marcan changed the topic of #asahi to: Asahi Linux: porting Linux to Apple Silicon macs | General project discussion | GitHub: https://alx.sh/g | Wiki: https://alx.sh/w | Topics: #asahi-dev #asahi-re #asahi-gpu #asahi-offtopic | Keep things on topic | Logs: https://alx.sh/l/asahi
Hexagon has joined #asahi
artemist has joined #asahi
odmir has joined #asahi
raster- has joined #asahi
raster has quit [Disconnected by services]
raster- is now known as raster
mrkajetanp has quit [Quit: WeeChat 3.1]
<marcan>
it's going to be hard selling most of these proprietary Apple security features on Linux
<marcan>
Linux cares about working on the hardware, but single-system security features that touch core code are unlikely to fly
<marcan>
until other systems start supporting ~equivalent stuff, if that happens then we may be able to support apple-specific implementations as long as the core codepaths remain the same
linkmauve has quit [Ping timeout: 276 seconds]
raster has quit [Quit: Gettin' stinky!]
odmir has quit [Ping timeout: 240 seconds]
odmir has joined #asahi
aquijoule_ has joined #asahi
richbridger has quit [Ping timeout: 265 seconds]
maknho has quit [Ping timeout: 252 seconds]
maknho has joined #asahi
Bublik has quit [Ping timeout: 240 seconds]
Bublik has joined #asahi
odmir has quit [Ping timeout: 240 seconds]
phiologe has joined #asahi
PhilippvK has quit [Ping timeout: 276 seconds]
marvin24 has quit [Ping timeout: 250 seconds]
marvin24 has joined #asahi
<sorear>
it's very pkeys-like
VinDuv has joined #asahi
ephe_meral1 has joined #asahi
jeffmiw_ has joined #asahi
jeffmiw_ has quit [Ping timeout: 240 seconds]
maknho_ has joined #asahi
maknho has quit [Ping timeout: 268 seconds]
VinDuv has quit [Quit: Leaving.]
maknho_ has quit [Quit: WeeChat 2.3]
maknho has joined #asahi
CDFH_ has joined #asahi
CDFH has quit [Ping timeout: 260 seconds]
<agraf>
marcan: I suspect you could rebuild something similar to PPL in PV logic for VMs generically.
<dottedmag>
marcan: Do they care about number of device types, or about number of devices out there? Would it be easier to sell "this feature will eventually cover ~8% of all laptops/desktops in the world"?
<marcan>
dottedmag: it wouldn't cover 8% of all laptops/desktops because people wouldn't *use* it
<sven>
or we just don't enable SPRR/GXF and we're done with it
<marcan>
this whole thing only makes any sense if you lock down the kernel
<marcan>
sven: that's what I'm saying
<marcan>
dottedmag: Apple *enforces* kernel lockdown, because they can do that
<marcan>
and that makes ~every macos user protected
<sven>
marcan: yeah, and I agree
<marcan>
but how many linux users turn on kernel lockdown?
<marcan>
because if you don't this whole thing is ~useless
<marcan>
same with rootless etc
<marcan>
apple gets to push all this security stuff because they control the platform
<dottedmag>
Ah, ok. Nevertheless, "single-system" sounds weird: it sounds like if you churn out 1000 devices, each in batches of 1000, it will be easier to push features into kernel than if you produce 2 devices, in millions each.
<marcan>
but on linux it's all optional, and the only people who really care are the people running cloud servers, and the 1% of infosec folks
<marcan>
heck even I don't care for my desktops
<marcan>
I like being able to load modules
<dottedmag>
Yeah, macmini clouds are not going to take over the world any time soon.
