From 2ca7dbb5b0c7b50d2bc049b9c8fb0ef076e641ab Mon Sep 17 00:00:00 2001 From: Justus Perlwitz Date: Sat, 20 Jul 2024 21:42:56 +0900 Subject: [PATCH 1/2] Document how to test NixOS build with QEMU --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index 57d9584..5e28bb7 100644 --- a/README.md +++ b/README.md @@ -225,6 +225,19 @@ sudo cp -v result/iso/yubikeyLive.iso /dev/sdc ; sync Skip steps to create a temporary working directory and a hardened configuration, as they are already part of the image. +If you want to test your build before copying it into a USB stick, you can try it out on your machine using a tool like QEMU. +Please keep in mind that a virtualized environment does not provide the same amount of security as an ephemeral system (see *Prepare environment* above). +Here is an example QEMU invocation after placing `yubikeyLive` in `result/iso` using the above `nix build` command: + +```console +# Launch with 4G memory, 2 CPUs and KVM enabled +qemu-system-x86_64 \ + -enable-kvm \ + -m 4G \ + -smp 2 \ + -drive readonly=on,media=cdrom,format=raw,file=result/iso/yubikeyLive.iso +``` + **Arch** ```console From 8a286bb34122c450608669a650310dda04633594 Mon Sep 17 00:00:00 2001 From: Justus Perlwitz Date: Sat, 20 Jul 2024 21:43:25 +0900 Subject: [PATCH 2/2] Remove trailing whitespace in README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5e28bb7..28b25dd 100644 --- a/README.md +++ b/README.md 
@@ -2032,7 +2032,7 @@ sudo nft -f ./nftables.conf **Review the System State** -`NetworkManager` should be the only listening service on port 68/udp to obtain a DHCP lease (and 58/icmp6 if you have IPv6). +`NetworkManager` should be the only listening service on port 68/udp to obtain a DHCP lease (and 58/icmp6 if you have IPv6). If you want to look at every process's command line arguments you can use `ps axjf`. This prints a process tree which may have a large number of lines but should be easy to read on a live image or fresh install. @@ -2042,7 +2042,7 @@ ps axjf # List all processes in a process tree ps aux # BSD syntax, list all processes but no process tree ``` -If you find any additional processes listening on the network that aren't needed, take note and disable them with one of the following: +If you find any additional processes listening on the network that aren't needed, take note and disable them with one of the following: ```bash sudo systemctl stop # Stops services managed by systemctl
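Review bot: the QEMU invocation added in the `@@ -225,6 +225,19 @@` hunk of README.md gives no `-nic`/`-netdev` option, so QEMU attaches its default user-mode network interface to the guest, which is at odds with the air-gapped use the guide assumes for the live image; consider adding `-nic none` so the test VM has no network at all, and say so in the sentence that already warns that a virtualized environment is less secure than the ephemeral system. Two smaller points in the same hunk: the fence is tagged `console` but the block opens with a `# Launch with ...` comment, which in a console block reads as a root prompt, so either drop the comment or tag the block `bash` as the `ps axjf` and `systemctl` blocks later in the file are; and "after placing `yubikeyLive` in `result/iso`" is imprecise, since the file is `result/iso/yubikeyLive.iso` and is produced by `nix build` rather than placed by the user (the preceding `sudo cp -v result/iso/yubikeyLive.iso /dev/sdc` line uses the full name), so reword to "once `nix build` has produced `result/iso/yubikeyLive.iso`".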