#spectrum on 2019-11-06

2019-08-29 20:55 qyliss changed the topic of #spectrum to: A compartmentalized operating system | https://spectrum-os.org/ | Logs: https://logs.spectrum-os.org/spectrum/

06:37 <pie_> heh. point and click. https://www.reuters.com/article/us-usa-spying-raven-specialreport/special-report-inside-the-uaes-secret-hacking-team-of-u-s-mercenaries-idUSKCN1PO19O

06:37 <pie_> fun times... :I

07:01 <IdleBot_59b8da4c> I wonder if there is anyone left who knows what NOBUS means _and_ believes in it

07:04 <pie_> #angst

07:17 <pie_> IdleBot_59b8da4c: alternatively, they are also "US"

07:23 <IdleBot_59b8da4c> And Shadow Brokers, who also get the NOBUS capabilities by breaking security on intermediate deployment servers? If they want to maintain simultaneously that SB=US _and_ SB=Russia, that would be pretty revealing… (it might be that there are bureaucracy natural selection effects that do lead to interests of nominally-in-conflict elites better aligned than inside-country alignment, but normally the special services deny _that_ level of mar

07:29 IdleBot_59b8da4c has quit [Remote host closed the connection]

07:29 IdleBot_51f8eb57 has joined #spectrum

07:32 <pie_> you fuck up sometimes

07:33 <pie_> xD

07:33 <pie_> ok i wasnt being serious, hold onű

07:33 <pie_> whats SB?

07:33 <pie_> I havent read as many spy books as im starting to assume you ahve

07:33 <pie_> oh its shadowbrokers

07:33 <pie_> duh.

07:34 <IdleBot_51f8eb57> There is some number of failures when «nobody except those who managed to use our failures, which happen at least quarterly» starts sounding unconvincing

07:35 <pie_> not to defend them, but can you even have NOBUS for software

07:36 <IdleBot_51f8eb57> I am criticizing the claim more than failure to achieve it

07:36 <pie_> hm

09:29 tilpner_ is now known as tilpner

15:04 <tazjin> might be interesting for some of you: https://opensource.googleblog.com/2019/11/opentitan-open-sourcing-transparent.html

15:07 <qyliss> Interesting

15:27 <IdleBot_51f8eb57> does not seem to say anything about constraints on the motherboard design (and probably a lot of other things) needed to make this useful

15:46 <tazjin> IdleBot_51f8eb57: afaict this is just the initial project launch - we do all motherboard design in-house, so it's likely <speculation>that the opentitan team want to find external motherboard manufacturers to collaborate with before publishing information on how titan can be used for mb integrity verification etc. </speculation>

15:47 <tazjin> small steps, but it's starting to feel like trust issues are being worked on on so many fronts that we're slowly getting somewhere

15:53 <IdleBot_51f8eb57> At that point I guess I can say we are getting to a worse place. If only large companies can be remotely sure that the MB integration is done right, devices are easier to lock, but no easier to trust

16:01 <tazjin> but publishing integration info in tandem with a manufacturer actually announcing support for it doesn't mean that it's just that manufacter that *can* support it

16:01 <tazjin> maybe I misunderstand what you mean

16:08 <IdleBot_51f8eb57> Well, when mainboard manufacturers who also happen to be laptop manufacturers just happen to ship the systems with badly-written malware (vulnerable to secondary exploitation by non-author) in the official OS image, trusting that integration of RoT has been done correctly seems optimistic

16:09 <IdleBot_51f8eb57> And if they do integrate it correctly, they get a useful tool from imposing the configuration on the user

16:09 <IdleBot_51f8eb57> (like unlocked Chromebooks with a single-button (!!!) wipe on a 10s boot warning)

18:32 <hyperfekt> qyliss: finally got myself to take a look at the crosvm stuff

18:57 <qyliss> hyperfekt: yeah?

18:58 <hyperfekt> qyliss: push'd

18:59 <hyperfekt> have you gotten virtfs to work? if so i might want to add a test for crosvm

18:59 <qyliss> hyperfekt: I still haven't got it to boot lol

18:59 <qyliss> Because I don't want an initrd

19:07 <hyperfekt> oh wow, google is implementing virtio-fs for crosvm this very moment

19:09 <qyliss> :3

19:40 <IdleBot_51f8eb57> I have virtio-9p working inside NixOS initramfs iff CrosVM is run with --disable-sandbox

19:40 <IdleBot_51f8eb57> Of course virtio-fs in crosvm is Not Paranoid Enough for our long-termplan as it requires host FS access

19:41 <IdleBot_51f8eb57> I have no idea how, but inside CrosVM I do not get working overlayfs. Go figure

19:41 <IdleBot_51f8eb57> I guess it would be nice if we could have one VM export FS via virtio to another VM that imports it via virtio and then runs virtio-fs on top of that

19:41 <tilpner> Custom kernel, IdleBot_51f8eb57?

19:44 <IdleBot_51f8eb57> No, I decided to try booting a standard NixOS build-vm

19:44 <tilpner> Huh

19:44 <tilpner> :q

19:44 * tilpner wrong focus

19:46 Thierry64 has quit [Ping timeout: 240 seconds]

19:48 <hyperfekt> IdleBot_51f8eb57: What would be the point of chaining virtfs and virtio-fs?

20:03 <IdleBot_51f8eb57> Not chaining: serving FS from a VM to a sibling VM, using virtio as transport to avoid networking overhead

20:07 <hyperfekt> oh so you just mean inter-vm virtio-fs, gotcha

20:09 <IdleBot_51f8eb57> I am not sure CrosVM currently supports non-built-in virtio endpoints, which is sad