ChanServ changed the topic of #aarch64-laptops to: Linux support for AArch64 Laptops (Asus NovaGo TP370QL - HP Envy x2 - Lenovo Mixx 630 - Lenovo Yoga C630)
<Dylanger>
<robclark> "fwiw, this is the config (v5.18)..." <- Are you working on Fedora for Strongbad?! 💦
<robclark>
not really.. I'm running fedora (semi hacked up) on one of my lazors because I like fedora and my muscle memory is to type "dnf install ...".. it isn't too hard to get working if you are comfortable screwing around with partitions and kernel config, but maybe not something I'd encourage someone who wasn't to try
<Dylanger>
Mine is too
<Dylanger>
I'd like to give it a go, do you have SELinux enabled and working?
<Dylanger>
Fedora Silverblue would be my ultimate
<Dylanger>
Yeah fair, I'm using my Duet 5 (Debian Sid/Cadmium) for meetings now so it's sorta important that it works
<Dylanger>
> but maybe not something I'd encourage someone who wasn't to try
<robclark>
I haven't tried silverblue (although one of these days if I do a from-scratch install, I'd like to try it).. didn't have any particular problems w/ selinux. Had to enable a few things in kernel config, but otherwise things seemed to work. I'm using upstream kernel (rather than fedora kernel) and no initrd
<Dylanger>
I think we've discussed this before, a major problem would be Depthcharge
<Dylanger>
Silverblue really needs a flexible bootloader
<robclark>
root partition was just dd games to extract the partition from a pre-install image and dd to rootfs partition.. I deleted everything but the two boot/kernel partitions and created one large partition for the rest
<robclark>
hmm, ok, that might be more of a challenge then
<robclark>
(I'd still like to try it on *some* device, if not a chromebook)
<Dylanger>
The second the Acer Chromebook Spin 513 drops (Kompanio 1380) I'll use my Duet 5 as a test device
<Dylanger>
robclark: It's fantastic for development, I use it to compile AOSP, absolutely love it
<robclark>
the fedora lazor is my upstream dev device, fwiw.. for work stuff, my daily driver is a corp enrolled CrOS lazor (since I kinda need to be corp enrolled to access anything)
<Dylanger>
Get some attestation on your attestation 🤣
<robclark>
more or less ;-)
<Dylanger>
From what I hear Google's Attestation stuff is really good, I assume all Chromebooks use the H1 to do attestation
<Dylanger>
So far I haven't been able to get the H1 to present in vanilla Linux yet
<Dylanger>
I'd really, really like if I could use Keymaster/Keymint APIs
<robclark>
yup, afaiu.. but the network setup is fairly different from anywhere I've worked before.. there isn't really an "intranet" as such
<Dylanger>
Ahhh yeah I remember reading about this
<robclark>
down side, I suppose, is you can't really use $preferred_distro to get work done.. but otherwise it is a kinda neat setup, and for most folks makes it pretty easy to work anywhere (ie. obviously doesn't solve the needing to have physical access to hw issue)
<Dylanger>
I love just grabbing the Duet 5 and going, ARM being amazing with battery I charge it like, once a month
<Dylanger>
I managed to get initramfs working thanks to help from people in here
<Dylanger>
So LUKS etc is all working, it's fantastic
<robclark>
main reason I skip initrd is just to reduce cycle time when doing upstream kernel work.. also the reason I keep both boot partitions
<Dylanger>
Yeah that's fair enough
<robclark>
(and luks doesn't matter for this device, it has no private keys.. I only push *to* it and never *from* it)
<Dylanger>
Hmm I don't think the H1 runs a Keymaster/Keymint TA, only Weaver
<robclark>
(which is a setup I'd recommend for dev device.. keep things you can push to anything that flows into kernel or any other big open src project something that has secure boot enabled)
<Dylanger>
You're right, currently I don't have any sort of verification going on, something could totally rewrite my kernel and I wouldn't know it
<Dylanger>
I don't have SELinux enforcing either
<Dylanger>
So that
<Dylanger>
* So that'd be ezpz
<Dylanger>
Dylanger: I guess unless you used Weaver to seal a key to PCRs, I have no idea how Weaver relates to TPM functions tho
<robclark>
I just kinda assume that latest -rc (or linux-next) kernel has some cve that hasn't been discovered yet.. do develop code on trusted device, and git push to untrusted device to test
<robclark>
s/do/so/
<Dylanger>
That's where Silverblue shines, I just wish I could use the TPM's EK to sign git commits or something (anything to attest the key was generated on secure hardware), TCG over-complicated the spec so much imo
<robclark>
yeah, tbf there is room for improvement over just relying on ssh keys on trusted machine to push anywhere that gets pulled/merged into upstream project
<robclark>
but at least it is better than nothing ;-)
<Dylanger>
The reason I haven't bothered with signing kernels yet is because the kernel itself doesn't do any verification (verity?), if Silverblue worked, whambam, you'd sign the kernel (replace keys in depthcharge) and you'd have a really good level of verification all the way to fs/bins because of ostree
<robclark>
well, signing aside, you should probably not trust a dev kernel until there has been some time to discover and fix bugs