Iterating HMAC encryption steadily to be great again: https://lore.kernel.org/linux-integrity/20251210172027.109938-1-jarkko@kernel.org/

I don't think it has unsolvable issues but it will need some rework. Just needs a few iterations like this.

I think also that once it is functionally and quality wise significantly improved it makes sense to replace CONFIG_TCG_TPM_HMAC with kernel command-line parameters and set of parameters.

Other remarks that I put mostly here for myself as a remainder (I love Mastodon bookmarks):

1. One thing that was properly handled in the first iteration was also that despite ECC-NIST-P256/SHA256 might be de-facto and pratically everywhere in western countries, there's also large population in a distant country at Asia relyingon SM2/SM3. I.e. we eventually need SM2/SM3 to be univeral.
2. Initialization itself should be *conditional* i.e., it will complain if feature cannot be enabled but that's all. It can be then supplemented with "panic_on_warn" style parametr, if somone has a problem with this.
3. Relying only on null key generated at boot is a great for some systems (laptops/desktops) but for embedded systems especially it is a major performance hit. Thus also persistent root key should be an option.
4. During power on hwrng was the worst glitch. The patch set above already improves the situation by making read request "opportunistic" instead of committing to an amount. No grand plan for this but I do have a sack of ideas in my pocket. This will gradually improve over time with no grand plan tbh ;-)

#linux #kernel #tpm

Second Windows post of the day ;-)

What is the pass alternative for Windows that is fully compatible with pass' database?

Microsoft has a multi-decade long history of features, which most people want to proactively disable: https://arstechnica.com/ai/2025/12/microsoft-slashes-ai-sales-growth-targets-as-customers-resist-unproven-agents/

Some things never change ;-)

I have one ThinkPad with Windows and in that when reinstalling the OS, the challenge is always to find out how to mitigate Microsoft's latest attempts to disable local (only) accounts. It's a forever-going puzzle game really.

#microsoft

installed a webcam in order to make a better appearance at telcos ;-)

@andrew nope, i just whatever gnome provides me and complain in social media ;-)

Now it hit me what I was doing wrong in TPM2 asymmetric keys.

Introducing new key types was a wrong strategy. Instead, pre-existing ECC and RSA key types should be layered i.e., you turn "TPM2 magic switch" on and kernel generates import blob etc. dance behind the curtains.

This has numerous benefits. E.g., there can be then also "TEE magic switch" depending on platform and generally speaking this is the best for users as they don't need to overturn their configuration.

#linux #kernel #tpm

My friend Tuomo wrote a window manager called 'pwm' during early 00's. I liked the idea of attaching multiple client windows to a single frame much more than tiling window managers. I used that wm for quite a while and wish that someone would bring that concept back.

Also, 'rsaParent' is just weird thing to have. Why not just have the whole TPM2B_PUBLIC blob for the parent key and applications can cherry pick what they want instead? It makes zero sense.

A great example, why "parent" attribute does not really work in TPMKey ASN.1 definition is Linux kernel.

We have explicit parameter for parent handle called 'keyhandle' because the attribute stored in the ASN.1 is useless and ambiguous data.

#linux #kernel #tpm

@pinkforest nope, i know it exist but have not had any use on what i do :-)

One reason I've stuck on ext4 is that I also run Bitwig Studio on my Linux machine, and generally speaking ext4 has more predictable latency (and more options for recovering data). Ultimately the choice file system is a throughput vs latency question, and this is probably also why Apple never migrated from HFS(+) to ZFS :-)

I think it would be great if we put endorsement certificates for sysfs.

I.e. with very little code/scripting on can then provide tools and means for remote attestation server to generate challenges (e.g. during OS installation).

#linux #kernel #tpm

Applied a largeish patch [1] to my master:

1. 11 files changed, 508 insertions(+), 566 deletions(-)
2. https://lore.kernel.org/linux-integrity/20251206113110.1793407-4-jarkko@kernel.org/

There's no really sane way to split this so thus I thought it is good idea to early merge it in the beginning of the release cycle in order to maximize coverage :-)

@Netux I'm not 100% sure if I need them but it is good idea to include MS signatures in order to be robust with oproms. Thus, in a common case you want to do that despite owning the KEK keys.

Phew, total 4 separate pull requests for 6.19, all landed without complains :-)

Awesome, it went through first time. Finally had time to actually enable secure boot with sbctl.

Here’s what I did:

1. Enabled secure boot in custom mode (i.e., not standard mode) from BIOS settings.
2. Erased all keys. This triggers so called “setup mode” for the next boot.
3. Typed bunch of random commands :-)

I did the script couple of weeks ago but did not have time to test it live (until now).

3/4 PRs done for 6.19, one to go

Just like there is this half-insulting term "SJW", or "social justice warrior", there should another term "NWW" aka "non-woke warrior" IMHO.

... when I was young IDEs had NON-WOKE names such as "Code Warrior" ;-)

alias readelf='readelf -W'

like the first thing to ever do with readelf ;-)

I think it would be nice patch to merge as it does early roundwork for policy execution as side-effect.