3hhh

Results 164 comments of 3hhh

Most maintainers in your situation tend to go with something like `flatpak` / `flathub` to support all Linux distros at once. The startup performance is worse than with native packages...

> This is not linked to detached signed digests validation against your public key fused in ROM. Pretty sure it is somewhere as otherwise replay attacks would just work. Btw...

Without any understanding of how the replay attack protection works, I doubt we'll be able to find out whether a more precise error message could be implemented or not. Btw...

Ok, I _think_ I now understand how the replay attack protection in `heads` is supposed to work (it's called "rollback counter" though, which made me ignore that part of the...

Are you sure the failure comes from `increment_tpm_counter`? In [current master](https://github.com/osresearch/heads/blob/d24def4b594e92c432d3ec84f995bfabb137d6c0/initrd/etc/functions#L283) `increment_tpm_counter` prints "Counter increment failed". As I [had said](https://github.com/osresearch/heads/issues/1255#issuecomment-1364668812) I rather think it's [verify_rollback_counter](https://github.com/osresearch/heads/blob/139ecb82b254da0b3808421e00fb6a8b11edbdb9/initrd/bin/kexec-select-boot#L80) and voted for changing its...

> So my question here is what die "Invalid TPM counter state" should become.
>
> die "Invalid TPM counter state. Replay attack?!"

Enough? I now consider my initial proposal...

From my experience with coreboot and two T530: I physically cut out the part of the board case that was blocking access to the ROM chips. This is a bit...

[qubes-qrexec-proxy](https://github.com/3hhh/qubes-qrexec-proxy) has a pretty similar architecture and it should be fairly straightforward to implement a [source](https://github.com/3hhh/qubes-qrexec-proxy/blob/master/plugins/__init__.py#L250) & [destination](https://github.com/3hhh/qubes-qrexec-proxy/blob/master/plugins/__init__.py#L276) plugin for ssh with it (destination = ssh server, source = ssh...

Btw there's also that issue of ~20 mountable devices per VM (`/dev/xvdc` --> `/dev/xvdz`). I'm usually at 19 or so. ^^

> This allows to run arbitrary commands early in initialization, which is useful for things like replacing Qubes GUI packages in a specific VM. Just use systemd for that?