I’ve ranted lately a lot at #LKML about how #kernel #Bugzilla’s role in the #development #process should be defined better in the #documentation. #linux

I wonder what is the best practice to remove #passphrase from #OpenPGP subkey. I’m using #gnupg2. I’ve spend hours on this and still not able to do it :-(

I.e. I have this:

$ gpg -K
/home/jarkko/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096 2019-06-24 [C] [expires: 2024-07-04]
      5107E66D34788A93E3227C903AB05486C7752FE1
uid           [ unknown] Jarkko Sakkinen <jarkko.sakkinen@iki.fi>
uid           [ unknown] Jarkko Sakkinen <jarkko@kernel.org>
uid           [ unknown] Jarkko Sakkinen <jarkko.sakkinen@tuni.fi>
ssb   ed25519 2019-06-25 [S] [expires: 2025-07-27]
ssb   rsa4096 2020-08-11 [A]
ssb   rsa4096 2022-03-21 [E] [expires: 2024-03-20]
ssb   ed25519 2022-12-29 [A]

And I want to remove passphrase from #ed25519 #authentication #key.

Looking #LTO #tape #drives :-) I might get one at some point to support my #NAS. There's a lot of options below 1000 EUR range, and tapes are neither that expensive, when archiving frequency is maybe few times a year.

Learning #Inkscape in order to substitute #LibreOffice Draw. I moved into LibreOffice Draw some years ago from #Xfig, only because it had turned into legacy. However, I've learned over the time that the structural complexity of actual diagram tools tend to take my focus away from the actual problem, and more into fiddling between the choices in the tool itself.

I created my own12 cm x 9 cm template, which are pretty good starting point metrics (and aspect ratio) for many situations, especially when you have to embed pictures. These metrics are also in good harmony with the primitive (but functional) connector tool of Inkscape, and on keeping complexity of the diagram low :-)

Installed #Debian 12 to my #desktop #PC (migrated back from #Ubuntu). Recent switch to #Intel #ARC #GPU considerably lowered the barrier.

A shallow #Git clone with shallow clones of the #submodule’s:

git clone --depth=1 \
          --recurse-submodules \
          --shallow-submodules \
          <URL>          

#note

A generic flashing and verification script draft (will be edited over time):

#!/usr/bin/env bash
#
# Authors:
# Jarkko Sakkinen <jarkko.sakkinen@tuni.fi>

set -e

if [ $# -ne 2 ]; then
    echo "`basename $0` <payload> <block device>"
    exit 1
fi

PAYLOAD=`realpath $1`
SIZE=`wc -c $1 | cut -d' ' -f1`
START="2048"
END="$((START + (SIZE >> 9)  + 1))"

parted --script $2 mklabel gpt
parted --script $2 mkpart primary fat32 ${START}s ${END}s

PARTITION="${2}1"
if [ ! -b $PARTITION ]; then
  echo "Invalid partition"
  exit 1
fi

echo "Payload: $PAYLOAD"
echo "Partition: $PARTITION"

DD_OPTIONS="count=$((END - START)) bs=512 status=progress conv=sync"

dd if="$PAYLOAD" of="$PARTITION" $DD_OPTIONS
sync

echo "Payload MD5: `dd if="$PAYLOAD" $DD_OPTIONS 2> /dev/null | md5sum`"
echo "Partition MD5: `dd if="$PARTITION" $DD_OPTIONS 2> /dev/null | md5sum`"

#flashing #firmware #image #riscv #CVA6 #Keystone #EFI #note

Something that has probably existed forever but I just learned. You can pass status=progress to dd, and it will show progress. #note

Would be nice if you could at least simulate #keystone with widely available SBC's, even with insecure #attestation (or no attestation at all). #riscv #opensbi #sanctum.

https://github.com/keystone-enclave/keystone/issues/339

I love the new #feature in #openssh, which breaks backwards #compatibility with e.g. #dropbear with the default options: https://www.openssh.com/txt/release-9.0 #ssh

OK cool:

$ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# You can verify the status of security fixes using the `pro fix` command.
# E.g., a recent Ruby vulnerability can be checked with: `pro fix USN-6219-1`
# For more detail see: https://ubuntu.com/security/notices/USN-6219-1
#
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

$ pro fix
usage: pro fix <CVE-yyyy-nnnn+>|<USN-nnnn-d+> [flags]
the following arguments are required: security_issue

#ubuntu #cve #security #note

An example of creating a minimal #Linux #kernel config that boots and prints output to the console:

make tinyconfig
./scripts/config -e CONFIG_MULTIUSER -e CONFIG_TTY -e CONFIG_64BIT -e CONFIG_PRINTK
make -j `nproc`
qemu-system-x86_64 -kernel arch/x86/boot/bzImage

#note

#home #skeleton #dotfiles https://github.com/jarkkojs/home

I still think that #Intel #SGX has some advantages over #SEV and #TDX. Its #security model is easier to understand and is always per page granularity. For anything ulta-secure I would not have hard time to pick the right option.

Setting up #FPGA #lab. #Digilent #Genesys2

refine struct tpm_buf to handle sized buffers (TPM2B): https://lore.kernel.org/linux-integrity/20230821033630.1039527-1-jarkko@kernel.org/ #Linux #kernel #TPM #LKML

Two common #GNU #make patterns I tend to use often with #Buildroot:

1. time ( make &> build.txt; )

2. time ( make 2>&1 | tee build.txt; )

#note

cosmetic but still useful: https://lkml.org/lkml/2023/8/19/213 #linux #kernel #tpm #selftests #lkml

I created a #Buildroot environment that I’ve started to use for #Linux #kernel #testing, targeted to my kernel tree.

as simple as this function might seem, it has reduced the number of remotes I have by large numbers:

function git-fetch-tag { git fetch --no-tags "$1" "refs/tags/$2:refs/tags/$2"; }

#git #note