NixOS + TPMs - Public Room Timeline

	NixOS + TPMs	175 Members
		43 Servers

Load older messages

Sender	Message	Time
24 Jan 2022
colemickens	I got NixOS booting in Secure Boot mode by using Fedora's shim and disabling validation in the shim. I'm nervous though that another UEFI update will reset NVRAM, I'll lose the disabled validation and be locked out again. Curious if anyone knows for sure.	22:32:34
Zhaofeng Li	You can get actual Secure Boot signing working with https://github.com/frogamic/nix-machines/tree/main/modules/systemd-secure-boot	22:34:15
Zhaofeng Li	Does your motherboard vendor allow enrolling your own keys?	22:34:46
colemickens	I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram)	22:35:50
Zhaofeng Li	In reply to @colemickens:matrix.org I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) Both of my laptop (Framework) and custom desktop allow this, and they do survive BIOS upgrades	22:37:37
Zhaofeng Li	In reply to @colemickens:matrix.org I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) * Both of my laptop (Framework) and custom desktop allow this, and they do survive BIOS upgrades in my case	22:37:44
Zhaofeng Li	And it's not just user enrolled keys, you are enrolling the PK and transitioning Secure Boot to User mode	22:38:46
Zhaofeng Li	BIOSes usually have an option to use the "default" setup which would enroll the Microsoft PK	22:39:21
colemickens	Actually, it does have a "Reset to Setup Mode" that will clear the platform key and let me enroll one.	22:39:58
colemickens	But :/ also I dual-boot Windows. idk if one can enroll multiple platform keys	22:40:12
Zhaofeng Li	Yeah, that's what you want to use	22:40:16
Zhaofeng Li	You can still dual-boot Windows, just allow Microsoft's certificates in your db	22:41:29
Zhaofeng Li	Found it: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Dual_booting_with_other_operating_systems	22:42:16
colemickens	Hrmph, now I feel like I wasted my time with the shim, but this would require figuring out signing :s	22:42:19
Zhaofeng Li	It's actually pretty simple after you generate all the keys and enroll them in your BIOS	22:43:13
Zhaofeng Li	Everything else can be done from the OS	22:43:30
colemickens	I just assume people are signing outside the store or doing some sandboxing trick to get to the private key or something. I've always avoided that, but maybe it's not a huge deal.	22:44:10
Zhaofeng Li	In reply to @zhaofeng:zhaofeng.li You can get actual Secure Boot signing working with https://github.com/frogamic/nix-machines/tree/main/modules/systemd-secure-boot The module here automatically creates a unified kernel image (kernel + initrd) for each generation and signs them	22:45:10
Zhaofeng Li	And the end-user experience is seamless	22:45:23
colemickens	Oh, right, it just takes a path to the key.	22:45:40
colemickens	Huh, why was I over thinking this.	22:45:46
colemickens	Neato.	22:45:49
colemickens	Thanks a bunch Zhaofeng Li , I'll have to spend another weekend day trying to do this the right way then!	22:47:21
31 Jan 2022
	bernardo changed their profile picture.	11:49:42
2 Feb 2022
	Chinchilla Washington changed their display name from CoilWinder (novus ordo seclorum) to Chuck Winter.	08:37:03
3 Feb 2022
	lvkm joined the room.	08:49:27
	lewo joined the room.	21:47:17
4 Feb 2022
Mic92 (Old)	is this any good? https://github.com/whooo/tpm2-ssh-agent	14:08:18
15 Feb 2022
stigo	In reply to @mic92:nixos.dev is this any good? https://github.com/whooo/tpm2-ssh-agent I've been using gpg with tpm for ssh for a while now, quite happy with it. Unable to change passphrases for tpm backed keys tho.	16:02:28
stigo	Was wondering if anyone has had any luck setting up TPM2 with LUKS on NixOS?	16:03:08

Show newer messages

Back to Room ListRoom Version: 6