marcan changed the topic of #asahi to: Asahi Linux: porting Linux to Apple Silicon macs | "Does XXX work yet?": https://alx.sh/fs | GitHub: https://alx.sh/g | Wiki: https://alx.sh/w | Topics: #asahi-dev #asahi-re #asahi-gpu #asahi-alt #asahi-stream #asahi-offtopic | Keep things on topic | Logs: https://alx.sh/l/asahi
whyirc has joined #asahi
<whyirc> Hello everyone
<whyirc> I have to buy a new laptop today/tomorrow, but it will be delivered in a month or even two
<whyirc> And the final question is - m1 pro or m2 pro
<whyirc> I'm more interested in the long term benefits of my choice, not the fact that i'll need to wait for some time that is <2-3 months for asahi support
<whyirc> So the question is - can i expect m2 pro machines to be at least as supported as m1 pro in near future?
<whyirc> I understand that there's no simple answer, it would be really helpful to me if you share your best guess about this
<whyirc> I'll be using it as a machine for heavy rust development and i'm not really interested in GPU stuff
<ChaosPrincess> i dont see why not
<whyirc> Well, it seems to me that this is quite possible because more users and developers have laptops on m1p than on m2p
<whyirc> And that's why i'm asking about it
<j`ey> m2p is being worked on by some of the devs currently, so yes, it will be supported
<whyirc> Big thanks
<whyirc> And i almost forgot about my final question
<whyirc> As far as i understand for now any asahi-running macbook can be easily evil-maided by booting from usb via u-boot's interface
<ChaosPrincess> that is correct
<whyirc> Is it possible to disable (or even better - password-lock) usb-boot functionality?
<ChaosPrincess> you can disable u-boot shell and force it to always follow the boot script
<whyirc> Thanks
<ChaosPrincess> at which point, it becomes evil-maidable via grub :P
<whyirc> I plan to use systemd-boot anyway
<whyirc> And i know how to lock it
<whyirc> So yeah
<pipppero> i'd be interested in docs to achieve trusted boot with sysd-boot
<whyirc> Are there some other known easy ways of achieving a successful evil maid on an asahi macbook (before grub/systemd-boot stage, at this point i have a pretty clear idea of what's going on and i don't think that it will be much different on apple silicon) if there's only filevault-enabled macos and uboot-locked asahi?
abd has joined #asahi
<whyirc> Maybe some tricks with recovery
<ChaosPrincess> if macos is filevault-enabled, recovery asks for a user password before allowing you to do anything
<whyirc> @pipppero I think that if I have free time and it will not be much more difficult than I expect, I will be able to make a secure boot at least in stage 1 m1n1
<whyirc> ChaosPrincess, AFAIK in a dualboot asahi-macos setup there are 3 recoveries - 1TR, macos recoveryOS, asahi stub recoveryOS, am i correct?
<whyirc> Will 1TR and recoveryOS from asahi stub prompt me for a filevault password?
<ChaosPrincess> you arent quite correct as to the roles of the recoveries, but yes, there are 3 and they all prompt for filevault password
<whyirc> I have near-zero knowledge about macos internals apart from what i got by casually reading asahi wiki a week ago)
<whyirc> Big thanks for your explanation
<ChaosPrincess> also, maybe enable find my mac in macos
<ChaosPrincess> its more theft-deterrence than anti-evil-maid, but that also increases security a bit
<whyirc> Does it have any disadvantages in terms of privacy?
<whyirc> And is it possible to turn it on without apple id? I really don't want to use apple id if it's not necessary
<ChaosPrincess> i _think_ no
<pipppero> i don't think you can
<pipppero> it's tied to the findmy network
<pipppero> i don't believe apple does wacky stuff with findmy data honestly
<ChaosPrincess> from what i remember, if fmm is enabled, the device broadcasts its id encrypted with rotating keys that can only be decrypted with your apple id keys
<ChaosPrincess> and just get an apple id, burner email, John Doe as the name, and you are all set :P
<whyirc> > that can only be decrypted with your apple id keys
<whyirc> How much do i "own" these keys?
<ChaosPrincess> if you enable "advanced data protection", those are stored inside hsms on apple servers and are encrypted by your apple id password
<pipppero> you get a recovery key as well
<whyirc> Lol, my private keys that are stored on apple's server with a password that they can easily capture when i log in
<whyirc> Sounds funny
<ChaosPrincess> well, yes
<ChaosPrincess> but they also can just sign an evil firmware with their keys and there is nothing you can do about it :P
<pipppero> as usual, this kind of stuff depends on your threat model
<whyirc> I want to protect myself from passive data collection first
<pipppero> i wouldn't use a mac then, considering you don't 100% own the hardware
<pipppero> but nowadays, who does?
