ChanServ changed the topic of #asahi to: Asahi Linux: porting Linux to Apple Silicon macs | "Does XXX work yet?": https://alx.sh/fs | GitHub: https://alx.sh/g | Wiki: https://alx.sh/w | Topics: #asahi-dev #asahi-re #asahi-gpu #asahi-alt #asahi-stream #asahi-offtopic | Keep things on topic | Logs: https://alx.sh/l/asahi
<LarstiQ>
I'm having some trouble with Kanshi: since I only seem to get HDMI-A-1 as identifier, I can't distinguish between different monitors. Is that just me or also for other people?
<chadmed>
LarstiQ: we havent hooked up EDID/DisplayID yet
<LarstiQ>
chadmed: that would explain it :)
<LarstiQ>
how particular is that to the hardware?
<chadmed>
the firmware probably has it somewhere in some data structure but its entirely specific
<chadmed>
the job of our driver is to answer calls from the drm api and get the data from the hardware and give it back to whoever asked for it in the format its expected in
<chadmed>
the dcp firmware has it stored somewhere in some format
<LarstiQ>
right, so some reverse engineering needed
<chadmed>
yeah
<chadmed>
there will be some dcp callback somewhere to do it
<chadmed>
it might already even be known and just not wired up
<d1w0u>
Hi, I am searching for information on how to enable Secure Boot and sign U-Boot and the kernel, but I can't find any.
<chadmed>
d1w0u: it is not yet supported
<chadmed>
there is no trust root and no efi variable storage
<d1w0u>
chadmed, will it be supported? I searched and Apple lets you set Medium Security, allowing it to boot any signed OS. I thought that Fedora & Ubuntu are allowed to be verified by Microsoft's Root CA. Is it because there's a "new" OS?
<chadmed>
the platform is not UEFI and does not have microsoft's keys at the trust root (the SEP), so UEFI Secure Boot is entirely meaningless at every stage before u-boot
<chaos_princess>
it will be supported eventually, but for that os the setting will remain at "permissive security", "signed os" in apple-speak = macos
<chadmed>
in apple world "signed" means signed by apple. it refers to the mach-o being jumped to by iboot and not some random thing after that and also has nothing to do with uefi
<chadmed>
we need to glue the two worlds together, and for that we need sep. your macos stub/m1n1 stage 1 will _always_ be "untrusted" according to SEP/iBoot though
<chadmed>
m1n1 already has some facilities for securing the boot chain and some form of secure boot will be supported in the future
<d1w0u>
chadmed, chaos_princess thanks
<d1w0u>
what about replacing Apple's Root CA by Microsoft's or personal one?
<d1w0u>
I mean, by flashing it on the proper chip
<chadmed>
you cant
<chaos_princess>
well, focused ion beam on 5 nm process :P
<chaos_princess>
but yes, apple certs are in the bootrom
<chadmed>
its baked into the soc and also you would completely fuck up iboot and render the system totally irreparably bricked if you did
<sven>
i'm sure they have mitigations like security meshes and all that against ion beams :D
<chaos_princess>
really? iirc xbox people were "if you can afford an ion beam, you deserve your hacked xbox" and most people had the same attitude
<sven>
at least the secure enclave will definitely have additional security features. they also do quite a lot to defend against glitching and power analysis
<chadmed>
yeah but apple has significantly more trillions of dollars than ms did 20 years ago and probably greater incentive to keep it all locked away
<chadmed>
especially considering the smartphone provenance of the soc
<sven>
it's also a different threat model. ms defends against "our users want to pirate games so if cost of attack > 10 * price of a single game" everything's fine
<chadmed>
at the end of the day it is what it is, its not like its impossible to implement a secure boot chain or anything
<chadmed>
i tire of the "its not secure unless i have verified the photomask" larper crowd
<chadmed>
you can go buy a bunch of CVD and photolithography equipment off aliexpress and tape your own risc-v chips out if you want
<d1w0u>
sorry, i don't understand the conversation since "ion beam", but if there's an unsigned stage, that stage can be replaced by malware, infecting the whole following chain, i think it is not an easy task, but if you can't be sure that the binaries running are signed at least by a trusted CA, then in the future, maybe long future, apple machines with linux will be a target. am i wrong?
<chadmed>
youre not _technically_ wrong but i dont think youre reading what is being said
<chadmed>
it is not impossible to implement a secure boot chain - in fact we have investigated it, deemed it possible, and it is a planned feature
<chaos_princess>
m1n1 stage 1 is signed by _your_ key, and the machine will not boot if it is tampered with. the rest of the secure boot chain is possible but does not exist yet
<chadmed>
we do not need to tamper with any of apples boot tooling or security features to accomplish this - m1n1 stage 1 is signed by the SEP using your machine credentials and so is directly verified by the trust root
<chaos_princess>
the whole kmutil dance is doing the signing among other things
<chadmed>
this is by design straight from apple. all we need to do is start signing m1n1 stage 2, which includes u-boot, and then get _that_ to verify a signed kernel (e.g. by implementing uefi var storage somehow in u-boot and using uefi secure boot)
<chadmed>
its not insurmountable, its just work that hasnt been done
<chadmed>
the fact that you have to assert physical presence and type your machine owner password in to kmutil for the sep to sign the binary means that you are effectively the trust root
<d1w0u>
so that's awesome, if i can use a key to sign the stages from m1n1, and the before part is signed by Apple, there won't be a problem.
<chadmed>
correct
<chadmed>
some very intelligent people are behind the security on this platform