Simple Secure Boot in Fedora

April 13th, 2024, 8 min read

Fedora doesn't use a proper secure boot setup: It doesn't use unified kernel images and still leaves unsigned initrd files around. Generally, it still seems to consider secure boot support just as means to boot and install on secure-boot locked machines with Microsoft's keys, instead of a proper security tool a user should make use of to really own their own machines.

In this article we'll explore how we can setup secure boot with custom keys. The result works pretty well, and uses no fancy trickery or weird hacks, but is probably still firmly outside of what Fedora supports and will perhaps break with future Fedora releases.

Note: I use Fedora 40 in this article; it may or may not apply to other Fedora 40 versions, both earlier and later. As far as I understand Fedora is actively working on systemd-boot support, UKIs, and secure boot; the whole area is pretty much a moving target and may change a lot in between Fedora releases.

Read more…

Build Arch Linux packages on OBS

February 22nd, 2024, 4 min read

Suse generously sponsors a public build service for packages at Let's try to use it to build Arch packages into a personal repository.

Read more…

Repackaging images with mkosi

January 29th, 2024, 4 min read

In a fediverse discussion following my last post about mkosi I got nerd-sniped to try and repackage System Rescue into an USI with mkosi.

In this post we'll explore how to do this.

Read more…

Arch Linux rescue image with mkosi

January 28th, 2024, 9 min read

In this post we'll build a small single-file Arch Linux rescue image for EFI systems.

We will end up with a single EFI executable of about 400 MiB (further optimization can get it down to about 200MiB) which embeds a fully-fledged Arch Linux system. We can then put this image on the EFI partition and sign it for secure boot, which gives us a rescue single-file rescue system to boot into in case the main Arch installation does not boot anymore. From that rescue system we can then chroot into the main installation to repair it.

The image will include metadata which enables systemd-boot to automatically discover the image and add it to its menu when we place in /efi/EFI/Linux (the bootloader specification calls these "type 2 entries", see Type #2 EFI Unified Kernel Images).

You can find my personal version of the image built in this post at

Read more…

Teardown in GNOME Shell extensions

December 7th, 2023, 3 min read

GNOME Shell extensions can get disabled any time for various reasons, so it's essential to properly clean up the entire extension state when an extension gets disabled. GNOME Shell doesn't provide a lot of infrastructure for this purpose, tho, so let's roll our own pattern for properly destroying a GNOME Shell extension in Typescript.

Read more…

Typescript setup for GNOME Shell extensions

November 2nd, 2023, 5 min read

The ecosystem for GNOME Shell has come a long way in the last few years. We now have a comprehensive guide for extension developers and good API docs for the underlying native libraries. The API documentation in GNOME Shell itself is still lacking, but meanwhile its Javascript source code is a surprisingly good and readable reference.

With GNOME 45 the shell took another big step: It finally uses ES modules now instead of the legacy import syntax of GJS. While this causes major breakage for all extensions, requiring every single extension to be ported to the ES modules, it finally enables mostly seamless integration with standard Javascript tooling which is increasingly build around ES modules these days.

Together with another recent tool this means we finally have Typescript for shell extensions!

Read more…

logcontrol – an underappreciated systemd feature

October 25th, 2023, 1 min read

Systemd has this feature which lets you change the log level of a service on the fly. You can actually do this:

$ sudo systemctl service-log-level systemd-resolved.service debug
$ resolvectl query
$ sudo systemctl service-log-level systemd-resolved.service info

to get a debug log of systemd-resolved trying to resolve a specific domain.

This is backed by dbus: If a service listens on dbus and has its bus name defined in its unit file then it can expose the log control interface on its bus connection to let systemctl change its log level and log target.

All of systemd's own services support this interface, but unfortunately it hasn't seen wide-spread adoption outside systemd yet.
Which is kinda sad, because it's really a great feature for debugging.

I certainly plan to use it more, so I put up on

Read more…

Install Arch with Secure boot, TPM2-based LUKS encryption, and systemd-homed

January 6th, 2022, 10 min read

Update: I no longer use dracut, and the corresponding part of this blog post no longer reflects my setup.

This article describes my Arch Linux setup which combines Secure Boot with custom keys, TPM2-based full disk encryption and systemd-homed into a fully encrypted and authenticated, yet convenient Linux system.

This setup draws inspiration from Authenticated Boot and Disk Encryption on Linux and Unlocking LUKS2 volumes with TPM2, FIDO2, PKCS#11 Security Hardware on systemd 248 by Lennart Poettering, and combines my previous posts Unlock LUKS rootfs with TPM2 key, Secure boot on Arch Linux with sbctl and dracut, and Arch Linux with LUKS and (almost) no configuration.

Read more…

Unlock LUKS rootfs with TPM2 key

December 27th, 2021, 3 min read

Historically cryptsetup and LUKS only supported good old passwords; however recent systemd versions extend cryptsetup with additional key types such as FIDO tokens and TPM devices.

