<gchristensen> so the strange thing, afaict, is this grew the image by 194M: https://github.com/grahamc/packet-nix-builder/commit/47d27501d9d65fada0a1ff242f3a18af5377212b
andi- has joined #nixos-aarch64
<gchristensen> yeah, that commit took it from 1372958549 to 1567525492 bytes
<Irenes[m]> woo! got FEL to work on the PineA64 dev boards I have. not actually booting through it, but that isn't really what I'm trying to do right now anyway.
<simpson> Exciting.
<Irenes[m]> I had a lot of hurdles with waiting for hardware to arrive and stuff; I'm glad that it does in fact work, heh.
<Irenes[m]> thank you
vika_nezrimaya has quit [Ping timeout: 265 seconds]
ryantrinkle has quit [Ping timeout: 255 seconds]
<samueldr> Irenes[m]: A64-LTS or the non-LTS?
<samueldr> I have some (brief) notes about using FEL for flashing the SPI NOR on the LTS https://nixos.wiki/wiki/NixOS_on_ARM/PINE_A64-LTS#SPI_NOR_flash
<samueldr> I have succesfully used the special sd card image to trigger FEL after having had a valid program on the flash
<gchristensen> I guess I'll `xz` compress this initrd's squashfs better
ryantrinkle has joined #nixos-aarch64
<clever> gchristensen: have you tried my trick to just skip the squashfs entirely?
<gchristensen> I haven't actually (but this uses an xz instead of a squash)
<gchristensen> better compression didn't help
<gchristensen> going to bed, will try again tomorrow
h0m1 has quit [Ping timeout: 256 seconds]
h0m1 has joined #nixos-aarch64
<thefloweringash> I saw something like that when I was iterating, but I didn't find a better answer than "make it smaller".
<thefloweringash> "thefloweringash: can you send me a follow-up PR?" -- probably, what for?
ryantrinkle has quit [Ping timeout: 260 seconds]
cptchaos83 has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]
cptchaos83 has joined #nixos-aarch64
lordcirth_ has joined #nixos-aarch64
<Irenes[m]> samueldr: the non-LTS. I'm intending to experiment with the eFuses for signed boot, and people have reported that burning the eFuses doesn't work on the LTS.
<Irenes[m]> I'm probably not going to mess with the SPI but I appreciate the notes anyway, they could be relevant
<Irenes[m]> ah yeah, I have that Wiki page open in another window, it's been helpful despite being for the LTS :)
<Irenes[m]> thank you for writing it
<Irenes[m]> it was particularly helpful to know that the upper USB port is the one to plug into; I hadn't found any other source for that
<samueldr> yeah, they share a lot
<samueldr> I hope you document your secure boot findings well, and maybe even the sources of info
<samueldr> I found it hard to *begin* searching about that
<thefloweringash> hmmm, maybe relevant to our pxe issues: https://www.syslinux.org/archives/2002-March/000248.html
orivej has quit [Ping timeout: 256 seconds]
Acou_Bass has quit [Ping timeout: 265 seconds]
t184256 has left #nixos-aarch64 ["Error from remote client"]
t184256 has joined #nixos-aarch64
Acou_Bass has joined #nixos-aarch64
zupo has joined #nixos-aarch64
Acou_Bass has quit [Quit: ZNC 1.7.4 - https://znc.in]
Acou_Bass has joined #nixos-aarch64
<Irenes[m]> I will definitely document it
<Irenes[m]> there is a lot of information about the eFuse format on the sunxi wiki, most notably https://linux-sunxi.org/SID_Register_Guide and https://linux-sunxi.org/TOC0
<Irenes[m]> and I've spoken with apritzel, who helped me put it in context
<Irenes[m]> I haven't ruled out trying to reverse-engineer the boot0 at some point; it's not really secure while it's possible for an attacker to start it in FEL mode
<clever> Irenes[m]: thats an A20 based device ive used before, and the wiki claims to link to the source for boot0
<clever> and this claims to be the mask rom
<Irenes[m]> thank you. I will check it :)
<Irenes[m]> I doubt they actually put the crypto parts in the source, but it is worth checking
zupo has quit [Ping timeout: 260 seconds]
zupo has joined #nixos-aarch64
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
bennofs has quit [Ping timeout: 272 seconds]
orivej has joined #nixos-aarch64
zupo has joined #nixos-aarch64
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
zupo has joined #nixos-aarch64
vika_nezrimaya has joined #nixos-aarch64
tilpner_ is now known as tilpner
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
zupo has joined #nixos-aarch64
zupo has quit [Ping timeout: 240 seconds]
zupo has joined #nixos-aarch64
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<gchristensen> thefloweringash: can you generate the VM's host key on the host, and then copy it in place in the VM?
