Posts
4871
Following
323
Followers
491
Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1

Jarkko Sakkinen

Edited 8 hours ago
I discarded mocktpm from tpm2sh but I'm planning to implement a *non-generic* TPM emulator.

I.e. I look at Infineon 96xx capabilities and behavior and limit the features match that chipset, and like have non-optionated CA (either generated or provided) for endorsement keys, and not wholealot configuration.

And yeah, I'll implement ability to bind QEMU.

This is to have something super easy (vs swtpm) to get a fake TPM chip for kernel tests and developing and test stuff like Himmelblau IDM.

#linux #kernel #tpm #himmelblau
0
0
0

Jarkko Sakkinen

cool someone asked me about my unfinished / backlogged patch set [1].

I stopped working on that since I thought nobody cares about the feature. I also stopped working on it because TPM2 user space sucked and it is really hard to experiment whether uapi makes sense for that reason.

Now I have my own user space that exactly has strong external capaiblities, compiles fluently to BuildRoot image, and there's one company/person that wants the feature.

I guess updating this patch set is next in my queue after tpm2sh :-)

[1] https://lore.kernel.org/linux-integrity/20240528210823.28798-1-jarkko@kernel.org/
0
0
0

Jarkko Sakkinen

Noteworthy in this is the implict parent discovery without having to specify parent when loading keys :-) It recursively loads always the whole hierarchy where parent key is discovered either among persistent keys or cache.

#linux #kernel #tpm
0
0
0

Jarkko Sakkinen

I'm so happy that I've made on full usable computer program with Rust now, including backend code (tpm2-protocol).

It does not really matter if it is good or bad but a psychological barrier has definitely been broken. Program #2 will be so much easier and fun than this ;-)
0
0
5
@lkundrak lool i don't know who she but googled and ;D fuck
1
0
0
@jwildeboer @pjakobs not to mention that everyone had Atari joystick ports in the 80s and early 90s :-)
1
0
1
@jwildeboer @pjakobs Atari 800 had innovative Atari SIO bus designed by Joe Decuir, who later on took the same basic design, and created USB ;-)
1
0
2

Jarkko Sakkinen

Edited 2 days ago
I sometimes wonder Linux Foundation is not involved with Himmelblau IDM, given how important project it is for the Linux ecosystem overall.

https://mytechinsights.wordpress.com/2025/08/06/himmelblau-1-0-released-finally-real-intune-policy-enforcement-on-linux/

#himmelblau #azure #intune @linuxfoundation
0
0
0

Jarkko Sakkinen

Edited 2 days ago
0
0
0
@Aissen @geal I prefer combinator parsers over PEG because in combinator parsers with the price of higher "initial cost" you get re-usable components, and maintenance costs over long period of time are much lower than with PEG (assuming that grammar is relatively stable). And yeah, everything lives in the same closure (i.e. in the Rust implementation).
0
0
1
actually #rasn would be another. it saved me from bunch of bloated dependencies and allowed me to easily write my own parsers for PCKS#1, PCKS#8, SEC1 and X.509.
0
0
0

Jarkko Sakkinen

#nom is like the first library in Rust of which I can say that I love it, and not because it is "powered by Rust" but because it is such a great peace of work overall :-) #rustlang
3
0
1

Jarkko Sakkinen

Edited 2 days ago
Now that I can actually clean up tpm2sh as I reached "zero known relevant bugs" state couple of days ago, some cool features will spun from that.

E.g., most of the time you don't have to specify parent key, the tool will discover it for you.

I'll also implement virtual persistent handles by retaining in cache TPMKey ASN.1 file in addition to context and that enables to implement fake evict operation to 0x81-range.

And already now management of TPM2 sessions is mostly transparent like it should be, and implicitly created HMAC sessions will gain parameter encryption soon.

In pre-existing TPM2 stacks (e.g., tpm2-tool) having sessions exposed out naked to the user is like having a TLS stack where you would need manually implement session key exchange dance. It's just plain fucking wrong imho :-)

#tpm2sh
0
0
0

AGRO TURBO.EXE SATAN 🇺🇦🇨🇿

breaking: white house being replaced by a white trailer park

1
1
1
@Netux kexec is not isolated environment from the host system, and quite complicated to use to begin with for anything really.
1
0
1
@Netux i build about 10 VMs per day or something :-) Every time I test a single kernel patch I build a fresh VM around it. Not the size but dependencies is the optimization parameter here.
1
0
1
Dropping curl has significant effect to my VM image build times. Why I have not realized this before ;-)
1
0
2

Jarkko Sakkinen

For VM/embedded images socat is pretty alternative to curl as it has 50% less dependencies and you can still web e.g.,

printf 'GET / HTTP/1.1\r\nHost: www.iki.fi\r\nConnection: close\r\n\r\n' | socat OPENSSL:www.iki.fi:443 -

I’ve replaced curl with socat in my BuildRoot images for kernel testing because it is less bloated than curl ;-)

1
0
1
Show older