<marcan>
(and realize I'm an infosec person; I'm being very pragmatic here)
<mjg59_>
marcan: Lockdown's on by default on all desktop/laptop hardware sold since 2012 unless you disable secure boot first
<sven>
I think PPL is also more about protecting user land and enforcing code signing than the kernel itself. For the kernel they already have this thing where they can lock down a range for writes and then disallow running in EL1/2 outside of that range
<marcan>
mjg59_: that one's news to me, heh
<mjg59_>
marcan: You don't get a signed bootloader unless your kernel does that
<marcan>
right
<marcan>
mjg59_: ironically, not macs I think?
<marcan>
obviously the T2 stuff does secureboot
<mjg59_>
Heh, yeah, no Macs
<marcan>
but I don't think UEFI on previous intel macs has any equivalent toggle
<mjg59_>
And no way to re-key the T2s
<mjg59_>
Having a DTB flag to enable lockdown would seem reasonable
<marcan>
and my previous machine was purchased in *checks* 2012
<mjg59_>
And then let the bootloader inject that based on firmware config
<marcan>
(and was a barebone anyway)
<marcan>
so in my defense I haven't had to deal with any proper secureboot x86 machines ;)
<marcan>
(except the surface I messed with recently)
<marcan>
mjg59_: firmware config?
<mjg59_>
marcan: Er yeah ok I guess not actually firmware in this scenario
<marcan>
I think I'd just want that flag hardcoded in m1n1/u-boot (possibly patched at install time by a script)
<marcan>
if the user wants to switch modes/keys they can go into 1TR and redo that
<marcan>
no point in expanding that attack surface
<marcan>
as far as all the prior stages are concerned we are already in permissive mode; the only root of trust we have is m1n1 itself which is effectively hashed and locked down and can only be modified from 1TR
<marcan>
so it stands to reason that any security toggling should happen from there too
<mjg59_>
Yeah - are you able to set any metadata in 1TR?
<marcan>
(which is still a pretty good state of affairs all things considered; it does mean we need to figure out SEP credential management since that is how a user authenticates to 1TR)
<marcan>
nvram bootargs should work I think? I think those are global though, not per-OS, though OSes in secure mode ignore them
<marcan>
there is also the whole csrutil/SIP thing
<marcan>
if we really want to abuse those flags for secureboot, we could
<mjg59_>
Oh, right, you just switch the hash out
<marcan>
yeah
<marcan>
I mean, I don't really see a point in trying to use any apple infra for this, when we can just swap out the bootloader
<mjg59_>
Yeah
<marcan>
might as well reduce dependencies on their stuff
<mjg59_>
I never got the automatic secure boot→lockdown patch upstream, but it seems reasonable to tag on with that
<marcan>
I should grab the latest macos beta and see if apple have improved any of the OS adoption stuff
<marcan>
that is a blocker for macos-free installs
<marcan>
(and I need to reverse engineer the user db stuff to make it work...)
<marcan>
mjg59_: wait, didn't kernel lockdown show up in like 2019?
<mjg59_>
marcan: Everyone had been shipping it as external patches for years
<marcan>
heh
StreetW-dc has joined #asahi
<StreetW-dc>
Hello. I have a PC with Windows XP. I like Windows XP. But there are many tasks that need solutions. I am thinking of replacing Windows XP with another OS that is not worse than XP. What can you recommend?
StreetW-dc has quit [Ping timeout: 240 seconds]
raster has joined #asahi
herbas has joined #asahi
herbas has quit [Client Quit]
kettenis1 has quit [Ping timeout: 245 seconds]
kettenis has joined #asahi
linkmauve has joined #asahi
jeffmiw_ has joined #asahi
jeffmiw_ has quit [Ping timeout: 252 seconds]
prusnak has quit [Quit: Connection closed for inactivity]
modrobert has quit [Read error: Connection reset by peer]
m0drobert has joined #asahi
jeffmiw_ has joined #asahi
jeffmiw_ has quit [Ping timeout: 240 seconds]
taziden has quit [Quit: WeeChat 2.3]
taziden has joined #asahi
taziden has quit [Client Quit]
qyousef_ has quit [Ping timeout: 265 seconds]
kettenis has quit [Ping timeout: 260 seconds]
kettenis has joined #asahi
kharit[m] has quit [Quit: Idle for 30+ days]
vimal has quit [Quit: Leaving]
<modwizcode>
I think the default on lockdown mode is fairly permissive iirc?