<gchristensen> the extracted cpio archives from these two images:
<gchristensen> [nix-shell:~]# du -s -h ./a.extract/ ./b.extract/
<gchristensen> 1.7G ./a.extract/
<gchristensen> 272M ./b.extract/
<gchristensen> ...??
<srk> that's a lot!
<gchristensen> the diff causing this is 50 bytes added to a .py file
<srk> no way :)
<gchristensen> way
<srk> was looking at that and it doesn't make sense :D
<gchristensen> you're right :)
<srk> and if you diff path nix/store/nix-path-registration ?
<gchristensen> identical
<gchristensen> interesting ...
<gchristensen> a.extract's extraction has 2 files (?) b.extract doesn't have
<gchristensen> # diff <(cat a.list | sed -e 's#^..extract##') <(cat b.list | sed -e 's#^..extract##')
<gchristensen> 2,4d1
<gchristensen> < /[�2Olz9B�
<gchristensen> < /c7Ds�S �{nZǺ=ev��U~s��S�
<gchristensen> �j�O�-Ƭi=5;իf�W{2N�#WZǗf,}mʎ�㱹o�[�|߬ �9�Y3fw˭f��5&=ԫ=k�n4�]f��D�
<srk> oh wow
<gchristensen> I think something is wrong :)
<srk> indeed. maybe try without xz?
<gchristensen> unrelated I think
<srk> does it also appear in tar tf list?
<srk> and in nix-path-registration?
<gchristensen> (2min)
<srk> np, no rush
<gchristensen> so this actually isn't in the nix store, but directly in the root of the initrd
<gchristensen> you can take a look, too: curl netboot.gsc.io/hydra-aarch64-linux.old/initrd > b curl netboot.gsc.io/hydra-aarch64-linux/initrd > a
<srk> downloading
<gchristensen> make sure to `gunzip` them, then I used `mkdir a.extract; cd a.extract; cpio -idv ../a` to extract
<srk> cpio has this flag
<srk> --device-independent, --reproducible
<srk> Create device-independent (reproducible) archives
<srk> do you test on x86 or aarch64?
<srk> that's set.. (cd root && find * -print0 | sort -z | cpio -o -H newc -R +0:+0 --reproducible --null | $compressor >> $out/initrd)
<gchristensen> I did both of these extractions on an x86 box
<srk> same here, they look the same expcept for cpio archive size
<srk> hm they both look broken here :D
<srk> $ ll -h a b
<srk> -rw-r--r-- 1 srk users 2.2G Mar 9 13:55 a
<srk> -rw-r--r-- 1 srk users 1.5G Mar 9 13:47 b
<gchristensen> m!
<gchristensen> hm!
