jasongrossman has quit [Ping timeout: 255 seconds]
jasongrossman has joined #nixos-chat
jasongrossman has quit [Ping timeout: 268 seconds]
elvishjerricco has quit [Ping timeout: 258 seconds]
Peetz0r has joined #nixos-chat
elvishjerricco has joined #nixos-chat
elvishjerricco has quit [Max SendQ exceeded]
elvishjerricco has joined #nixos-chat
jackdk_ has joined #nixos-chat
jackdk has quit [Disconnected by services]
jackdk_ is now known as jackdk
jasongrossman has joined #nixos-chat
drakonis1 has quit [Quit: WeeChat 2.3]
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 268 seconds]
Myhlamaeus has quit [Ping timeout: 240 seconds]
avn has quit [Ping timeout: 268 seconds]
avn has joined #nixos-chat
<infinisil>
Aw yeah, feels so nice to do a big refactor in Haskell, just fixing type errors for a whole while, but once it compiles, it probably runs just fine already :)
<clever>
Could not find a version that satisfies the requirement cffi==1.10.0 (from -r /tmp/vpython_bootstrap068857683/requirements.txt (line 4)) (from versions: )
<clever>
No matching distribution found for cffi==1.10.0 (from -r /tmp/vpython_bootstrap068857683/requirements.txt (line 4))
<clever>
infinisil: any experience with python and pip?
<infinisil>
Python a bit (for university), pip a bit (for nixpkgs maintenance)
<infinisil>
The dynamic nature of those two annoys me
<clever>
i get the above error when i run `gclient sync --with_branch_heads --with_tags`
<clever>
and careful trying to replicate my setup, it downloads 30gig worth of git repos :P
<clever>
infinisil: attempting to build electron, on nixos
jasongrossman has quit [Ping timeout: 268 seconds]
drakonis_ has quit [Remote host closed the connection]
endformationage has quit [Ping timeout: 245 seconds]
jasongrossman has joined #nixos-chat
jtojnar has joined #nixos-chat
jasongrossman has quit [Ping timeout: 245 seconds]
jasongrossman has joined #nixos-chat
pie__ has joined #nixos-chat
waleee has joined #nixos-chat
<andi->
Sometimes I wish we would have more formalisms/standards/qa/… in NixOS... on the other side at my job right now: Bikeshedding for a debian release version scheme for multiple days now..
<gchristensen>
+1
* andi-
sits back and drinks tea while the "experts" decide.
<gchristensen>
the debian release version scheme is very trivial, just call `next-debian-version-number` where `next-debian-version-number` is aliased to `uuidgen`
<andi->
it is more like that: packagename-2.1.2.3~git~201000000000.asdfeg+foo123-1+baz-dez-1
<andi->
vs something with less ~ and more + and -
<gchristensen>
yeah :(
<andi->
and there is no definitive list of rules for that making it the ultimate timesink for packaging debian things..
jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
infinisil has quit [Quit: Configuring ZNC, sorry for the joins/quits!]
infinisil has joined #nixos-chat
jasongrossman has quit [Ping timeout: 245 seconds]
jasongrossman has joined #nixos-chat
jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
jasongrossman has joined #nixos-chat
<infinisil>
I should implement a karma weight for the bot
<infinisil>
Such that people who often ++ have less valuable karma giving points
<infinisil>
Not pointing any fingers here of course!
__monty__ has joined #nixos-chat
<tilpner>
Hey, anyone around who understands encrypted /boot?
<tilpner>
I'm struggling to come up with an attack that it prevents
<tilpner>
And my laptop's already wiped, but I can't decide on a partitioning layout
<tilpner>
(Yes, I know! I thought I did the research before-hand)
<tilpner>
The attacker has physical access to the laptop, so he can put a backdoored kernel into an unencrypted /boot, which either triggers automatically, or from e.g. incoming network traffic or javascript on some website. That's bad, game over
<infinisil>
tilpner: Sounds good, why would encrypted /boot not prevent that?