<whyirc> And only second from malicious firmware updates
<ChaosPrincess> then enable fmm, and dont boot macos ever
<whyirc> @pipppero everything else is worse by an order of magnitude(
<ChaosPrincess> pipppero: talos :P
<pipppero> i never followed the modern powerpc saga, you really own it?
<whyirc> Laptop > pc
<ChaosPrincess> iirc yes
<pipppero> unless you own the fab that fabbed the chip, you never own anything! :^)
<waldi> and modern nics got low bandwidth side band access for secondary processors. so you are not even safe from the flash chip
<pipppero> computers were a mistake
bps has joined #asahi
giskard has joined #asahi
<ChaosPrincess> "i own a printer and a gun in case it makes a noise i dont recognize"?
<whyirc> We can't know for sure, so it's bett to use probabilities. I think that even with the fact that apple is obviously evil, for me a macbook with asahi will be a far better choice than x86 laptops. Linux laptops with coreboot (system76, starlabs, etc) just don't have basic firmware security features such as boot guard, so it's just trash.
<whyirc> best*
<whyirc> I'm missing the edit button...
<whyirc> Corporate dell and lenovo cost about the same (and sometimes more!) than a macbook, while having much worse performance, energy efficiency and everything in general, they are not much more trustworthy than apple, and given that this is a typical x86 with just fucking large attack surface, why when there is macbook + asahi?
<pipppero> if your threat model is fine with the amount of trust that you have to give to apple, then everything is fine
whyirc has quit [Quit: Page closed]
whyirc has joined #asahi
<zocker> i would rather trust apple and macos than f** lenovo
<whyirc> The problem is that you need to trust the manufacturer anyway, and in case of a macbook i trust only apple, in case of, for example, some thinkpad/dell xps i need to trust intel, ami/insyde/etc, lenovo and probably even more
<whyirc> And apart from trust, there's much more attack surface on a typical x86 laptop than there is on an apple silicon platform, at least to my knowledge
<zocker> as soon as asahi linux gets ready for mainstream use it will be a major security upgrade compared to all the x86 platforms
<pipppero> apple *does* license IP blocks from other companies
<pipppero> so you're trusting apple and whoever they trust
<whyirc> Other companies have a supply chain too
<whyirc> And my best guess will be that apple's supply chain is much shorter
<whyirc> But i don't know
<zocker> i know someone who went down this firmware rabbithole too deeply. he's still stuck on a thinkpad x230 because of that. :D
<whyirc> So i think that in a lot of use cases macbooks are just better for linux
<pipppero> i think macbooks are better for linux because the hardware makes for a better experience overall
<pipppero> i've been preaching this since i got a retina 13" in 2013
whyirc has quit [Quit: Page closed]
<marcan> ChaosPrincess: Find My isn't going to work properly with asahi
<marcan> I mean the theft lock will, but not the actual location tracking
<ChaosPrincess> this is for theft lock
<ChaosPrincess> so you can remotely disable dfu
<marcan> yeah
<marcan> that's fine
<marcan> just don't expect any location tracking stuff to work :p
<marcan> that relies on the OS pushing that data to the bluetooth controller, which we obviously don't do
<marcan> pipppero, whyirc: there is no room for passive data collection if you run asahi
<marcan> iBoot doesn't have any network features and all the coprocessors are behind IOMMUs
<marcan> there is no all-powerful backdoor CPU like on x86 (ME, PSP)
<j`ey> not even an all powerful exception level!
<marcan> you can also technically install asahi without ever putting the device online iff it comes with a firmware new enough already, and if it doesn't just DFU it (that tells apple someone did so but it's not like they can do anything about it after)
<marcan> however, we don't really have a flow for 100% online in the installer
<marcan> *offline
bps has quit [Ping timeout: 480 seconds]
<marcan> but if you install from recovery mode (after going through macos initial setup, which you can do fully offline) it won't phone home to apple during install, it'll only grab stuff from their CDN.
