Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1

Jarkko Sakkinen

The next version of #TPM2 asymmetric keys will also have ECDSA signatures. Almost got it ready during the weekend :-)

Should provide pretty good first coverage for https://datatracker.ietf.org/doc/draft-woodhouse-cert-best-practice/.

#linux #kernel #tpm #keys
Signal actually still defines the best possible framework, despite not being fully implemented, for something you claim to be truly confidential:

1. Create a legal barrier with AGPL; this guarantees that the source code is unmodified.
2. Create a run-time barrier with SGX/SNP/TDX; this guarantees that the run-time is unmodified. Attestation needs to have an expiration time, somewhat like you need to expire a shared session key.

Signal implements (1) but lacks (2).

@moritz @malte @katexochen

Actually, the value of remote attestation and the price to pay for it are related to the control of the machines where you are running your software.

If you run software on your local hardware or in a controlled data center, then TPM2 by practical means does all you need for remote attestation.

Confidential computing becomes beneficial when you run in the cloud and need to attest that, while the deployment is out of your control, it still runs unmodified and does the expected computation.

One corner-case example of this is Signal’s contact delivery, which is claimed to be sealed by Intel SGX. This is a false marketing claim because:

  1. Signal controls its own data centers, so 3rd parties are not a high risk.
  2. Signal source is unmodified by legal enforcement given AGPLv3.
  3. Signal does not deliver CPU attestation to the Signal app so that the app could verify it against the Intel CA. This should be done periodically.

This means that Signal can hold onto AGPLv3, but they could still just emulate SGX opcodes and do nothing at all. So objectively we can conclude that Signal does fake marketing with SGX.

Remote attestation is worthless if:

  1. You don’t need it.
  2. You spend money on using the wrong type of attestation in the wrong place without proper risk analysis.

Confidential computing is literally broken because there are no developers. I still use a NUC7 from 2018 with a Celeron CPU equipped with SGX2. In that sense all remote attestation in that arena is broken because you don’t have a low barrier to developing anything on top of it…

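The periodic, expiring attestation check that the two posts above call for (the "attestation needs to have an expiration time" point in the AGPL/run-time barrier post, and point 3 about verifying CPU attestation against the vendor CA in this one), written out as an added Go example. This is not Jarkko's code and not any real SGX, TPM or Intel report format: a constructed self-signed vendor CA stands in for the Intel CA, a small signed JSON structure stands in for a quote, and the function names Setup, Attest, Verify, Report and MaxAge are assumptions of this example. What it shows is the relying-party side: a report is accepted only if the attester's certificate chains to the vendor CA, the signature holds, the nonce is the one the verifier chose, the report is younger than MaxAge, and the measurement matches the expected code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Evidence is a constructed, simplified report standing in for a real SGX or
// TPM quote: measured code identity, the verifier's nonce, and the issue time.
type Evidence struct {
	Measurement []byte    `json:"measurement"`
	Nonce       []byte    `json:"nonce"`
	IssuedAt    time.Time `json:"issued_at"`
}

// Report is the evidence, the attester's ECDSA signature over SHA-256 of its
// JSON form, and the attester's DER certificate, which must chain to the vendor CA.
type Report struct {
	Evidence     Evidence
	Signature    []byte
	AttesterCert []byte
}

// MaxAge bounds how long a report stays acceptable; after that the relying party
// demands a fresh one, much like a session key is rotated.
const MaxAge = 10 * time.Minute

func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
}

// Setup builds a self-signed CA standing in for the CPU vendor's attestation CA
// (assumption: a constructed CA, not Intel's) and an attestation key certified by it.
func Setup() (vendorCA *x509.Certificate, attKey *ecdsa.PrivateKey, attCert []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := template(1, "Example Vendor Attestation CA")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if vendorCA, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, nil, err
	}
	if attKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	attCert, err = x509.CreateCertificate(rand.Reader, template(2, "attestation-key"), vendorCA, &attKey.PublicKey, caKey)
	return vendorCA, attKey, attCert, err
}

// digest canonicalises the evidence; JSON field order is fixed for a struct.
func digest(ev Evidence) []byte {
	b, _ := json.Marshal(ev)
	h := sha256.Sum256(b)
	return h[:]
}

// Attest is the attester side: sign measurement and nonce at time now.
func Attest(key *ecdsa.PrivateKey, certDER []byte, measurement, nonce []byte, now time.Time) (Report, error) {
	ev := Evidence{Measurement: measurement, Nonce: nonce, IssuedAt: now}
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(ev))
	return Report{Evidence: ev, Signature: sig, AttesterCert: certDER}, err
}

// Verify is the relying party's check: certificate chains to the vendor CA, the
// signature holds, the nonce is ours, the report is not stale, and the
// measurement is the code we expect. Any failure rejects the report.
func Verify(r Report, vendorCA *x509.Certificate, nonce, wantMeasurement []byte, now time.Time) error {
	cert, err := x509.ParseCertificate(r.AttesterCert)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(vendorCA)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("attester cert does not chain to vendor CA: %w", err)
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest(r.Evidence), r.Signature) {
		return errors.New("bad signature on evidence")
	}
	if string(r.Evidence.Nonce) != string(nonce) {
		return errors.New("nonce mismatch: report was not produced for this challenge")
	}
	if age := now.Sub(r.Evidence.IssuedAt); age < -time.Minute || age > MaxAge {
		return fmt.Errorf("report is stale or from the future (age %v)", age)
	}
	if string(r.Evidence.Measurement) != string(wantMeasurement) {
		return errors.New("unexpected measurement")
	}
	return nil
}

func main() {
	ca, key, der, _ := Setup()
	meas, nonce, now := []byte("expected-code-hash"), []byte("challenge-1"), time.Now()
	r, _ := Attest(key, der, meas, nonce, now)
	fmt.Println("fresh:", Verify(r, ca, nonce, meas, now))
	fmt.Println("11 min later:", Verify(r, ca, nonce, meas, now.Add(11*time.Minute)))
}
```

The nonce and the age bound do different jobs: the nonce ties the report to this verifier's challenge, so a report captured earlier cannot be replayed, while MaxAge forces the client to re-run the challenge periodically, which is the "expiration" the posts ask for. A real deployment would replace the constructed CA with the vendor's published root, the JSON evidence with the vendor's report format, and would also check the expected measurement against a signed build.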
Nothing makes high waves without a low-barrier developer ecosystem, including local machines that can run the payloads...
In the current state of the art, containers are the worst part of Linux. I always use VMs with libvirt instead because I don't understand how the security boundary is defined.

And e.g. Docker exists as a commercial product mostly because of a failed container design in the kernel.
Some earlier work, more akin to Solaris Zones: https://lwn.net/Articles/780364/

Jarkko Sakkinen

Edited 1 year ago

CONFIG_ASN1_RUST opt-in early drafting: https://github.com/alex/rust-asn1/issues/462

#linux #kernel #rustlang


Jarkko Sakkinen

Yesterday I took the #DigiABC training for fun; here are some highlights: https://bsky.app/profile/jarkk0.bsky.social/post/3ktbnrsdw4s2x
@ryanc @mjg59 Is GPL an instance of DRM?
@ojrask I don't need anyone's predefined framework for my own thinking :-) Not the SKP's, nor any other party's. It's other people's job to think about how the machinery should work. Probably quite an important matter, but a person can only choose a limited number of things in life to prioritise. Politics just isn't my priority. If it were, something equally important would be left undone. It's a world of choices.
@ojrask What I've read about the situation of the Uyghurs in no way supports the idea that they live in peace in their own region. If I stated anything at all about the situation of the Sámi, I'd already be making the two comparable myself :-)

I strongly disagree about that comparability, and I can't begin to assess the Sámi situation this casually. Still, I don't believe that if, say, one of my kidneys went bad, I'd get a slightly used Sámi liver as a replacement on a quick turnaround...

Jarkko Sakkinen

Edited 1 year ago
... and there are some technical disadvantages.

The great thing in C is that, given the most trivial binary layout, it is pretty easy to debug just in raw (disassembled) assembly without debug symbols. If you are a long-timer you can quickly get an idea. And early hardware initialization is exactly the slot where this kind of simplicity does make sense.

Thus, in oreboot's case you can pretty objectively say that it is a purely ideology-driven project with zero actual technical "useful in the field" merits.

Jarkko Sakkinen

The Rust project that I disagree with the most must be oreboot. "Saturation of an ecosystem" is not my favorite feature ever tbh. And it is just initializing the hardware. Not making the world a better place, which should always be the goal. #coreboot

Jarkko Sakkinen

Edited 1 year ago
@ojrask This is why I've never been extremely enthusiastic about politics. It doesn't matter whether it's Kokoomus or the SKP, you always have to be right. I update my views when better information comes along, and I turn my coat as often as I change my socks. The world is more dynamic than political models can grasp :-) After all, we're talking about 150-year-old, completely theoretical models.

E.g. a physicist knows from the outset that not even the very latest theory in physics actually holds true at all; it is the currently best-known model for the data that can be measured. All physics is a bit like developing Excel macros. That's why physicists range from fundamentalist Christians to atheists, because physics doesn't provide the kind of model that would help define a worldview.
@ojrask Well, I'm not an activist or anything, but in my opinion Nury Turkel's book on the subject was at least credible to me. I could of course be wrong, but it convinced me at least. I don't write blogs, so it doesn't really matter what I think about the matter. That would at least have required a convincing view of why one can state that. Without an argument, that's quite a bold claim.
@ojrask Well, in the sense that, as far as I understand, the Sámi are not subject to genocide, nor are their internal organs sold to the rich; that's perhaps the first thing that comes to mind :-)