Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1
@linjaaho Perhaps an unpopular opinion, but I think not all toxic banter needs to be intervened in; one should simply turn one's back on it. It should be intervened in only when it causes a real threat to a person or to society. Zero tolerance has perhaps been taken a bit overboard, or it has been taken a bit too literally and with blinders on.

Jarkko Sakkinen

Would be nice if you could at least simulate #keystone with widely available SBCs, even with insecure #attestation (or no attestation at all). #riscv #opensbi #sanctum.

https://github.com/keystone-enclave/keystone/issues/339

@linjaaho yeah, and even from quite liberal folks you might get who knows what kind of senseless banter in WhatsApp messages when they are blind drunk.

Jarkko Sakkinen

Edited 2 years ago

From now on you are required to scp -O to your router instead of scp with no flags whatsoever. #openwrt


Jarkko Sakkinen

I love the new #feature in #openssh, which breaks backwards #compatibility with e.g. #dropbear with the default options: https://www.openssh.com/txt/release-9.0 #ssh

Jarkko Sakkinen

Edited 2 years ago

OK cool:

$ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# You can verify the status of security fixes using the `pro fix` command.
# E.g., a recent Ruby vulnerability can be checked with: `pro fix USN-6219-1`
# For more detail see: https://ubuntu.com/security/notices/USN-6219-1
#
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

$ pro fix
usage: pro fix <CVE-yyyy-nnnn+>|<USN-nnnn-d+> [flags]
the following arguments are required: security_issue

#ubuntu #cve #security #note


Jarkko Sakkinen

Edited 2 years ago

An example of creating a minimal #Linux #kernel config that boots and prints output to the console:

make tinyconfig
./scripts/config -e CONFIG_MULTIUSER -e CONFIG_TTY -e CONFIG_64BIT -e CONFIG_PRINTK
make -j `nproc`
qemu-system-x86_64 -kernel arch/x86/boot/bzImage

#note

#Virtualization adds enough complexity to make the evaluation of threat scenarios more "closed box", whereas with SGX you have a better overall picture of the points of leakage in-between the #secure and #insecure worlds. I mean #TDX even authenticates by using good old SGX.

Jarkko Sakkinen

I still think that #Intel #SGX has some advantages over #SEV and #TDX. Its #security model is easier to understand and is always per page granularity. For anything ultra-secure I would not have a hard time to pick the right option.

@dvdmonster The specific application I'm using it for I unfortunately cannot share. Since I'm still pretty unseasoned with FPGAs, the workflow is still in the seek position :-)


Jarkko Sakkinen

Edited 2 years ago

Now it is possible to emulate both TPM1 and TPM2 with TIS and CRB interfaces:

commit 993b0e9dceebc11e38b3156069b7e4fa5cf20abc (HEAD -> linux-6.5.y, origin/linux-6.5.y)
Author: Jarkko Sakkinen <jarkko.sakkinen@iki.fi>
Date:   Sun Aug 20 15:15:23 2023 +0000

    configs/qemu_x86_64: add --tpm-crb and --tpm1 to start-qemu.sh

    Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@iki.fi>

Jarkko Sakkinen

Two common #GNU #make patterns I tend to use often with #Buildroot:

  1. time ( make &> build.txt; )
  2. time ( make 2>&1 | tee build.txt; )

#note


@mjg59 @wamserma Not sure if this is what you are aiming for, but Intel SGX records all page updates to the mrenclave field residing in the SGX Enclave Control Structure (SECS) of an enclave.
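
How that measurement accumulates, as an added example that is not part of the original post and not Intel's or the kernel's code: a software model that extends a SHA-256 with the 64-byte ECREATE, EADD and EEXTEND records described in the Intel SDM. The function names and the two sample pages are constructed for illustration; the last two variants show that a page added without EEXTEND has its offset and flags measured but not its content.

```python
import hashlib
import struct

PAGE = 0x1000
# SECINFO flag bits: read, write, execute; 0x200 is page type PT_REG
R, W, X, PT_REG = 0x1, 0x2, 0x4, 0x200

def mrenclave(pages, ssaframesize=1):
    """Model of the measurement; pages = [(offset, flags, content, measured)]."""
    size = PAGE
    while size < max(off for off, *_ in pages) + PAGE:
        size <<= 1  # enclave size must be a power of two
    h = hashlib.sha256()
    # ECREATE record: tag, SSAFRAMESIZE, SIZE, 44 reserved bytes (64 in total)
    h.update(struct.pack("<8sIQ44x", b"ECREATE\0", ssaframesize, size))
    for off, flags, content, measured in pages:
        assert off % PAGE == 0 and len(content) == PAGE
        # EADD record: tag, page offset, SECINFO flags, 40 reserved bytes
        h.update(struct.pack("<8sQQ40x", b"EADD\0\0\0\0", off, flags))
        if not measured:
            continue  # no EEXTEND: offset and flags are measured, content is not
        for chunk in range(0, PAGE, 256):
            # EEXTEND record: tag, chunk offset, 48 reserved bytes, then the data
            h.update(struct.pack("<8sQ48x", b"EEXTEND\0", off + chunk))
            h.update(content[chunk:chunk + 256])
    return h.hexdigest()

def demo():
    """Constructed two-page enclave (code + data) and variations of it."""
    code, data = b"\x90" * PAGE, bytes(PAGE)
    def build(code=code, code_flags=PT_REG | R | X, data=data, data_measured=True):
        return mrenclave([(0x0000, code_flags, code, True),
                          (0x1000, PT_REG | R | W, data, data_measured)])
    patched = code[:0x7FF] + b"\xcc" + code[0x800:]  # single byte differs
    return {
        "baseline": build(),
        "one code byte changed": build(code=patched),
        "code page made writable": build(code_flags=PT_REG | R | W | X),
        "unmeasured data A": build(data_measured=False),
        "unmeasured data B": build(data=b"\x01" * PAGE, data_measured=False),
    }

if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"{name:26} {digest}")
```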


Jarkko Sakkinen

Edited 2 years ago

See also new options added to start-qemu.sh.


Jarkko Sakkinen

Edited 2 years ago

There is a 6.x.y branch for each kernel version for each kernel release, which I won’t rebase after its creation (e.g. #Github style requests are semantically possible to such a branch). For 6.5.y only qemu_x86_64_defconfig target is supported but I might add new targets in future. Testing is also now limited to kselftest, which I might expand in the future (as time allows). Pull requests are of course welcome for improvements.


Jarkko Sakkinen

I created a #Buildroot environment that I’ve started to use for #Linux #kernel #testing, targeted to my kernel tree.
