@ljs Yeah, I wanted to add this because my point was not to say that they were stupid or "lower". Smart people that the system was exploiting, that is what I wanted to say :-)

@ljs Those uneducated people became educated and smart so you need to pay them. And thus we just now have a new generation of crap.

Probably it meant for something more advanced like scheduler than I'm working on right now but I'm not sure if I get in my use (emphasis on this) these scoped allocations.

They feels as bad and confusing as the cleanup stack in Symbian. So I just use regular gotos for exceptions. That is more transparent.

So I guess they are just for different application than I have.

ECC creation for ECDSA:

tpm2_createprimary --hierarchy o -G ecc -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
openssl ecparam -name prime256v1 -genkey -noout -out private.pem
tpm2_import -C 0x81000001 -G ecc -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der
serial=`cat key.priv.der | keyctl padd asymmetric tpm @u`

@bluca @pid_eins I wonder if makes sense for you: https://lore.kernel.org/linux-integrity/20240523212515.4875-1-jarkko@kernel.org/

It is somewhat practical feature: never have.private keys stored in plain text, neither in drive nor memory. TPM2 can open it but not publish it, and the public key is available for clients for encryption and verifying signatures. TPM2 decrypts and signs. So it is kind of “private halve in hardware” and “public halve in software”.

Only when the key is first created it is in plain text like:

tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
tpm2_getcap handles-persistent
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der

The final priv.der can be only decrypted by the TPM when it opens it:

serial=`cat key.priv.der | keyctl padd asymmetric tpm @u`

So the point of all this is that you can use this to sign and encrypt wifi credentials (iwd), root keyrings (e.g. gnome-keyring) and sign x.509 certificates without exposing the private key once first created or acquired.

For 6.11 tpm2_key_rsa is planned and right after that tpm2_key_ecdsa (not sure whether in 6.11 or 6.12). Not sure if this makes sense for systemd but I thought it might.

@ljs This is 2nd coming of AI BTW :-) First coming was based on uneducated human labor in masses in the early 00's. It played well then...

Is it me or why akcipher has two undocumented parameters: "algo OID" and "params length". They are still considered as ABI but not even their size types are documented, let alone the semantics.

Only module I can find that uses algo OID is crypto/testmgr.h, or sets a value into it.

From crypto/asymmetric/public_key.c I found that they are u32's.

And I set them zero by looking my call chain layer by layer where in all layers they are ignored:

1. tpm2_key_rsa_encrypt
2. pkcs1pad_set_pub_key
3. rsa_set_pub_key

And I found the actual call chain by tracing with kprobes.

So I just memset 8 bytes after my key data to zero given that everything is undocumented but by tracing and grepping I've managed to nail them hopefully stable values.

Feels flakky tbh to have documentation based on reverse engineering o_O I wonder why there is no even some struct for those last magical 8 bytes...

#linux #kernel #crypto

https://thenewstack.io/c-gordon-bell-father-of-the-pdp-8-and-vax-has-died/

So the gist of is_module() would be that it would have different semantics than IS_MODULE(): it could be used to e.g. check modules in a loop.

Compilation would generate a new ELF section with following entries:

<ASCIIZ string><0 or 1>

The string would contain module name.

Also, it would enabled to add lsmod -b to enumerate built-in modules, which give nice way to carve up more information about a running test kernel. This would obviously need perhaps a new file to procfs for built-in modules (for regular there is /proc/modules).

I guess recent crypto bug can be sorted otherwise but this feels useful enough to document it.

#linux #kernel #kmod #module

I guess not required for the bug fix but as an idea this type of thing for kmod could be perhaps useful:

https://lore.kernel.org/linux-crypto/D1GXRKNG42V4.1ZHV4H7HVNXHO@kernel.org/

#linux #kernel

Removed #LSP shenanigans from my #nvim config. I don't really care about it and I hate to need external demons to make text editor do its job. It is even worse than plugins, which I neither love. And I never use auto-complete because it does stuff faster than my head can keep up.

Overall for me #ctags is still best possible experience when indexing source code. It crawls deep, does not do anything automatically and does not require external 3rd party prgrams.

And yeah it is stupid as hell, and thus can index whole #Linux tree without trying to understand it. With LSP indexing is build config dependent, which makes it crippled.

With #Rust I use rusty-tags: https://github.com/dan-t/rusty-tags

We are pleased to announce the release of Alpine Linux 3.20.0, the first in the v3.20 stable series.

This is the first stable release that includes Risc-V 64 support thanks to Milk-V.

Upgrades includes among others:

- Rust 1.78
- Python 3.12
- KDE 6

https://www.alpinelinux.org/posts/Alpine-3.20.0-released.html

Thanks to all the contributors who worked hard on getting this release out!

#AlpineLinux

Good news and this is what I use (before that #vim).

Still, I would take editor any day with zero plugins and best picks of the plugins as additional features :-) And by heart compatibility with the familiar vim commands.

https://neovim.io/doc/user/news-0.10.html

#neovim

@liw Mä oon aina ollut sitä mieltä, että naiset vois mun puolesta dominoida johtotehtävissä. Aina kun ollut naispomo, niin homma ollut paremmin balanssissa, ja saanut keskittyä ei-toksisessa ympäristössä omaan juttuunsa. Pitäisköhän liittyä, ja tuoda tämä tuon yhdistyksen agendalle!

Kattoo Suomen talouslukujakin niin kyllähän kaikki menny päin helvettiä, kun saatu rinkirunkkausporukka ruoriin.

Kyllähän eka CEO:kin oli nainen, kun aattelee antiikin kreikkaa. Miehet vaan toimitti tyhjää ja juopotteli :-)

@vbabka lol going there has been like a "dark secret" for me, feels like i was doing something nasty :D but tech is tech for me and i'm interested on everything in tech, even blockchains (as a tech, not a vehicle to make profit), so i don't see anything wrong in it.

you can be critical about stuff (like i'm a bit critical on some aspects of rust) without overlooking into it.

@vbabka Yeah, exactly :D Feels like going to a war zone. But they pay the trip, I have a small demo and my old friend Sonja lives Prague so I don't have to brainwash myself for the whole weekend.

@vbabka Yeah, I mean that instruction is a bit ambiguous on the key type :-) I'll just try it for fun and non-profit...

@vbabka hmm... so cert key is not changing. i need to try if i can just use another auth key rooted to that cert key :-)
that is ecdsa key is also old but just not atm the one in yubikey.

Booked flights to Prague, will go there from 30-May to 03-Jun in order to attend and present at Ethprague conference.

Actually even TCG_TPM is not in x86 defconfig but this would mean two switches just to get the basic environment ongoing if it was not default I think this sweet spot solution in this case.