Posts
4825Following
321Followers
488OpenPGP: 3AB05486C7752FE1
Jarkko Sakkinen
jarkko
LUKS2 and distributions starting to support it motivated me to rewrite the buffering code last Spring because that was my main turn-down in the original patch set, and then James took over and cleaned up the functionality and I reviewed it for few rounds until it was good enough.
With this and TPM2 sealed hard drive encryption there is a somewhat reasonable security model without having to type encryption password to a bootloader prompt (which is tedious). I.e. login and go.
A rare case of security feature also increasing user experience.
#linux #kernel #tpm #luks2
0
0
5
Jarkko Sakkinen
jarkkoMy first trial to split pull request to TPM, trusted keys, keyring parts: all three pull requests taken by pr-tracker-bot :—–O
One more left for asymmetric keys. Cannot believe this, I always screw up with this dance at least first time :-) Really made my Monday!
0
0
1
Jarkko Sakkinen
jarkko
1
0
0
repeated
1
0
1
repeated
Harry Sintonen
harrysintonen@infosec.exchangeThe City of #Helsinki Education Division #databreach has upto 120000 victims: "the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division."
The attacker also gained access to confidential or sensitive records stored on a network share. The beach occurred due to unpatched known vulnerability getting exploited to gain unauthorized access. https://www.hel.fi/en/news/investigation-into-helsinki-education-division-data-breach-proceeds https://www.hel.fi/en/decision-making/data-breach #infosec #cybersecurity
0
1
1
1
0
1
1
0
0
Jarkko Sakkinen
jarkko
1
0
1
Jarkko Sakkinen
jarkkoIn Signal, SGX *does not* help the user to secure contact delivery. You have to *believe* that signal.org is trustworthy plain and simple.
In Signal, SGX does only help signal.org to secure contact delivery from 3rd party adversaries.
The marketing has been somewhat misleading with this for number of years although there has not been any actual lies. They are actually claiming only the 2nd clause but at the same time claiming that it would improve users privacy.
Users privacy can be objectively said to be improved only if one can test and measure that this is really the case. Otherwise it is up to you to believe that signal.org is doing the right thing, and not e.g. just emulate the associated opcodes.
I personally believe that they are doing the (morally) right thing, and using legit SGX, but I would feel more convinced if they would also provide hard evidence on the topic, i.e. certificate delivery and verification in the app using Intel's CA.
#signal #sgx #infosec @signalapp
1
5
2
Jarkko Sakkinen
jarkkoA smoke test for trusted keys: https://gitlab.com/jarkkojs/linux-tpmdd-test/-/commit/b737d6ca4f45fa171e623f8e1038801edf17c323
Running:
cmake -Bbuild && make -Cbuild buildroot-prepare
pushd build/buildroot/build
make
images/run-tests.sh
Runs successfully at least with my master, containing the HMAC encryption patches.
Failing in in-progress asymmetric key branch so had to extend the test to cover trusted keys (vs. writing commands manually):
https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/?h=tpm2_key
0
0
0
Depending on response I'll take that patch from him or refactor it myself.
0
0
0