If on Midsummer night you put seven herbs and flowers under your pillow, Kela will classify you as an agricultural entrepreneur and you will dream of President Väyrynen
@pid_eins I was setting up systemd with UKI manually for the first time and mixed up systemd and arch specific configuration :-) So I’m spreading FUD apparently…
Where this spins off has a legit motivation: I’m trying to get my host desktop and VM guests to be on par with latest systemd with UKI kernel so that I can debug keyring and TPM related issues in a relevant environment [1]. I’m co-maintainer for both keyring and TPM, and if you think those kernel subsystems, today systemd is the substantial user for both, and thus a great user space QA target. It is always using the latest stuff that we are delivering.
In arch specific `mkinitcpio.conf` there’s an array `MODULES=(<list of modules>)`, and all examples I’ve seen put like `MODULES(tpm_tis)` there. A script (unsurprisingly) called `mkinitcpio` then takes that description and includes them to the final initrd. Even being distro specific, that does not calculate tho, I mean any possible use case for TPM requires it to be initramfs (e.g. IMA). It is pretty much a brick unless that is the case :-) So without testing I’d guess that those examples must be wrong and I’ll try first not to add anything to MODULES… Yep, and obviously they are autoloaded, when initramfs has them.
[1] https://codeberg.org/jarkko/archest-linux
EU Commission: “End encryption!”
Internet users: “End-to-end encryption!”
Mozilla is an advertising company now.
This seems completely normal and cool and not troublesome in any way.
Mozilla has acquired Anonym, a [blah blah blah] raise the bar for the advertising industry [blah blah blah] while delivering effective...
https://jwz.org/b/ykVg
There’s a first time for everything and this is my first time with UKI :-)
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux -U /efi/EFI/Linux/arch-linux.efi --splash /usr/share/systemd/bootctl/splash-arch.bmp
==> Starting build: '6.9.5-arch1-1'
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
-> Running build hook: [kms]
-> Running build hook: [keyboard]
==> WARNING: Possibly missing firmware for module: 'xhci_pci'
-> Running build hook: [sd-vconsole]
-> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_420xx'
-> Running build hook: [block]
-> Running build hook: [filesystems]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Creating unified kernel image: '/efi/EFI/Linux/arch-linux.efi'
-> Using cmdline file: '/etc/kernel/cmdline'
==> Unified kernel image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux -U /efi/EFI/Linux/arch-linux-fallback.efi -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: '6.9.5-arch1-1'
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [modconf]
-> Running build hook: [kms]
==> WARNING: Possibly missing firmware for module: 'ast'
Zig’s fluid interaction with C and C++ makes it feel a bit like Objective-C.
I’m experimenting if I could refurnish `irssi-matrix` with the idea of rendering out `matrix-glib` dependency, which makes the barrier to improve actual features of the plugin a real pain.
To make things worse, the plugin is using a fork of `matrix-glib` (for good reasons tho because it is not actively maintained).
I’m using the JSON parser that is part of Zig’s stdlib for the purpose. This could turn out to be something nice…
@vbabka @sl If I created a new systems language from scratch I’m not sure if I included to its stdlib anything else than memory mapping primitives.
I don’t understand why even latest of latest languages still implement POSIX API’s “best of tape drives” parts. Like e.g. Rust has only the tape drive API for files and you need to use external crate called `rust-vmm/virtual-memory` to get mmap 🤷
@vbabka @sl My favorite call is `fallocate()` with `FL_PUNCH_HOLE` flag ;-) With just `fallocate()` and `mmap()` fairly complex memory management can be implemented.
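An added example, not from the post or its author: the fallocate() plus mmap() pattern mentioned above, written as C for Linux. A file-backed arena is mapped once, and a "freed" range is handed back to the filesystem with FALLOC_FL_PUNCH_HOLE (the flag's full name in <linux/falloc.h>) while the mapping stays valid. The function name, the /tmp scratch path and the 64-page size are assumptions chosen for the demo.

```c
#define _GNU_SOURCE          /* exposes fallocate() in <fcntl.h> on glibc */
#include <errno.h>
#include <fcntl.h>
#include <linux/falloc.h>    /* FALLOC_FL_PUNCH_HOLE, FALLOC_FL_KEEP_SIZE */
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
int fallocate(int, int, off_t, off_t); /* glibc's prototype, in case _GNU_SOURCE came too late */

/* Returns 0 on success, 1 if the filesystem cannot punch holes, -1 on error.
 * blocks[0] and blocks[1] receive st_blocks before and after the punch. */
int arena_punch_demo(long blocks[2])
{
    char path[] = "/tmp/arena-XXXXXX";   /* hypothetical scratch file */
    off_t len = (off_t)sysconf(_SC_PAGESIZE) * 64;  /* constructed: 64 pages */
    off_t off = len / 4, hole = len / 2; /* page-aligned middle half */
    unsigned char *a;
    struct stat st;
    int rc = -1, fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                        /* storage lives as long as fd */
    if (ftruncate(fd, len) != 0)
        goto out;
    a = mmap(NULL, (size_t)len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (a == MAP_FAILED)
        goto out;
    memset(a, 0xA5, (size_t)len);        /* "allocate": back every page */
    if (msync(a, (size_t)len, MS_SYNC) != 0 || fstat(fd, &st) != 0)
        goto unmap;
    blocks[0] = (long)st.st_blocks;
    /* "free" the middle half: blocks are released, size and mapping stay */
    if (fallocate(fd, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, off, hole)) {
        rc = (errno == EOPNOTSUPP || errno == ENOSYS) ? 1 : -1;
        goto unmap;
    }
    if (fstat(fd, &st) != 0)
        goto unmap;
    blocks[1] = (long)st.st_blocks;
    /* the hole reads back as zeros; neighbouring pages keep their data */
    rc = (a[off] == 0 && a[off + hole - 1] == 0 && a[off - 1] == 0xA5 &&
          a[off + hole] == 0xA5 && st.st_size == len) ? 0 : -1;
unmap:
    munmap(a, (size_t)len);
out:
    close(fd);
    return rc;
}
```

On filesystems that support hole punching, blocks[1] comes back smaller than blocks[0] although the file size and the mapping are unchanged.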
Everyone’s favorite `gpg-agent` demonstrates pretty well vsz/rss ratio:
main 21s
❯ ps -h -p "`pidof gpg-agent`" -o pid,comm,vsz,rss
PID COMM VSZ RSS
3739 gpg-agent 410782624 2480
For the sake of example this was executed in macOS (and for the record, numbers are KiB).
@ljs @lkundrak @pony i love its flat and ugly config file, much faster to edit than the modern yaml/toml pollution ;-)
$ cat .config/kitty/kitty.conf
include current-theme.conf
font_family MesloLGM Nerd Font Mono
bold_font auto
italic_font auto
bold_italic_font auto
font_size 12.0
tab_bar_style powerline
tab_powerline_style round
I’ll fallback to scripts :-)
Mostly because I want this somewhat rare combination in partitioning where LUKS2 is used together with EXT4 and encryption is done without LVM2 layer and swap space huge to allow testing hibernate (especially encrypted hibernate):
#!/usr/bin/env sh
set -e
# Partition
sgdisk -Z /dev/nvme0n1
sgdisk -n1:0:+5G -t1:ef00 -c1:EFI /dev/nvme0n1
sgdisk -n2:0:+75G -t2:8200 -c2:secswap /dev/nvme0n1
sgdisk -N3 -t3:8304 -c3:secroot /dev/nvme0n1
partprobe -s /dev/nvme0n1
# Encrypt
cryptsetup luksFormat --type luks2 \
--force-password \
/dev/disk/by-partlabel/secroot
cryptsetup open /dev/disk/by-partlabel/secroot root
cryptsetup open --type plain \
--key-file /dev/urandom \
/dev/disk/by-partlabel/secswap swap
# Initialize swap
mkswap -L swap /dev/mapper/swap
swapon -L swap
# Format
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
mkfs.ext4 -L root /dev/mapper/root
# Mount
mount /dev/mapper/root /mnt
mount --mkdir /dev/disk/by-partlabel/EFI /mnt/boot
# Install
pacstrap -K /mnt base base-devel linux linux-firmware amd-ucode intel-ucode lvm2
genfstab -U /mnt >> /mnt/etc/fstab
In the final version TPM2 will unseal the rootfs.
So only intermediate layer in this is `dm-crypt`. I like how raw and transparent it will become :-) Given trivial filesystem layering and simple rootfs type (ext4) to begin with I can finally have single unified configuration for both my hosts and vm guests. And maximum transparency for debugging given tons of tools to debug ext4.