Saturday, 2022-04-23

00:21 <sadoon[m]> Working on building a secure PC for work, had Intel ME neutered from the first motherboard I ever bought, a Gigabyte Z77 DS3H with a quad core Xeon, those were fun days
00:21 <sadoon[m]> Once I have that setup and fully encrypted I'll be ready to sit at work doing unrelated work lol
00:22 <sadoon[m]> That's how I'll access libre-soc's power server :D
00:23 <programmerjake> well...I have an AMD 3900X .. I probably won't replace the proprietary firmware...too much hassle
00:23 <sadoon[m]> You pretty much can't unfortunately
00:23 <programmerjake> yup...hence too much hassle
00:23 <sadoon[m]> It's ironically easier with intel
00:24 <sadoon[m]> Just clipped on an SPI flasher and bam, me_cleaner done
<programmerjake> oh, speaking of intel firmware:
00:29 <sadoon[m]> By the time they do something actually good for security/privacy we'll already have powerpc's and risc-v's everywhere I bet
00:30 <sadoon[m]> Even if intel open sourced literally everything their architecture is way too bloated and inferior at this point
00:30 <programmerjake> well...them adding aes instructions made it more feasible to encrypt; not everything they do is bad for security/privacy
00:30 <sadoon[m]> Of course
00:31 <sadoon[m]> But it's security as long as you play inside their fences
00:34 <sadoon[m]> I already asked this in #talos-workstation but maybe someone here knows, is it at all possible to get hibernation working on openpower because this is bugging me
00:35 <programmerjake> well...with the proposal to research spectre-proof processor microarchitecture that was submitted as part of the WIP 20-something million euro grant...we'll likely have a way to fix everyone's cpu designs...making them correct (in terms of not having speculation leak data through timing channels)
00:35 <sadoon[m]> That's awesome
00:36 <programmerjake> I insisted that we add that since I came up with a way to do that but nearly no one else understood it enough to be convinced it could work...
00:36 <programmerjake> so making a working prototype could possibly convince people it'll work
00:36 <sadoon[m]> Good on you
00:38 <programmerjake> see if you're curious
00:38 <sadoon[m]> Will definitely read, thanks
00:39 <programmerjake> sorry, idk about hibernation
00:39 <sadoon[m]> It's ok, not many people do heh
00:39 <sadoon[m]> Seems not many use the feature nowadays
00:39 <sadoon[m]> But it's really helpful
00:39 <sadoon[m]> I wanna keep my machines off when I can to save their lifespans
00:40 <programmerjake> I'd expect that's just built into linux's swap system to swap everything out then power-off, so shouldn't be architecture-dependent...
00:41 <sadoon[m]> I thought that too but apparently it's disabled by default for powerpc64le kernels and I had to manually enable it so..
00:42 <programmerjake> did you find the commit disabling it? maybe it'll say why it broke
00:42 <sadoon[m]> Oh wow, I got it to power off by removing some kernel cmdline params
00:42 <sadoon[m]> programmerjake: No it's disabled in kconfig
00:42 <sadoon[m]> Not hardcoded
00:43 <programmerjake> the commit changing linux's default kconfig to have it disabled is what I meant
00:43 <sadoon[m]> Ah, never thought of that
00:43 <sadoon[m]> But first I'd have to find whether it's a debian thing or all distros do this
00:43 <sadoon[m]> Time to check the latest and greatest ubuntu vm I just installed
00:44 <sadoon[m]> Or if it works just ignore that completely lol
00:44 <programmerjake> if it's broke, it might appear to work but corrupt something...
00:44 <sadoon[m]> That's scary
00:44 <sadoon[m]> Let's find out
00:45 <programmerjake> it may be hard to find out...just rebooting might not be enough
00:45 <sadoon[m]> I meant also looking into what you suggested
00:45 <sadoon[m]> But it's almost 3 am here so if it doesn't boot I'm gonna hit the pillow
00:46 <programmerjake> sleep well!
00:46 <sadoon[m]> Lovely black screen so far
00:46 <sadoon[m]> Thanks you too :)
00:47 <programmerjake> :) it's 16:46 here so I won't be sleeping for around 9hr
00:47 <sadoon[m]> Sleep well when you do heh
09:31 *** kylel1 is now known as kylel
17:04 <sadoon[m]> I sent you the public key @lkcl
17:05 <lkcl> sadoon[m], got it. you should now be able to ssh -p922 sadoon@talos1.libre-soc.org
17:05 <lkcl> don't type a password
17:11 <sadoon[m]> I need qemu and libvirt installed, is that possible?
17:12 <sadoon[m]> With a key added and libvirt installed all I would need is to login using virt-manager in usermode and run a vm in which I can build packages
17:12 <lkcl> set up a chroot and do what you like
17:12 <lkcl> for god's sake don't install *anything* in the main system
17:13 <lkcl> i really mean it.
17:13 <sadoon[m]> I don't think I have privileges to do that anyways :P
17:13 <sadoon[m]> don't worry
17:13 <lkcl> yes you do, i added you to sudoers
17:13 <lkcl> so you can
17:13 <lkcl> sudo bash
17:13 <lkcl> (no password)
17:13 <sadoon[m]> ah, but I won't :D
17:13 <lkcl> git clone dev-env-setup
17:13 <lkcl> followed by ./mk-deb-chroot {whatever}
17:13 <lkcl> and inside that basically do what you like
17:14 <sadoon[m]> is it possible to use qemu-kvm in a chroot?
