<clever>
simpler to replace the motherboard, if they have time
<clever>
dings and dents + stickers are hard to replicate
<clever>
so anybody can grab the windows bootloader, pop it into a hdd, and run unsigned code, if secureboot is on
<clever>
about the MS certs, there is a debug option in a signed bootloader, that causes it to run unsigned code
<clever>
makefu: and if the maid is able to reset the bios (or replace the entire motherboard), secureboot wont do a thing
<clever>
makefu: the MS certs are now useless
<clever>
makefu: it would need to be secureboot with your own certs
<clever>
so thats more of a recovery thing, then a daily use option
<clever>
just remember, tha an evil maid could replace the hdd, with oen that asks for a passphrase, and phones-home
<clever>
but nothing stops you from also having a normal passphrase on the luks, as a second way in
<clever>
my understanding, is that if configured correctly, the TPM will give access to protected key material, which can be used to unlock the rootfs encryption
<clever>
catern: you can also read the dwm expression to see if something better has been setup
<clever>
catern: by applying .overrideAttrs to the dwm derivation, and adding a postPatch hook
<clever>
sphalerite: and apple claims its not a security problem
<clever>
sphalerite: the bug only lets you send signals to processes en-mass, usually -9'ing everything as root
<clever>
correction, copumpkin
<clever>
joepie91: and last i asked, sphalerite cant find the bug that shal not be named in the XNU source, nor reproduce it in a custom build of it
<clever>
joepie91: so you could allow google-chrome, but not allow everything else
<clever>
joepie91: you can also give nixpkgs a function, that takes a package name and then says yes or no
<clever>
dang, it probably needs some changes to use setuid
<clever>
Unode: did you enable the service in services and set the .package attribute?
<clever>
samueldr: i generally just use cp, i never bothered to learn install, and i think its mostly to manage setting modes (which nix undoes) and auto-creating directories (mkdir -pv)
<clever>
each has a different way of escaping the contents
<clever>
it depends on if its a "string" or ''string''
<clever>
bgamari: which is in the section you linked, down 1 page
<clever>
Since ${ and '' have special meaning in indented strings, you need a way to quote them. ${ can be escaped by prefixing it with '' (that is, two single quotes), i.e., ''${. '' can be escaped by prefixing it with ', i.e., '''. Finally, linefeed, carriage-return and tab characters can be written as ''\n, ''\r, ''\t.
<clever>
nixpkgs or nix manual?
<clever>
bgamari: 2 options, depending on what you need
<clever>
nix-repl> '' $${abc} ''
<clever>
"$${abc} "
<clever>
nix-repl> '' ''${abc} ''
<clever>
"${abc} "
<clever>
using the nix from the first phase (if it passed)
<clever>
then it re-evals the config, with the VM options
<clever>
nixos-rebuild will first eval your config once, without the VM options, to find the nix with your nixos packageOverrides (this is what fails)
<clever>
thats normal, its a bug
<clever>
does it still build a result symlink?
<clever>
where did you try that?
<clever>
which obeys the nixos option i previously linked
<clever>
Guest17: there are mostly 3 parts, nix itself, nixpkgs (a set of packages written in nix), and then nixos (a set of packages that build a linux distro)
<clever>
Myrl-saki: then they will land in /etc/ of the dom0
<clever>
Myrl-saki: use environment.etc to add files to dom0_config
<clever>
which will give you a fully interactive qemu window, so you can manualy do xl create
<clever>
so you want to build qemu-script and then manualy run testit outside of the sandbox
<clever>
yeah, 64 would try to run it within a nix sandbox
<clever>
Myrl-saki: you would want to comment out the shutdown on 31 (already done) and then manually run one of the qemu scripts (either line 46 or 64)
<clever>
Myrl-saki: the gist just prooves xen is working, and doesnt spawn a domU
<clever>
Myrl-saki: ah, thats missing from the gist, line 29-ish
<clever>
Myrl-saki: `xl create` is ran inside the dom0, pointed to a config file that refers to the halvm unikernel
<clever>
Myrl-saki: and that spawns a domU
<clever>
tilpner: ah, thats a nice idea, provide overlays that can fix security holes, to quickly fix things
<clever>
Myrl-saki: the xen hypervisor is fairly dumb, and it needs a lot of help from userland tools in dom0
<clever>
xen requires an OS in dom0, and option 1 uses nixos for that
<clever>
Myrl-saki: yeah, option 1 runs full nixos under the qemu
<clever>
amunier: line 4 fetches from github (you can also use fetchurl), and then 24 copies it over
<clever>
amunier: in this case, it was a git sub-module, but the same basics apply
<clever>
havent actually done anything with halvm myself, was mostly helping a friend with automated testing of their code
<clever>
Myrl-saki: but it could be modified to just open a qemu window and leave it interactive
<clever>
Myrl-saki: option 1 is currently setup to do everything under nix-build, including booting the halvm and running a test script against it
<clever>
amunier: to ensure things remain pure
<clever>
amunier: nix disables all network during the build
<clever>
amunier: pkgs.fetchurl and then cp it in the preConfigure phase
<clever>
amunier: you will need to pre-download those files to the right spot, and potentially disable the download operation if it doesnt auto-detect the file
<clever>
cant find the gist for option 3, but i was patching qemu to directly support the xen hypercalls
<clever>
2 just runs the halvm unikernel under linux userland, but it fails to setup the halvm heap
<clever>
either the whole chain, or run a crosscert daemon that can provide certs at runtime
<clever>
The full root certificates are generally too large to be embedded into the iPXE binary, and so only the SHA-256 fingerprints will be included by default.
