#avb — Public Fediverse posts

Jeder von uns braucht mal einen Rat, Herr #Dobrindt!

Die unabhängige Beratung ist für viele Überlebende schwerer Gewalt im Asylverfahren unverzichtbar, um ihr Recht auf Schutz bei den Behörden geltend zu machen. So ging es auch unserer Klientin.

Jetzt sollen Menschen wie sie ohne unabhängige Beratung dastehen. Das sagt das @bmi.

Noch können wir diese Entscheidung verhindern! Der Haushalt für 2027 wird im November im Bundestag beschlossen.

Lasst uns laut werden!

#Asyl #Flucht #Asylverfahrensberatung #Bochum #AVB

Jeder von uns braucht mal einen Rat, Herr #Dobrindt!

Die unabhängige Beratung ist für viele Überlebende schwerer Gewalt im Asylverfahren unverzichtbar, um ihr Recht auf Schutz bei den Behörden geltend zu machen. So ging es auch unserer Klientin.

Jetzt sollen Menschen wie sie ohne unabhängige Beratung dastehen. Das sagt das @bmi.

Noch können wir diese Entscheidung verhindern! Der Haushalt für 2027 wird im November im Bundestag beschlossen.

Lasst uns laut werden!

#Asyl #Flucht #Asylverfahrensberatung #Bochum #AVB

Jeder von uns braucht mal einen Rat, Herr #Dobrindt!

Die unabhängige Beratung ist für viele Überlebende schwerer Gewalt im Asylverfahren unverzichtbar, um ihr Recht auf Schutz bei den Behörden geltend zu machen. So ging es auch unserer Klientin.

Jetzt sollen Menschen wie sie ohne unabhängige Beratung dastehen. Das sagt das @bmi.

Noch können wir diese Entscheidung verhindern! Der Haushalt für 2027 wird im November im Bundestag beschlossen.

Lasst uns laut werden!

#Asyl #Flucht #Asylverfahrensberatung #Bochum #AVB

Jeder von uns braucht mal einen Rat, Herr #Dobrindt!

Die unabhängige Beratung ist für viele Überlebende schwerer Gewalt im Asylverfahren unverzichtbar, um ihr Recht auf Schutz bei den Behörden geltend zu machen. So ging es auch unserer Klientin.

Jetzt sollen Menschen wie sie ohne unabhängige Beratung dastehen. Das sagt das @bmi.

Noch können wir diese Entscheidung verhindern! Der Haushalt für 2027 wird im November im Bundestag beschlossen.

Lasst uns laut werden!

#Asyl #Flucht #Asylverfahrensberatung #Bochum #AVB

Jeder von uns braucht mal einen Rat, Herr #Dobrindt!

Die unabhängige Beratung ist für viele Überlebende schwerer Gewalt im Asylverfahren unverzichtbar, um ihr Recht auf Schutz bei den Behörden geltend zu machen. So ging es auch unserer Klientin.

Jetzt sollen Menschen wie sie ohne unabhängige Beratung dastehen. Das sagt das @bmi.

Noch können wir diese Entscheidung verhindern! Der Haushalt für 2027 wird im November im Bundestag beschlossen.

Lasst uns laut werden!

#Asyl #Flucht #Asylverfahrensberatung #Bochum #AVB
Weniger anzeigen

Erinnert sich noch jemand an die Argumente für die sogenannte #Migrationswende? Kommunen und Länder sollten entlastet werden.

Stellt sich heraus, #Dobrindt macht nicht nur Politik gegen #Geflüchtete, sondern auch gegen die Wirtschaft, gegen Kommunen und Länder. Letztere beschweren sich jetzt zurecht:

https://taz.de/Nach-Dobrindts-Kuerzungen/!6173418/

#Asyl #Migration #AVB #Asylverfahrensberatung #Integrationskurse

Erinnert sich noch jemand an die Argumente für die sogenannte #Migrationswende? Kommunen und Länder sollten entlastet werden.

