<samueldr>
> When secure boot is properly configured, and if the mainboard is located in a physically secure environment (e.g., a secure computing room or locked desktop case),
<samueldr>
oof
<{^_^}>
error: syntax error, unexpected ',', expecting ')', at (string):318:40
<samueldr>
so I guess from that that the secure boot options can be reset via physical access
<samueldr>
I wonder if it's something that the POWER9 doesn't support, to have a key written, fused, to the CPU
<samueldr>
the allwinner A64 (apparently) supports it
<samueldr>
(though I wouldn't call that open at all)
<samueldr>
(and secure? heh, maybe?)
<samueldr>
I say "apparently" because I haven't verified personally
<gchristensen>
physical access to the hardware is usually considered an end
<samueldr>
with proper secure boot it shouldn't be
<samueldr>
but yeah, the hardware could be switched around
ottidmes has joined #nixos-chat
<samueldr>
still, I wonder if I read too much in the phrasing
<gchristensen>
you can make your laptop tamper-evident with carefully placed stickers or nail polish for example
<gchristensen>
and then you'd at least know you got evil maid'd
<samueldr>
yep
<samueldr>
if you _actually_ control the secure boot keys from the cpu bringup, which validates the firmware, and so on, it would be the best security currently possible
<samueldr>
(actually being that on intel, and I guess AMD, the cpu has an OEM-supplied set of keys that validates the bios, which in turn starts secure boot)
<danderson>
the POWER architecture has true secure chain of custody boot starting with in-CPU keys, afaik
<samueldr>
danderson: so I possibly read too much in the sentence?
<danderson>
difference is all the firmware is also open, so you can inspect it and verify
<samueldr>
(so it is not out of the realm of possibilities to have a TLA agency ask nicely for an OEM's keys)
<danderson>
samueldr: where was the sentence in context?
<samueldr>
>> An owner-controlled, CPU-based secure boot mode also is available at any time. When secure boot is properly configured, and if the mainboard is located in a physically secure environment (e.g., a secure computing room or locked desktop case), you can be assured that only your pre-approved and pre-audited firmware, kernel, and user space components are executing on a Blackbird™ system.
<samueldr>
to me this read "you can reset the secure boot chain via physical access"
<danderson>
hm. yeah, it does read that way doesn't it
<samueldr>
which i guess if you remove the CPU and place your own is still true
<danderson>
that's pretty generally the case, yeah. Physical access implies everything including "I can decap the CPU and insert microprobes to change its brain"
<samueldr>
yeah, though the more hurdles there are the better it is
<samueldr>
and one of them is not allowing to reset the secure boot chain!
<danderson>
although if you combine this system with tamper sensors, you can make a practical attack very hard
<samueldr>
(without introducing different hardware)
<danderson>
i.e. alarm and scorch keys if accelerometers, light sensors, chassis intrusion switches, etc. trip
<danderson>
but honestly, for Serious Security(tm), a secure facility isn't too hard to build to very high standards. If you can afford it.
<danderson>
and if you can't... Well, it's still pretty good security if an attacker can't mess with you over the internet :)
<danderson>
another thing to note is the performance of those POWER CPUs
<danderson>
it's... not very good
<danderson>
the $500 entry level quad-core barely beats an entry level Ryzen CPU
<danderson>
for several hundred more
<danderson>
so I guess the question is really: how parallelizable is your workload (to take advantage of that 4-way SMT), and how much do you value a fully open + securable system
<colemickens>
How could you allow user-changeable keys without having "you can reset SB chain w/ physical access" ? I guess if they shipped it open and locked in the first value it sees?
<Ashy>
i love the idea of a power9 system with foss all the way down
<Ashy>
but it's impossible to justify in a work context
waleee-cl has quit [Quit: Connection closed for inactivity]
<samueldr>
colemickens: shipping open and locking it
<samueldr>
colemickens: that's how the A64 does it
<samueldr>
in theory that's also how intel does it
<samueldr>
you should be able to burn the fuses in the proper sku if it's shipped without it being finalized
<samueldr>
IIRC one "exploit" (or, more aptly said, common flaw) at one point is that the cpus may not be shipped finalized
<samueldr>
I don't recall if I checked whether my laptop is in manufacturing mode still
rajivr has joined #nixos-chat
<danderson>
for professional use, another option is to set up a sale with pre-burned keys
<danderson>
when you make the purchase, you tell Raptor or whomever what public key to burn into the CPU before shipping. You hold the private key, so when you take delivery you can verify that the key is correct and only you get to install firmware
<danderson>
but that's more for larger volume type deals
<clever>
danderson: internally, the rpi does support something similar, but i don't think any vendors provide un-burnt chips
<clever>
there is a 16 byte per-device key in OTP memory on the SoC, which is involved in validating the signatures on bootcode.bin and the rpi4 eeprom
<clever>
but all vc4 models have signature checking disabled with a key pre-burnt, and the vc4 model (pi4) has the same key burnt onto every unit, with checks enabled
<clever>
oops, vc4 and vc6!
cole-h has joined #nixos-chat
<bqv>
Is it possible to have comments in json?