<marcan> (can't promise recovery mode itself won't phone home but it's certainly lower risk than full macos)
<marcan> it's pretty easy to manually run the installer to pull the IPSW from a local HTTP server/copy (and the asahi stuff too if you're so inclined) and then it would truly be 100% offline, we just don't have a user friendly flow for it
brolin has quit [Ping timeout: 480 seconds]
brolin has joined #asahi
Guest1144 has quit [Quit: Bridge terminating on SIGTERM]
rhysmdnz has quit [Quit: Bridge terminating on SIGTERM]
<Puto> sounds like a lot of effort to install asahi on a stolen mac lol
ellyq has joined #asahi
<ellyq> hi folks, hope you don't mind me popping in :)
<derzahl> marcan: u around? sorry for offtopic, but i saw your name attached to some other code:) for lsirec, if my m1015 card is not seen at all (or by lspci or lsiutil) does that mean my card is unrecoverable? Card had RAID firmware and was visible on the pci bus, but disappeared after using megarec.exe to flash the sbrempty.bin and -cleanflash
<derzahl> any commands with lsirec like "./lsirec 0000:01:00.0 writesbr sbr_new.bin" returns "open bar1: No such file or directory". btw, 000:01:00.0 shows up in lspci as a "PCIe Dummy Host Bridge" but i tried anyway
bgb has quit [Ping timeout: 480 seconds]
<ellyq> it should be fine as long as PCIPID matches, lemme try that (hope that's fine, since i'm not the one you asked for help)
<ellyq> just checked on my box, try changing 'resource1' to 'resource' on line 205 :)
<ellyq> that being said, you should have resource[0-3] exposed, check that's the case in /sys/bus/pci/devices/0000:01:00.0/
<derzahl> ellyq: oh you talking about lsirec.c? didnt realize at first:) let me try
<ellyq> just so happens that I have Perc H310 (SAS2008), so it should be the same for you: https://paste.centos.org/view/976384e7
<derzahl> yes /sys/bus/pci/devices/0000\:01\:00.0/resource is there, no resource1
<ellyq> i'm not familiar with firmware on these cards, but i'm positive it can be recovered in this case
<derzahl> like i said, it shows up as a "PCIe dummy host bridge" so maybe thats not my HBA card? but i only have one pci slot
<ellyq> i see, mind showing lspci -vvvnn?
<ellyq> nope, it's not detected
<dottedmag> marcan: Nothing technically prevents "Find My" from working given right userspace, right? Something like https://github.com/seemoo-lab/openhaystack/tree/main/Firmware/Linux_HCI should work, there is no need to change firmware in Bluetooth module?
<derzahl> ellyq: so how to recover?
<derzahl> or not possible?
<ellyq> one moment, i'm reading about it
brolin has quit [Ping timeout: 480 seconds]
<derzahl> ahhh hopium
<derzahl> i can still try recompiling lsirec with the change and running if you think its got a chance
<derzahl> re: asahi installer: does that mean i can buy a cheap locked macbook on ebay and still put asahi on it??
Armlin has quit [Remote host closed the connection]
<opticron> I don't think asahi can magically unlock a locked macbook
<ellyq> read this section derzahl, IOMMU has to be disabled (and of course specify correct device, don't assume it'll be the same on your system): https://github.com/marcan/lsirec#untested-procedure-to-convert-from-megaraid-to-itir-firmware-or-recover-a-bricked-card
<derzahl> ellyq: yes that is what I have followed. im using a ubuntu 18.04 live cd and have disabled IOMMU and vt extensions in the bios
<derzahl> but i have no idea what the pci address is since its not detected
<derzahl> my best guess was that maybe it was showing up as PCIe dummy device now
<ellyq> dmesg might tell you more about it
<derzahl> went through it line by line
<derzahl> i do see that the mpt2sas modules loads
<derzahl> or MPT driver.
<derzahl> this is the only line that stands out: [ 4202.604349] mptctl: /dev/mptctl @ (major,minor=10,220)
<derzahl> i was gonna try rebooting in legacy bios mode, even though i think i tried that before
<ellyq> i'd try booting something with more up-to-date kernel, 18.04 is ancient
<derzahl> yeh, but thats what marcan's github page says worked the best
nicolas17 has joined #asahi
<derzahl> with lsirec. plus the card is ancient. But I have also tried freebsd 13, ubuntu 20 and 22 as far as just trying to see if the card is detected
<derzahl> and debian 10 since that was also recommended
<derzahl> ive read people saying that these cards can pretty much always be recovered, even if not showing in lspci... but I have not found any procedure for identifying the ghost card
hightower2 has quit [Ping timeout: 480 seconds]
<jannau> this is very much off-topic here. please move the discussion to a different place
<ellyq> agreed, some offtopic is fine, but that's too much
<delsol> Are you talking about old LSI SAS HBA?
<delsol> You might try #hardware on libera. :)
<derzahl> no problem
guillaume_g has quit []
<derzahl> was just hoping marcan could tell me if my card is boned or not
<ellyq> i tend to get too carried away trying to help others, sorry about that
<derzahl> im in #hardware if you have any more ideas ellyq, thanks for taking a look
<derzahl> (on libera)