ChanServ changed the topic of #aarch64-laptops to: Linux support for AArch64 Laptops (Asus NovaGo TP370QL - HP Envy x2 - Lenovo Mixx 630 - Lenovo Yoga C630)
falk689_ has quit [Remote host closed the connection]
falk689 has joined #aarch64-laptops
amstan has quit [Server closed connection]
amstan has joined #aarch64-laptops
jonasbits has quit [Ping timeout: 480 seconds]
hexdump01 has joined #aarch64-laptops
hexdump0815 has quit [Ping timeout: 480 seconds]
hexdump0815 has joined #aarch64-laptops
hexdump01 has quit [Ping timeout: 480 seconds]
davidebeatrici[m] has quit [Server closed connection]
davidebeatrici[m] has joined #aarch64-laptops
shoragan has quit [Server closed connection]
shoragan has joined #aarch64-laptops
falk689 has quit [Remote host closed the connection]
falk689 has joined #aarch64-laptops
pierro78 has joined #aarch64-laptops
leezu has joined #aarch64-laptops
<leezu> Is it possible to sign custom kernels and enforce signed only boot / disable dev boot? Is it possible to disable the developer mode screen and directly boot the kernel?
<amstan> leezu: before i get into the longer spiel, you do know about the short delay gbb flag, right?
<leezu> amstan: Yes, I'm using the 0x19 flag
<leezu> I guess the first question is if there's an established procedure to add a custom signing key
<leezu> But before getting to that: I was just flashing the 0x19 flag on the DE version of lazor but it failed and "Your flash chip is in an unknown state." https://pastebin.com/MmkVDBGy
<leezu> Have you seen that before?
<amstan> did you remove write protect?
<leezu> I thought I did, but apparently not. Now it works
<amstan> ok, so once you have that going.... signing
<amstan> there's this tool called futility that can help you sign things
<amstan> so you could resign your firmware with your own keys
<amstan> then you have to do the same with your kernel around this step: https://github.com/archlinuxarm/PKGBUILDs/blob/master/core/linux-aarch64/PKGBUILD#L219
<amstan> at that point switching to normal mode should work
<amstan> then you need some kind of extra code, idk really where, to handle the normal to dev transition, otherwise all of this is kind of pointless if you can just switch to dev mode whenever you want with your data right there is still kind of insecure
<leezu> In this setup, there would be no signature validation besides checking that there is a signature?
<amstan> in dev mode there is no signature validation (this is why that link has a blank one), in normal mode there is
<leezu> My confusion is how do I register my public signing key so that the signed blob would be accepted by normal mode
<amstan> "futility"
<amstan> leezu: https://bpa.st/GQ3A
<amstan> i was going to send you to https://source.chromium.org/search?q=vbutil&ss=chromium for inspiration
<leezu> Thank you, so futility enables users to rebuild the firmware including their own key. Once flashed, enabling dev_boot_signed_only (Enable developer mode boot only from official kernels) for example would keep dev mode on but only allow booting with kernels signed by my key
<amstan> why do you want to keep dev mode on?
<amstan> i'm pretty sure dev_boot_signed_only is for testing, not for what you want it to use
<amstan> you can just use normal mode at that point
<leezu> Wouldn't it address the "otherwise all of this is kind of pointless if you can just switch to dev mode whenever you want with your data right there is still kind of insecure"?
<leezu> The emmc is fully encrypted besides the kernel partition. So as long as that one is signed and can't be modified without my key, what threat do you see from switching between normal and dev mode?
<amstan> well, for one your dev mode would look identical to normal dev mode while it boots, so how will you know nobody hacked you?
<leezu> I'm unclear about the type of hack feasible without having my private signing key?
<amstan> i guess maybe
<amstan> but i still don't think dev_boot_signed_only is meant for normal usage, so it's not necessarly secure
<amstan> i think it's more for quick testing of keys in dev mode
steevdave[m] has quit [Server closed connection]
steevdave[m] has joined #aarch64-laptops
<leezu> Do you have any suggestion how we can gain clarity on the security of dev_boot_signed_only?
<amstan> https://code.google.com/archive/p/chromium-os/issues/36011 mentions that "doesn't enforce the entire chain of trust"
<amstan> why don't you just use normal mode?
<leezu> I think the threat model here is that even if I use the normal mode, anyone can switch to dev mode by simply pressing "esc + refresh" and pressing the power button?
go4godvin has quit [Server closed connection]
Guest565 has joined #aarch64-laptops
luxio_39[m] has quit [Server closed connection]
luxio_39[m] has joined #aarch64-laptops
jonasbits has joined #aarch64-laptops
jonasbits_ has joined #aarch64-laptops
jonasbits has quit [Ping timeout: 480 seconds]
pierro78 has quit [Remote host closed the connection]
Votes78 has joined #aarch64-laptops