<samueldr>
no
<bqv>
Damn
<samueldr>
some extended json-like languages do allow it
<samueldr>
but json, strictly, no
<bqv>
Yaml does though right?
<samueldr>
IIRC yes
<bqv>
Ok that'll do
<infinisil>
bqv: Maybe check out TOML too, it's not as complex as YAML
drakonis has quit [Quit: WeeChat 2.8]
<Shados>
samueldr: I have a few intel-based systems that were shipped out still in manufacturing mode
arahael1 is now known as Arahael
endformationage has quit [Quit: WeeChat 2.7.1]
drakonis has joined #nixos-chat
cole-h has quit [Quit: Goodbye]
cjpbirkbeck has quit [Quit: Goodbye, take care]
<colemickens>
I asked in #cachix, but I'm seeing a weird case where it tells me "all done" for a store path, but the cachix mirror itself gives a 404 for the narinfo for that path.
kalbasit has quit [Ping timeout: 256 seconds]
drakonis has quit [Quit: WeeChat 2.8]
buckley310 has quit [Quit: Connection closed for inactivity]
<clever>
colemickens: does the narinfo exist on cache.nixos.org?
rajivr has quit [Quit: Connection closed for inactivity]
parsley936 has joined #nixos-chat
<philipp[m]>
rrsync saves the day once again!
rajivr has joined #nixos-chat
ixxie has joined #nixos-chat
<infinisil>
In a 15 minute video after a 3 minute introduction: "In this video we'll look at bla bla and bla bla"
<infinisil>
"But first, I want to thank NordVPN for spo" aaand I'm out
<gchristensen>
anyone want to see the worst thing imaginable?
<eyJhb>
gchristensen: that is waaay too cursed. :(
<eyJhb>
Tom is awesome infinisil :D
<ajs124>
That was actually pretty bad, wow. I'm struggling to think how to come up with any worse way to do that
Jackneilll has quit [Ping timeout: 256 seconds]
<gchristensen>
I'm stuck trying to figure out how to handle decimals
<ajs124>
well. does it need to be a one-liner?
<gchristensen>
I think the main requirement is it need not use division in the implementation
<infinisil>
I have an idea
<philipp[m]>
Uuugh! That's a nasty way to divide! You people live in the past! There is a perfectly good dividor library in npm that just uses wolframalpha.
<joepie91>
infinisil: tip: SponsorBlock
<joepie91>
it's like an adblocker, but for sponsor segments
<joepie91>
it's a significant quality-of-life improvement
<philipp[m]>
It even cuts out annoying beginnings and ends of music videos if you want that.
<infinisil>
I don't inherently have anything against sponsorships, *if* they actually use and like the product
<infinisil>
If I notice that they don't, I started just not watching the video
Jackneilll has joined #nixos-chat
<philipp[m]>
Are you not interested in shady vpn 3000 that totally doesn't spy on you and might not even have a publicly accessible mongodb with all your data in it?
<ajs124>
gchristensen: as long as loops and more files are allowed, it should be doable.
<eyJhb>
Anyone that have had issues with hardlinks because of nix.autoOptimiseStore ?
<ajs124>
just replace loops with recursion if loops are not allowed. that's a free life protip right there.
<ajs124>
and if files aren't allowed, (environment) variables and like... wc instead of ls should work as well
<infinisil>
gchristensen: cat /dev/random | tr -cs '[:digit:]' '\n' | while read result; do if (( result * $1 == $0 )); then echo $result; fi; done | head -1
<infinisil>
Only works if $0 is a multiple of $1 lol
<infinisil>
And it might take a while with bigger numbers!
<gchristensen>
infinisil: omg!
<Arahael>
infinisil: I was about to say... Of course... zero dollars is a multiple of any other amount of dollars you have! ;) (The multiplier being zero)
<gchristensen>
that is okay, I feel fancy enough for the two of us.
<fnlaai>
is that you bud?
<gchristensen>
that is me, bud!
<fnlaai>
how did u get those beards?
<gchristensen>
I've been practicing since I was 12!
<fnlaai>
so u didn't cut it down from 12 'til now?
<fnlaai>
cool
<gchristensen>
nah, this is my coronavirus beard, I had it cut to about 2cm before this all started
<infinisil>
That's impressive gchristensen
<fnlaai>
haha lol, like 'an event beard'
<fnlaai>
if there was ww3, then it will be called ww3 beard.