<modwizcode>
I wonder if a feature like the GX implementation could be generically useful if it was introduced as a core architecture feature
VinDuv has joined #asahi
<svenpeter>
The default gx mode is that page table permissions behave as you’d expect them to
<svenpeter>
And I don’t really see how it would be useful for Linux. Implementing it would probably be along the lines of implementing a new (sub)architecture
<svenpeter>
Xnu uses it to enforce code signing in user land afaict
klaus has quit [Quit: leaving]
klaus has joined #asahi
klaus has quit [Quit: leaving]
klaus has joined #asahi
taziden has joined #asahi
ephe_meral1 has quit [Ping timeout: 268 seconds]
klaus has quit [Quit: leaving]
klaus has joined #asahi
odmir has joined #asahi
odmir has quit [Remote host closed the connection]
odmir has joined #asahi
klaus has quit [*.net *.split]
m0drobert has quit [*.net *.split]
Hexagon has quit [*.net *.split]
bsandro has quit [*.net *.split]
bgianf has quit [*.net *.split]
Shiz has quit [*.net *.split]
tmlind has quit [*.net *.split]
inglor has quit [*.net *.split]
vlixa has quit [*.net *.split]
Ziemas has quit [*.net *.split]
flying_sausages has quit [*.net *.split]
macc24 has quit [*.net *.split]
inglor has joined #asahi
bgianf has joined #asahi
bsandro has joined #asahi
tmlind has joined #asahi
Ziemas has joined #asahi
macc24 has joined #asahi
vlixa has joined #asahi
flying_sausages has joined #asahi
m0drobert has joined #asahi
klaus has joined #asahi
Shiz has joined #asahi
Hexagon has joined #asahi
odmir has quit [Remote host closed the connection]
odmir has joined #asahi
odmir has quit [Remote host closed the connection]
odmir has joined #asahi
raster has quit [Quit: Gettin' stinky!]
raster has joined #asahi
raster has quit [Client Quit]
odmir has quit [Remote host closed the connection]
odmir has joined #asahi
odmir has quit [Ping timeout: 240 seconds]
maknho_ has joined #asahi
maknho has quit [Ping timeout: 268 seconds]
maknho_ has quit [Ping timeout: 252 seconds]
maknho_ has joined #asahi
raster has joined #asahi
maknho__ has joined #asahi
maknho__ has quit [Client Quit]
maknho_ has quit [Ping timeout: 240 seconds]
VinDuv has quit [Quit: Leaving.]
maknho has joined #asahi
klaus has quit [Quit: leaving]
klaus has joined #asahi
kettenis has quit [Ping timeout: 265 seconds]
kettenis has joined #asahi
<davidrysk[m]>
svenpeter: I wonder if the default gx mode is different on iOS. :)
odmir has joined #asahi
raster has quit [Quit: Gettin' stinky!]
linkmauve has quit [Ping timeout: 240 seconds]
odmir has quit [Remote host closed the connection]
odmir has joined #asahi
jeffmiw_ has joined #asahi
jeffmiw_ has quit [Ping timeout: 252 seconds]
linkmauve has joined #asahi
zopieux has quit [Ping timeout: 260 seconds]
zopieux has joined #asahi
rjeffman has quit [Ping timeout: 260 seconds]
zkrx has quit [Ping timeout: 260 seconds]
choozy has joined #asahi
raster has joined #asahi
zkrx has joined #asahi
odmir has quit [Remote host closed the connection]
<sven>
davidrysk[m]: same thing. it's just that xnu (both on iphone and m1) quickly changes that during startup