Stellt sich heraus, #Dobrindt macht nicht nur Politik gegen #Geflüchtete, sondern auch gegen die Wirtschaft, gegen Kommunen und Länder. Letztere beschweren sich jetzt zurecht:

https://taz.de/Nach-Dobrindts-Kuerzungen/!6173418/

#Asyl #Migration #AVB #Asylverfahrensberatung #Integrationskurse

Aufruf/Erinnerung zur #Kundgebung:

Für den Erhalt der behördenunabängigen #Asylverfahrensberatung (AVB)!
Montag 13.4. ab 9 Uhr vor dem Bundesinnenministerium

Die #AVB ist eine Voraussetzung für annähernd faire und korrekte Verfahren, schützt Betroffene vor folgenschweren fehlerhaften Asylentscheidungen und spart dem Staat sogar Geld, indem sie langen Klageverfahren vorbeugt.

Das Bundesinnenministerium hat nun angekündigt, die Mittel für die Asylverfahrensberatung in 2027 zu streichen.

🚨 As operating systems add ID-linked logins & “safety compliance,” the digital privacy debate grows louder. Who really controls your device—the user or the state?
🔒 Data sovereignty and open systems matter now more than ever. #DigitalPrivacy #OpenSource #UserFreedom #AgeVerificationBypass #AVB #Linux

https://github.com/HaplessIdiot/ageverificationbypass

Beautiful weather for takeoff from Aviano Air Base airport (Italy) “LIPA 130655Z 27004KT CAVOK 28/21 Q1016 RMK SKC VIS MIN 9999 WIND THR05 /////KT WIND THR23 /////KT A3003 BLU” : See what it means on https://www.bigorre.org/aero/meteo/lipa/en #aviano #italy #avianoairbaseairport #lipa #avb #metar #aviation #aviationweather #avgeek #airport vl

Beautiful weather for takeoff from Aviano Air Base airport (Italy) “LIPA 130655Z 27004KT CAVOK 28/21 Q1016 RMK SKC VIS MIN 9999 WIND THR05 /////KT WIND THR23 /////KT A3003 BLU” : See what it means on https://www.bigorre.org/aero/meteo/lipa/en #aviano #italy #avianoairbaseairport #lipa #avb #metar #aviation #aviationweather #avgeek #airport vl

Aviation weather for Aviano Air Base airport (Italy) is “LIPA 020655Z 25002KT CAVOK 19/16 Q1020 RMK SKC VIS MIN 9999 WIND THR05 /////KT WIND THR23 /////KT A3012 BLU” : See what it means on https://www.bigorre.org/aero/meteo/lipa/en #aviano #italy #avianoairbaseairport #lipa #avb #metar #aviation #aviationweather #avgeek vl

Die #Grünen in #Bielefeld kritisieren die schwarz-grüne Landesregierung für die geplanten Sozialkürzungen.
Gerne mehr davon!

"Der Haushaltsentwurf sei insbesondere im Bereich der Asylberatungen eine Enttäuschung, man befürchte dramatische Folgen für das Ankommen und die Integration von Geflüchteten. (...) Besonders in Frage zu stellen sei die Streichung der Beratung für unbegleitete minderjährige Flüchtlinge. (...) Die grüne Ratsfraktion fordert deshalb die schwarz-grüne Landesregierung auf, umgehend Lösungen für die Weiterfinanzierung der unabhängigen Asylverfahrensberatungen ab Januar zu finden."

https://buff.ly/3CyXkW3
#AVB #Asylverfahrensberatung #CDU #NRW

This article will discuss securing your phone after you’ve rooted it and installed your preferred os (it will not discuss how to root your phone or change the OS). Re-securing your phone requires the installation of a custom AVB key, which not all phones support, so I’ll only be discussing Google Pixel phones (which support this) and the LineageOS distribution (which is the one I use). The reason for wanting to do this is that by default LineageOS runs with the debug keys (i.e. known to everyone) with an unlocked bootloader, meaning OS updates and even binary changes to the system partition are easy to do. Since most android phones are fully locked, this isn’t a standard attack vector for malicious apps, but if someone is targetting you directly it may become one.

This article will cover how android verified boot (AVB) works, how to install your own custom AVB key and get a stock LineageOS distribution to use it and how to turn DM verity back on to make /system immutable.

A Brief Tour of Android Verified Boot (AVB)

We’ll actually be covering the 2.0 version of AVB, but that’s what most phones use today. The proprietary bootloader of a Pixel (the fastboot capable one you get to with adb reboot bootloader) uses a vbmeta partition to find the boot/recovery system and from there either enter recovery or boot the standard OS. vbmeta contains hashes for both this boot partition and the system partition. If your phone is unlocked the bootloader will simply boot the partitions vbmeta points to without any verification. If it is locked, the vbmeta partition must be signed by a key the phone knows. Pixel phones have two keyslots: a built in one which houses either the Google key or an OEM one and the custom slot, which is blank. In the unlocked mode, you can flash your own key into the custom slot using the fastboot flash avb_custom_key command.

