Jarkko Sakkinen

Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1

Posts: 4417, Following: 315, Followers: 470

Probably it would make sense for e.g. the Linux Foundation or a similar industry faction to develop an AI that would look for license infringements in code, similarly to how it works for code generation.

Probably it will happen that someone uses this new stuff, makes some money, injects GPL with the help of AI and is forced to open up the whole thing. Detecting these early is also beneficial for those who use AI for their business, because there is less damage when the infringement is detected early.

So not for "fighting against AI" but to make it more legit (sort of).
I was shuffling between kernel summit and boot-time security but picked kernel summit because it is less likely to get accepted ;-)

Yeah, and reading some newer FSF material, and seeing how untrue it was, also inspired.

Jarkko Sakkinen

Edited 1 year ago
OK, I submitted an abstract for the kernel summit track: "TPM2 story so far...". It would be from the angle of thinking of it more like a protocol or contract that all kinds of hardware and TEEs can speak than just a chip per se...

Not that motivated to travel, so not a huge disappointment if not accepted :-) But yeah, I have an angle and will prepare that one properly if accepted. So I've done my duty, I guess, at least...

https://lpc.events/event/18/abstracts/1801/

#linux #kernel #tpm

Jarkko Sakkinen

My 5 cents on #POSIX capabilities: https://lore.kernel.org/keyrings/D1ETFJFE9Y48.1T8I7SIPGFMQ2@kernel.org

Not that realistic effort tho...
And everything TPM2-related built in and talking to /dev/tpm0, no compromises ;-) Otherwise it is as good as tpm2-tss-engine and similar, which are not that great for my needs.

Jarkko Sakkinen

Would be nice if there was a leaner openssl-like command-line tool that would do all that openssl, keyctl and tpm2-tools do in this test:

https://lore.kernel.org/linux-integrity/D1ERDC16XLUO.578U4ZE7VXW@kernel.org/T/#m262b2fdde64286acaa3879e552b0ba70c79328d4

Remarks:

  • openssl: RSA key generation and PEM-to-DER conversion.
  • tpm2-tools: hardware-bound object generation and raw-to-PEM conversion.
  • keyctl: operates with the Linux keyring and sets up an asymmetric key with the private key in TPM2.

Would be nice if with one command at least I could get a DER blob with the binding to the machine where it is run and then use keyctl. Head hurts watching that script dump. I’m surprised that I got it working at all.

#linux #kernel #tpm #tpm2 #keyctl #openssl

@Foxboron I love Berlin as a place :-) It is actually one of few places where I travel for leisure mainly to see my friends over there.
@Foxboron Nah, not that much into traveling, someone would have to force me :-) Happily read the summaries from LWN.

If I don't get a job by the beginning of Oct I might apply for a grant from the LF to get some window to land a job. Not very likely, but it is good to save such tools for real and existential need. ;-)

Up until then I'm tied by my researcher contract.
@Foxboron not a big surprise. I guess [1] would be relevant for me, but since I don't have an employer to pay it for me I'll pass :-) Maybe next year. I'll read the summaries from LWN.

[1] https://lpc.events/event/18/page/232-proposed-microconferences#sysboot

Jarkko Sakkinen

Edited 1 year ago

My #CI hack can do kernel CI in any possible runner: https://gitlab.com/jarkkojs/linux-tpmdd-test

It builds a #BuildRoot environment and runs tests inside it. Probably there is something more infrastructural for this; dunno, have not checked :-)

I.e.

git clone https://gitlab.com/jarkkojs/linux-tpmdd-test.git
cd linux-tpmdd-test
cmake -Bbuild && make -Cbuild buildroot-prepare
make -Cbuild/buildroot/build
build/buildroot/build/images/run-tests.sh

It uses Tcl's (in)famous expect to check the output, and socat with a UNIX socket for communication with the appropriate QEMU options. And yeah, it also supports TPM chips, so it can be made to boot up a modern #systemd installation (have not done so but might in the future).

The runner's ISA does not matter, as everything is built from the ground up, including the toolchain, so it supports both x86 and ARM, although the build itself is x86 ATM. Essentially it can run tests exactly how I would run them on a desktop.

https://lwn.net/Articles/972713/

#linux #kernel #gitlab

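As an added example (my own code, not the linux-tpmdd-test project's), here is the expect-style loop the post relies on, written in Python over a stream socket. On the runner that socket would be the UNIX socket socat bridges to the QEMU serial console; here a socketpair and a scripted thread stand in for the guest so the block runs offline. The login prompt text, the guest-side command `/root/run-tests.sh` and the `RESULT: PASS|FAIL` marker lines are assumptions, not the project's conventions. What the block shows is the part that matters for CI: consuming output up to each match, and turning a silent or hung guest into a TimeoutError carrying the transcript tail instead of a stalled job.

```python
import re
import select
import socket
import threading
import time


class ConsoleExpect:
    """expect(1)-style matcher over a stream socket, e.g. the UNIX socket that
    socat bridges to the QEMU serial console on the CI runner."""

    def __init__(self, sock, timeout=10.0):
        self.sock = sock
        self.sock.setblocking(False)
        self.timeout = timeout
        self.buf = b""         # received output not yet consumed by a match
        self.transcript = b""  # everything received, for the CI job log

    def send(self, line):
        self.sock.sendall(line.encode() + b"\n")

    def expect(self, pattern, timeout=None):
        """Block until the regex matches pending output; consume through the match.
        A silent or hung guest raises TimeoutError instead of stalling the runner."""
        regex = re.compile(pattern, re.MULTILINE)
        deadline = time.monotonic() + (self.timeout if timeout is None else timeout)
        while True:
            m = regex.search(self.buf)
            if m:
                self.buf = self.buf[m.end():]
                return m
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise TimeoutError(f"no match for {pattern!r}; tail: {self.transcript[-120:]!r}")
            ready, _, _ = select.select([self.sock], [], [], remaining)
            if ready:
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise EOFError("console closed")
                self.buf += chunk
                self.transcript += chunk


# Hypothetical guest-side test command and RESULT marker convention; the real
# run-tests.sh in linux-tpmdd-test may do this differently.
GUEST_TEST_CMD = "/root/run-tests.sh"


def run_smoke_test(console):
    """Log in, launch the guest-side tests and decide pass/fail from the marker line."""
    console.expect(rb"login: ")
    console.send("root")
    console.expect(rb"# ")
    console.send(GUEST_TEST_CMD)
    m = console.expect(rb"^RESULT: (PASS|FAIL)$", timeout=30)
    return m.group(1).decode()


def fake_guest(sock, outcome):
    """Constructed stand-in for the QEMU console: scripted replies, then hang up."""
    f = sock.makefile("rb")
    sock.sendall(b"Welcome to Buildroot\nbuildroot login: ")
    f.readline()                      # the "root" login line
    sock.sendall(b"# ")
    cmd = f.readline().strip()
    sock.sendall(b"running " + cmd + b"\ntpm2_key_rsa: key: 0x80000001\n"
                 b"RESULT: " + outcome + b"\n# ")
    sock.close()


def demo(outcome=b"PASS"):
    """Run the harness against the fake guest over a socketpair; returns 'PASS' or 'FAIL'."""
    host, guest = socket.socketpair()
    t = threading.Thread(target=fake_guest, args=(guest, outcome), daemon=True)
    t.start()
    try:
        return run_smoke_test(ConsoleExpect(host, timeout=5.0))
    finally:
        host.close()
        t.join(1.0)


def demo_timeout():
    """A guest that never prints a prompt must fail fast with TimeoutError."""
    host, guest = socket.socketpair()   # nothing is ever written on `guest`
    try:
        run_smoke_test(ConsoleExpect(host, timeout=0.2))
        return False
    except TimeoutError:
        return True
    finally:
        host.close()
        guest.close()


if __name__ == "__main__":
    print("smoke test:", demo(), "| silent guest handled:", demo_timeout())
```

On a real runner, replace `socket.socketpair()` with an `AF_UNIX` socket connected to the path QEMU or socat exposes, and write `transcript` to the job log on failure; the per-call `timeout` is what keeps a wedged guest from eating the whole CI budget.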

LWN.net is now @LWN@lwn.net

[$] What's next for the SLUB allocator https://lwn.net/Articles/974138/


Jarkko Sakkinen

Sent a patch set that adds a new driver, tpm2_key_rsa, which is an asymmetric key type for the sake of interoperability with #x509. It also covers ground for future drivers such as, probably, tpm2_key_ecdsa.

https://lore.kernel.org/linux-integrity/20240520184727.22038-1-jarkko@kernel.org/T/#t

#linux #kernel #tpm
All ops work now, so time to submit even though there's stuff to clean up. But it is better to send it before breaking it by cleaning it up :-)

Also decrypt works:

# echo "abcdefg" > plaintext.txt
# keyctl pkey_encrypt $serial 0 plaintext.txt enc=pkcs1 > encrypted.dat
# keyctl pkey_decrypt $serial 0 encrypted.dat enc=pkcs1 > decrypted.dat
tpm2_key_rsa: parent: 0x81000001
tpm2_key_rsa: key: 0x80000001
# cat decrypted.dat
abcdefg
Great pkey_encrypt full pass!

Jarkko Sakkinen

Basic smoke test that a TPM2 RSA asymmetric key must pass to be usable:

#!/bin/sh
# Smoke test: a TPM2-bound RSA key driven through the kernel keyring (keyctl).
set -e

# Create a primary storage key in the owner hierarchy and persist it at 0x81000001.
tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
tpm2_getcap handles-persistent

# Generate a software RSA key and import it under the persistent parent.
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv

# Wrap the public/private blobs into the TPM 2.0 key file PEM, then convert to DER.
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der

# Add the DER blob to the user keyring as an asymmetric key described "tpm".
serial=$(keyctl padd asymmetric tpm @u < key.priv.der)

# Exercise every pkey op: encrypt, decrypt, sign, verify.
echo "abcdefg" > plaintext.txt
keyctl pkey_encrypt "$serial" 0 plaintext.txt enc=pkcs1 > encrypted.dat
keyctl pkey_decrypt "$serial" 0 encrypted.dat enc=pkcs1 > decrypted.dat
keyctl pkey_sign "$serial" 0 plaintext.txt enc=pkcs1 hash=sha256 > signed.dat
keyctl pkey_verify "$serial" 0 plaintext.txt signed.dat enc=pkcs1 hash=sha256

#tpm #linux #kernel


Jarkko Sakkinen

Edited 1 year ago

Found the reason for -EINVAL in parsing: tpm2_key: OID is "2.23.133.10.1.3" which is not TPMSealedData

https://lore.kernel.org/linux-integrity/D1DMTJYL7TFC.3J3FM36K06ECD@kernel.org/

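Two things above come together in a check worth having on the host side: the smoke test hands `keyctl padd` the DER blob that `openssl asn1parse -out key.priv.der` produced from the tpm2_encodeobject PEM, and the -EINVAL traced here comes from that blob's type OID being 2.23.133.10.1.3 (a loadable key in the TCG TPM 2.0 key file format) rather than TPMSealedData (2.23.133.10.1.5), the only type the trusted-key grammar's type check accepts. The following is an added example, not the author's code nor the kernel's: a minimal DER parser for the TPMKey SEQUENCE (the subset the kernel grammar defines, without the draft's optional policy fields) that reports the OID and applies the same accept-only-TPMSealedData rule, so the mismatch shows up as a readable message before the key is added. The function names, the tiny DER encoder and the sample blobs under parent 0x81000001 are all constructed for the example.

```python
from typing import NamedTuple, Optional

# Type OIDs of the TCG "TPM 2.0 Key File" format (id-tpmkey = 2.23.133.10.1).
# The kernel's tpm2_key parser used by trusted keys accepts only TPMSealedData.
TPM2_KEY_OIDS = {
    "2.23.133.10.1.3": "loadable key",
    "2.23.133.10.1.4": "importable key",
    "2.23.133.10.1.5": "sealed data (TPMSealedData)",
}
OID_TPM_SEALED_DATA = "2.23.133.10.1.5"


class TPM2Key(NamedTuple):
    oid: str
    empty_auth: Optional[bool]
    parent: int
    pubkey: bytes
    privkey: bytes


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_tpm2_key(der):
    """TPMKey ::= SEQUENCE { type OID, emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
    parent INTEGER, pubkey OCTET STRING, privkey OCTET STRING }, i.e. the subset
    the kernel grammar defines; the draft's optional policy fields are not handled."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    tag, value, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER first")
    oid, empty_auth = _decode_oid(value), None
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0xA0:  # [0] EXPLICIT wrapping a BOOLEAN (DER TRUE is 0xFF)
        btag, bval, _ = _read_tlv(value, 0)
        if btag != 0x01 or len(bval) != 1:
            raise ValueError("malformed emptyAuth")
        empty_auth = bval != b"\x00"
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER parent")
    parent = int.from_bytes(value, "big")
    tag, pubkey, pos = _read_tlv(body, pos)
    tag2, privkey, pos = _read_tlv(body, pos)
    if tag != 0x04 or tag2 != 0x04 or pos != len(body):
        raise ValueError("expected two OCTET STRINGs closing the SEQUENCE")
    return TPM2Key(oid, empty_auth, parent, pubkey, privkey)


def kernel_trusted_key_verdict(key):
    """Mirror the type check behind the -EINVAL above: only TPMSealedData passes."""
    if key.oid == OID_TPM_SEALED_DATA:
        return "OK"
    return f"-EINVAL: OID {key.oid} is {TPM2_KEY_OIDS.get(key.oid, 'unknown')}, not TPMSealedData"


# Minimal DER encoder, only to construct sample blobs (short-form lengths suffice).
def _tlv(tag, value):
    assert len(value) < 0x80, "sample encoder supports short-form lengths only"
    return bytes([tag, len(value)]) + value


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)


def build_tpm2_key(oid, parent, pubkey, privkey, empty_auth=None):
    """Encode a TPMKey; the INTEGER gets a leading 0x00 when its top bit is set."""
    body = _tlv(0x06, _encode_oid(oid))
    if empty_auth is not None:
        body += _tlv(0xA0, _tlv(0x01, b"\xff" if empty_auth else b"\x00"))
    body += _tlv(0x02, parent.to_bytes((parent.bit_length() + 8) // 8, "big"))
    return _tlv(0x30, body + _tlv(0x04, pubkey) + _tlv(0x04, privkey))


if __name__ == "__main__":
    # Constructed samples under the smoke test's persistent parent 0x81000001.
    for oid in ("2.23.133.10.1.5", "2.23.133.10.1.3"):
        blob = build_tpm2_key(oid, 0x81000001, b"\x01\x02", b"\x03\x04\x05", empty_auth=True)
        print(oid, "->", kernel_trusted_key_verdict(parse_tpm2_key(blob)))
```

Run `parse_tpm2_key(open("key.priv.der", "rb").read())` on a real blob from the smoke test to see its type OID and parent handle before the keyring ever sees it; a rejection then comes with the OID name instead of a bare -EINVAL.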
Failed to have everything in the commits so this just fixed compilation errors: https://lore.kernel.org/linux-integrity/20240519002616.4432-1-jarkko@kernel.org/T/#t