17:14 <lkcl> put qemu in it, upgrade it, put libvirt in it, i don't care what you do
17:14 <lkcl> try it. you'll almost certainly find it succeeds
17:14 <sadoon[m]> but even then libvirt wouldn't be exposed to my ssh user, hmmm
17:17 <lkcl> if it's a service then start it manually and it'll work fine
17:18 <lkcl> but if it's a network service please don't do that
17:18 <lkcl> or if you do, configure it to only be accessible over localhost or other ssh connection
18:02 <sadoon[m]> I guess it does count as a network service
18:03 <sadoon[m]> Either that or I can use pure qemu but it'll be a bit problematic
18:03 <lkcl> ok then you'll need to isolate it. localhost only, ssh tunnelling
18:04 <lkcl> or i can explain how to join to its VPN
18:04 <lkcl> or, you could just use it as a remote-ssh tunnelling point to get to your machine at home
18:04 <lkcl> oh you were going to move it, weren't you
18:10 <sadoon[m]> Move what
18:10 <lkcl> your TALOS2
18:10 <sadoon[m]> I'm still not sure but it seems like it's the only option
18:11 <lkcl> try ssh -R (or is it ssh -L)
18:11 <lkcl> you should be able to use it to ssh back to your workstation, right now
18:11 <sadoon[m]> This ssh thing might prove more trouble than it's worth
18:11 <lkcl> ssh -R 222:localhost:22 talos1.libre-soc.org
18:11 <lkcl> (i think)
18:12 <lkcl> ssh -p222 localhost
18:12 <lkcl> and it should take you right back to the very machine you just logged in from
18:12 <sadoon[m]> I am very confused right now :p
18:13 <lkcl> 1 sec
18:14 <lkcl> what machine - locally - are you logging in from?
18:14 <sadoon[m]> Say it's my laptop for now
18:15 <lkcl> ok, is your laptop running an ssh server, on port 22?
18:15 <lkcl> ok then type this command:
18:16 <lkcl> ssh -p922 -R 2222:localhost:22 talos1.libre-soc.org
18:16 <lkcl> (sorry, i was on port 2222 already, i've freed it up now)
18:17 <lkcl> ssh -p922 -R 2222:localhost:22 sadoon@talos1.libre-soc.org
18:17 <lkcl> note the login name, sorry
18:17 <sadoon[m]> I'm in
18:17 <lkcl> ok great
18:17 <lkcl> ssh -v -p2222 localhost
18:17 <lkcl> ssh -v -p2222 yourlaptoplocalusername@localhost
18:17 <lkcl> ssh -v -p2222 your**LAPTOP**localusername@localhost
18:18 <sadoon[m]> Alright I'm back to my laptop
18:18 <sadoon[m]> But thru libre-soc of course
18:18 <lkcl> yeees, exactly.
18:18 <sadoon[m]> I'm being thick
18:19 <lkcl> so now you can set up a script - on your own TALOS-II workstation - that does that ssh into talos1.libre-soc.org
18:19 <lkcl> from work
18:19 <lkcl> you can ssh to talos1.libre-soc.org
18:19 <sadoon[m]> I see now
18:19 <sadoon[m]> Then we have an even better option
18:19 <lkcl> and then ssh *again* into your own TALOS-II workstation
18:20 <lkcl> now, if you also include "-X" - or if you install rdesktop - you can actually get remote GUI
18:20 <sadoon[m]> I already have a server that hosts my website
18:20 <lkcl> i've installed xrdp before now
18:20 <sadoon[m]> I could just do that can't I?
18:20 <lkcl> and ssh tunnelled it over
18:20 <lkcl> well if you have console access (ssh access) to your server, then yes
18:20 <sadoon[m]> Yup of course
18:21 <sadoon[m]> That is so awesome
18:21 <lkcl> it was horrendously slow, because i had a really poor ADSL connection at home
18:21 <sadoon[m]> And to think I was about to move my talos to work heh
18:21 <lkcl> and of course, if your work also has ADSL then you end up with the XRDP protocol being limited each way to the minimum of the *two* ADSL connections
18:21 <sadoon[m]> Ok so now here's the plan, I set up my good ol' Xeon at work and give it an ssh key for my server and login with -R from my talos to my server
18:22 <lkcl> xrdp is the server version matching rdesktop
18:22 <lkcl> you know rdesktop?
18:22 <sadoon[m]> I don't need X even
18:22 <sadoon[m]> I just need libvirt
18:22 <sadoon[m]> through virt-manager I get access to all my VMs back at home
18:22 <lkcl> you _can_ use "ssh -c" to perform the ssh-over-the-ssh automatically in a single command
18:22 <lkcl> ssh -c 'ssh ....'
18:23 <lkcl> which is bizarre but effective
18:23 <sadoon[m]> Yeah ssh -c is one of my favorites
18:23 <sadoon[m]> I use it for some scripts
18:23 <lkcl> pffh, then you know it already :)
18:23 <lkcl> ssh -L is the other way round btw
18:23 <sadoon[m]> No wait
18:23 <sadoon[m]> That was another one
18:24 <sadoon[m]> -c  -- select encryption cipher
18:24 <lkcl> if you wanted a service on the *remote* system to *look* like it's accessible locally
18:24 <lkcl> 1 sec
18:24 <lkcl> just "ssh {options} 'ssh {more options}'" then
18:24 <lkcl> you get the idea
18:25 <sadoon[m]> Yes yes ssh and run ssh on the remote system in one command
18:25 <sadoon[m]> That's what I meant
18:25 <sadoon[m]> the -c was probably a su or sudo thing
18:36 <sadoon[m]> So now the next step is to get libvirt to login directly to my talos transparently
18:36 <sadoon[m]> I assume that this would use the port forwarding feature?
18:36 <sadoon[m]> To forward the ssh port
20:15 <sadoon[m]> Ok so I solved the issue by simply tunneling my workstation to my server, sshing into the server, "virsh start vm" and sshing then into the VM
20:15 <sadoon[m]> I don't need a GUI or to log into libvirt because 99% of my work is in a terminal
