Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1

Jarkko Sakkinen

My new CI environment for TPM, ARM TEE (TrustZone/SMC) and Linux keyring. Made itself useful within 5 minutes after power on: https://lore.kernel.org/linux-integrity/CX342W32D30U.330BVFC336MA8@kernel.org/T/#t.

Environment: https://github.com/jarkkojs/buildroot-tpmdd/tree/linux-6.6.y

Jarkko Sakkinen

Fix sudo in #OpenSUSE #Tumbleweed:

$ sudo cat /etc/polkit-1/rules.d/60-local.rules
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_SELF_KEEP;
    }
});
$ sudo systemctl restart polkit.service

I.e. when root login has been disabled earlier with:

# passwd -d root
# passwd -l root

#note


Jarkko Sakkinen

Edited 1 year ago
For zmodem, built-in transmit workflows allow a much less involved experience when a single program has control of the serial port traffic... easier to prevent trashing the session transcript and to implement canceling of the file transfer.

I was also thinking that it would be nice to have a line input/editor mode (perhaps for larger quantities of text) later on. I guess the point is to make a more reliable and robust console when logging into a home router, FPGA board, SBC etc., and not to make a feature-wise general purpose tool.

Jarkko Sakkinen

Edited 1 year ago

This feels like a glitch but works:

use crossterm::terminal; // assumed: terminal::disable_raw_mode() is crossterm's

// Owns the terminal's raw mode for the lifetime of main(): whatever the exit
// path, dropping it puts the terminal back into cooked mode.
struct Main;

impl Drop for Main {
    fn drop(&mut self) {
        eprintln!("end\n");
        terminal::disable_raw_mode().expect("terminal::disable_raw_mode()");
    }
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let _main = Main;
    // ... the rest of the program runs here, with _main alive until return ...
    Ok(())
}

I wonder if there is a leaner pattern. This is a pretty good Rust exercise/refresher project, as you have input handling, command-line arguments, streaming, interactive I/O and file transfer later on. All the basics of most system software. And nothing too fancy, so that the project does not blow up out of proportion. #rustlang

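As an added example (not code from the post or from the tior project), a Rust RAII guard for terminal raw mode. It replaces crossterm's enable_raw_mode/disable_raw_mode with a constructed thread-local flag so it runs offline; the input bytes and the Ctrl-C convention are constructed too. The point it shows is that a guard bound to a local restores the terminal on a normal return, on an early `?` error and on a panic, and that it must be bound to a named `_guard`, not `_`, or it drops immediately.

```rust
use std::cell::Cell;
use std::io;

thread_local! {
    // Constructed stand-in for the terminal's raw-mode flag. A real program
    // would call crossterm::terminal::enable_raw_mode/disable_raw_mode instead.
    static RAW_MODE: Cell<bool> = Cell::new(false);
}

pub fn is_raw_mode() -> bool {
    RAW_MODE.with(|m| m.get())
}

fn set_raw_mode(on: bool) -> io::Result<()> {
    RAW_MODE.with(|m| m.set(on));
    Ok(())
}

/// RAII guard: constructing it enters raw mode, dropping it leaves raw mode.
/// Tying the terminal state to a scope means every exit path (return, `?`,
/// panic unwinding) restores the terminal without per-path cleanup code.
pub struct RawModeGuard {
    _private: (),
}

impl RawModeGuard {
    pub fn enable() -> io::Result<Self> {
        set_raw_mode(true)?;
        Ok(RawModeGuard { _private: () })
    }
}

impl Drop for RawModeGuard {
    fn drop(&mut self) {
        // Errors cannot propagate out of drop; report instead of unwrapping so
        // a failure here never turns an unwinding panic into an abort.
        if let Err(e) = set_raw_mode(false) {
            eprintln!("failed to restore terminal: {e}");
        }
    }
}

/// Simulated interactive session over a constructed input buffer: counts the
/// bytes it would echo and bails out through the error path on Ctrl-C (0x03).
pub fn run_session(input: &[u8]) -> io::Result<usize> {
    // Must be `_guard`, not `_`: `let _ = ...` drops the guard at once and the
    // terminal would leave raw mode before the session even starts.
    let _guard = RawModeGuard::enable()?;
    let mut echoed = 0;
    for &b in input {
        if b == 0x03 {
            return Err(io::Error::new(io::ErrorKind::Interrupted, "Ctrl-C"));
        }
        echoed += 1;
    }
    Ok(echoed)
}

/// Session that hits a bug while in raw mode; the guard still unwinds cleanly.
pub fn session_that_panics() {
    let _guard = RawModeGuard::enable().expect("enable raw mode");
    panic!("simulated bug while in raw mode");
}

fn main() {
    match run_session(b"hello") {
        Ok(n) => println!("echoed {n} bytes"),
        Err(e) => println!("session ended early: {e}"),
    }
    println!("raw mode after session: {}", is_raw_mode());
    let _ = std::panic::catch_unwind(session_that_panics);
    println!("raw mode after panic: {}", is_raw_mode());
}
```

The guard returned from `enable()` is the whole API: there is no separate disable call to forget, and a struct that has to hold the guard (a session object, say) simply stores it as a field and inherits the same cleanup.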

Jarkko Sakkinen

Edited 1 year ago

Serial TTY sessions are working now. The next stop is #zmodem:

 target/debug/tior
Connect to serial port

Usage: tior [OPTIONS] <COMMAND>

Commands:
  open  Open TTY
  list  List available devices
  help  Print this message or the help of the given subcommand(s)

Options:
  -s, --speed <SPEED>                Line speed [default: 115200]
  -d, --data-bits <DATA_BITS>        Line data bits [default: 8]
  -f, --flow-control <FLOW_CONTROL>  Flow control [default: none] [possible values: none, software, hardware]
  -p, --parity <PARITY>              Parity [default: none] [possible values: none, odd, even]
  -h, --help                         Print help
  -V, --version                      Print version

The binary is about 5.8 MiB after the strip, not too bad.


This also shows that the Rust main site maintainers have really thought about the integrity here, so that it is easy for the user and fairly secure. There's a reason why --proto '=https' --tlsv1.2 is there, unlike in many other projects. It gives guarantees.


Jarkko Sakkinen

Edited 1 year ago

Very cool, started yesterday and I can already talk to my #FPGA :-)

sudo target/debug/tior open /dev/ttyUSB0
Hello World!
init SPI
status: 0x0000000000000025
status: 0x0000000000000025
SPI initialized!
initializing SD...
SD command cmd0 	response : 01
SD command cmd55 	response : 01
SD command cmd41 	response : 01
SD command cmd55 	response : 01
SD command cmd41 	response : 01
SD command cmd55 	response : 01
SD command cmd41 	response : 01
SD command cmd55 	response : 01
SD command cmd41 	response : 01
SD command cmd55 	response : 01
SD command cmd41 	response : 01
SD command cmd55 	response : 01

Most of the time went to learning #clap, #serde and #tokio.


Jarkko Sakkinen

In #OpenSUSE, the package name you want to install is systemd-devel, not libudev-devel 🙂 #udev #linux


Jarkko Sakkinen

Edited 1 year ago

Installing #rustup:

alias rustup="curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s --"

E.g.

rustup --no-modify-path

Just thought it would be good to write this up, since I see some distributions packaging rustup, which makes no sense (for #rustc and #cargo it does, for obvious reasons).

It is also totally safe to run rustup this way, kudos to the amazing #TLS 1.2.

#rustlang

@timojyrinki Not that I always like what they do, but on average it is one problem away from life when you can live with the defaults dictated to you :---)

Jarkko Sakkinen

Edited 1 year ago
@timojyrinki I just always use de facto GNOME, however they feel like packaging it. The only savvy thing is probably using #alacritty instead of the default terminal (whatever it is called these days), because tabs are extra clutter when you have a #tmux session.

And right, because the alacritty configuration is just a single file, i.e. easy to store in git with the rest of the dotfiles, and having the terminal configured correctly whenever needed is pretty essential...
@vbabka I guess so too. I do not need much else than up-to-date packages, and the QA is probably on average best within rolling release distributions, so it is a pretty objective choice tbh :-)

Jarkko Sakkinen

Edited 1 year ago
@timojyrinki I just need the latest versions of git, nvim etc. and a stable desktop. That is the main reason for switching from Debian. Especially, I've been frustrated with downloading the nvim binary from GitHub all the time, since the nvim version is stuck at 0.7.something. I hate configuring my desktop, and that is already way too much overhead :-) Other than the latest packages, it is all the same to me what distro it is tbh.

I mean, all tuning energy is already overconsumed by work, so unnecessary extras just for the joy of it are not my thing. I even gave my NVIDIA RTX card to my daughter so that she can play some new Harry Potter game, and bought an Arc A770, because Intel GPUs usually have better chances of working out-of-the-box (even though it is getting better for NVIDIA, I think this is still a good bet).

Jarkko Sakkinen

Installing #OpenSUSE #Tumbleweed on my desktop. Seems like a good sweet spot, having the latest packages and professional QA for a workstation.
@vbabka Funny, given that I've upstreamed the first "coco" thing in the kernel :-) Looks like a list that I should be on.
@vbabka OK, totally new list to me, perhaps I'll subscribe to it.
@vbabka I put a comment on the YouTube video :-)
@vbabka The reason I'm contacting you is that for a new implementation the best approach would be to make the state of the TPM parametrized, instead of holding it inside the implementation.

So the use case would be e.g. SGX enclave:

1. Pass a state blob from the untrusted OS, together with the TPM command, to the enclave.
2. Enclave processes the TPM command, encrypts the state blob and returns it back to the caller.

Global state in the current implementations is IMHO the biggest problem, so it would be a loss to get yet another implementation with it. A stateless software TPM would be sort of universal across various TEEs.
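The round trip described in the two steps above, as an added example in Rust (not code from the thread or from any existing software TPM). The commands, the state (a single counter) and the sealing are all constructed stand-ins: `Sealer` uses an xorshift keystream and an FNV-1a tag purely as a placeholder for an AEAD under a key only the enclave holds, and is not secure. The part worth noticing beyond the post is `last_gen`: confidentiality and integrity of the blob alone do not stop the untrusted OS from handing back an older, validly sealed blob, so the enclave still needs one monotonic freshness reference (assumed here to live in its own trusted storage) to reject rollback.

```rust
/// Everything the software TPM needs between two commands. Passing it in and
/// out, sealed, instead of keeping it in a global is the parametrized design.
#[derive(Clone, Debug, PartialEq)]
pub struct TpmState {
    pub generation: u64, // bumped on every command; doubles as the sealing nonce
    pub counter: u64,    // constructed stand-in for real TPM state (an NV counter)
}

#[derive(Clone, Copy, Debug)]
pub enum Command { Read, Increment }

#[derive(Debug, PartialEq)]
pub enum Response { Value(u64) }

#[derive(Debug, PartialEq)]
pub enum TpmError { Malformed, BadTag, Stale }

/// Pure transition function: no globals, so any TEE can host it.
pub fn execute(state: TpmState, cmd: Command) -> (Response, TpmState) {
    let mut next = state;
    let resp = match cmd {
        Command::Read => Response::Value(next.counter),
        Command::Increment => { next.counter += 1; Response::Value(next.counter) }
    };
    next.generation += 1;
    (resp, next)
}

/// PLACEHOLDER sealing, not cryptographically secure: an xorshift keystream
/// plus an FNV-1a tag stand in for an AEAD keyed by the enclave.
pub struct Sealer { key: u64 }

fn xorshift(mut x: u64) -> u64 { x ^= x << 13; x ^= x >> 7; x ^= x << 17; x }

fn fnv1a(data: &[u8]) -> u64 {
    data.iter().fold(0xcbf29ce484222325u64, |h, &b| (h ^ b as u64).wrapping_mul(0x100000001b3))
}

fn le_u64(b: &[u8]) -> u64 {
    let mut a = [0u8; 8];
    a.copy_from_slice(&b[..8]);
    u64::from_le_bytes(a)
}

impl Sealer {
    pub fn new(key: u64) -> Self { Sealer { key } }

    fn keystream(&self, nonce: u64, len: usize) -> Vec<u8> {
        let mut x = self.key ^ nonce ^ 0x9e3779b97f4a7c15; // keep the seed nonzero
        let mut out = Vec::with_capacity(len + 8);
        while out.len() < len {
            x = xorshift(x);
            out.extend_from_slice(&x.to_le_bytes());
        }
        out.truncate(len);
        out
    }

    fn tag(&self, body: &[u8]) -> [u8; 8] {
        let mut keyed = self.key.to_le_bytes().to_vec();
        keyed.extend_from_slice(body);
        fnv1a(&keyed).to_le_bytes()
    }

    /// blob = nonce(8) || ciphertext(16) || tag(8); the nonce is never reused
    /// because every command bumps the generation before resealing.
    pub fn seal(&self, st: &TpmState) -> Vec<u8> {
        let mut pt = st.generation.to_le_bytes().to_vec();
        pt.extend_from_slice(&st.counter.to_le_bytes());
        let ks = self.keystream(st.generation, pt.len());
        let mut blob = st.generation.to_le_bytes().to_vec();
        blob.extend(pt.iter().zip(ks).map(|(p, k)| p ^ k));
        let tag = self.tag(&blob);
        blob.extend_from_slice(&tag);
        blob
    }

    pub fn open(&self, blob: &[u8]) -> Result<TpmState, TpmError> {
        if blob.len() != 32 { return Err(TpmError::Malformed); }
        let (body, tag) = blob.split_at(24);
        if self.tag(body).as_slice() != tag { return Err(TpmError::BadTag); }
        let ks = self.keystream(le_u64(body), 16);
        let pt: Vec<u8> = body[8..].iter().zip(ks).map(|(c, k)| c ^ k).collect();
        Ok(TpmState { generation: le_u64(&pt), counter: le_u64(&pt[8..]) })
    }
}

/// Enclave entry point: unseal, reject stale blobs, execute, reseal.
/// `last_gen` models the one thing that cannot be handed to the caller: a
/// monotonic freshness reference (assumed to live in enclave-trusted storage).
pub fn enclave_call(sealer: &Sealer, last_gen: &mut u64, blob: &[u8], cmd: Command)
    -> Result<(Response, Vec<u8>), TpmError> {
    let state = sealer.open(blob)?;
    if state.generation < *last_gen { return Err(TpmError::Stale); }
    let (resp, next) = execute(state, cmd);
    *last_gen = next.generation;
    Ok((resp, sealer.seal(&next)))
}

fn main() {
    let sealer = Sealer::new(0x1234_5678_9abc_def0);
    let mut last_gen = 0;
    let mut blob = sealer.seal(&TpmState { generation: 0, counter: 0 });
    for cmd in [Command::Increment, Command::Increment, Command::Read] {
        let (resp, next) = enclave_call(&sealer, &mut last_gen, &blob, cmd).expect("enclave call");
        println!("{cmd:?} -> {resp:?}, blob {} bytes", next.len());
        blob = next;
    }
}
```

`execute` is the only TPM-specific piece and takes everything it needs as arguments; swapping the placeholder `Sealer` for a real AEAD bound to the enclave's sealing key is what turns the sketch into the SGX use case from the post.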
@vbabka Very much indeed! Might even consider contacting the presenter. Thank you.

Rust makes no magic here, but usually people who get into Rust tend to be enthusiastic about code in the first place. Both the Microsoft and IBM TPM are crap code, at least by my standards. It does not take long to browse either's repository and realize this. And yeah, for new user space code I think Rust is the best available choice, so it is better than starting from zero with C/C++.
I think it is the strongest competitor so far for the Access Virus, and the plugin side is better implemented, as it can run independently without requiring the hardware. Still, for some sounds the hardware adds a bit extra with a real analog filter, so I would probably bounce stuff to audio through the hardware.