| 31 Oct 2024 |
sophie | In reply to @elvishjerricco:matrix.org see: this wonderful disaster what is this...? | 21:10:55 |
ElvishJerricco | sophie: some (slightly outdated) modules I use to do a cursed combination of remote attestation and TPM2-bound disk encryption with tailscale | 21:11:50 |
sophie | I'm just trying to unpick how the remote attestation works | 21:12:35 |
ElvishJerricco | basically, there's a TPM2-bound zvol that contains SSH host keys and tailscale state. This allows me to remote in, and the fact that tailscale and SSH host keys were automatically decrypted informs me that the TPM2's boot measurements were correct. Once logged in, I can enter the TPM2 pin for decrypting the root FS | 21:13:36 |
ElvishJerricco | it would be better to do, like, actual remote attestation, but this is adequate | 21:14:13 |
sophie | ah so the system boots into a state and waits for the TPM2 pin to be provided over the SSH session it started with the protected host keys | 21:15:07 |
ElvishJerricco | yep | 21:15:15 |
ElvishJerricco | so the host keys are critical. They basically are the attestation | 21:15:29 |
sophie | interesting. I've always wanted to try out that remote attestation and stuff | 21:16:01 |
ElvishJerricco | eventually I'm going to get it set up with some kind of app on my phone, so the server sends a notification to my phone with a remote attestation report and asks the phone to decrypt the volume key. I check the app, give it a nod of approval, and the system boots | 21:17:06 |
sophie | if you're using Android, you can put the keys into an encrypted space with the encryption keys protected by the secure element too :) might be possible on iOS too but not tried that | 21:18:52 |
ElvishJerricco | yea, tough choice between storing a wrapped key on the disk vs storing a wrapped key on the phone | 21:20:40 |
ElvishJerricco | different tradeoffs between the two | 21:20:46 |
sophie | could either use the stored key on the phone as the TPM2 pin or have the password be a combination of both keys | 21:22:15 |
ElvishJerricco | yea that's interesting | 21:23:17 |
| 6 Nov 2024 |
Scrumplex | Is there a way I can instruct Nix to prefer building locally over using remote builders?
I am on an x86_64-linux machine and I have an x86_64-linux remote builder. Currently Nix seems to prefer the remote builder, even though I have more cores (and performance per core) locally. The speed factor of the builder is 1 | 14:56:44 |
Scrumplex | According to the documentation of nix.conf, the speed factor must be a positive integer, so I can't really do something like 0.5 | 14:57:09 |