<sewn>
how minimal if your initramfs and kernel are already present on your boot
<sewn>
how clean if its just a giant frankenstein of those two
<kris_>
oh you're gonna hate me
<sewn>
secure ok sure
<sewn>
kris_: im not here to ad hominem you
<kris_>
i have 6 different kernels, 6 different initramfs images on my /boot
<sewn>
im just trying to see how its logical
<sewn>
i do not care about this information
<kris_>
it's clean because it's the only file exposed on my disk unencrypted
<sewn>
answer answer
<kris_>
ok sorry
<sewn>
i dont like attacking cool people >:(
<kris_>
i don't care if my /boot is messy because it's not a split partition, it's just part of my root
<kris_>
my ESP, however, *is* limited and id prefer there only be one file there that i need to protect
<sewn>
ohhhhhhhhhh
<kris_>
and usually i keep a shit ton of kernels around anyway
<sewn>
that makes sense
<kris_>
in case i feel like rolling a new uki with an old kernel
<kris_>
which has happened multiple times
<sewn>
so its not exactly clean its just secure
<kris_>
it's clean in terms of attack surface
<kris_>
that's more what i had meant by that
<sewn>
okay but why does that matter
<sewn>
if your disk is encrypted with LUKS already
<kris_>
because you can protect the kernel, initramfs, cmdline, etc with *one* secure boot signature instead of having to either sign multiple things or use some weird of back-authentication
<kris_>
i sign my uki with my own secure boot keys
<sewn>
okay but why does protecting the kernel or cmdline matter
<kris_>
external modification
<sewn>
and how will that make a difference to your disk
<sewn>
it can be modified okay then what
<kris_>
no the point is that it cant be
<kris_>
if it's not signed from my decrypted root with my keys on my encrypted root it won't boot it
<kris_>
so the only thing i'm trusting in my boot chain is my motherboards firmware
<kris_>
which is the only thing i cant really do anything about
<sewn>
so if i were to just get only your disk
<sewn>
i need the kernel to decrypt it?
<kris_>
the point is that *my* machine won't boot it so i dont get keylogged from my initramfs or similar
<kris_>
or modified cmdline to disable certain things i have enabled like kstack randomization
<kris_>
or modified kernel that's been harmed in some way
<sewn>
so hypothetically
<kris_>
if you were to get my disk, you could boot it up perfectly fine
<kris_>
and thats where luks comes in
<kris_>
ive been kinda looking into trying to tie my luks setup to my motherboard though via my tpm
<kris_>
so all of this plus if it's not plugged into exactly this motherboard it's completely useless
<sewn>
its possible for someone to take your machine, disassemble it or boot a usb by going into a open bios, disable secure boot or get the ssd, boot and change the initramfs, and put everything back exactly as it was just to add a keylogger to get your password and just THEN, then what????? if the password is sent over the network its pointless because it already has access to your unencrypted root by then
<kris_>
so you can't, for example, clone it 500 times and brute force all of those at once with different settings
<kris_>
my bios is password protected and it persists through CMOS resets
<kris_>
usb drives wont boot because i havent signed them
<sewn>
first scenario then
<sewn>
oh wait that is not possible without opening up your /boot
<kris_>
correct
<kris_>
now you're starting to get it
<sewn>
well theoretically now with the disk
<sewn>
i can just bruteforce
<sewn>
lol
<kris_>
yeah honestly i really doubt that
<sewn>
i mean its not backed up by the internet
<kris_>
i use argon2id with a full minute of itertime on a core ultra 7 265k
<sewn>
a test is instantaneous
<kris_>
theoretically at the moment nothing can brute it
<kris_>
and, another thing, if you were to detach luks headers and place them elsewhere, there is no known technology that can decrypt it :p
<kris_>
and you also get plausible deniability by doing that
<kris_>
there's no *proof* any data at all exists
* sewn
observes as kris_ uses their machine
<sewn>
surely it doesnt exist surely
<kris_>
sorry chief i'm chatting from my phone and literally just wiped my desktop and overwrote it with random data
<kris_>
etc
<sewn>
but why would you choose to do that
<kris_>
shrug
<sewn>
and just leave your machine out in the open
<sewn>
are you stupi
<kris_>
oh i treat my computers like a drink in a bar
<kris_>
unless its within my sight 24/7 it's compromised
<sewn>
but it costs thousands
<kris_>
my desktop doesnt leave my bedroom sewn i just like security
<kris_>
that's what i went to uni for and otherwise
<sewn>
if it doesnt leave your bedroom
<sewn>
why the FUCK does ANY of this security matter
* kris_
has been raided by the police in the past
<sewn>
oh
<sewn>
what the
<sewn>
explain????
