After I have finished with #TPM2 signing keys, I'll create a branch called p256k1 to my linux-tpmdd tree, and start doing a PoC of that #ECC curve...

I'll start with #ECDSA signature verification because that is secure without specialized hardware, and as of today #TCG is yet to support P256K1 in its #algorithm #registry.

Also this requires to implement the early version of Keccack-256 #hash algorithm because there are AFAIK padding differences with SHA-3.

#linux #kernel #keys #blockchain

@dr2chase @ariadne @vathpela Right it has "for more information". Yeah, the current Pelican template probably won't help a lot, agreed

@vbabka @ariadne @dr2chase @vathpela I actually like a lot the RISC-V version without MMU. It has memory protection based on partitions, which is super secure way to do it (so called PMP registers).

@dr2chase @vathpela @ariadne I've been following for the sake of general interest a lot Loonghorn, Elbrus and OpenMIPS, and I spotted riscv keywords in the thread ;-) I've been in a industry sabbatical working on research RISC-V chips: https://www.sochub.fi/. Apologies if I took this off-topic... No bad intentions from my side. CPU's just generally interest me.

Pro tip for the next time: scope exactly which CPU's are allowed, and which are banned in your social media post. If there is official disclaimer that bans this or any other topics. I will promise to follow it! In the top-post there was no such disclaimer, which meant that I was allowed to discuss also other CPU architectures than the aforementioned Loongson :-)

@dr2chase @vathpela @ariadne Thanks, should actually make that home page ;-) I've had a few interviews and should update that during July. It is a bit early to close a job contract for most companies at this point.

@vbabka @ariadne @dr2chase @vathpela Yeah one of the most common root design failures when it comes to various side-channel attacks :-) Vulnerability by design. Other would be CPU caches or combination of these two :-)

I wonder why vfat in kconfig does not select these options:

• CONFIG_NLS_CODEPAGE_437
• CONFIG_NLS_ISO8859_1

Noticed this while putting together #systemd image. You really cannot use FAT meaningfully without 437, so there should be IMHO either depends or select relation between these and FAT kconfig options.

In my opinion selecting VFAT in 2024 from kconfig should lead to selecting all the options that are required for filenames at minimum because it has exactly two use cases:

1. USB sticks
2. ESP

In both cases proper interpretation of filenames is required.

PS. I also wonder why systemd does not list them as its required CONFIG_*. They are not obvious kconfig options in the context of kernel QA ;-) I always begin with tinyconfig and add up from there when doing this. Using ESP is required by practical means with systemd-boot so all three options should exist in this file: https://github.com/systemd/systemd/blob/main/README. I used it as a reference and failed.

#linux #kernel #vfat #codepage #437

@vathpela @dr2chase @ariadne Do you mean Intel SDM and it is verbose pseudo code by this. If that was the connection, yep, I do appreciate that side in x86 specs :-) I can more easily grasp stuff from SDM than from RISC-V specs.

Ramping up #systemd #kernel #QA: DONE!

URL: https://gitlab.com/jarkkojs/linux-tpmdd-test

Contents:

CMakeLists.txt
Config.in
LICENSE
README.md
board/x86_64/buildroot.conf
board/x86_64/genimage.cfg
board/x86_64/kselftest-tpm2.exp.in
board/x86_64/linux.config
board/x86_64/post-build.sh
board/x86_64/post-image.sh
board/x86_64/run-qemu.sh.in
board/x86_64/run-tests.sh.in
board/x86_64/ssh_config.in
buildroot-2024.02.3.patch
configs/x86_64_defconfig
external.desc
external.mk

I’ve been editing the history while ramping up this starting point but I will stop this chaotic workflow now and commit to this baseline :-) So no worries if sending pull requests…

This is also CI capable environment assuming that runner has:

• QEMU
• swtpm

The GIF-animation shows the proof that it actually also works.

Yup, I think it is most sensible to make asymmetric TPM2 key signer only, and import public key to software asymmetric key.

It's not purely just doing TPM2_Sign but also per signature type (RSAPSS, ECDSA etc.) it needs signature specific encoder to ASN.1 format.

Still sufficient to have only a single tpm2_signing_key type of module.

@cherti In my books a claim without evidence is a false claim, and frankly I don't care what your interpretation is. Even if that random guess would actually shown to be true.

@cherti Please go away, thanks.

@cherti And making false claims does not help anyone. On the contrary it leads to false beliefs.

@cherti No you made a claim without evidence.

This happens to me at least every second or third day:

# poweroff

And then my computer shuts down :-) #qemu

Those took care of remaining errors, now systemd gives zero fails awesome :---)

CONFIG_NLS_ISO8859_1=y

Given “codepage cp437 not found” adding: CONFIG_NLS_CODEPAGE_437=y

Before even considering any changes to the #kernel #PGP #maintainer guide I wonder what is the use and purpose of:

- gpg-agent-browser.socket
- gpg-agent-extra.socket

I keep them disabled because I need only gpg-agent.socket and gpg-agent-ssh.socket but for completeness sake would be nice to know what they are.

@cherti Why are you making such claims then?