2022 |
 @stigo:matrix.org | In reply to @mic92:nixos.dev
is this any good? https://github.com/whooo/tpm2-ssh-agent I've been using gpg with tpm for ssh for a while now, quite happy with it. Unable to change passphrases for tpm backed keys tho. | 16:02:28 |
| @stigo:matrix.org | Was wondering if anyone has had any luck setting up TPM2 with LUKS on NixOS? | 16:03:08 |
| @mic92:nixos.dev | I try to keep my system gnupg-free because of bad past experiences. I think andi- was working on that, but don't know the status | 16:04:05 |
