Posts
4591
Following
317
Followers
476
Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1
@liw would be interesting to know how gitoxide performs the same task :-)
2
0
0

Jarkko Sakkinen

Edited 1 year ago
@monsieuricon BTW, I must have been doing something wrong at the time but I recall sending my public key for wot and https://www.kernel.org/doc/wot/ does not have it. still i've used signed tags as long as I can remember to past.

I recall that I have required amount of blessings for my key (need to sanity check). I guess I need to re-submit the public key, right?
1
0
0

Jarkko Sakkinen

Edited 1 year ago
@krzk This is true :-) [earlier response that i deleted was for a different person and different discussion]
0
0
0
@duxsco hey i'll check this out thanks! could be useful
0
0
0

@monsieuricon so is there some difference compared to:

gpg --output "$USER-public.pgp" --armor --export $USER
gpg --output "$USER-private.pgp" --armor --export-secret-key $USER
gpg --export-ownertrust > "$USER-ownertrust.pgp"

Not trying to argue against just trying to understand what I’m reading :-)

1
0
0

Jarkko Sakkinen

Edited 1 year ago
@duxsco Then you probably can use your own judgement but we are talking about best practices for kernel maintainers and I have hard time to see how dumping ~/.gnupg to a tar would be such.

If you want to back up public keys it is better idea similarly just export them to a separate file (and also ownertrust has an export command).

For Linux the only thing that matters is that the private master key is never stolen and that should be the only single focus of the instructions.
0
0
0

Jarkko Sakkinen

I think that the single biggest security flaw with Intel TDX and AMD SEV-SNP is the lack of spread who can test the features.

E.g. I still test new SGX features with NUC7. It is the latest and greatest in the area for open source community use.

Features like TDX and SNP are by practical means proprietary and closed features with an open source license. They do not drive any major open source projects because they are completely out of reach for the most.

I think this a real shame. E.g. I could find a lot of use for running local daemons sealed with such extra layer of protection.
0
0
1
@duxsco The factorized 16x durability increase should be quite true given how wear-leveling algorithms work on memory technology devices. I.e. they should be expected to end up to the slots in NAND storage which are spread nicely and to least used locations.
0
0
0

Jarkko Sakkinen

Edited 1 year ago
I think worst possible question for a job interview I could imagine would be "explain configfs, debugfs, securityfs, procfs, tracefs and sysfs categorizing their roles and differences".

I would not pass.

#linux #kernel
3
1
4

Jarkko Sakkinen

Edited 1 year ago

@duxsco My “alternative” approach to the one proposed in the guide (I quite strictly follow it otherwise) has a measurable benefit: it is more durable given the 16 spare copies of the secret material.

I’ve been even thinking to send a patch to kernel-pgp-guide.txt and that was sort of grounds to make this post. I think that just packing ~/.gnupg is somewhat dirty approach…

I’d like to also point out that this approach also mirrors on how paperkey use is instructed, so it is not asymmetrical. IMHO, processes should have only asymmetry if you have some very well rationalized explicit reason to do that when it comes privacy and security.

1
0
0
@duxsco If I really wanted to backup ownertrust I can e.g. make a mastodon post with the contents :-) it does not contain any secret material. We are talking here about backing up material that can neither be lost nor shared.
1
0
0

Jarkko Sakkinen

Edited 1 year ago

@duxsco I can pull public keys from keyserver and ownertrust is neither something that cannot be re-created.

Public key restore:

gpg --recv-keys 5107E66D34788A93E3227C903AB05486C7752FE1
1
0
0
not 16 USB sticks, only couple but both have 16 spare copies of the same secret key. and i also have the doomsday printed backup :-)
0
0
0

Jarkko Sakkinen

Edited 1 year ago

In Linux kernel maintainer PGP guide I don’t understand the section “Back up your whole GnuPG directory”, and it is also asymmetric with the section discussing paperkey.

AFAIK, this should be sufficient:

gpg --output "priv_0.pgp" --armor --export-secret-key

I do 16 of these and then copy those to an USB stick (i.e. one for each hex digit).

#linux #kernel #pgp

2
0
0

Jarkko Sakkinen

Now that I understand how Ubuntu TPM2 boots looking into OpenSUSE systemd boot version:

- https://news.opensuse.org/2023/12/20/systemd-fde/
- https://www.youtube.com/watch?v=drgo6pvn5hI

I'll check also Fedora albeit I'd guess it is like OpenSUSE (follow cross-distribution standard ways) and unlike Ubuntu (ignoring the common good).
0
1
2

Jarkko Sakkinen

Edited 1 year ago
0
1
0

Jarkko Sakkinen

these have been best #headphone's ive had so far both for #music (listening and producing) and #teams etc meetings. and fully repairable and from recyclable plastic: https://aiaiai.audio/headphones/tma-2-studio-wireless-plus
0
0
1

Jarkko Sakkinen

two copies of me, i like to use different color smiley for each, and name them in web services as "yellow key" etc. :-) #yubikey #openpgp #fido2
0
1
6

Jarkko Sakkinen

Edited 1 year ago
When I backup #OpenPGP private master key to USB stick I tend to do priv_0.gpg, priv_1.gpg up to priv_f.gpg. They are identical but little bit of redundancy should bit more durability. I.e. hex amount of spare copies.
0
0
0

Jarkko Sakkinen

execmem patches v7 providing initial pieces of framework for allocating trampoline executable memory for tracing tools, and kprobes implementation for RISC-V: https://lore.kernel.org/linux-riscv/20240326134616.7691-1-jarkko@kernel.org/T/#t

#tracing #kprobes #linux #kernel
0
1
2
Show older