<kris_>
i was like 12 years old and hanging out with the wrong people
<sewn>
oh so just once
<kris_>
i didnt do anything but my friends did and my stuff became evidence due to it
<kris_>
or well
<kris_>
okay ill admit now that the statute of limitations is up that we had a pretty massive botnet and that part i was kinda involved in
<kris_>
but that isnt what got anyone in trouble
<kris_>
they decided to start swatting people and stuff, actual losers
<kris_>
i was NOT involved in that
<sewn>
so just once
<kris_>
yeah
<sewn>
youre not stupid enough to be raided again
<sewn>
so why does it matter
<kris_>
it has no reason to happen again but i dont see why you wouldn't take more security for free
<sewn>
to have such a securely, tightly-knit desktop
<sewn>
guh
<kris_>
and in the united states i cannot be forced to comply with police in terms of self-incrimination
<sewn>
is it not at a loss of convenience
<kris_>
no because i have the setup of this mostly automated by my void installer
<kris_>
and i turn on my pc once per day so the time it takes to boot doesnt bug me
<kris_>
i am patience
<kris_>
sewn what do you use then if you're not using a uki, grub?
<sewn>
limine or systemd-boot (future) or bare efibootmgr (if on kiss, which is never)
<sewn>
but yk all of this stuff sounds hella interesting
<sewn>
i literally give no shits about my security at all
<kris_>
i still need to add systemd-boot to my void installer
<kris_>
and recommend it over grub
* kris_
fucking HATES grub
<sewn>
even though i would be beheaded by my govt if they were to find out anything about what i have or do
<sewn>
well not beheaded but just jailed or executed
<kris_>
sounds like you should take this more seriously then and potentially leave
<kris_>
once you can
<sewn>
pfft ion care
<kris_>
i have no idea what part of the world you're in but that sounds pretty terrible
<sewn>
anyways i do want to look into security just for the fun of it
<sewn>
ive been wondering what i can do with my phone
<kris_>
yeah i got into this at kind of a young age
<kris_>
started pentesting stuff @ school
<sewn>
...i can tell
<sewn>
whats your phone setup
<kris_>
nothing secure lol
<kris_>
lineageos + microg on a oneplus 8t
<kris_>
unlocked bootloader
<sewn>
guh
<sewn>
i have the same thing
<kris_>
at some point ill replace it with something more secure
<sewn>
but with kernelsu and lsposed
<kris_>
i dont root
<kris_>
root is just.. bad?
