sadoon[m] | Working on building a secure PC for work, had Intel ME neutered from the first motherboard I ever bought, a Gigabyte Z77 DS3H with a quad core Xeon, those were fun days | 00:21 |
---|---|---|
sadoon[m] | Once I have that setup and fully encrypted I'll be ready to sit at work doing unrelated work lol | 00:21 |
programmerjake | :) | 00:22 |
sadoon[m] | That's how I'll access libre-soc's power server :D | 00:22 |
programmerjake | well...I have an AMD 3900X .. I probably won't replace the proprietary firmware...too much hassle | 00:23 |
sadoon[m] | You pretty much can't unfortunately | 00:23 |
programmerjake | yup...hence too much hassle | 00:23 |
sadoon[m] | It's ironically easier with intel | 00:23 |
sadoon[m] | Just clipped on an SPI flasher and bam, me_cleaner done | 00:24 |
programmerjake | oh, speaking of intel firmware: https://www.phoronix.com/scan.php?page=news_item&px=Intel-PSE-FW-Open-Source | 00:25 |
sadoon[m] | By the time they do something actually good for security/privacy we'll already have powerpc's and risc-v's everywhere I bet | 00:29 |
sadoon[m] | Even if intel open sourced literally everything their architecture is way too bloated and inferior at this point | 00:30 |
programmerjake | well...them adding aes instructions made it more feasible to encrypt everything...so not everything they do is bad for security/privacy | 00:30 |
sadoon[m] | Of course | 00:30 |
sadoon[m] | But it's security as long as you play inside their fences | 00:31 |
programmerjake | :) | 00:31 |
sadoon[m] | I already asked this in #talos-workstation but maybe someone here knows, is it at all possible to get hibernation working on openpower because this is bugging me | 00:34 |
programmerjake | well...with the proposal to research spectre-proof processor microarchitecture that was submitted as part of the WIP 20-something million euro grant...we'll likely have a way to fix everyone's cpu designs...making them correct (in terms of not having speculation leak data through timing channels) | 00:35 |
sadoon[m] | That's awesome | 00:35 |
programmerjake | I insisted that we add that since I came up with a way to do that but nearly no one else understood it enough to be convinced it could work... | 00:36 |
programmerjake | so making a working prototype could possibly convince people it'll work | 00:36 |
sadoon[m] | Good on you | 00:36 |
programmerjake | see https://bugs.libre-soc.org/show_bug.cgi?id=209 if you're curious | 00:38 |
sadoon[m] | Will definitely read, thanks | 00:38 |
programmerjake | sorry, idk about hibernation | 00:39 |
sadoon[m] | It's ok, not many people do heh | 00:39 |
sadoon[m] | Seems not many use the feature nowadays | 00:39 |
sadoon[m] | But it's really helpful | 00:39 |
sadoon[m] | I wanna keep my machines off when I can to save their lifespans | 00:39 |
programmerjake | I'd expect that's just built into linux's swap system to swap everything out then power-off, so shouldn't be architecture-dependent... | 00:40 |
sadoon[m] | I thought that too but apparently it's disabled by default for powerpc64le kernels and I had to manually enable it so.. | 00:41 |
programmerjake | did you find the commit disabling it? maybe it'll say why it broke | 00:42 |
sadoon[m] | Oh wow, I got it to power off by removing some kernel cmdline params | 00:42 |
sadoon[m] | programmerjake: No it's disabled in kconfig | 00:42 |
sadoon[m] | Not hardcoded | 00:42 |
programmerjake | the commit changing linux's default kconfig to have it disabled is what I meant | 00:43 |
sadoon[m] | Ah, never thought of that | 00:43 |
sadoon[m] | But first I'd have to find whether it's a debian thing or all distros do this | 00:43 |
sadoon[m] | Time to check the latest and greatest ubuntu vm I just installed | 00:43 |
sadoon[m] | Or if it works just ignore that completely lol | 00:44 |
programmerjake | if it's broke, it might appear to work but corrupt something... | 00:44 |
