systemd: TPM and debug shell #24499
systemd: TPM and debug shell #24499
Conversation
|
@peterhoeg, thanks for your PR! By analyzing the history of the files in this pull request, we identified @joachifm, @edolstra and @vcunat to be potential reviewers. |
|
ping @abbradar |
| @@ -40,6 +40,7 @@ stdenv.mkDerivation rec { | |||
| "--with-kbd-loadkeys=${kbd}/bin/loadkeys" | |||
| "--with-kbd-setfont=${kbd}/bin/setfont" | |||
| "--with-rootprefix=$(out)" | |||
| "--with-debug-shell=${bashInteractive}" | |||
There was a problem hiding this comment.
Shouldn't this be ${bashInteractive}/bin/bash?
|
Indeed @abbradar , thanks and fixed. |
|
systemd is a mass-rebuild due utillinux, right? |
|
I'm not sure if it is due to utillinux, but it's definitely mass-rebuild. Assuming everybody is OK with this change, maybe we should introduce a "mass-rebuild-ready-to-merge" label for stuff that's not urgent. |
Since this PR is for the staging branch, it's not a problem if it causes lots of rebuilds btw. |
|
I don't have an opinion on TPM however -- it's indeed an untested feature. Maybe we can save ourselves one mass rebuild in the future when one puts some work to it, but maybe it breaks something... |
|
Any progress? |
|
None from here, no. |
|
Are there any updates on this pull request, please? |
peterhoeg
requested review from
alyssais,
basvandijk,
edolstra,
Ericson2314,
FRidh,
infinisil,
joachifm,
LnL7,
matthewbauer,
Mic92,
nbp,
thoughtpolice and
ttuegel
as code owners
Instead of referencing the impure /bin/sh, use a proper bash from the store.
|
If would be great if somebody with TPM hardware could test this out. |
ofborg
bot
added
10.rebuild-darwin: 101-500
10.rebuild-linux: 501+
10.rebuild-linux: 5001+
and removed
2.status: merge conflict
labels
|
@peterhoeg I would drop the TPM support for now until somebody tested it. |
|
I'd argue that adding TPM doesn't break anything as we are not changing existing behaviour or removing functionality, so why not just get it in there and see if it works for whoever has the hardware? |
|
If we don't know it works, there's not much value in adding a untested and potentially broken feature. |
|
@peterhoeg it is not so useful without further integration and if nobody cares enough to add this support then why should we bloat systemd more than necessary. |
|
Let's cherry-pick debug shell patch and leave TPM patch for now. I'd like to play with it (my laptop has a TPM) later. |
|
@abbradar was the debug shell patch moved into a separate PR already? |
|
@flokli Nope, sorry, forgot about it. I built a VM with it and it appears to work so I'll cherry-pick it to EDIT: Done. |
|
Thanks. As the TPM patch is really trivial ( |
Motivation for this change
Specify the debug shell instead of depending on the impure /bin/sh
Enable TPM support - systemd-boot provides a measured boot facility by
hashing boot loader, kernel and kernel commandline in the TPM's PCR
As I don't have hardware with TPM support, I cannot verify the TPM part.
@dezgeg and @aszlig , any comments?
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)