Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1
Always lurking in the corner and making guest appearances every now and then but never gone, and in every possible context.

Jarkko Sakkinen

If I ever had a tattoo, it would probably say: "x.509". It already feels like one 🤷 #x509

Thorsten Leemhuis (acct. 1/4)

The TPM bus encryption and integrity protection changes prepared by @jejb and @jarkko were merged for 6.10: https://git.kernel.org/torvalds/c/b19239143e393d4b52b3b9a17c7ac07138f2cfd4

"[…] The key pair on TPM side is generated from so called null random seed per power on of the machine [1]. This supports the TPM encryption of the hard drive by adding layer of protection against bus interposer attacks. […]"

[1] https://lore.kernel.org/linux-integrity/20240429202811.13643-1-James.Bottomley@HansenPartnership.com/


you first, asshole


Jarkko Sakkinen

In addition to @LWN subscription I renewed now my #Medium subscription :-)

I also order Computer Music through pocketmags.com, Helsingin Sanomat (digital version https://www.hs.fi/) and of course @skrollilehti.

I like to read good stuff, and am willing to pay for it I guess. I also generally prefer paid version of any web service rather than a free service because then there is less hidden gotchas involved.

Jarkko Sakkinen

Edited 1 year ago

I should publish this humble and not so exciting crate (stalled since Dec) and now I found the motivating factor. I make it compile with gccrs.

Maybe this will lead to contributions, who knows, or epic failure, but it should be interesting and exciting in all cases :-)

The stimulus obviously comes from GCC 14 release, which has the first experimental version of gccrs. And in my free time I do prefer GPL licensed code base for utilities and apps over MIT/Apache, so gccrs makes more sense for me than rustc in that sense (and not judging other viewpoints, it is my personal and subjective preference).

https://gitlab.com/jarkkojs/zmodem2

#gcc #rust #zmodem #gpl

@Foxboron @stepan I'll give it a shot in a VM and see how much I need to tweak since cryptenroll is there. Soonish.
@Foxboron @stepan TBH, nice to hear anyway that my knowledge of Arch Linux is deprecated :-) So that actually made this useful! Now I know.
@Foxboron @stepan Right, I somehow missed the cryptenroll part. Well, I don't use Arch Linux, it was an example, and this stuff is not universally enabled yet. So I was being more broad: before the v6.10 changes measured boot was wide open for online attacks, which is now fixed with bus encryption and integrity protection. I just use a stock OpenSUSE installation.

I'm neither sure how well this is enabled in arch-install, which I sometimes use for VMs, mainly for kernel testing. Manual configuration is a no-go because they are VMs that don't have a long lifetime. I use this route for kernel testing only if arch-install fulfills those needs. Does it BTW already take care of LUKS2?
@Foxboron @stepan Might come as a surprise but Ubuntu is doing their own incompatible thing with everyone else ;-)
@Foxboron @stepan With this measured boot stuff I'd wait maybe a while so that Fedora and OpenSUSE catch up and stabilize the integration. That should give a good overall reference model. And obviously weigh whether it makes "existential" sense for Arch Linux (I personally think it does, but not my call 🙂 ).

It is an orthogonal feature to secure boot, i.e. they do not fight with each other. You can have either or both enabled/disabled. All combinations should work. The obvious plus with measured boot is that it does not require *any* special keys. You can still have a recovery passphrase in LUKS2 if something goes terribly wrong, e.g. if in the kernel update process the policy hash is not correctly updated, and similar situations.

Jarkko Sakkinen

Edited 1 year ago
TPM2-measured boot with bus protection is pretty nice actually for Linux installations where secure boot is not enabled, like the default Arch Linux installation for instance.

For the sake of "defence in depth", I'd enable both if it is an out-of-the-box feature, but would probably not bother with secure boot if it requires extra work.

So, the takeaway from this is that it would make a lot of sense to make measured boot happen in the arch-install installation as an opt-in feature. No Microsoft key required.

Still, so far the most informative overview of the shenanigans is https://microos.opensuse.org/blog/2023-12-20-sdboot-fde/, but I'd also look for more recent references.

Policy hash calculation per kernel package update for LUKS2 is what needs to happen over time whenever a new kernel package is installed with hooks/scripts.

So the thing that was hyped to DRM the world into a locked down hellhole rendered out the Microsoft key hard binding instead 🤷

#tpm #linux #archlinux #opensuse #secureboot #security
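As an added illustration of the point above (this is not code from the post, the kernel or any distribution's enrollment tooling), the Python below models why the LUKS2 policy must be recomputed whenever a new kernel package is installed: the PCR into which the kernel is measured changes, so the TPM2_PolicyPCR digest that the LUKS2 token was sealed against no longer matches. The PCR assignments (7 for firmware state, 11 for the kernel image) and the measured event contents are assumptions chosen for the example; the PCR-extend rule, the TPML_PCR_SELECTION marshaling and the TPM2_PolicyPCR digest update follow the TPM 2.0 Library specification.

```python
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B          # TPM 2.0 algorithm id for SHA-256
TPM_CC_POLICY_PCR = 0x0000017F   # TPM2_PolicyPCR command code


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new PCR value = H(old PCR value || measured digest)."""
    return hashlib.sha256(pcr + digest).digest()


def predict_pcr(events: list[bytes]) -> bytes:
    """Replay an event log: PCRs 0..16 start at all zeros at power-on."""
    pcr = bytes(32)
    for event in events:
        pcr = pcr_extend(pcr, hashlib.sha256(event).digest())
    return pcr


def pcr_selection(indices: list[int]) -> bytes:
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank and a 3-byte bitmap."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcrs: dict[int, bytes]) -> bytes:
    """Policy digest after TPM2_PolicyPCR on a fresh policy session:
    H(zero policy || TPM_CC_PolicyPCR || pcrSelection || H(selected PCR values))."""
    indices = sorted(pcrs)
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in indices)).digest()
    update = struct.pack(">I", TPM_CC_POLICY_PCR) + pcr_selection(indices) + pcr_digest
    return hashlib.sha256(bytes(32) + update).digest()


def luks_policy_for_boot(firmware_events: list[bytes], kernel_events: list[bytes]) -> bytes:
    """Assumed layout: firmware/secure-boot state lands in PCR 7, the kernel image in PCR 11."""
    return policy_pcr_digest({7: predict_pcr(firmware_events), 11: predict_pcr(kernel_events)})


if __name__ == "__main__":
    # Constructed sample events; a real log carries the TCG event log entries.
    fw = [b"SecureBoot=0", b"db", b"dbx"]
    old = luks_policy_for_boot(fw, [b"vmlinuz-6.9 image bytes"])
    new = luks_policy_for_boot(fw, [b"vmlinuz-6.10 image bytes"])
    print("policy changed after kernel update:", old != new)  # the package hook must re-enroll
```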

Jarkko Sakkinen

Edited 1 year ago
@lindi2 @pid_eins After TPM2 asymmetric keys have landed we could conclude that the kernel side is in some sense "feature complete" as far as TPM2 is concerned.

There might be some additional stuff in EFI upcoming *possibly*. I'm thinking UKI here, but since I'm not that familiar with it, I don't have an exact picture of what it might possibly require from the kernel. But at least as far as runtime features are concerned, it is looking solid.

@lindi2 @pid_eins Good news, Linus pulled my PRs in queue: https://social.kernel.org/notice/AhrCE3Z7RqcBa1p1Hc. So the changes are now in the mainline.

For security research: HMAC pipe is for the kernel clients we do not want to layer /dev/tpm0. It can be done just as well in the user space (and should be when required).

I.e. right now for trusted keys, and soon'ish for asymmetric keys (a feature required for x.509 certificates [1]). You can also grep the call sites by:

$ git grep "tpm2_start_auth_session(.*);"
drivers/char/tpm/tpm2-cmd.c:	rc = tpm2_start_auth_session(chip);
drivers/char/tpm/tpm2-cmd.c:	err = tpm2_start_auth_session(chip);
include/linux/tpm.h:int tpm2_start_auth_session(struct tpm_chip *chip);
security/keys/trusted-keys/trusted_tpm2.c:	rc = tpm2_start_auth_session(chip);
security/keys/trusted-keys/trusted_tpm2.c:	rc = tpm2_start_auth_session(chip);
security/keys/trusted-keys/trusted_tpm2.c:	rc = tpm2_start_auth_session(chip);

The x.509 part will be a 6.11 feature.

[1] https://datatracker.ietf.org/doc/draft-woodhouse-cert-best-practice/ NOTE: a bit out of date, I chatted quickly with David and he is planning to remove TPM 1.2 and DSA keys from the draft.


Jarkko Sakkinen

Edited 1 year ago
Finally HMAC encryption for in-kernel TPM clients is going to a release! Has been hanging there for a long time.

LUKS2 and distributions starting to support it motivated me to rewrite the buffering code last spring, because that was my main turn-off in the original patch set, and then James took over and cleaned up the functionality and I reviewed it for a few rounds until it was good enough.

With this and TPM2-sealed hard drive encryption there is a somewhat reasonable security model without having to type an encryption password at a bootloader prompt (which is tedious). I.e. login and go.

A rare case of a security feature also improving user experience.

#linux #kernel #tpm #luks2

Jarkko Sakkinen

My first trial of splitting the pull request into TPM, trusted keys and keyring parts: all three pull requests taken by pr-tracker-bot :—–O

One more left for asymmetric keys. Cannot believe this, I always screw up this dance at least the first time :-) Really made my Monday!

@grumpygamer [was a fair punishment tho]
@grumpygamer and always one of the floppy disks had a bad sector when you pirated a game from a friend :-(

Classic version control:
