Posts
4983
Following
329
Followers
494
Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1

Jarkko Sakkinen

Edited 2 years ago

A generic flashing and verification script draft (will be edited over time):

#!/usr/bin/env bash
#
# Authors:
# Jarkko Sakkinen <jarkko.sakkinen@tuni.fi>

set -euo pipefail

if [ $# -ne 2 ]; then
    echo "$(basename "$0") <payload> <block device>"
    exit 1
fi

if [ ! -b "$2" ]; then
    echo "Invalid block device: $2"
    exit 1
fi

PAYLOAD=$(realpath "$1")
SIZE=$(wc -c < "$PAYLOAD")
# Sectors needed for the payload, rounding a partial final sector up.
COUNT=$(( (SIZE + 511) / 512 ))
START="2048"
# One sector of slack after the payload.
END="$((START + COUNT))"

parted --script "$2" mklabel gpt
parted --script "$2" mkpart primary fat32 "${START}s" "${END}s"
# Have the kernel re-read the partition table before the new node is used.
partprobe "$2"

# mmcblk*/nvme* style devices insert a 'p' before the partition number.
case "$2" in
    *[0-9]) PARTITION="${2}p1" ;;
    *)      PARTITION="${2}1" ;;
esac
if [ ! -b "$PARTITION" ]; then
  echo "Invalid partition"
  exit 1
fi

echo "Payload: $PAYLOAD"
echo "Partition: $PARTITION"

# count= limits both the write and the verification reads to the payload's
# sectors; conv=sync zero-pads the payload's last sector so both checksums
# cover exactly COUNT*512 bytes.
DD_OPTIONS="count=$COUNT bs=512 status=progress conv=sync"

dd if="$PAYLOAD" of="$PARTITION" $DD_OPTIONS
sync

echo "Payload MD5: $(dd if="$PAYLOAD" $DD_OPTIONS 2> /dev/null | md5sum)"
echo "Partition MD5: $(dd if="$PARTITION" $DD_OPTIONS 2> /dev/null | md5sum)"

#flashing #firmware #image #riscv #CVA6 #Keystone #EFI #note

1
1
3
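As an added example (not the original script above), here is the sector arithmetic and the payload-versus-partition checksum comparison split into functions that can be exercised on ordinary files. sectors_for_bytes rounds a byte count up to whole 512-byte sectors, and padded_sha256 checksums exactly that many sectors from either side with conv=sync padding, so the comparison holds whether or not the payload size is a multiple of 512. All function names are my own.

```shell
#!/usr/bin/env bash
# Added example: sector arithmetic and a padded checksum comparison for a
# flashed image, written so it can be exercised on regular files.

# ceil(bytes / 512): number of 512-byte sectors needed to hold the payload.
sectors_for_bytes() {
    local bytes=$1
    echo $(( (bytes + 511) / 512 ))
}

# Last sector (inclusive) of a partition that starts at START, holds COUNT
# sectors of payload and keeps one sector of slack, as in the script above.
end_sector() {
    local start=$1 count=$2
    echo $(( start + count ))
}

# SHA-256 of the first COUNT 512-byte sectors of a file or device. conv=sync
# zero-pads a short final block, so a file and a larger device compare equal.
padded_sha256() {
    local path=$1 count=$2
    dd if="$path" bs=512 count="$count" conv=sync 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Returns 0 when the target's first sectors match the padded payload, 1 otherwise.
verify_flash() {
    local payload=$1 target=$2
    local size count
    size=$(wc -c < "$payload")
    count=$(sectors_for_bytes "$size")
    [ "$(padded_sha256 "$payload" "$count")" = "$(padded_sha256 "$target" "$count")" ]
}
```

The same padding must be applied when writing: flashing with `dd bs=512 conv=sync` leaves zeros in the tail of the payload's last sector, which is what padded_sha256 expects to read back. A real device can be passed as the target of verify_flash unchanged.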
@linjaaho I have to say that I also have zero tolerance in the sense that I don't laugh along with misogynistic or racist jokes, but change company instead :-) I believe that kind of screenshot war rather carries racist messages further, because on social media even negative publicity is publicity.
0
0
0

Jarkko Sakkinen

Edited 2 years ago

Something that has probably existed forever but I just learned. You can pass status=progress to dd, and it will show progress. #note

0
0
0
@linjaaho Perhaps an unpopular opinion, but in my view not every toxic joke should be dealt with; one should only turn one's back on it. It should be dealt with only when it causes a real threat to a person or to society. Zero tolerance has perhaps gone a bit overboard, or it has been taken a bit too literally and with blinders on.
1
0
0

Jarkko Sakkinen

Would be nice if you could at least simulate #keystone with widely available SBCs, even with insecure #attestation (or no attestation at all). #riscv #opensbi #sanctum.

https://github.com/keystone-enclave/keystone/issues/339
0
0
0
@linjaaho yeah, and even fairly liberal folks can come out with all kinds of senseless jokes in WhatsApp messages when blind drunk.
1
1
1

Jarkko Sakkinen

Edited 2 years ago

From now on you are required to scp -O to your router instead of scp with no flags whatsoever. #openwrt

0
0
0

Jarkko Sakkinen

I love the new #feature in #openssh, which breaks backwards #compatibility with e.g. #dropbear with the default options: https://www.openssh.com/txt/release-9.0 #ssh
1
0
0

Jarkko Sakkinen

Edited 2 years ago

OK cool:

$ sudo apt dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# You can verify the status of security fixes using the `pro fix` command.
# E.g., a recent Ruby vulnerability can be checked with: `pro fix USN-6219-1`
# For more detail see: https://ubuntu.com/security/notices/USN-6219-1
#
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

$ pro fix
usage: pro fix <CVE-yyyy-nnnn+>|<USN-nnnn-d+> [flags]
the following arguments are required: security_issue

#ubuntu #cve #security #note

0
0
0

Jarkko Sakkinen

Edited 2 years ago

An example of creating a minimal #Linux #kernel config that boots and prints output to the console:

make tinyconfig
./scripts/config -e CONFIG_MULTIUSER -e CONFIG_TTY -e CONFIG_64BIT -e CONFIG_PRINTK
make -j `nproc`
qemu-system-x86_64 -kernel arch/x86/boot/bzImage

#note

0
3
3
#Virtualization adds enough complexity to make the evaluation of threat scenarios more "closed box", whereas with SGX you have a better overall picture of the points of leakage in-between the #secure and #insecure worlds. I mean #TDX even authenticates by using good old SGX.
0
0
0

Jarkko Sakkinen

I still think that #Intel #SGX has some advantages over #SEV and #TDX. Its #security model is easier to understand and is always per page granularity. For anything ultra-secure I would not have a hard time picking the right option.
1
1
0
@dvdmonster The specific application I'm using it for I unfortunately cannot share. Since I'm still pretty unseasoned with FPGAs, the workflow is still in the seek position :-)
0
0
0

Jarkko Sakkinen

0
0
1

Jarkko Sakkinen

Edited 2 years ago

Now it is possible to emulate both TPM1 and TPM2 with TIS and CRB interfaces:

commit 993b0e9dceebc11e38b3156069b7e4fa5cf20abc (HEAD -> linux-6.5.y, origin/linux-6.5.y)
Author: Jarkko Sakkinen <jarkko.sakkinen@iki.fi>
Date:   Sun Aug 20 15:15:23 2023 +0000

    configs/qemu_x86_64: add --tpm-crb and --tpm1 to start-qemu.sh

    Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@iki.fi>
0
0
0

Jarkko Sakkinen

Two common #GNU #make patterns I tend to use often with #Buildroot:

  1. time ( make &> build.txt; )
  2. time ( make 2>&1 | tee build.txt; )

#note

0
1
4
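An added example, not from the original post: a small wrapper around the second pattern. `make 2>&1 | tee build.txt` reports tee's exit status, not make's, so a failed build looks successful to `set -e` or to a CI step; the wrapper below records the command's own status through a temporary file so the log is still captured and the real status is returned. It is plain POSIX shell (note that `&>` in the first pattern is a bash extension; under /bin/sh it backgrounds the command). The function names are my own.

```shell
#!/usr/bin/env bash
# Added example: capture a build log with tee while preserving the
# command's exit status.

# log_run LOGFILE CMD...: run CMD with stdout and stderr merged into LOGFILE,
# echo the output as it arrives, and return CMD's exit status rather than tee's.
log_run() {
    logfile=$1; shift
    statusfile=$(mktemp)
    # The && / || list keeps errexit from aborting the subshell before the
    # status is written.
    { "$@" 2>&1 && rc=0 || rc=$?; echo "$rc" > "$statusfile"; } | tee "$logfile"
    rc=$(cat "$statusfile")
    rm -f "$statusfile"
    return "$rc"
}

# naive_run LOGFILE CMD...: the bare pipeline, shown for comparison. Its exit
# status is tee's, so a failing CMD still returns 0.
naive_run() {
    logfile=$1; shift
    "$@" 2>&1 | tee "$logfile"
}
```

Usage matches the post's pattern: `time ( log_run build.txt make )`. In bash, `set -o pipefail` or `${PIPESTATUS[0]}` achieves the same without the temporary file.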

@mjg59 @wamserma Not sure if this is what you are aiming for, but Intel SGX records all page updates to the mrenclave field residing in the SGX Enclave Control Structure (SECS) of an enclave.

0
0
0