sadoon[m] | That's scary | 00:44 |
sadoon[m] | Let's find out | 00:44 |
programmerjake | it may be hard to find out...just rebooting might not be enough | 00:45 |
sadoon[m] | I meant also looking into what you suggested | 00:45 |
programmerjake | ah | 00:45 |
sadoon[m] | But it's almost 3 am here so if it doesn't boot I'm gonna hit the pillow | 00:45 |
programmerjake | sleep well! | 00:46 |
sadoon[m] | Lovely black screen so far | 00:46 |
sadoon[m] | Thanks you too :) | 00:46 |
programmerjake | :) it's 16:46 here so I won't be sleeping for around 9hr | 00:47 |
sadoon[m] | Sleep well when you do heh | 00:47 |
programmerjake | :) | 00:47 |
*** kylel1 is now known as kylel | 09:31 | |
sadoon[m] | I sent you the public key @lkcl | 17:04 |
lkcl | sadoon[m], got it. you should now be able to ssh -p922 sadoon@talos1.libre-soc.org | 17:05 |
lkcl | don't type a password | 17:05 |
sadoon[m] | Awesome | 17:05 |
sadoon[m] | Thanks | 17:05 |
sadoon[m] | I need qemu and libvirt installed, is that possible? | 17:11 |
sadoon[m] | With a key added and libvirt installed all I would need is to login using virt-manager in usermode and run a vm in which I can build packages | 17:12 |
lkcl | set up a chroot and do what you like | 17:12 |
lkcl | for god's sake don't install *anything* in the main system | 17:12 |
lkcl | i really mean it. | 17:13 |
sadoon[m] | I don't think I have privileges to do that anyways :P | 17:13 |
sadoon[m] | don't worry | 17:13 |
lkcl | yes you do, i added you to sudoers | 17:13 |
lkcl | so you can | 17:13 |
lkcl | sudo bash | 17:13 |
lkcl | (no password) | 17:13 |
sadoon[m] | ah, but I won't :D | 17:13 |
lkcl | git clone dev-env-setup | 17:13 |
lkcl | followed by ./mk-deb-chroot {whatever} | 17:13 |
lkcl | and inside that basically do what you like | 17:13 |
sadoon[m] | is it possible to use qemu-kvm in a chroot? | 17:14 |
lkcl | put qemu in it, upgrade it, put libvirt in it, i don't care what you do | 17:14 |
lkcl | try it. you'll almost certainly find it succeeds | 17:14 |
sadoon[m] | but even then libvirt wouldn't be exposed to my ssh user, hmmm | 17:14 |
lkcl | if it's a service then start it manually and it'll work fine | 17:17 |
lkcl | but if it's a network service please don't do that | 17:18 |
lkcl | or if you do, configure it to only be accessible over localhost or other ssh connection | 17:18 |
sadoon[m] | I guess it does count as a network service | 18:02 |
sadoon[m] | Either that or I can use pure qemu but it'll be a bit problematic | 18:03 |
lkcl | ok then you'll need to isolate it. localhost only, ssh tunnelling | 18:03 |
lkcl | or i can explain how to join to its VPN | 18:04 |
lkcl | or, you could just use it as a remote-ssh tunnelling point to get to your machine at home | 18:04 |
lkcl | oh you were going to move it, weren't you | 18:04 |
sadoon[m] | Move what | 18:10 |
lkcl | your TALOS2 | 18:10 |
sadoon[m] | I'm still not sure but it seems like it's the only option | 18:10 |
lkcl | try ssh -R (or is it ssh -L) | 18:11 |
lkcl | you should be able to use it to ssh back to your workstation, right now | 18:11 |
sadoon[m] | This ssh thing might prove more trouble than it's worth | 18:11 |
lkcl | ssh -R 222:localhost:22 talos1.libre-soc.org | 18:11 |
lkcl | (i think) | 18:11 |
lkcl | then | 18:11 |
lkcl | *on talos1.libre-soc.org* | 18:11 |
lkcl | ssh -p222 localhost | 18:12 |
lkcl | and it should take you right back to the very machine you just logged in from | 18:12 |
sadoon[m] | I am very confused right now :p | 18:12 |
lkcl | 1 sec | 18:13 |
lkcl | right. | 18:14 |
lkcl | what machine - locally - are you logging in from? | 18:14 |
sadoon[m] | Say it's my laptop for now | 18:14 |
lkcl | ok, is your laptop running an ssh server, on port 22? | 18:15 |
sadoon[m] | Yes | 18:15 |
lkcl | ok then type this command: | 18:15 |
lkcl | ssh -p922 -R 2222:localhost:22 talos1.libre-soc.org | 18:16 |