<tilpner>
(Slow, am on phone)
<tilpner>
I'm not too familiar with how EFI works, but isn't there still an unencrypted grub accessible, even when I'm using encrypted /boot?
<tilpner>
Couldn't that evil grub just apply the same patch to the kernel after it has decrypted the /boot partition, but before it loads it?
<tilpner>
Is it just "it's a little harder to do with encrypted /boot", or am I missing something?
<infinisil>
Well without hardware that can verify signatures of bootloaders, I don't think encrypted boot prevents anything, the only thing it does is make it harder
<tilpner>
That's the same conclusion I came to. Is there any easy way to add that verification?
<tilpner>
I remember graham doing some secure-boot signing, but the PR is still open
<gchristensen>
it is pretty buggy as is :)
<gchristensen>
it doesn't handle /boot being full very well, which happens *a lot*
<tilpner>
So I should just not bother with encrypted /boot?
<gchristensen>
I have no opinions
<infinisil>
tilpner: What you can do instead to fully secure your computer is to put the unencrypted bootloader on a memory stick, and fully encrypt the machine
<tilpner>
So I would boot off the usb stick, which I need to keep plugged in for every rebuild?
<infinisil>
Probably
<infinisil>
Alternatively it might be possible to only use the stick to decrypt a /boot on the machine, and then boot from that
<samueldr>
with grub and one of the FS it can deal with, e.g. ext4 on luks, it might be possible to have it read the system's encrypted /boot
<gchristensen>
I guess the improvement there is you can detach the bootloader and carry it with you? not sure I grok it
<infinisil>
gchristensen: The improvement is that the machine can be fully encrypted, like actually fully, not a single byte readable
<samueldr>
assuming a "stateless" grub on usb drive, it would only be needed at boot time, meaning it would be possible to only use it to boot, and remove it otherwise
<tilpner>
I like this last option a lot
<gchristensen>
except the part that is removable and possibly trivially replaceable with a look-a-like
<samueldr>
note: grub is s.l.o.w at decrypting things :)
<infinisil>
gchristensen: How would that attack work?
<gchristensen>
it probably isn't even worth exploring, unless someone is actually concerned about this happening
<samueldr>
whenever you don't have it with you, someone could snag it, image it, put it back, note brand; then make a new one with $forged thing
<joepie91>
Q: what is the benefit of "fully encrypted, not a single byte readable"?
<gchristensen>
I also ask joepie91's q
<joepie91>
like, what does this prevent?
<infinisil>
joepie91: People could change the initial unencrypted bootloader to read your password or such
<joepie91>
encrypting your bootloader doesn't prevent bootloader replacement
<joepie91>
so that seems like a moot point
<joepie91>
encryption provides confidentiality, not tamper-resistance
<joepie91>
(except for in really narrow circumstances that primarily concern confidentiality)
<infinisil>
joepie91: How could anybody create a luks disk that unlocks with the same exact password you use for the original disk?
