Posts
4802
Following
319
Followers
489
Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1

Jarkko Sakkinen

if there is one open source project, which i hope to succeed more than any other project, it must be Servo. it's super important that it will become game changer and real distruptor.
0
4
2

Jarkko Sakkinen

Edited 23 hours ago

i realized that you an do mustache templates with just plain jq:

jq -n -r \
  --arg domains "$TENANT_DOMAIN" \
  --arg hsm_type "$HSM_TYPE" \
  --argjson enable_hello "$ENABLE_HELLO" \
  '
    "[global]\ndebug = true\ndomains = \($domains)\nhome_alias = CN\nhome_attr = CN\nid_attr_map = name\npam_allow_groups =\nuse_etc_skel = true\nlocal_groups = users\nhsm_type = \($hsm_type)\nenable_hello = \($enable_hello)"
  ' > "$BUILD_DIR/himmelblau.conf"

need to apply this idea to my kernel pull request scripts :-)

template here is:

[global]
debug = true
domains = {{domains}}
home_alias = CN
home_attr = CN
id_attr_map = name
pam_allow_groups =
use_etc_skel = true
local_groups = users
hsm_type = {{hsm_type}}
enable_hello = {{enable_hello}}
0
0
0
because bash is my top 3 favorite programming languages and favorite scripting language :-)
0
0
0

Jarkko Sakkinen

I've been thinking that post 0.11 tpm2sh cool feature would be remote attestation and demo would be remote attestation client and server in bash.
1
0
0
I'll likely fix those glitches within a week or so and then it's ready for release :-)

The key insight here is that 50% of hardware is realized the software that creates interface for it, and for TPM2 the "software defined object" portion has been quite horrible :-) And it's pretty bad across the board form programming interfaces to tooling with absolutely no developer or sysadmin ergonomics consider anywhere.

On the other hand, by having right kind of software interface for TPM2, makes it like it was a completely new piece of hardware that did not exist before. I.e. not a brick.
0
0
0

Jarkko Sakkinen

Edited yesterday
yay, now tpm2sh has software digest calculator for policy expressions (which can query e.g. PCR values but does not exercise policy tpm commands), the remaining errata is not a huge stretch:

https://github.com/puavo-org/tpm2sh/issues/2

Many of the things are just minor collapses while turning this over and over again. Sessions need still a bit of work but lot of the functionality is already there...

I'd like to add quote generation etc. for Remote Attestation purposes but it is definitely out of scope and better just to stabilize the command set.

Sessions are represented like this (to be cosmetic tweaked in some places):

session://handle=0x02000000;nonce=135eac83db00e0c691fba1653405e79f8f285964e18add0488337fc7caf90606;attrs=00;key=;alg=sha256

And there's already `--session` argument but further I'll add an environment variable TPM2SH_SESSION, which command not only read but also update (to enable chaining e.g., nonce needs to be updated).

The general gist and main goal of the command set and "command-line experience" is to enable both user interactive experience and also TPM2 access for shell implemented tools such as password managers.

Load loads both external PKCS#8 and TPM ASN.1. Convert command converts PKCS#8 to TPM ASN.1.

So instead of this:

tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der

You can just:

tpm2sh create-primary rsa:2048:sha256 --output file://owner.txt
openssl genrsa -out private.pem 2048
tpm2sh convert --parent "tpm://0x81000001" file://private.pem --output file://key.priv.der

#linux #rust #tpm
1
2
1
and just like during winter war this is one thing where the thinking is universal for far right to left: putinists don't have future in finnish politics and governing. it is outside of scope of the usual political debate.
0
0
1

Jarkko Sakkinen

Edited yesterday
two fun facts about kiova and tampere:

1. last year it was 70th anniversary of twin town friendship between tampere and kiova (tampere is my hown town).
2. kiova has a street called "tampere", which was named in 2014 to celebrate 60th anniversary of friendship, which has lasted well over its "soviet origins".

my generation does not know what it is like to be at war obviously and it would be obnoxious to say that "i get it" when it comes to war at ukraine. however, we owe to our grandparents to not forget, not make compromises and generally not to be ignorant of the situation.