lkcl | (sorry, i was on port 2222 already, i've freed it up now) | 18:16 |
lkcl | ssh -p922 -R 2222:localhost:22 sadoon@talos1.libre-soc.org | 18:17 |
lkcl | note the login name, sorry | 18:17 |
sadoon[m] | I'm i n | 18:17 |
lkcl | ok great | 18:17 |
sadoon[m] | in* | 18:17 |
lkcl | now: | 18:17 |
lkcl | ssh -v -p2222 localhost | 18:17 |
lkcl | sorry | 18:17 |
lkcl | ssh -v -p2222 yourlaptoplocalusername@localhost | 18:17 |
lkcl | ssh -v -p2222 your**LAPTOP**localusername@localhost | 18:17 |
sadoon[m] | Alright I'm back to my laptop | 18:18 |
lkcl | hooraaay! | 18:18 |
lkcl | ta-daaaa | 18:18 |
sadoon[m] | But thru libre-soc of course | 18:18 |
lkcl | yeees, exactly. | 18:18 |
sadoon[m] | I'm being thick | 18:18 |
lkcl | so now you can set up a script - on your own TALOS-II workstation - that does that ssh into talos1.libre-soc.org | 18:19 |
lkcl | then | 18:19 |
lkcl | from work | 18:19 |
sadoon[m] | Ohhhh | 18:19 |
lkcl | you can ssh to talos1.libre-soc.org | 18:19 |
sadoon[m] | I see now | 18:19 |
sadoon[m] | Then we have an even better option | 18:19 |
lkcl | and then ssh *again* into your own TALOS-II workstation | 18:19 |
lkcl | now, if you also include "-X" - or if you install rdesktop - you can actually get remote GUI | 18:20 |
sadoon[m] | I already have a server that hosts my website | 18:20 |
lkcl | i've installed xrdp before now | 18:20 |
sadoon[m] | I could just do that can't I? | 18:20 |
lkcl | and ssh tunnelled it over | 18:20 |
sadoon[m] | Nice! | 18:20 |
lkcl | well if you have console access (ssh access) to your server, then yes | 18:20 |
sadoon[m] | Yup of course | 18:20 |
sadoon[m] | That is so awesome | 18:21 |
lkcl | it was horrendously slow, because i had a really poor ADSL connection at home | 18:21 |
sadoon[m] | And to think I was about to move my talos to work heh | 18:21 |
lkcl | and of course, if your work also has ADSL then you end up with the XRDP protocol being limited each way to the minimum of the *two* ADSL connections | 18:21 |
sadoon[m] | Ok so now here's the plan, I set up my good ol' Xeon at work and give it an ssh key for my server and login with -R from my talos to my server | 18:21 |
lkcl | xrdp is the server version matching rdesktop | 18:22 |
lkcl | you know rdesktop? | 18:22 |
sadoon[m] | I don't need X even | 18:22 |
lkcl | pffh | 18:22 |
sadoon[m] | I just need libvirt | 18:22 |
sadoon[m] | through virt-manager I get access to all my VMs back at home | 18:22 |
lkcl | you _can_ use "ssh -c" to perform the ssh-over-the-ssh automatically in a single command | 18:22 |
lkcl | ssh -c 'ssh ....' | 18:22 |
lkcl | which is bizarre but effective | 18:23 |
sadoon[m] | Yeah ssh -c is one of my favorites | 18:23 |
sadoon[m] | I use it for some scripts | 18:23 |
sadoon[m] | :P | 18:23 |
lkcl | pffh, then you know it already :) | 18:23 |
lkcl | ssh -L is the other way round btw | 18:23 |
sadoon[m] | No wait | 18:23 |
sadoon[m] | That was another one | 18:23 |
sadoon[m] | -c -- select encryption cipher | 18:24 |
lkcl | if you wanted a service on the *remote* system to *look* like it's accessible locally | 18:24 |
lkcl | errr | 18:24 |
lkcl | 1 sec | 18:24 |
lkcl | just "ssh {options} 'ssh {more options}'" then | 18:24 |
lkcl | you get the idea | 18:24 |
sadoon[m] | Yes yes ssh and run ssh on the remote system in one command | 18:25 |
sadoon[m] | That's what I meant | 18:25 |
sadoon[m] | the -c was probably a su or sudo thing | 18:25 |
sadoon[m] | So now the next step is to get libvirt to login directly to my talos transparently | 18:36 |
sadoon[m] | I assume that this would use the port forwarding feature? | 18:36 |
sadoon[m] | To forward the ssh port | 18:36 |
sadoon[m] | Ok so I solved the issue by simply tunneling my workstation to my server, sshing into the server, "virsh start vm" and sshing then into the VM | 20:15 |
sadoon[m] | I don't need a GUI or to log into libvirt because 99% of my work is in a terminal | 20:15 |