jackdk has quit [Remote host closed the connection]
<joepie91>
I don't see how that's a requirement
<joepie91>
when you're tampering with the boot process, it's pretty much irrelevant what's on disk if you can insert your own fake password screen
<joepie91>
you don't even really need to touch the original
<infinisil>
Okay so I'll try to be clearer with what I mean: The machine's disk is fully encrypted, you can't boot from it and you won't need to, you can't read any byte. To boot it you use a trusted usb stick containing a boot loader you can enter your password to for the machine's disk
<samueldr>
considering a situation where the bootloader is separate from the machine, the attack surface changes a bit, but it's basically moving the issue to a separate piece that might or might not be easier to protect
Myhlamaeus has joined #nixos-chat
<infinisil>
samueldr: Ah yeah I guess, but I'll argue that a usb stick is easier to keep with you for a trust base than a computer
<joepie91>
but... the USB stick just contains the bootloader
<samueldr>
yeah
<joepie91>
plug in a different USB stick with a luks implementation and you can do the same thing
<joepie91>
the USB stick doesn't contain a key
<samueldr>
though, an EFI-based solution could allow secure boot to verify the usb drive, since the grub there should be pretty stateless
<joepie91>
so unless you actually encode a key or token of some sort into your USB peripheral, putting your bootloader on a thumbdrive does exactly nothing to prevent against boot process tampering
<joepie91>
there are so many ways to fuck with things, if somebody has that kind of access and intent
<infinisil>
But the point is, you don't leave your usb stick out of sight
<infinisil>
In comparison to your laptop
<joepie91>
samueldr: yes, but then the whole 'modified bootloader' thing wouldn't be a concern anymore anyway because all bootloader stuff needs to be signed
<infinisil>
My assumption is that you trust the stick
clefru has quit [Quit: WeeChat 2.4]
<joepie91>
infinisil: I *don't need the USB stick* to attack your system
<joepie91>
you're treating it like a key but it isn't
<infinisil>
joepie91: Okay you have my machine, how do you attack it?
<joepie91>
insert my own bootloader into the process, change the boot order, make it look like the thing that's on your USB stick, have it pass through to the actual USB stick
<joepie91>
done
<joepie91>
this is just a phishing attack
<joepie91>
inserting a bootloader can be done through any amount of ways, including abusing an extra disk partition that might be creatable or even just inserting a different thumbdrive
<joepie91>
with enough access, even solder the storage chip to the USB port internally
<joepie91>
so you don't see it's there
<infinisil>
I won't be booting from the machine's boot loader, I'll be using the stick to boot
<joepie91>
no, you THINK you're using the stick to boot
<joepie91>
that is the point
<infinisil>
Oh
<gchristensen>
I have to leave my USB stick out of sight every time I fly
<joepie91>
nothing keeps me from modifying the boot settings in bios/uefi to boot from something else instead
<joepie91>
without you realizing it because it looks the same
<infinisil>
joepie91: So you're talking about modifying the firmware that allows you to select what to boot?
<samueldr>
"nothing keeps me" depends on the security of the bootloader wrt the password protection of settings I guess
<joepie91>
infinisil: that's generally a standard feature in your bios/uefi, no firmware modifying needed
<joepie91>
samueldr: 99 out of 100 times it's trivial to bypass/reset
<gchristensen>
you don't even need to change the bios/uefi firmware if you just get a similar usb stick
<joepie91>
plus that
<samueldr>
all points to "what are you protecting from?"
<joepie91>
so long as I can somehow convince the bios/uefi to pick my storage device/partition instead of your USB stick, you're done
<gchristensen>
exactly
<infinisil>
joepie91: When I press <alt> on my laptop while booting, it doesn't even get to bios/uefi (I don't think), it just opens a very small selection of what things you can boot from. It's possible to modify that?
<gchristensen>
it doesn't matter if you think it is the same usb stick and it isn't
<infinisil>
Stuff like Refind and grub are at a later stage than that
<samueldr>
that's the EFI
<samueldr>
the firmware
<joepie91>
^
<joepie91>
and you aren't going to be pressing alt :)
<joepie91>
at some point, you're going to be lazy and let it boot into the default
<joepie91>
and that's enough
<infinisil>
Oh but I'm not considering that
<infinisil>
When I say "I'm going to boot from the stick" i really mean "press alt to select the stick to boot"
<infinisil>
If you're not doing that then sure, all safety out of the window
<gchristensen>
it doesn't matter if you are tricked in to thinking it is the same stick!
<samueldr>
or it might be the same stick!