<kris_>
unless you have an actual reason for it
<sewn>
i like rooting because of the stuff it gives me
<sewn>
allows me to have an actual working microg implem and lsposed
<kris_>
los is kind of a joke as far as security goes
<sewn>
and a passing safetynet
<kris_>
grapheneos is the gold standard as far as phone security goes but im not a fan of it
<sewn>
because otherwise NONE of my apps that i actually need to have work
<sewn>
which is why i cant use graphene
<sewn>
because safetynet doesnt work there
<kris_>
the issue i have with grapheneos is that they sandbox google play instead of microg
<sewn>
and even if they do fix that i still like lsposed
<kris_>
i used to be on divestos until it died
<kris_>
which is the imo best mobile os
<sewn>
fair enough
<kris_>
it has all of the goodies from graphene like hardened malloc and auto reboots after a certain amount of time and etc
<sewn>
i love to point out that the graphene author insulted me for trying to get safetynet working
<sewn>
its just like a bragging right idk
<kris_>
but it had rootless and sandboxed microg instead of normal gplay
<kris_>
sewn they're goofballs
<sewn>
wdym theyre
<kris_>
you should look at their twitter at some point
<sewn>
its just one person
<kris_>
well it *is* a community of devs
<kris_>
and the original grapheneos dev stepped down after louis rossmann shit on him
<sewn>
im pretty sure hes still there
<sewn>
i was able to make a reasonable conclusion to this
<kris_>
idk i dont keep up with it because i dont like their attitude
<sewn>
lol
<sewn>
but anyway i like lsposed because i can get to remove no screenshots on apps
<kris_>
theres just a few things that were pretty offputting to me about their twitter posts
<kris_>
like blatant misunderstanding of what secure boot does and how it works
<kris_>
and comments about microg that just arent true
<kris_>
tbh idk what lsposed is
<sewn>
basically
<sewn>
imagine it like some cheat for csgo but its for android
<kris_>
ive been running mostly just vanilla lineageos since ~2013 when it was called cyanogenmod and havent explored much past that
<sewn>
and you can plug custom scripts in
<sewn>
lmao
<kris_>
ah ic
<kris_>
i am not in a good mood
<kris_>
i need to implement zfs on my void installer and there are some things that i just really dont like
<kris_>
don't get me wrong, zfs is great
<kris_>
their encryption is not
<sewn>
have i told you about guix or nix
<kris_>
and to wrap it in luks im going to have to ship my own hook with zfsbootmenu
<kris_>
what about them
<kris_>
i daily drove nix for a bit
<sewn>
why dont you use them over your void installers
<kris_>
why would i
<kris_>
if we're talking about strictly nixos v void here, nixos is bloated as fuck and only makes sense on machines you need to scale
<kris_>
as far as the nix pkg manager on void goes, no point, i like xbps more
<sewn>
no noononono
<sewn>
im talking about the idea
<sewn>
nix/guix allow for a system completely configured from just a few files to deploy a whole system
<kris_>
yeah i get the idea, the results of designing something like that are too detrimental for me to be interested
<sewn>
but did you try guix
<kris_>
unless you mean just plugging a file into my viss and having it deploy based on that
<kris_>
which *used* to be a feature but i removed it
<sewn>
viss?
<kris_>
there is something similar though, there's a post install hook you can switch on based on the device you're running the script on
<kris_>
and do your custom install stuff there
<kris_>
like just write the script and pass it in
<kris_>
viss == void install script
<sewn>
..isnt that vis
<kris_>
Void InStall Script
<sewn>
that is stupid
<kris_>
I may be stupid.
<sewn>
i would have just named it vinstall
<sewn>
similar to other void utilities
<kris_>
sure but i dont want to give an official type vibe
<sewn>
who cares it sounds nice
<sewn>
i think my first ever repository was something like that
<sewn>
i wish archive.org backed it up
* sewn
looks at her github profile when she was 14
<sewn>
good times...
<sewn>
the repository is in fact backed up just not the actual scripts themselves :(
<kris_>
archive.org is pretty op
zlg has joined #kisslinux
chungstoin has joined #kisslinux
<chungstoin>
I'm getting "--I end Kernel panic - not syncing: UFS: Unable to mount root fs on unknoun -block (0.0) 1" while trying to boot despite having proper drivers for everything (or at least I think I do)
<chungstoin>
I'm using an antix config that I know works but with more drivers for NVMe
<chungstoin>
it's not the bootloader either because I tried grub and efistub
<chungstoin>
currently on efistub
<chungstoin>
antix config for the kernel
<sewn>
it means your kernel doesn't have the fs drivers
<sewn>
but oh well youre dead
<sewn>
of course youre using artix config thats why its broken
<sewn>
artix config is designed with initramfs in mind
<sewn>
if you don't have that it won't work because the fs is a module
<chungstoin>
kernels can have built in dependency for inits?
<chungstoin>
I'm using config from antix but a kernel from kernel.org
<sewn>
...that makes no sense
<chungstoin>
or initramfs
<sewn>
make your own kernel config or use initramfs
<chungstoin>
I'll try getting initramfs to work first
<chungstoin>
thanks
<chungstoin>
I used my own configured kernel before but it also wouldn't load, probably for a different reason though
chungstoin has quit [Read error: Connection reset by peer]