The vbmeta partition also contains a boot flags region which tells the bootloader how to boot the OS. The two flags the OS knows about are in external/avb/libavb/avb_vbmeta_image.h:

/* Flags for the vbmeta image. * * AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED: If this flag is set, * hashtree image verification will be disabled. * * AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED: If this flag is set, * verification will be disabled and descriptors will not be parsed. */typedef enum {  AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED = (1 << 0),  AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED = (1 << 1)} AvbVBMetaImageFlags;

if the first flag is set then dm-verity is disabled and if the second one is set, the bootloader doesn’t pass the hash of the vbmeta partition on the kernel command line. In a standard LineageOS build, both these flags are set.

The reason for passing the vbmeta hash on the command line is so the android init process can load the vbmeta partition, hash it and verify against what the bootloader passed in, thus confirming there hasn’t been a time of check to time of use (TOCTOU) security breach. The init process cannot verify the signature for itself because the vbmeta signing public key isn’t built into the OS (which allows the OS to be signed after the images are build).

The description of the AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED flag is slightly wrong. A standard android build always seems to calculate the dm-verity hash tree and insert it into the vbmeta partition (where it is verified by the vbmeta signature) it’s just that if this flag is set, the android init process won’t load the dm-verity hash tree and the system partition will thus be mutable.

Creating and Using your own custom Boot Key

Obviously android doesn’t use any standard tool form for its keys, so you have to create your own RSA 2048 (the literature implies it will work with 4096 as well but I haven’t tried it) AVB custom key using say openssl, then use avbtool (found in external/avb as a python script) to convert your RSA public key to a form that can be flashed in the phone:

avbtool extract_public_key --key pubkey.pem --output pkmd.bin

This can then be flashed to the unlocked phone (in the bootloader fastboot) with

fastboot flash avb_custom_key pkmd.bin

And you’re all set up to boot a custom signed OS.

Signing your LineageOS

There is a wrinkle to this: to re-sign the OS, you need the target-files.zip intermediate build, not the ROM install file. Unfortunately, this is pretty big (38GB for lineage-19.1) and doesn’t seem to be available for download any more. If you can find it, you can re-sign the stock LineageOS, but if not you have to build it yourself. Instructions for both building and re-signing can be found here. You need to follow this but in addition you must add two extra flags to the sign_target_files_apks command:

--avb_vbmeta_key=/path/to/private/avb.key--avb_vbmeta_algorithm=SHA256_RSA2048

Which will ensure the vbmeta partition is signed with the key you created above.

Optionally Enabling dm-verity

If you want to enable dm-verity, you have to change the vbmeta flags to 0 (enable both hashtree and vbmeta verification) before you execute the signing command above. These flags are stored in the META/misc_info.txt file which you can extract from target-files.zip with

unzip target-files.zip META/misc_info.txt

And once done you can vi this file to find the line

avb_vbmeta_args=--flags 3 --padding_size 4096 --rollback_index 1804212800

If you update the 3 to 0 this will unset the two disable flags and allow you to do a dm-verity verified boot. Then use zip to replace this updated file

zip -u target-files.zip META/misc_info.txt

And then proceed with signing the updated target-files.zip

Wrinkle for Android-12 (lineage-19.1) and above

For all these versions, this patch ensures that if the vbmeta was signed then the vbmeta hash must be verified, otherwise the system will crash in early init, so you have no choice and must alter the avb_vbmeta_args above to either --flags 1 or --flags 0 so the vbmeta hash is passed in to init. Since you have to alter the flags anyway, you might as well enable dm-verity (set to 0) at the same time.

Re-Lock the Bootloader

Once you have installed both your custom keys and your custom signed boot image, you are ready to re-lock the bootloader. Beware that some phones will erase your data partition when you do this (the Google advice says they shouldn’t, but not all manufacturers bother to follow it), so make sure you have a backup (or are playing with a newly rooted phone).

fastboot flashing lock

Check with a reboot (the phone should now display a yellow warning triangle saying it is booting a custom OS rather than the orange unsigned OS one). If everything goes according to plan you can enter the developer settings and click the “OEM Unlocking” settings to disabled and your phone can no longer be unlocked without your say so.