<infinisil>
And I'm also assuming that I can trust my stick, as many times mentioned already
<gchristensen>
this is an attack anybody could pull at nixcon: see you boot once, buy the same stick off amazon with 2hr delivery, install whatever to the disk and be done
<gchristensen>
an attack not feasible for a friendly hacker at nixcon: buying a new laptop or pwning your on-disk bootloader
<infinisil>
I mean, it probably makes sense to also add a key to your boot loader on the stick
<infinisil>
Such that you can't just use a different one
<gchristensen>
like secureboot?
<gchristensen>
skip the usb key shenanigans and just go for secureboot
<infinisil>
Where's the catch with secureboot?
<samueldr>
depends on the firmware implementation
<infinisil>
Or the assumptions
<gchristensen>
the catch with secureboot is you're trusting your OS to not have an easily pwnable firmware
<samueldr>
assuming the firmware is done right, should be pretty flawless as long as the bootloader and chain all verify
<infinisil>
Ah, then I bet my 2012 macbook doesn't support that
<samueldr>
it might
<samueldr>
if your machine's firmware is trivially resettable, then it's a bit different :/
<samueldr>
e.g. the atom tablet/laptop thing I have, the firmware is reset by holding the power button 30s
<samueldr>
and defaults to no security
<joepie91>
lol
<joepie91>
why even bother with implementing secureboot at that point
<jasongrossman>
infinisil: OMG I love 2012 MacBooks. Never replace it, no matter what its firmware does or doesn't do.
<joepie91>
well okay, maybe it prevents software-based attacks
<gchristensen>
yay bootstrapping trust
<gchristensen>
the most bike-sheddingly horrible thing :P
<infinisil>
jasongrossman: It's lasted for now, but I'll have to replace it soon
<samueldr>
yeah, you have to determine where you place blind~ish trust at one point with that
<samueldr>
otherwise you'll need to implement your own silicon
<jasongrossman>
infinisil: Replace it only when it's worn down to a sliver by physical abrasion.
<infinisil>
Haha
<gchristensen>
samueldr: and trust the fab to not be haxorzing you
<samueldr>
exactly
<infinisil>
But seriously, if you don't have the supported hardware and you want to be as secure as possible (and you never forget to press alt during boot and can keep your stick trustworthy), I think that usb stick solution is pretty good
<infinisil>
Add a key to the stick to prevent somebody replacing it without you knowing
<gchristensen>
okay
<joepie91>
oh hey my blog is now a reference on wikipedia apparently
<samueldr>
e.g. do you assume IBG (intel boot guard) to be sufficient to protect the firmware? if so then the firmware is assumed to be replaceable only from the OEM with the right signatures; is the OEM assumed to handle this right? is the firmware bug-free? (unlikely) thinking about all that makes me dizzy :)
<samueldr>
(and has IBG been setup right? that's been found to be an issue already)
<infinisil>
That's getting too bootstrappy booty for me!
drakonis has joined #nixos-chat
<gchristensen>
I feel having a key root of trust be in a cheap and removable thing (talking over a protocol which is also considered to be a catastrophe for security) is a loss
<samueldr>
as for me, my attack surface is "petty thieves picking the computer and fencing it", so I encrypt, that's it, hoping I'm against no technically inclined antagonist (for now)
<gchristensen>
same-ish
<infinisil>
Yeah same for me
<infinisil>
But admittedly I don't even encrypt anything right now
<gchristensen>
oh man
<samueldr>
I'm looking at maybe getting a new computer, which would be tianocore friendly with relatively well implemented security for firmware security, might look at making a tamper-evident thing
<gchristensen>
what're we talking about USB keys for
<samueldr>
and use secure boot from that tianocore, so the firmware would be "generally trusted until it isn't", which helps against a swath of technically inclined antagonists, but definitely not against all
<samueldr>
though now i'm thinking maybe there is something better :/
* samueldr
doesn't want to think about that right now
<infinisil>
gchristensen: Well I did for a while use usb sticks for bootloading, but it got annoying over time :P. I don't have anything to protect worth this trouble
<samueldr>
infinisil: nixpkgs credentials?