<fnlaai>
infinisil what are you doing bud?
<fnlaai>
gchristensen are you on the way to somewhere?
<infinisil>
I'm just chilling, eating some breakfast, watching some videos :)
<gchristensen>
nah, just working from home like I always do
<fnlaai>
infinisil a movie? do u have a recommendation about 'gentleman' movie? like movies played by leonardo dicaprio, the wolf of wall street, the great gatsby...
<fnlaai>
gchristensen ahh I see, there's nixos logo behind you, are you working on nixos?
<infinisil>
Oh no just youtube videos. I'm not a big fan of movies tbh :P
<NinjaTrappeur>
nice bow tie!
<fnlaai>
NinjaTrappeur code in haskell bud?
<NinjaTrappeur>
yup?
<fnlaai>
just checking
<fnlaai>
mostly nixos user do FP hh.
<fnlaai>
which is cool
<fnlaai>
anyway, went into college? NinjaTrappeur
<infinisil>
Oh my god, internet historian advertises nordvpn..
<infinisil>
Can I not watch any youtube without vpn ads?
buckley310 has joined #nixos-chat
<fnlaai>
of course you can
<fnlaai>
mpv to the rescue
<infinisil>
No, I mean sponsored sections
<infinisil>
Just earlier I talked about this and how I'd stop watching videos that have sponsors like that
<philipp[m]>
Stick to capitalism hating breadtube? :D
<fnlaai>
perhaps youtube premium? i guess they call it that way? watching any videos in yt without ads or sponsors
<joepie91>
I don't think youtube premium removes sponsors
<fnlaai>
every app will capitalized as soon as possible haha
<fnlaai>
like facebook's
<fnlaai>
is that right joepie91?
<fnlaai>
facebook's instagram started to look like a marketplace now.
<fnlaai>
that's how social media goes
<infinisil>
sponsored sections are part of the video itself, youtube premium can't remove that
<philipp[m]>
Sponsors means the host of the show talking about a product in the actual video.
<philipp[m]>
There is sponsorblock that is a crowdsourced solution, but youtube doesn't edit uploaded videos.
<bqv>
Was gonna otherwise suggest finding a way to build without gradle
<eyJhb>
bqv: how?
<bqv>
Dunno
<bqv>
That's the "finding a way" part
<eyJhb>
Didn't read finding
<eyJhb>
:p
<bqv>
Lol
<eyJhb>
But there as a fun hurdle with AntennaPod now
<eyJhb>
So yay
<bqv>
I do have a script that does all the steps, but I don't think it fetches dependencies
<samueldr>
eyJhb: maybe rubberduck debug with us?
<samueldr>
you know that halfway in the explanation you're likely to get a new idea :)
<eyJhb>
Well, it is a weird bug in gradleGen, so currently just investigating how it actually works
<eyJhb>
Like, wth jar xf is :p But I will surely get stuck in a while
<eyJhb>
But considering going for a drive, because I have been tasked with cleaning out the refrigerator for the GF. She hasn't used her apartment since mid december, and her mom is coming for a visit. So yay
<__monty__>
Well, tar xf would be extract file. Maybe java's jar mimics tar's UI?
<eyJhb>
The parser does something wrong, while getting the deps
<infinisil>
eyJhb: That's a pretty chill streamer!
<eyJhb>
It should have gotten 0.14 but it got 0.22-milestone-2
<eyJhb>
infinisil: Soviet?
<infinisil>
Ye
<eyJhb>
He has some GREAT videos, where he plays with his friends
<eyJhb>
Getting /dev/random from other computers gchristensen
<eyJhb>
:D
<ashkitten>
great way to collect entropy /s
<bqv>
nah, i'm creating a server, but banking on that it being hosted via wireguard is enough security
<ashkitten>
crowdsourced entropy...
<eyJhb>
Server for what?
<bqv>
:D
<eyJhb>
ashkitten++
<{^_^}>
ashkitten's karma got increased to 0b10011
<eyJhb>
:D
<bqv>
eyJhb: based on your knowledge of me, you can probably extrapolate the answer to that
<ashkitten>
hmmmm does mdns work over tinc?
<ashkitten>
guessing it requires multicast...
<bqv>
ashkitten: yes, iirc!
<bqv>
if in layer2 mode
<ashkitten>
switch mode, right?
<__monty__>
Does nvidia expect competition from ARM chips? Are they aiming for apple silicon?
<bqv>
ye
<eyJhb>
bqv: A british internet
<eyJhb>
Without USA
<bqv>
eyJhb: emacs
<eyJhb>
I was close
<eyJhb>
You are creating a server that just runs emacs that you can connect to?