<clever>
make bin/ipxe.iso TRUST=/path/to/ca1.crt,/path/to/ca2.crt
<clever>
sphalerite: ipxe does support https, but you have to embed the trusted ca's and the cert chain into the binary
<clever>
i have used a different form before, to setup servers remotely, without network control
<clever>
yeah
<clever>
and boom, nixos is on the 2nd machine
<clever>
then i just plug a second laptop into it over ethernet, f12 and network boot
<clever>
ixxie: i add this to the imports list of the configuration.nix on one laptop
<clever>
ixxie: the nixos module i just wrote, will setup the dhcpd, tftpd, ipxe, and nginx, to do everything at once
<clever>
ixxie: if you take this derivation, and throw the 3 key files up onto any http server, you can then write an ipxe script with just "chain http://example.com/netboot.ipxe" and it will boot the installer
<clever>
oh, and there is no gateway in the dhcp config
<clever>
ixxie: only config i was missing, was a line in the ipxe script, and you have to staticly configure the lan interface before dhcpd can run
<clever>
ixxie: it boots!
<clever>
causing adb to just give root
<clever>
for the kindle, there was an exploit in the backup restore process, that allows writing to root-only files, which tricks the OS into thinking its inside an emulator
<clever>
and that was able to then root and backup
<clever>
for the S3, i was able to install a new recovery without a wipe
<clever>
Mic92: the S3 and the kindle both allowed rooting without formatting
<clever>
Mic92: i have been able to root some devices without data loss
<clever>
i just never got around to it
<clever>
i can probably root this one, its just a samsung
<clever>
Mic92: and mass-storage emulation needs root
<clever>
Mic92: dang!, i havent rooted my phone yet
<clever>
ixxie: yeah, i think its about keeping the total number of commits low, when possible
<clever>
ixxie: i think that most PR's should be squashed down to one commit if its something simply in the end
<clever>
ixxie: and release.nix is hard-coded to only make 64bit images
<clever>
ixxie: ok, now the fun part, i only have a spare 32bit machine for testing the netboot
<clever>
Mic92: ah
<clever>
Mic92: what about the IP changing due to moving to a different network?
<clever>
once it does sucessfully start, systemd cant restart it upon disconnection
<clever>
but one issue that remains, is suspend/hibernation
<clever>
LnL: ive even seen somebody try to do network there, and it entirely broke the ability to boot
<clever>
aminechikhaoui: that implies that something corrupted your GPT tables
<clever>
LnL: i dont think GPT has a boot flag
<clever>
sounds completely normal
<clever>
aminechikhaoui: what partition type did you set in gparted?
<clever>
aminechikhaoui: can you gist the entire output of nixos-install?
<clever>
Unode: that would have to be patched to restore the library path
<clever>
aminechikhaoui: and what if you umount and run fsck.fat over it?
<clever>
Unode: the issue, is that every single gui app in nix would have to be re-compiled, either with a thin patchelf wrapper, or fully rebuilt, to point to the right GPU drivers
<clever>
aminechikhaoui: what if you umount and then re-mount the boot partition?
<clever>
aminechikhaoui: what does blkid say about sda?
<clever>
Unode: such changes have to occur when the package is being built
<clever>
Unode: and also the secondary issue, that hydra would have to build 3 copies of everything
<clever>
Unode: the main use of that variable, is to avoid re-compiling 90% of gui apps when you switch from nvidia to ati
<clever>
aminechikhaoui: what does "blkid /dev/sda1" say?
<clever>
aminechikhaoui: what partition number is /boot on?
<clever>
aminechikhaoui: what did you set the grub device to in the configuration.nix?
<clever>
aminechikhaoui: does dmesg say anything interesting?
<clever>
rosa_: all of them
<clever>
it needs to be changed to #!/usr/bin/env bash
<clever>
Mic92: the problem is more about generating the initrd content in a secure manner, because the pure nix side of things leaks secrets in the store
<clever>
Mic92: i think thats something to do with the bootloader, when generating the /boot files, it will read that path
<clever>
Mic92: nope
<clever>
Mic92: bootloader?
<clever>
Mic92: which bootloader are you using, and what is the sandbox set to?