@securepaul "How did TPM2 began its journey in Linux kernel and where it is heading? Why is TPM2 important for Linux? TPM2 is more like a protocol or contract for hardware cryptography than just a chip. And it still has a legit place despite Trusted Execution Environments (TEEs) and confidential computing up-rise."

@securepaul I put something to ksummit https://lpc.events/event/18/abstracts/1801/ (first time for a loooong time).

and made a new key type :-). https://lore.kernel.org/linux-integrity/D1EWI92F6AIH.3CFED3IMI10ZA@kernel.org/T/#t

@vathpela Like any modern silicon product have a huge ecosystem of IP blocks bought from various partners. There's even companies that are specialized just doing small parts of SoC's and other products and selling those IP blocks for industry partners. And it is good to have also this ecosystem because it drives tech forward so openness is in my opinion always about finding the right balance :-) All my opinions on almost anything are these middle-ways dull ones 🤷

@vathpela So in principle I do support opening up e.g. ACM's and almost anything really but that said I also get the views of the "other side" :-)

@vathpela Sometimes (not always) the problem with vendor-specific proprietary IP (be it software or hardware) is that sub-parts might be re-licensed from other 3rd parties. So it is not always just an evil corps type of thing but opening IP could be hard to realized sometimes, even if there was will from the company.

@vathpela TPM might be easier because it is vendor neutral standard.

With confidential computing established it might make sense to have a TPM blob in linux-firmware compiled from open source base and way to certify that for distributors.

Most have some form of certificate authority alike thing in place so this would be good use of that.

Then SGX/SNP/TDX could provide a way to establish a sealed device from that and further distribute a vTPM for each virtual machine.

Probably would make sense for e.g. Linux Foundation or similar industry faction to develop AI that would look for license infringements from code similarly as it works for code generation.

Probably it will happen that someone uses this new stuff, makes some money, injects GPL with the help of AI and is enforced to open up the whole thing. Detecting these early is also beneficial for those who use AI for their business because it is less damage when the infringement is detected early.

So not for "fighting against AI" but to make it more legit (sort of).

One more PR for Linux v6.10 https://lore.kernel.org/linux-integrity/D1EVFNB6HJZ8.2ZRZB8Y0K3TV5@kernel.org/T/#u

#linux #kernel

I was shuffling between kernel summit and boot-time security but picked kernel summit because of less likely to get accepted ;-)

Yeah, and reading some newer FSF material, and seeing how untrue it was, also inspired.

OK, I submitted an abstract for kernel summit track: "TPM2 story so far...". It would be from the angle of thinking it more like a protocol or contract that all kinds of hardware and TEE's can speak than just a chip per se...

Not that motivated to travel, so not a huge disappointment if not accepted :-) But yeah I have an angle and will prepare that one properly if accepted. So done my duty I guess at least...

https://lpc.events/event/18/abstracts/1801/

#linux #kernel #tpm

My 5 cents on #POSIX capabilities: https://lore.kernel.org/keyrings/D1ETFJFE9Y48.1T8I7SIPGFMQ2@kernel.org

Not that realistic effort tho...

And all TPM2 related built-in and talking to /dev/tpm0 no compromises ;-) Otherwise it is as good as tpm2-tss-engine and similar, which are not that great for my needs.

Would be nice if there was more lean openssl like command-line tool that would all that openssl, keyctl and tpm2-tools does in this test:

https://lore.kernel.org/linux-integrity/D1ERDC16XLUO.578U4ZE7VXW@kernel.org/T/#m262b2fdde64286acaa3879e552b0ba70c79328d4

Remarks:

• openssl: RSA key generation and PEM-to-DER conversion.
• tpm2-tools: Hardware bound object generation and raw-to-PEM conversion.
• keyctl operates with the Linux keyring and sets up asymmetric key with private key in TPM2.

Would be nice if with one command at least I could get a DER blob with the binding to the machine where it is run and then use keyctl. Head hurts watching that script dump. I’m surprised that I got it working at all.

#linux #kernel #tpm #tpm2 #keyctl #openssl

@Foxboron I love Berlin as a place :-) It is actually one of few places where I travel for leisure mainly to see my friends over there.

@Foxboron Nah, not that much into traveling, someone would have to enforce me :-) Happily read the summaries from LWN.

If I did not get a job by beginning of Oct I might apply for a grant from LF to get some window to land a job. Not very likely but it is good to save such tools for real and existential need. ;-)

Up until that I'm tied by my researcher contract.

@Foxboron not a big surprise. I guess [1] would be relevant for me but since I don't have a employer to pay it for me I'll pass :-) Maybe next year. I'll read the summaries from LWN.

[1] https://lpc.events/event/18/page/232-proposed-microconferences#sysboot

My #CI hack can do kernel CI in any possible runner: https://gitlab.com/jarkkojs/linux-tpmdd-test

It builds #BuildRoot environment and runs tests inside it. Probably this something more infrastructural, dunno have not checked :-)

I.e.

git clone https://gitlab.com/jarkkojs/linux-tpmdd-test.git
cd linux-tpmdd-test
cmake -Bbuild && make -Cbuild buildroot-prepare
make -Cbuild/buildroot/build
build/buildroot/build/images/run-tests.sh

It uses TCL’s (in)famous expect to check the output and uses socat and UNIX socket for communications with appropriate QEMU options. And yeah it supports also TPM chips so can be made to boot up modern #systemd installation (have not done so but might in future).

Runner’s ISA does not matter as everything is built up from ground, including toolchain so supports both x86 and ARM although the build itself is x86 ATM. Essentially it can run tests exactly how I would run them on desktop.

https://lwn.net/Articles/972713/

#linux #kernel #gitlab

[$] What's next for the SLUB allocator https://lwn.net/Articles/974138/ #LWN

Sent a patch set that adds a new driver tpm2_key_rsa, which is asymmetric key type for the sake of interoperability with #x509. Also covers grounds for future drivers such as probably tpm2_key_ecdsa.

https://lore.kernel.org/linux-integrity/20240520184727.22038-1-jarkko@kernel.org/T/#t

#linux #kernel #tpm