🇺🇦 🇫🇮
1
1
1

Jarkko Sakkinen

Edited 2 days ago
https://github.com/puavo-org/tpm2sh/blob/main/src/mocktpm.rs

It's pretty limited as of today but looking at code I'd say it's on right track :-) Likely split to a separate project some day as it grows too large (like over 2 KSLOC). I guess it's first pure Rust TPM emulator trial with like legit grounds that it is built on top of.
0
0
0
The current feature set is pretty much scoped with kernel testing in mind. E.g., that's why I have implemented pcr-event but not pcr-extend (which can be of course done some day) :-)
1
0
0

Jarkko Sakkinen

Edited 2 days ago

The current feature set of upcoming tpm2sh 0.11. It’s quite basic but everything is tested with care and e.g., load does all the import dance for PKCS8 RSA and ECC keys without having to mess with openssl command line. I.e. single robust load command instead of:

tpm2_createprimary --hierarchy o -G ecc -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
openssl ecparam -name prime256v1 -genkey -noout -out private.pem
tpm2_import -C 0x81000001 -G ecc -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der

And generally flows are somewhat polished and will be polished further before released to not have any rough corners. Finally most of non-trivial functionality is tested against built-in TPM emulator MockTPM.

Sometime after 0.11 release I’ll add also --dry-run switch that can exercise TPM commands with the emulator before applying them to the chip.

#linux #rust #tpm

1
0
0

Jarkko Sakkinen

rasn is good stuff for custom non-established DER formats. Full TPM key ASN.1 spec + my extensions (parentName, parentPubKey):

https://github.com/puavo-org/tpm2sh/blob/main/src/key/tpm_key.rs

It took me like 30 minutes after reading tutorial a bit get ongoing.
0
0
0
test driver obviously wil have differences but most of parsing code etc. translate.
0
0
0

Jarkko Sakkinen

Edited 2 days ago

great now i have a single data-drive test where test cases translate between legacy (build/parse) and new (zerocopy fat pointers):

# ...

TPM_CC_Startup Response TPM_RC_FAILURE 80010000000a00000101
TPM_CC_Startup Response TPM_RC_CONTEXT_GAP 80010000000a00000901
TPM_CC_PCR_Read Response Success 800100000038000000000000000100000000000000010020dededededededededededededededededededededededededededededededed
# ...
1
0
1

Jarkko Sakkinen

Edited 3 days ago
yay, the most complex macros, tpm_enum! and tpm_struct! have been converted to the parallel universum:

https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/tpm2-protocol.git/commit/?id=4f48396e0df888ee6a5e8a2df92d71cfc05d26d8

After this it is downhill.

I'm doing this like an idiot, i.e. learning as I bump e.g., up until yesterday I was not even aware of Ref and Deref trait :-)
0
0
0

Jarkko Sakkinen

Edited 3 days ago

awesome “cast” version of tpm_enum!:

tpm_enum_cast! {
    name: TpmRcBaseCast,
    repr: TpmUint32,
    value_enum: TpmRcBaseEnumCast,
    value_repr: u32,
    variants: {
        (Success, 0x0000, "TPM_RC_SUCCESS"),
        (BadTag, 0x001E, "TPM_RC_BAD_TAG"),
        (Initialize, TPM_RC_VER1, "TPM_RC_INITIALIZE"),
        (Failure, TPM_RC_VER1 | 0x001, "TPM_RC_FAILURE"),
 // ...
0
0
0

Jarkko Sakkinen

I think zerocopy semantics goes to the level of implementation that using 3rd party crate like Google's "zerocopy" is essentially a PoC quality solution.

I could implement e.g. tpm2-protocol by using that as dependency but never could reach optimal results for the underlying data.
0
0
0

Jarkko Sakkinen

Edited 4 days ago

And this is how it works:

let (ref, tail) = TpmsClockInfoCast::from_slice(bytes);
let TpmsClockInfoFieldRef::clock(clock) = ref.field(TpmsClockInfoField::clock).unwrap()
0
0
0
Show older