Conclusions and Caveats

Following the above instructions, you can updated your phone so it will verify images you signed with your AVB key, turn on dm-verity if you wish and generally make your phone much more secure. However, remember that you haven’t erased the original AVB key, so the phone can still be updated to an image signed with that key and, worse, the recovery partition of LineageOS is modified to allow rollback, so it will allow the flashing of any signed image without triggering an erase of the data partition. There are also a few more problems like, thanks to a bug in AOSP, the recovery version of fastboot will actually allow commands that are usually forbidden if the phone is locked.

https://blog.hansenpartnership.com/securing-a-rooted-android-phone/

#android #androidVerifiedBoot #AVB #lineageos

currently throwing shapes while patching some servers to this fantastic AVB set at AMF 2023

https://www.youtube.com/watch?v=TzYJJTUJzBk

#trance
#avb
#amf

Back in my blog post about Securing the Google SIP Stack, I did say I’d look at re-enabling SIP in Android-12, so with a view to doing that I tried building and booting LineageOS 19.1, but it crashed really early in the boot sequence (after the boot splash but before the boot animation started). It turns out that information on debugging the android early boot sequence is a bit scarce, so I thought I should write a post about how I did it just in case it helps someone else who’s struggling with a similar early boot problem.

How I usually Build and Boot Android

My builds are standard LineageOS with my patches to fix SIP and not much else. However, I do replace the debug keys with my signing keys and I also have an AVB key installed in the phone’s third party keyslot with which I sign the vbmeta for boot. This actually means that my phone is effectively locked but with a user supplied key (Yellow as google puts it).

My phone is now a pixel 3 (I had to say goodbye to the old Nexus One thanks to the US 3G turn off) and I do have a slightly broken Pixel 3 I play with for experimental patches, which is where I was trying to install Android-12.

Signing Seems to be the Problem

Just to verify my phone could actually boot a stock LineageOS (it could) I had to unlock it and this lead to the discovery that once unlocked, it would also boot my custom rom as well, so whatever was failing in early boot seemed to be connected with the device being locked.

I also discovered an interesting bug in the recovery rom fastboot: If you’re booting locked with your own keys, it will still let you perform all the usually forbidden fastboot commands (the one I was using was set_active). It turns out to be because of a bug in AOSP which treats yellow devices as unlocked in fastboot. Somewhat handy for debugging, but not so hot for security …

And so to Debugging Early Boot

The big problem with Android is there’s no way to get the console messages for early boot. Even if you enable adb early, it doesn’t get started until quite far in to the boot animation (which was way after the crash I was tripping over). However, android does have a pstore (previously ramoops) driver that can give you access to the previously crashed boot’s kernel messages (early init, fortunately, mostly logs to the kernel message log).

Forcing init to crash on failure

Ordinarily an init failure prints a message and reboots (to the bootloader), which doesn’t excite pstore into saving the kernel message log. fortunately there is a boot option (androidboot.init_fatal_panic) which can be set in the boot options (or kernel command line for a pixel-3 which can only boot the 4.9 kernel). If you build your own android, it’s fairly easy to add things to the android commandline (which is in boot.img) because all you need to do is extract BOOT/cmdline from the intermediate zip file you sign add any boot options you need and place it back in the zip file (before you sign it).

Unfortunately, this expedient didn’t work (no console logs appear in pstore). I did check that init was correctly panic’ing on failure by inducing an init failure in recovery mode and observing the panic (recovery mode allows you to run adb). But this induced panic also didn’t show up in pstore, meaning there’s actually some problem with pstore and early panics.

Security is the problem (as usual)

The actual problem turned out to be security (as usual): The pixel-3 does encrypted boot panic logs. The way this seems to work (at least in my reading of the google additional pstore patches) is that the bootloader itself encrypts the pstore ram area with a key on the /data partition, which means it only becomes visible after the device is unlocked. Unfortunately, if you trigger a panic before the device is unlocked (by echoing ‘c’ to /proc/sysrq-trigger) the panic message is lost, so pstore itself is useless for debugging early boot. There seems to be some communication of the keys by the vendor proprietary ramoops binary making it very difficult to figure out how it’s being done.