<gchristensen>
^
<samueldr>
(hopefully kept behind security)
<infinisil>
Like github login, ssh and gpg keys?
<samueldr>
yeah
<gchristensen>
your authenticated web browser session tokens
<infinisil>
Those are encrypted with a password at least
<gchristensen>
your authenticated web browser session tokens? :)
<infinisil>
Ah yeah those could be a problem..
<jasongrossman>
joepie91: My blog is a reference on Wikipedia too. Proud moment when that happened.
<jasongrossman>
joepie91: Yours is probably something important. Mine is just logic.
<gchristensen>
for what it is worth, we can talk about USB boot tokens and every-byte-encrypted, but until your hard disk is mostly encrypted by default you are de facto less secure than your computer illiterate friends with a relatively recent laptop running windows or macos.
<joepie91>
jasongrossman: depends on who you ask, it's my ranty article about how JWTs for sessions is stupid and bad
Mithror has joined #nixos-chat
<joepie91>
(but mostly: insecure)
<jasongrossman>
joepie91: What's a JWT please?
<joepie91>
jasongrossman: JSON Web Token
<jasongrossman>
joepie91: ty
<joepie91>
tl;dr cryptographically signed blob of JSON
<joepie91>
except the crypto design is junk, and people use it for 'stateless sessions' which is a terrible idea because you can't revoke a stateless token
<joepie91>
and approximately nobody who tries to do this, has any data whatsoever to show that they actually _need_ stateless session persistence
<joepie91>
but it's one of the recent hypes
<jasongrossman>
joepie91: That does sound important.
<infinisil>
gchristensen: Ouch :P
<gchristensen>
no ouch about it
<infinisil>
Afaik macos doesn't encrypt by default
<jasongrossman>
joepie91: I've read it before, and I'll go back to it if I'm ever asked for details.
<joepie91>
aha :)
<infinisil>
gchristensen: I see, nice
<infinisil>
But really, the chance of me getting robbed is really low, I'm not that worried
<joepie91>
jasongrossman: I do like how often the article has been translated
<gchristensen>
macos and windows have code-signing on kernel modules
<joepie91>
jasongrossman: to my knowledge, it's currently also available in chinese, korean, russian, japanese, and I think french too
<gchristensen>
most linuxes, you mount the disk rw on another system and go to town
<jasongrossman>
joepie91: Wow.
<infinisil>
And encrypting takes effort, and that effort is larger than my worry about it being stolen
<joepie91>
also, interesting takeaway: the phrase 'slightly sarcastic flowchart' resonates with people
<joepie91>
lol
<gchristensen>
encrypting takes almost no effort
<gchristensen>
I haven't thought about encryption ever since I set up my laptop
<gchristensen>
this is basics! I'm happy to help you move to encrypted root
<andi->
that reminds me... unlocking a raid1 via ssh seems to be brokenish on nixos if one uses the cryptsetup-askpass script we provide.. Wanted to write a test :/
<infinisil>
gchristensen: I'd have to move my zfs pool under luks, and to do that I'll have to move all 300GB or so to a different disk, then set up luks there and copy everything back over again
<gchristensen>
sure
<gchristensen>
do you need a 300gb disk?
<infinisil>
I do have some disks lying around
<andi->
you do have backups?
<infinisil>
I do
<infinisil>
I should really buy a bunch of new disks already, I feel like all of mine will fail in a year or so
<joepie91>
give them a stresstest and look at smart data
<joepie91>
disk failures are a bathtub curve
<andi->
I moved and my raid (that wasn't a backup) failed with all disks at the same time. :-)
<joepie91>
so there's a reasonable chance that new disks will fail faster than the old ones
<andi->
So better make sure those aren't your backups ;-)
<infinisil>
joepie91: bathtub curve?
