| 26 Dec 2021 |
|  bernardo changed their display name from bernardo to bernardo ooo. | 20:57:46 |
| 28 Dec 2021 |
|  hax404 joined the room. | 00:50:30 |
| 29 Dec 2021 |
|  Zhaofeng Li joined the room. | 03:59:56 |
| 30 Dec 2021 |
|  Adit joined the room. | 07:44:29 |
| 31 Dec 2021 |
|  mexisme joined the room. | 23:10:59 |
| 2 Jan 2022 |
|  zuckerberg joined the room. | 04:14:39 |
| 11 Jan 2022 |
| bernardo changed their display name from bernardo ooo to bernardo. | 21:22:51 |
| 13 Jan 2022 |
|  hougo left the room. | 08:08:45 |
| 14 Jan 2022 |
|  Chinchilla Washington changed their display name from Rev. CornWallace III (novus ordo seclorum) to coilWinder. | 04:39:44 |
| Chinchilla Washington changed their display name from coilWinder to CoilWinder (novus ordo seclorum). | 04:42:07 |
| 20 Jan 2022 |
|  andi- left the room. | 08:30:57 |
| 24 Jan 2022 |
 colemickens | Are general Secure Boot questions okay here? | 22:31:52 |
| colemickens | I got NixOS booting in Secure Boot mode by using Fedora's shim and disabling validation in the shim. I'm nervous though that another UEFI update will reset NVRAM, I'll lose the disabled validation and be locked out again. Curious if anyone knows for sure. | 22:32:34 |
| Zhaofeng Li | You can get actual Secure Boot signing working with https://github.com/frogamic/nix-machines/tree/main/modules/systemd-secure-boot | 22:34:15 |
| Zhaofeng Li | Does your motherboard vendor allow enrolling your own keys? | 22:34:46 |
| colemickens | I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) | 22:35:50 |
| Zhaofeng Li | In reply to @colemickens:matrix.org
I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) Both of my laptop (Framework) and custom desktop allow this, and they do survive BIOS upgrades | 22:37:37 |
| Zhaofeng Li | In reply to @colemickens:matrix.org
I'm pretty sure my laptop doesn't, but now I'm realizing that it well could have the same issue (does user enrolled keys get stored in nvram) * Both of my laptop (Framework) and custom desktop allow this, and they do survive BIOS upgrades in my case | 22:37:44 |
| Zhaofeng Li | And it's not just user enrolled keys, you are enrolling the PK and transitioning Secure Boot to User mode | 22:38:46 |
| Zhaofeng Li | BIOSes usually have an option to use the "default" setup which would enroll the Microsoft PK | 22:39:21 |
| colemickens | Actually, it does have a "Reset to Setup Mode" that will clear the platform key and let me enroll one. | 22:39:58 |
| colemickens | But :/ also I dual-boot Windows. idk if one can enroll multiple platform keys | 22:40:12 |
| Zhaofeng Li | Yeah, that's what you want to use | 22:40:16 |
| Zhaofeng Li | You can still dual-boot Windows, just allow Microsoft's certificates in your db | 22:41:29 |
| Zhaofeng Li | Found it: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Dual_booting_with_other_operating_systems | 22:42:16 |
| colemickens | Hrmph, now I feel like I wasted my time with the shim, but this would require figuring out signing :s | 22:42:19 |
| Zhaofeng Li | It's actually pretty simple after you generate all the keys and enroll them in your BIOS | 22:43:13 |
| Zhaofeng Li | Everything else can be done from the OS | 22:43:30 |
| colemickens | I just assume people are signing outside the store or doing some sandboxing trick to get to the private key or something. I've always avoided that, but maybe it's not a huge deal. | 22:44:10 |
| Zhaofeng Li | In reply to @zhaofeng:zhaofeng.li
You can get actual Secure Boot signing working with https://github.com/frogamic/nix-machines/tree/main/modules/systemd-secure-boot The module here automatically creates a unified kernel image (kernel + initrd) for each generation and signs them | 22:45:10 |
