
Jarkko Sakkinen

I've refurbished the rootns kernel patch set for the first time since February.

I was missing a workload for the feature, but having container entrance without co-operative unmount makes a whole lot more sense now than it made then :-)

https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/?h=rootns

It's easiest to depict as "soft kexec" (as mental model).

#linux #kernel #container #security
0
0
0

Jarkko Sakkinen

Edited 5 hours ago
If I had to pick the single biggest long-term security risk for companies and other organizations, I'd pick Claude Code. Anthropic is a flawed company when it comes to security.
0
0
2

Jarkko Sakkinen

Just so that you know this is a complete joke:

https://github.com/anthropic-experimental/sandbox-runtime

But it inspired me. I'm doing, for fun, a small sandboxing tool that eats the same JSON but has a bit more clever way to set up protections :-) And it is compatible with actions/runners in Git hosting sites, as I'm not using Linux namespaces.
0
0
1

Jarkko Sakkinen

Explained to LinkedIn what mathematicians do as a profession as apparently this was not clear in the first place :-)

#mathematics #openai #linkedin
0
2
4

Jarkko Sakkinen

Found some random unidentified sunglasses while cleaning up my place. Now all I need is a van, duct tape...
0
0
4

Jarkko Sakkinen

Still useful and also frequently used references in 2026 :-)

#x86 #arm #assembly
1
0
3

Jarkko Sakkinen

Not only did LF pick Jack Dorsey's Goose for its umbrella, but its main discussion forums are also Discord and X.

Everything wrong. Together.

https://aaif.io/
1
1
2

Jarkko Sakkinen

Edited 20 hours ago
Wow, pretty cool. I think I passed the Buildroot black belt test ;-)

I have the latest GNOME packaged for Buildroot. The artifacts produced by each build are an installer ISO and container images, and the build is fully reproducible.

There's other stuff too, like all the ostree shenanigans and NVIDIA Container Toolkit, but honestly they are like a walk in the park compared to GNOME.

#buildroot #gnome #wayland
1
0
4

Jarkko Sakkinen

Edited yesterday

tpm2_asymmetric.ko:

https://lore.kernel.org/linux-integrity/ahKKikSt249xjoqK@kernel.org/T/#t

Apparently I trashed the subject line in the cover letter.

Test program I wrote highlights what it does [1]:

# Cross-verification test for tpm2_asymmetric.ko: a TPM-wrapped key loaded into
# the kernel keyring signs, the matching software key verifies, and vice versa.
# Abort on the first failing command so the PASS lines below mean something.
set -e

export TPM2TOOLS_TCTI="${TPM2TOOLS_TCTI:-device:/dev/tpmrm0}"

WORK=$(mktemp -d)
# Remove the temp files and the persistent handle created below on any exit.
trap 'rm -rf "$WORK"; tpm2_clear' EXIT

# Software-generated P-256 key; this is the reference key for both directions.
openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ec_key.pem"

# Storage primary under the owner hierarchy, made persistent at 0x81000001.
tpm2_createprimary --hierarchy o -G ecc -c "$WORK/primary.ctx"
tpm2_evictcontrol -C o -c "$WORK/primary.ctx" 0x81000001

# Wrap the software key under the primary: key.pub/key.priv are the TPM blobs.
tpm2_import -C 0x81000001 -G ecc \
  -i "$WORK/ec_key.pem" \
  -u "$WORK/key.pub" -r "$WORK/key.priv"

# Encode the wrapped key as a TSS2 key file (PEM) and convert it to DER,
# which is what the keyring expects.
tpm2_encodeobject -C 0x81000001 \
  -u "$WORK/key.pub" -r "$WORK/key.priv" \
  -o "$WORK/tpm2_key.pem"
openssl asn1parse -inform pem -in "$WORK/tpm2_key.pem" \
  -noout -out "$WORK/tpm2_key.der"

# Self-signed certificate carrying the software public key, as DER.
openssl req -new -x509 -key "$WORK/ec_key.pem" \
  -out "$WORK/cert.pem" -days 1 \
  -subj "/CN=tpm2_asymmetric_test" -sha256
openssl x509 -in "$WORK/cert.pem" -outform der -out "$WORK/cert.der"

# Load the TPM2 key and the X.509 certificate into the session keyring.
TPM2_KEY=$(keyctl padd asymmetric "tpm2_asymmetric" @s < "$WORK/tpm2_key.der")
X509_KEY=$(keyctl padd asymmetric "x509_ecdsa" @s < "$WORK/cert.der")

# Test data; the keyring operations take the precomputed SHA-256 digest.
printf "tpm2 asymmetric cross-verification test data" > "$WORK/testdata"
openssl dgst -sha256 -binary "$WORK/testdata" > "$WORK/hash.bin"

# Direction 1: TPM2 key signs inside the kernel, X.509 key verifies.
keyctl pkey_sign $TPM2_KEY 0 "$WORK/hash.bin" enc=x962 hash=sha256 \
  > "$WORK/sig_tpm.der"
keyctl pkey_verify $X509_KEY 0 "$WORK/hash.bin" "$WORK/sig_tpm.der" \
  enc=x962 hash=sha256
echo "PASS: TPM2 key signed, X.509 key verified"

# Direction 2: OpenSSL signs with the software key, TPM2 key verifies.
openssl dgst -sha256 -sign "$WORK/ec_key.pem" \
  -out "$WORK/sig_sw.der" "$WORK/testdata"
keyctl pkey_verify $TPM2_KEY 0 "$WORK/hash.bin" "$WORK/sig_sw.der" \
  enc=x962 hash=sha256
echo "PASS: OpenSSL signed, TPM2 key verified"

[1] https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd-test.git/tree/overlay/usr/local/bin/tpmdd_tpm2_asymmetric.sh?h=main

0
0
0
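The DER that the script above pipes into `keyctl padd asymmetric` is the TSS2 key file that tpm2_encodeobject writes (PEM label "TSS2 PRIVATE KEY", TCG TPM 2.0 key file format). As an added example, not from the post or the tpmdd trees, here is a minimal parser for that structure in pure Python; the ASN.1 layout it assumes is SEQUENCE { type OID, [0] emptyAuth BOOLEAN OPTIONAL, [1]/[2]/[3] policy/secret/authPolicy OPTIONAL, parent INTEGER, pubkey OCTET STRING, privkey OCTET STRING }, with the loadableKey OID 2.23.133.10.1.3. The sample key bytes are constructed stand-ins, not real TPM blobs; the helper names (`build_tpm2_key`, `parse_tpm2_key`, `pem_to_der`) are mine.

```python
"""Added example (not from the post): parse the TSS2 key file DER that
tpm2_encodeobject produces and the script hands to the keyring.  Layout
assumed from the TCG TPM 2.0 key file format; sample blobs are constructed."""
import base64

OID_LOADABLE_KEY = "2.23.133.10.1.3"  # TCG loadableKey type OID (assumed)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, value, position after element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def build_tpm2_key(parent, pub, priv, empty_auth=True):
    """Encode a TSS2 key file; used here only to construct sample input."""
    body = _tlv(0x06, _encode_oid(OID_LOADABLE_KEY))
    if empty_auth:
        body += _tlv(0xA0, _tlv(0x01, b"\xff"))      # [0] EXPLICIT BOOLEAN TRUE
    body += _tlv(0x02, parent.to_bytes((parent.bit_length() + 8) // 8, "big"))
    return _tlv(0x30, body + _tlv(0x04, pub) + _tlv(0x04, priv))


def pem_to_der(text):
    """Strip the -----BEGIN/END TSS2 PRIVATE KEY----- armor and base64-decode."""
    lines = [ln for ln in text.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def parse_tpm2_key(der):
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    key = {"type": None, "empty_auth": False, "parent": None, "extra": {}}
    octets, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x06:
            key["type"] = _decode_oid(val)
        elif tag == 0xA0:                           # [0] emptyAuth
            btag, bval, _ = _read_tlv(val, 0)
            key["empty_auth"] = btag == 0x01 and bval != b"\x00"
        elif tag in (0xA1, 0xA2, 0xA3):             # policy/secret/authPolicy, kept raw
            key["extra"][tag] = val
        elif tag == 0x02:
            key["parent"] = int.from_bytes(val, "big")
        elif tag == 0x04:
            octets.append(val)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    if key["type"] is None or key["parent"] is None or len(octets) != 2:
        raise ValueError("missing mandatory field")
    key["pubkey"], key["privkey"] = octets
    # Checks a loader should make before handing the blobs to the TPM.
    if key["type"] != OID_LOADABLE_KEY:
        raise ValueError(f"unsupported key type {key['type']}")
    for name in ("pubkey", "privkey"):             # both are TPM2B_*: 2-byte size prefix
        blob = key[name]
        if len(blob) < 2 or int.from_bytes(blob[:2], "big") != len(blob) - 2:
            raise ValueError(f"{name}: TPM2B size prefix does not match blob length")
    return key


# Constructed sample: stand-ins for real TPM2B_PUBLIC / TPM2B_PRIVATE blobs.
SAMPLE_PUB = (16).to_bytes(2, "big") + bytes(range(16))
SAMPLE_PRIV = (8).to_bytes(2, "big") + b"\xaa" * 8
SAMPLE_DER = build_tpm2_key(0x81000001, SAMPLE_PUB, SAMPLE_PRIV)

if __name__ == "__main__":
    k = parse_tpm2_key(SAMPLE_DER)
    print(f"type={k['type']} parent=0x{k['parent']:08x} emptyAuth={k['empty_auth']} "
          f"pub={len(k['pubkey'])}B priv={len(k['privkey'])}B")
```

Run it against a real file with `parse_tpm2_key(pem_to_der(open("tpm2_key.pem").read()))`; the parent field is the handle the script made persistent (0x81000001), and the size-prefix check catches a truncated or mis-assembled blob before anything is sent to the TPM.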

Jarkko Sakkinen

Things change:

1. 2025: Jack Dorsey's talk was disqualified from FOSDEM.
2. 2026: Jack Dorsey's agent tool called 'goose' is inducted as a Linux Foundation project.
2
0
1

Jarkko Sakkinen

I miss the times when we only had slot machines.
0
0
1

Jarkko Sakkinen

https://github.com/srikanth-mg/riscv-tee-ibex

Cool, some years ago I fixed a bug in the page table bootstrap code of Keystone Enclave.
0
0
0

Jarkko Sakkinen

Edited 3 days ago
I often listen to Google I/O talks while working, and it was pretty good this year. It was also, like, the first sane delivery of how they see the world this year, actually, from any of the big tech companies. Overall it was also very much aligned with my own thinking, which made me really happy. So kudos to Google for delivering a positive message.
1
0
2

Jarkko Sakkinen

Edited 4 days ago
There's a huge problem, or unanswered question, related purely to business, when it comes to these agentic workflows, that actually nobody is talking about all that much.

We have zero idea of:

1. How the stuff coming from the end of the pipeline will sell.
2. How the customers will react. I mean non-developer customers.

Answering question 2 might be difficult, though, given that most companies make AI tools for other AI companies.

As an experiment, I tried the end outcomes of one big promoter that I found on YouTube called "Theo*". I leave it there because I don't know what the letters are after that.

I downloaded his agent desktop tool and ran it in a sandbox. Well, it looked to me exactly like the kind of output I get when I *start* a project with AI. I do often ramp up the initial stub of a project with AI because it is great exactly for that part. It was slow, and even with, like, good intentions I would expect a better UI even from a college/university graduate. Super low quality software.

This tells me exactly what I've witnessed overall. People get a rush using these tools and a feeling of achievement when, from an outside perspective, the results are not all that great. Yes, you can use them to run multiple projects simultaneously, but then none of them are what customers will absolutely love, because ultimately love for a product must come from its creator.

To summarize this, one has to ALWAYS remember that there is exactly one part of the development pipeline that cares zero about R&D. It's the sink of that pipeline, i.e. a real customer.
0
0
1

Jarkko Sakkinen

This generative AI is so amazing, everyone gets the exact same web site.
0
0
0

Jarkko Sakkinen

Edited 5 days ago
It is probably good general security advice to state that it is not advisable to use open source software that has less than two years of backlog. It's far too often "an agentic dump".

I've started to use arXiv.org to look for open source projects when I need something. GitHub has been "slossed" (is that a word?). So yeah, arXiv.org is my GitHub search engine, because if a few articles reference a project, I have enough heuristic knowledge to consider trying it out :-)

This era reminds me most of how factory lines worked in the USSR.

If I use AI, it is a somewhat planned operation, not anything like what is going on right now. Totally different planet.
1
1
2

Jarkko Sakkinen

https://blog.mozilla.org/en/privacy-security/ai-security-zero-day-vulnerabilities/

There have been bugs post-Mythos. Some of them even somewhat low-hanging fruit.
0
0
1

Jarkko Sakkinen

Justin Frankel is also the creator of Reaper, one of the most innovative DAWs ever made :-)

https://www.youtube.com/watch?v=MqNSOU2ubnw
0
0
0

Jarkko Sakkinen

The thing that I dislike the most in uutils is that it is trying to break the governance of the basic tools that we use, not only the functionality and compatibility.
0
0
0

Jarkko Sakkinen

I guess since Anthropic has an AI philosopher, it is starting to trend also among "AI natives" at career sites :-) Some of Anthropic's shit is so weird that I almost enjoy it.

Keynote speaker is last season.
1
1
0