<gchristensen>
joepie91: *hides*
waleee has quit [Quit: WeeChat 2.4]
<joepie91>
extremely biased towards the start and end of the lifespan :)
<joepie91>
disks often either fail very early in their life, or last for a long long time
<joepie91>
for HDDs, that is, does not apply to SSDs
<andi->
I have *some* wd greens from 2012... they just run and run and run.. afraid of turning them off..
<gchristensen>
haha
<joepie91>
always worth noting when looking at backblaze stuff that their usage patterns are very different from your typical desktop/laptop system
<joepie91>
their data is still useful, but don't expect it to map to your usecase 1:1 :)
<gchristensen>
for sure
<gchristensen>
personally, I've never had a HD fail on me -- so I'm pretty sure I'm dearly due
<andi->
I wonder what happened to that "glass engraving" technology from the early 2000s?
<joepie91>
infinisil: anyway, if you're unsure about the remaining lifespan of your disks, run badblocks on them first to see if they survive a full cycle or so
<joepie91>
(note: this will wipe whatever is on them!)
<joepie91>
and have a look at any failure indicators in the smart data
<joepie91>
if it all looks good, I wouldn't bother replacing them yet
<joepie91>
andi-: dunno about glass, but M-DISC is similar-ish
<joepie91>
engraves into inorganic material
<andi->
I do not recall the exact names..
<infinisil>
I see
<joepie91>
(which is why they claim it lasts much longer than regular optical media, as it isn't subject to organic rot)
<joepie91>
(regular optical media use organic dyes)
<infinisil>
Well I do need new ones anyways though, because I'm running low on space. I'm already not backing up all my media to manage for now
<joepie91>
don't let that get in the way of encrypting your disk, though :)
<joepie91>
assuming you have enough space to make a backup
<andi->
while at it: add password to all the ssh/gpg/… keys
<infinisil>
Alright I'll consider it
<joepie91>
also, when encrypting your entire disk, make sure to keep a paper note somewhere safe (like in a... safe) with the password, in case you forget it or you get hit by a bus or w/e
<gchristensen>
yeah
<joepie91>
(that only applies if your threat model is "laptop gets stolen", not if it is "NSA is interested in me" :P)
<andi->
maybe also to the latter case but might not be as effective..
<gchristensen>
how does the NSA rate on the wrench-scale
<andi->
do they still have actual people and not programmers/mathematicians working there?
<joepie91>
andi-: nah, in the latter case you want all your sensitive things on a separate system for which the key only exists in your head, and loss of data is preferable over compromise
<joepie91>
gchristensen: not that high
<gchristensen>
cool, cool
<joepie91>
other TLAs rank higher I think
<joepie91>
CIA and such
<gchristensen>
I haven't been tested, but I feel I would score low on wrench-resistance
<joepie91>
that seems like a fairly universal human condition :)
<andi->
a practical "experiment" for next NixCon?
<gchristensen>
no thanks
<joepie91>
meh
<joepie91>
I want to work on my JS streams implementation
<joepie91>
but RSI :(
* gchristensen
offers a pained salute to joepie91
<andi->
enjoy the sunlight(?) if you still can at your location... I recently lost a bit of all motivation for computers... The outside is nice :-)
<joepie91>
not much sun at the moment
<joepie91>
will be sunny this weekend though
<joepie91>
and temperatures are close to perfect for me at the moment
<joepie91>
I'm kind of worried about coming summer though
<joepie91>
I've gone through the winter without heating, as an experiment to see how well it would work... the results have been overall positive, with less cold hand/feet issues, and my 'comfortable ambient temperature' has dropped by like 4-5 degrees celsius
<joepie91>
(from 21 -> 16/17)
<infinisil>
andi-: It just snowed today where I'm at!
<joepie91>
but I've always had a lot of trouble with hot temperatures in the past, and after this experiment I'll either 1) adapt to that better as well, or 2) be even more miserable when it's hot
<joepie91>
lol
<joepie91>
I don't know which one it's gonna be yet
drakonis has quit [Read error: Connection reset by peer]