<arianvp> Mic92: systemd-boot will measure the efistub that is booted into PCR 8
<arianvp> the efistub contains what roothash to boot; which systemd uses to figure out what partition to startup automatically
<arianvp> and then verify integrity
<arianvp> TPM can then attest cryptographically the measurement it took; and report it back
<arianvp> you can use this to decide whether a node is tainted or not; and e.g. use that whether it will have access to credentials in your cloud
<arianvp> You could even use it in deciding whether it can decrypt a LUKS volume etc
<arianvp> as you can connect credentials to PCR measurements; and seal them with them inside the TPM
<arianvp> it's all really cool.
<arianvp> And Google exposes this in their cloud really well (All machines have a vTPM; and you can retrieve attestations through a rest API iirc)
<arianvp> I think also all Packet.com boards have TPMs
<arianvp> SecureBoot is a next step; but honestly it's too complicated for its own good
<arianvp> measured boot is already a good first step :)
<arianvp> I'll try to upstream this to NixOS; it's now just on my own nix-based OS
<arianvp> we'll need cryptsetup support in systemd; so we need to merge flokli 's patches :)
<arianvp> ... I should also upstream my systemd derivation. I'm running systemd with just one patch at the moment
<flokli> arianvp: you might want to comment on https://github.com/NixOS/nixpkgs/issues/80038
<{^_^}> #80038 (by flokli, 24 weeks ago, open): systemd: improve our downstream patch situation
<Mic92> arianvp: do you build something like a hypervisor?
<arianvp> no; i'm piggybacking on google cloud here
<arianvp> they virtualise the TPM
<flokli> zfs people: with cryptsetup.target there, want to see if https://github.com/NixOS/nixpkgs/issues/31258 can now be solved?
<{^_^}> #31258 (by jamagin, 2 years ago, open): zfs-import services do not wait for LUKS devices to be opened (need a cryptsetup.target)
<andi-> That hasn't been an issue for me for ~2 years
<andi-> All my ZFS' are within luks containers
<qyliss> I think spacekookie had this issue yesterday possibly
<qyliss> Or a very similar one
<qyliss> Oh, no, that says it's about non-root zpools, so never mind
tsruser has joined #nixos-systemd
tsruser has quit [Client Quit]
tsruser has joined #nixos-systemd
tsruser has quit []
tsruser has joined #nixos-systemd
tsruser has quit []
tsruser has joined #nixos-systemd
<flokli> yeah, so all the crypto volumes we unlock in initrd are already unlocked by the time systemd wakes up
<flokli> this is about /etc/crypttab, and using systemd with crypttab support
<flokli> which hasn't been possible before the merge of #66856
<{^_^}> https://github.com/NixOS/nixpkgs/pull/66856 (by flokli, 50 weeks ago, merged): systemd: build with cryptsetup support, add cryptsetup generators
<flokli> in the longer run, we should also see to improve the zfs story with systemd
<flokli> (looking towards systemd-in-initrd, and unlocking luks and zfs volumes via systemd-ask-password
<Mic92> flokli dracut has some code for zfs unlocking. upstream also provides a zfs generators these ays
<Mic92> I don't see that much value in the zfs generators over our legacy mountpoints though. It's a bit more to type but more predictable.
<Mic92> openzfs's dracut module
tsruser has quit [Ping timeout: 264 seconds]
<Mic92> I might just steel this and maybe increase the re-try count for / further than 5
<Mic92> without / it panics anyway
<flokli> mhhm
<Mic92> we are currently doing zfs load-key -a
<Mic92> This decrypts all datasets, so its not quite compatible with this code
<flokli> yeah, it's probably all a bit more work to make it work nicely
<flokli> but the luks code also tries to reuse the entered password to decrypt other volumes
<Mic92> The luks code knows upfront what devices to decrypt so
tsruser has joined #nixos-systemd
tsruser has quit [Ping timeout: 240 seconds]
tsruser2 has joined #nixos-systemd
tsruser2 has quit [Ping timeout: 256 seconds]
tsruser has joined #nixos-systemd
tsruser has quit [Ping timeout: 260 seconds]
tsruser has joined #nixos-systemd
tsruser2 has joined #nixos-systemd
tsruser has quit [Ping timeout: 265 seconds]
tsruser2 has quit []