Why the early panic message is lost is a bit mysterious, but unfortunately pstore on the pixel-3 has several proprietary components around the encrypted message handling that make it hard to debug. I suspect if you don’t set up the pstore encryption keys, the bootloader erases the pstore ram area instead of encrypting it, but I can’t prove that.

Although it might be possible to fix the pstore drivers to preserve the ramoops from before device unlock, the participation of the proprietary bootloader in preserving the memory doesn’t make that look like a promising avenue to explore.

Anatomy of the Pixel-3 Boot Sequence

The Pixel-3 device boots through recovery. What this means is that the initial ramdisk (from boot.img) init is what boots both the recovery and normal boot paths. The only difference is that for recovery (and fastboot), the device stays in the ramdisk and for normal boot it mounts the /system partition and pivots to it. What makes this happen or not is the boot flag androidboot.force_normal_boot=1 which is added by the bootloader. Pretty much all the binary content and init rc files in the ramdisk are for recovery and its allied menus.

Since the boot paths are pretty radically different, because the normal boot first pivots to a first stage before going on to a second, but in the manner of containers, it might be possible to boot recovery first, start a dmesg logger and then re-exec init through the normal path

Forcing Re-Exec

The idea is to signal init to re-exec itself for the normal path. Of course, there have to be a few changes to do this: An item has to be added to the recovery menu to signal init and init itself has to be modified to do the re-exec on the signal (note you can’t just kick off an init with a new command line because init must be pid 1 for booting). Once this is done, there are problems with selinux (it won’t actually allow init to re-exec) and some mount moves. The selinux problem is fixable by switching it from enforcing to permissive (boot option androidboot.selinux=permissive) and the mount moves (which are forbidden if you’re running binaries from the mount points being moved) can instead become bind mounts. The whole patch becomes 31 insertions across 7 files in android_system_core.

The signal I chose was SIGUSR1, which isn’t usually used by anything in the bootloader and the addition of a menu item to recovery to send this signal to init was also another trivial patch. So finally we have a system from which I can start adb to trace the kernel log (adb shell dmesg -w) and then signal to init to re-exec. Surprisingly this worked and produced as the last message fragment:

[ 190.966881] init: [libfs_mgr]Created logical partition system_a on device /dev/block/dm-0[ 190.967697] init: [libfs_mgr]Created logical partition vendor_a on device /dev/block/dm-1[ 190.968367] init: [libfs_mgr]Created logical partition product_a on device /dev/block/dm-2[ 190.969024] init: [libfs_mgr]Created logical partition system_ext_a on device /dev/block/dm-3[ 190.969067] init: DSU not detected, proceeding with normal boot[ 190.982957] init: [libfs_avb]Invalid hash size:[ 190.982967] init: [libfs_avb]Failed to verify vbmeta digest[ 190.982972] init: [libfs_avb]vbmeta digest error isn't allowed[ 190.982980] init: Failed to open AvbHandle: No such file or directory[ 190.982987] init: Failed to setup verity for '/system': No such file or directory[ 190.982993] init: Failed to mount /system: No such file or directory[ 190.983030] init: Failed to mount required partitions early …[ 190.983483] init: InitFatalReboot: signal 6[ 190.984849] init: #00 pc 0000000000123b38 /system/bin/init[ 190.984857] init: #01 pc 00000000000bc9a8 /system/bin/init[ 190.984864] init: #02 pc 000000000001595c /system/lib64/libbase.so[ 190.984869] init: #03 pc 0000000000014f8c /system/lib64/libbase.so[ 190.984874] init: #04 pc 00000000000e6984 /system/bin/init[ 190.984878] init: #05 pc 00000000000aa144 /system/bin/init[ 190.984883] init: #06 pc 00000000000487dc /system/lib64/libc.so[ 190.984889] init: Reboot ending, jumping to kernel

Which indicates exactly where the problem is.

Fixing the problem

Once the messages are identified, the problem turns out to be in system/core ec10d3cf6 “libfs_avb: verifying vbmeta digest early”, which is inherited from AOSP and which even says in in it’s commit message “the device will not boot if: 1. The image is signed with FLAGS_VERIFICATION_DISABLED is set 2. The device state is locked” which is basically my boot state, so thanks for that one google. Reverting this commit can be done cleanly and now the signed image boots without a problem.