I like the idea of encrypting the rootfs with a TPM2 key; it allows booting without ugly LUKS password prompts but still it keeps data encrypted at rest, and when combined with secure boot also still protects the running system against unauthorized access.

Secure boot will prevent others from placing custom kernels on the unencrypted EFI system partition and booting these, or changing the kernel cmdline, in order to obtain root access to the unlocked rootfs. LUKS encryption with a TPM-based key bound to secure boot state protects the data if someone removes the hard disk and attempts to access it offline, or tries to disable secure boot in order to boot a custom kernel.

I’ve covered secure boot setup in a past article; this article talks about the TPM2-based encryption.

Read more…

Compose emojis

November 6th, 2021, 1 min read

I just learned a nice trick: On Linux I can actually define custom sequences for the Compose key.

I just need to create a ~/.XCompose file and can start to define new sequences for e.g. emojis:

include "%S/en_US.UTF-8/Compose"

<Multi_key> <period> <p> <r> <a> <y> : "🙏"
<Multi_key> <period> <less> <3> <parenright> : "😍"
<Multi_key> <period> <less> <3> <period> : "❤️"
<Multi_key> <period> <less> <3> <asterisk> : "😘"

man 5 Compose documents the format, though Gtk doesn’t seem to support all of it: It doesn’t handle includes apparently, and always seems to include its own hard-coded list of compose sequences.

I found a nice Gist with some sequences, and I started to write my own.

Read more…

The mysterious disapperance of Docker images

August 9th, 2021, 3 min read

A node hosts a Gitlab runner and a small k3s cluster which runs a few services as regular kubernetes deployments. A CI job pinned to that runner builds Docker images for these services services, updates the image of the corresponding deployments, and starts a few system and acceptance tests. The CI job does not push those images to the in-house registry; to avoid polluting the registry with hundreds of images it just builds locally.

Each test then scales each deployment to zero replicas to effectively stop all services, clears the system’s underlying database, and scales the service deployments back to a small number of replicas sufficient for testing.

The whole thing runs fine until one day the replicas randomly fail to start.

Read more…

HTTP Proxy in Electron flatpaks

July 27th, 2021, 1 min read

Some electron-based flatpaks (e.g. Mattermost, see for some reason ignore Gnome’s HTTP proxy settings. In this case we can set the proxy directly inside the affected flatpak.

Read more…

Secure boot on Arch Linux with sbctl and dracut

April 1st, 2021, 6 min read

I started playing around with secure boot, with the ultimately goal of setting it up on my laptop. I experimented in a libvirt/qemu VM and to my surprise a custom secure boot setup is rather easy (the Secure Boot page on the Arch Wiki suggests quite the contrary), thanks to dracut and a fairly recent tool named sbctl which just recently had it’s first release.

Read more…

Arch Linux with LUKS and (almost) no configuration

March 27th, 2021, 5 min read

Installing Arch on a LUKS-encrypted dsik traditionally required a few careful configuration steps to configure the proper root device for booting; if any of these steps was omitted or done wrongly the system would fail to boot. With systemd and dracut however a LUKS-encrypted Arch system can boot safely and reliably without any configuration:

  • Dracut builds a unified EFI kernel image including microcode and a generic initrd with systemd and cryptsetup.
  • systemd-boot automatically discovers unified kernel images installed by dracut and automatically adds them to the boot menu without explicit boot loader configuration.
  • At boot systemd automatically discovers and mounts the root file system following its DISCOVERABLE PARTITIONS specification.

The following commands demonstrate a fresh Arch installation from the Arch installation media into a libvirt VM. Installing to a pristine physical machine or a different virtual machine provider should require only minimal changes; adapting an existing system may be more difficult and require more work.

Read more…

Maven Central Releases with SBT

July 3rd, 2017, 11 min read

Coming from Haskell and Python I found releasing a Scala library a cumbersome process. The standard [Maven Central][] archive lacks a convenient web interface like that of Python’s package index or Haskell’s Hackage, and comprehensive documentation about publishing. Getting an artifact to Maven Central for the first time involves a surprising number of manual steps and a rather elaborate SBT configuration.

In this article I hope to connect all the loose ends and offer a comprehensive stepby-step guide from nothing to a Maven Central release. I will start with some prerequisites which lie outside the scope of this article, guide you through the necessary bureaucracy and cover the setup. At the end I’ll introduce sbt-release, a powerful plugin to automate the entire release.

Read more…

Calling Python from Haskell

April 15th, 2014, 7 min read

In a past version of this blog I used Pandoc to convert Markdown to HTML. It's by far the best and most powerful markdown converter, but it has one, albeit little weakness: Its syntax highlighting is based highlighting-kate, which is less good and supports less languages than the Python library Pygments, the de-facto standard highlighter used by Github and others.

It's easy to implement custom highlighting thanks to the great API of Pandoc, with just two functions in Text.Highlighting.Pygments.Pandoc:

Read more…