<
arianvp>
Mic92: systemd-boot will measure the efistub that is booted into PCR 8
<
arianvp>
the efistub contains what roothash to boot; which systemd uses to figure out what partition to startup automatically
<
arianvp>
and then verify integrity
<
arianvp>
TPM can then attest cryptographically the measurement it took; and report it back
<
arianvp>
you can use this to decide whether a node is tainted or not; and e.g. use that whether it will have access to credentials in your cloud
<
arianvp>
You could even use it in deciding whether it can decrypt a LUKS volume etc
<
arianvp>
as you can connect credentials to PCR measurements; and seal them with them inside the TPM
<
arianvp>
it's all really cool.
<
arianvp>
And Google exposes this in their cloud really well (All machines have a vTPM; and you can retrieve attestations through a rest API iirc)
<
arianvp>
I think also all Packet.com boards have TPMs
<
arianvp>
SecureBoot is a next step; but honestly it's too complicated for its own good
<
arianvp>
measured boot is already a good first step :)
<
arianvp>
I'll try to upstream this to NixOS; it's now just on my own nix-based OS
<
arianvp>
we'll need cryptsetup support in systemd; so we need to merge flokli 's patches :)
<
arianvp>
... I should also upstream my systemd derivation. I'm running systemd with just one patch at the moment
<
{^_^}>
#80038 (by flokli, 24 weeks ago, open): systemd: improve our downstream patch situation
<
Mic92>
arianvp: do you build something like a hypervisor?
<
arianvp>
no; i'm piggybacking on google cloud here
<
arianvp>
they virtualise the TPM
<
{^_^}>
#31258 (by jamagin, 2 years ago, open): zfs-import services do not wait for LUKS devices to be opened (need a cryptsetup.target)
<
andi->
That hasn't been an issue for me for ~2 years
<
andi->
All my ZFS' are within luks containers
<
qyliss>
I think spacekookie had this issue yesterday possibly
<
qyliss>
Or a very similar one
<
qyliss>
Oh, no, that says it's about non-root zpools, so never mind
tsruser has joined #nixos-systemd
tsruser has quit [Client Quit]
tsruser has joined #nixos-systemd
tsruser has quit []
tsruser has joined #nixos-systemd
tsruser has quit []
tsruser has joined #nixos-systemd
<
flokli>
yeah, so all the crypto volumes we unlock in initrd are already unlocked by the time systemd wakes up
<
flokli>
this is about /etc/crypttab, and using systemd with crypttab support
<
flokli>
which hasn't been possible before the merge of #66856
<
flokli>
in the longer run, we should also see to improve the zfs story with systemd
<
flokli>
(looking towards systemd-in-initrd, and unlocking luks and zfs volumes via systemd-ask-password
<
Mic92>
flokli dracut has some code for zfs unlocking. upstream also provides a zfs generators these ays
<
Mic92>
I don't see that much value in the zfs generators over our legacy mountpoints though. It's a bit more to type but more predictable.
<
Mic92>
openzfs's dracut module
tsruser has quit [Ping timeout: 264 seconds]
<
Mic92>
I might just steel this and maybe increase the re-try count for / further than 5
<
Mic92>
without / it panics anyway
<
Mic92>
we are currently doing zfs load-key -a
<
Mic92>
This decrypts all datasets, so its not quite compatible with this code
<
flokli>
yeah, it's probably all a bit more work to make it work nicely
<
flokli>
but the luks code also tries to reuse the entered password to decrypt other volumes
<
Mic92>
The luks code knows upfront what devices to decrypt so
tsruser has joined #nixos-systemd
tsruser has quit [Ping timeout: 240 seconds]
tsruser2 has joined #nixos-systemd
tsruser2 has quit [Ping timeout: 256 seconds]
tsruser has joined #nixos-systemd
tsruser has quit [Ping timeout: 260 seconds]
tsruser has joined #nixos-systemd
tsruser2 has joined #nixos-systemd
tsruser has quit [Ping timeout: 265 seconds]
tsruser2 has quit []