Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1

Jarkko Sakkinen

a conference committee wanted to know my telegram nick so...
@kernellogger @jejb The main reason I went to the attic, wiped the dust and started cleaning up this was that I bought a Mac Mini M2 Pro and was disappointed that I need to type text before the system even boots itself. So literally user experience made me work on a sec feature ;-) There was already somewhat recent support in systemd and LUKS2 for the TPM2 encrypted boot but it is not really a compelling security model overall if the busses leak... So this kind of completes that work.
@raiderrobert but the Larry Wall "quote" came to mind just to remind to relax even if it has been a while so that's why I put it there :-)
@raiderrobert lol, I actually have been dealing with a search tree yesterday, or more like planning one, otherwise would maybe once a year ;-) a coincidence
@raiderrobert Larry Wall said in one interview that he learns when things come across and then deals with them, but otherwise does not worry too much. I'm a believer of this philosophy, so any time window is fine :-)
@monsieuricon LOL, thanks, great advice :-D
Always lurking in the corner and making guest appearances every now and then but never gone, and in every possible context.

Jarkko Sakkinen

If I ever had a tattoo, it would probably say: "x.509". It already feels like one 🤷 #x509

Thorsten Leemhuis (acct. 1/4)

The TPM bus encryption and integrity protection changes prepared by @jejb and @jarkko were merged for 6.10: https://git.kernel.org/torvalds/c/b19239143e393d4b52b3b9a17c7ac07138f2cfd4

"[…] The key pair on TPM side is generated from so called null random seed per power on of the machine [1]. This supports the TPM encryption of the hard drive by adding layer of protection against bus interposer attacks. […]"

[1] https://lore.kernel.org/linux-integrity/20240429202811.13643-1-James.Bottomley@HansenPartnership.com/


you first, asshole


Jarkko Sakkinen

In addition to my @LWN subscription I have now renewed my #Medium subscription :-)

I also order Computer Music through pocketmags.com, Helsingin Sanomat (digital version https://www.hs.fi/) and of course @skrollilehti.

I like to read good stuff, and am willing to pay for it I guess. I also generally prefer the paid version of any web service rather than a free service because then there are fewer hidden gotchas involved.

Jarkko Sakkinen

Edited 1 year ago

I should publish this humble and not so exciting crate (stalled since Dec) and now I found the motivating factor. I make it compile with gccrs.

Maybe this will lead to contributions, who knows, or epic failure, but it should be interesting and exciting in all cases :-)

The stimulus obviously comes from GCC 14 release, which has the first experimental version of gccrs. And in my free time I do prefer GPL licensed code base for utilities and apps over MIT/Apache, so gccrs makes more sense for me than rustc in that sense (and not judging other viewpoints, it is my personal and subjective preference).

https://gitlab.com/jarkkojs/zmodem2

#gcc #rust #zmodem #gpl

@Foxboron @stepan I'll give it a shot in a VM and see how much I need to tweak since cryptenroll is there. Soonish.
@Foxboron @stepan TBH, nice to hear anyway that my knowledge of Arch Linux is deprecated :-) So that actually made this useful! Now I know.
@Foxboron @stepan Right, I somehow missed the cryptenroll part. Well, I don't use Arch Linux, it was an example, and this stuff is not universally enabled yet. So I was being more broad, and before the v6.10 changes measured boot was wide open for online attacks, which is now fixed with bus encryption and integrity protection. I just use a stock OpenSUSE installation.

I'm neither sure how well this is enabled in arch-install, which I sometimes use for VMs, mainly for kernel testing. Manual configuration is a no-go because they are VMs that don't have a long lifetime. I use this route for kernel testing only if arch-install fulfills those needs. Does it BTW already take care of LUKS2?
@Foxboron @stepan Might come as a surprise but Ubuntu is doing their own incompatible thing with everyone else ;-)
@Foxboron @stepan With this measured boot stuff I'd wait maybe a while so that Fedora and OpenSUSE catch up and stabilize the integration. That should give a good overall reference model. And obviously weigh whether it makes "existential" sense for Arch Linux (I personally think it does, but not my call 🙂 ).

It is an orthogonal feature to secure boot, i.e. they do not fight with each other. You can have either or both enabled/disabled. All combinations should work. The obvious plus with measured boot is that it does not require *any* special keys. You can still have a recovery passphrase in LUKS2 if something goes terribly wrong, e.g. if in the kernel update process the policy hash is not correctly updated, and similar situations.

Jarkko Sakkinen

Edited 1 year ago
TPM2-measured boot with bus protection is pretty nice actually for Linux installations where secure boot is not enabled, like the default Arch Linux installation for instance.

For the sake of "defence in depth", I'd enable both if it is an out-of-the-box feature but would probably not bother with secure boot if it requires extra work.

So, the takeaway from this is that it would make a lot of sense to make measured boot happen in the arch-install installation as an opt-in feature. No Microsoft key required.

Still so far the most informative overview for the shenanigans is https://microos.opensuse.org/blog/2023-12-20-sdboot-fde/ but I'd also look for more recent references.

Policy hash calculation per kernel package update for LUKS2 is what needs to happen over time, with hooks/scripts, whenever a new kernel package is installed.

So the thing that was hyped to DRM the world into a locked down hellhole rendered out the Microsoft key hard binding instead 🤷

#tpm #linux #archlinux #opensuse #secureboot #security
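As an added illustration of why the policy hash must be recomputed on every kernel update (this is example code written for this page, not code from the post, the kernel or systemd): it replays PCR extends in software and derives the TPM2_PolicyPCR digest a LUKS2 key slot would be sealed to. The PCR index, the measured items and the kernel/cmdline inputs are constructed for the example; the hashing and marshaling follow the TPM 2.0 specification.

```python
import hashlib
import struct

# Constants from the TPM 2.0 Library Specification, Part 2 (Structures).
TPM_CC_POLICYPCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
PCR_INDEX = 7  # arbitrary choice for this illustration; a real boot chain uses several PCRs

def pcr_extend(pcr: bytes, measured_data: bytes) -> bytes:
    """One TPM2_PCR_Extend step: PCR_new = H(PCR_old || H(measured data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measured_data).digest()).digest()

def pcr_selection(indexes) -> bytes:
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank and a 3-byte PCR bitmap."""
    bitmap = bytearray(3)
    for i in indexes:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)

def policy_pcr_digest(pcr_values: dict) -> bytes:
    """TPM2_PolicyPCR applied to a fresh policy session (policyDigest = 32 zero bytes):
    policyDigest' = H(policyDigest || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    indexes = sorted(pcr_values)
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in indexes)).digest()
    return hashlib.sha256(bytes(32) + struct.pack(">I", TPM_CC_POLICYPCR)
                          + pcr_selection(indexes) + pcr_digest).digest()

def boot_policy(kernel_image: bytes, cmdline: bytes) -> bytes:
    """Replay the measurements a boot would put into PCR_INDEX and derive the
    policy digest the LUKS2 key slot would be sealed to (constructed sample inputs)."""
    pcr = bytes(32)                       # PCRs start at zero after power-on
    pcr = pcr_extend(pcr, kernel_image)   # boot stub measures the kernel image
    pcr = pcr_extend(pcr, cmdline)        # ...and the kernel command line
    return policy_pcr_digest({PCR_INDEX: pcr})

if __name__ == "__main__":
    old = boot_policy(b"vmlinuz-old (constructed)", b"root=/dev/mapper/root")
    new = boot_policy(b"vmlinuz-new (constructed)", b"root=/dev/mapper/root")
    # The TPM releases the sealed key only when the live policy digest matches,
    # so a new kernel changes the digest and the package hook must re-seal the slot.
    print("policy before update:", old.hex())
    print("policy after update: ", new.hex())
    print("re-enroll needed:", old != new)
```

A stale policy digest is exactly the failure the post's LUKS2 recovery passphrase exists for: the TPM refuses to unseal, and the passphrase is the way back in.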