<bqv>
no, runs emacsclient
<ashkitten>
emacs is so advanced an os you need an entire dedicated server to run it
<bqv>
so i don't have to go through a shell
<bqv>
i can just connect and emacsclient is there
<bqv>
no part of this actually requires telnet, i just feel like it might be nice to have it separate from ssh, and wireguard is some security
<eyJhb>
AntennaPod, you are dead to me. I have no clue why this will not work, and 100% relying on a codebase I have no clue how works. It is just nice
<gchristensen>
wireguard just means you need to have any access at all to the machine
<eyJhb>
Hmm. nice :p
<gchristensen>
not anything about who you are, just where you are
drakonis has quit [Quit: WeeChat 2.8]
<bqv>
well i mean, if someone can connect to my pc via wireguard i think them getting into my emacs session is the least of my worries
<bqv>
ditto physical access
aaronjanse has joined #nixos-chat
<ashkitten>
"good luck i'm behind seven telnets"
<__monty__>
Are you sure? That's a lot like shell access, no?
<sphalerite>
__monty__: nvidia makes its own arm chips..?
<samueldr>
yes
<samueldr>
tegra
<sphalerite>
yes, that's why I find the question a bit confusing
<bqv>
__monty__: i mean, i don't see how it's any less safe than my weechat server running locally, for example
<bqv>
especially since weechat allows exec
<__monty__>
sphalerite: Well acquiring a company seems to indicate some sort of priority.
<ashkitten>
bqv: theoretically though, can't someone craft ip packets that go from an external interface into your wireguard? net.ipv4.ip_forward is enabled by default on nixos...
<ashkitten>
not sure how everything actually works but it seems like a risk i'd rather avoid
<bqv>
ashkitten: yes, but how would they if that packet has to come from the internet?
<samueldr>
to me nvidia wanting to acquire arm is more about how they can, and to protect their own interests from another equivalent business doing the same
<bqv>
i dunno, i accept that this is risky, i just don't feel the need to fuss over it
<cransom>
woh, where's the source on ipv4 forwarding enabled by default?
<samueldr>
I don't see it negatively or positively, but I do see it can be negative depending on how they turn around the company
<gchristensen>
cransom: d'you have docker?
<bqv>
i've set up port forwarding for ssh now and i've got the metaphorical dawn chorus screaming at me from russia and china by the looks of it, that was fast
<bqv>
i thought i'd have at least an hour
<cransom>
gchristensen: sure, but i know that docker would enable forwarding.
<gchristensen>
sounds worth bisecting...
<ashkitten>
doesn't look like we're setting it explicitly anywhere in nixpkgs, fwiw
<ashkitten>
except in tests
<ashkitten>
wonder if it's some systemd or networkmanager thing
<gchristensen>
I've got forwarding enabled too ...
<ashkitten>
so clearly these things can slip past review. that's why everyone recommends multiple layers of security
<bqv>
i have it enabled explicitly
<ashkitten>
bqv: there are probably other ways for ip packets to end up being routed by the kernel besides ethernet, right?
<bqv>
reasonable point, theoretically i don't see why not
<bqv>
but like i said, i accept the risks of this, and i'm happy to fly by the seat of my pants
<ashkitten>
fair enough i guess
<gchristensen>
fair enough
<ashkitten>
good luck
<ashkitten>
oof new glasses are incredibly disorienting
<ashkitten>
they're making my eyes water?
<gchristensen>
so uncomfortable
endformationage has joined #nixos-chat
<ashkitten>
i wonder if it's significantly worse than the change for my last pair because i have an astigmatism now
__monty__ has quit [Quit: leaving]
drakonis has joined #nixos-chat
<eyJhb>
Okay, I MIGHT be crazy
<eyJhb>
But I am considering just running some basic gradle commands, and then create the deps on that
<ivan>
ashkitten: it can take a week for your visual cortex to get used to the new distortions
<eyJhb>
Which includes me, manually, trying different repos to see if they are the ones that provide this "thing"
<samueldr>
eyJhb: what's the worst that could happen?
<eyJhb>
That I kill myself
<eyJhb>
There must be a better way than this
<eyJhb>
:(
<eyJhb>
Well I guess not
<eyJhb>
But.. Since I need to maybe send several hundred HTTP requests, this would make sense to make in Go
<eyJhb>
Let's do a.. PoC in Python I guess
<eyJhb>
samueldr: seems like that will not work
<eyJhb>
Since I will just be guessing for the deps
<eyJhb>
It will however work in 99% of the cases I guess
<eyJhb>
This is hopeless
parsley936 has quit [Remote host closed the connection]