I note that I could also simply add hashtree verification to my boot, but LineageOS is based on the eng target, which has FLAGS_VERIFICATION_DISABLED built into the main build Makefile. It might be possible to change it, but not easily I’m guessing … although I might try fixing it this way at some point, since it would make my phones much more secure.

Conclusion

Debugging android early boot is still a terribly hard problem. Probably someone with more patience for disassembling proprietary binaries could take apart pixel-3 vendor ramoops and figure out if it’s possible to get a pstore oops log out of early boot (which would be the easiest way to debug problems). But failing that the simple hack to re-exec init worked enough to show me where the problem was (of course, if init had continued longer it would likely have run into other issues caused by the way I hacked it).

https://blog.hansenpartnership.com/debugging-android-early-boot-failures/

#00 #01 #02 #03 #04 #05 #06 #android #androidBoot #androidDebugging #androidVerifiedBoot #AVB #lineageos

Jakby co to ostrzegam 🎧🎵🎶🧑‍🎤

#yearmix #trance #asot #avb #arminvanbuuren #music

A State Of Trance Year Mix 2023 [Mixed By Armin Van Buuren] [Continuous Mix] [Armada Music B.V.]

https://youtube.com/watch?v=GisG1I9-8k8&si=WTZnHcrehMNfwosW

@emill1984

Wenn man herausgefunden hat, an welche Stellen man wieviel Hühnerblut sprengen muss, ist der Rest erstaunlich einfach...

#pipewire #avb #tsn #linux

One of my devices updated its firmware and created a few extra clock channels, which nothing seems to recognise, which in turn has created a rather lovely ATDECC pattern in the matrix.

mmmm matrix

#AVB #ATDECCART #IOMATRIX #TARTAN

On 4:20pm I enjoyed one of my #MagicBrownies. I figure it'll take about two hours to reach full effect, so that will make my evenings gym routine super fun! #cannabis #edibles #AVB

I love all of this, and all of you. Stoners.Social is quickly becoming my happy place on Mastodon. Thank you all. :)

And there went the last of my #WaterCured #AVB #weed. Making cannabutter, then cooling it and adding it immediately to #Ghirardelli #Chocolate #Brownies. Then baking it all up, cooling it, and making the best dessert known to man. I just need the right kind of ice cream next.

And really giddy-up with the #pax3, making more AVB. In the end, all of this has rendered me into a very complicated decarbing machine. LOL.

Somehow I will cope. ;)

I have enjoyed all my magic brownies. Several key lessons that I have discovered, that #AVB still packs a punch even after it’s been vaped hard. Cannabutter can quickly lose its suspension, so stir very well! The high from these edibles was different than gummy or tincture type edible. It took almost two hours for the effect to hit, but when it did, the high was firmer than I’ve had with the other kinds of edibles. Like a rush all at once, moves quickly, the high, but keeps you there for a while

Now that was a lovely night. I got my #pax3 fully charged up, two sessions, with the last a few minutes ago. Slowly working on winding down for bed.

I’m super excited about all the wild strains that are coming up. The #budkup I’ve got loaded is about 2/5ths of the way along, but the next strain is the next budkup. I had no idea how little #weed I would normally consume, but I absolutely love the flavors and aromas so far. I have the rest of my #AVB that had been water cured ready to go…

I subdivided my lovely #MagicBrownies into 100g doses. There are six pieces of #AVB #Cannabis Magic Brownies.

Taking a moment to recognize that I turned a waste product of vaping, AVB, and not only am I completely consuming the flower, but it makes a kickass #edible!

This is the kind of amazing elegance that comes with a natural medicine. Yes you can enjoy an eighth of #cannabis flower through combustion, but it creates ash. I may not be +

Hooray! Double the brownie double your pleasure. It hit much later than usual edibles do, and it hits really… firmly. Gonna make drifting to sleep a snap! #avb #MagicBrownies #cannabis

All awash in such lovely aspects of #weed tonight. Took my 50mg #CBD, then grabbed some of my little sleep-aid gummies and set them to work. As I sat in one of my most usual places, I looked over and spotted my #pax. LOL. Well! If I have to, if I really have to bust my hump, fiiiiine… I’ll have a vape sesh. Jeeesh! :D

The old #AVB #WaterCure is coming along nicely. I’m using distilled water because I don’t want any fluoride or chlorine in there, even as a ppm-level residue.