<gchristensen> [nix-shell:~]# du --apparent-size -s ./a.extract/ ./b.extract/
<gchristensen> 1698822 ./a.extract/
<gchristensen> 254004 ./b.extract/
<gchristensen> hrm
<srk> $ du --apparent-size -s ./a.e/ ./b.e/
<srk> 254000./a.e/
<srk> 254000./b.e/
<srk> trying one more time, maybe I've made an error somewhere
<srk> well I guess not because even the original gzipped b (netboot.gsc.io/hydra-aarch64-linux.old/initrd) is 1.3G
<srk> yeah, only archives differ but not extracted contents
<srk> like this is fine.. find $i.e -type f | xargs sha256sum > $i.sums
<srk> looks like we need initrd.nar
<srk> gchristensen: I see it contains stuff like 07070100000D9A0000816D0000000000000000000000010000000100D527A0000000000000000000000000000000000000005900000000nix/store/35vj4sj1p242scfbzi0x4sjbzgvlbfww-mesa-19.1.5-drivers/lib/dri/kms_swrast_dri.so
<srk> not present in the output
<srk> extracted dir
<srk> wow
ryantrinkle has joined #nixos-aarch64
orivej has quit [Ping timeout: 260 seconds]
dongcarl has joined #nixos-aarch64
zupo has joined #nixos-aarch64
ryantrinkle has quit [Ping timeout: 255 seconds]
ryantrinkle has joined #nixos-aarch64
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
zupo has joined #nixos-aarch64
<gchristensen> clever: any chance I can get you to look at these two initrd's, one which is weird, one which is less weird?
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
zupo has joined #nixos-aarch64
ryantrinkle has quit [Quit: Leaving.]
ryantrinkle has joined #nixos-aarch64
<clever> gchristensen: got links or expr's to build them?
<gchristensen> I think it will be most useful to poke through the actual initrds
<gchristensen> which can be downloaded, does that work?
<clever> the expr's would help more i think, so i can modify how its build and get closure info
<gchristensen> sure
<gchristensen> clever: go back to 3e0d3ee196c2fb8c88b19e2c635bc14428268eb4 to get the good build, anything after is a bad build
<clever> gchristensen: just run nix-build on that file?
<gchristensen> yeah
<clever> its processing
<gchristensen> cool :)
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
Ultrasauce has joined #nixos-aarch64
orivej has joined #nixos-aarch64
<thefloweringash> I'd like to help with this but life keeps getting in the way sorry :-(
<sphalerite> gchristensen (or anyone else with packet.com experience) is there a particular trick to get arm server types to show up on the list? Because I'm not getting them…
<thefloweringash> two quick comments: valid initrds can be concatenated (see https://unix.stackexchange.com/a/266090); alternately, if you just need to make it smaller, you could try negating / xoring / encrypting archived store paths to skip accidental retention.
<gchristensen> thefloweringash: it appears the initrd is badly made
<thefloweringash> sphalerite: it can be region dependent, I think DFW2 and NRT1 have them
<gchristensen> 50 bytes addition is causing 200M larger output which unpacks to having file names called /[�2Olz9B� and /c7Ds�S �{nZǺ=ev��U~s��S�
LinuxHackerman has joined #nixos-aarch64
<sphalerite> gchristensen: doesn't show up on either of those for me :/
<sphalerite> can they be sold out or something?
* LinuxHackerman uploaded an image: 2020-03-09-230235_screenshot.png (143KB) < https://matrix.org/_matrix/media/r0/download/matrix.mayflower.de/dKDyUpBeZjRrlyaAedpsuyVK >
<LinuxHackerman> :|
<sphalerite> not so for me ^
<thefloweringash> wat.
<gchristensen> sphalerite: hop in #packet?
<sphalerite> gchristensen: oh, that's a thing too? I just asked on the packet community slack
<gchristensen> ah
<gchristensen> it bridges
zupo has joined #nixos-aarch64
<sphalerite> "422 You are not allowed to provision c2.large.arm servers" :(
ryantrinkle has quit [Ping timeout: 256 seconds]
zupo has quit [Ping timeout: 260 seconds]
zupo has joined #nixos-aarch64
<clever> error: a 'aarch64-linux' with features {} is required to build '/nix/store/4g1zniqfsvr0ng08k4mm1wmaa03vka8x-about.json.drv', but I am a 'x86_64-linux' with features {benchmark, big-parallel, kvm, nixos-test}
<clever> gchristensen: i'll need to re-link my desktop to the community box
<gchristensen> sure
wavirc22 has quit [Ping timeout: 260 seconds]
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
ryantrinkle has joined #nixos-aarch64
orivej has quit [Ping timeout: 268 seconds]