Jarkko Sakkinen
Posts
4716Following
319Followers
487OpenPGP: 3AB05486C7752FE1
Jarkko Sakkinen
jarkko
lifting weights felt great after three week break :-) that's the timeline for tpm2-protocol. it was unhealthy stretch as fuck but now it is done and my rust concerns have been mitigated!
i'm ready and i've fully prepared the next five year plan in the linux kernel, and more specifically in kernel sec...
i'm ready and i've fully prepared the next five year plan in the linux kernel, and more specifically in kernel sec...
0
0
1
refactor!(pipeline): uri base schema
Introduce a new object model with separation between 'tpm' objects (on-chip
references) and 'key' objects (portable key material), simplifying the
object lifecycle.
Replace the inconsistent scheme with a URI based scheme ('tpm://',
'file://', 'data://', 'pipe://') for all resource references.
Jarkko Sakkinen
jarkko
new uri based json stack with tpm and key objects depending on binding etc. and things start to actually work.
1
0
0
Jarkko Sakkinen
repeated
repeated
Canonical Ubuntu
ubuntu@ubuntu.socialHappy birthday, Linux! 🐧🎂
Here’s to 34 years of open source, community, and innovation.
1
3
0
Jarkko Sakkinen
jarkko
(sort of) EOF for this project:
https://lore.kernel.org/tpm2/aKzaTYCI2GO_UPRB@kernel.org/T/#u
The thing that really did not exist before is there, features too, stability most likely not, processes and constraints are adequate for the goals and purpose 🤷
#linux #kernel #tpm #rust
https://lore.kernel.org/tpm2/aKzaTYCI2GO_UPRB@kernel.org/T/#u
The thing that really did not exist before is there, features too, stability most likely not, processes and constraints are adequate for the goals and purpose 🤷
#linux #kernel #tpm #rust
0
0
0
Jarkko Sakkinen
jarkko
Edited 9 days ago
I had these shitty with_* wrappers for doig shit with handles in tpm2sh.
Now I'm switching to Drop traits + threadpool i.e. pretty much what every other driver does in kernel with workqueue, so using a known good pattern.
As I've understood it (might be wrong too please correct) e.g., in a Drop trait implementation it is disallowed to block.
[in drivers you tend to do this a lot e.g., given possible race conditions with fput() and releasing the resources]
Now I'm switching to Drop traits + threadpool i.e. pretty much what every other driver does in kernel with workqueue, so using a known good pattern.
As I've understood it (might be wrong too please correct) e.g., in a Drop trait implementation it is disallowed to block.
[in drivers you tend to do this a lot e.g., given possible race conditions with fput() and releasing the resources]
0
0
0
Jarkko Sakkinen
jarkko
Edited 10 days ago
All these TPM bug I've baffled around have nothing to do with tpm2-protocol. It's working perfectly :-) It's all about parameters in tpm2sh.
Two real issues so far after 0.10.0 specifically in tpm2-protocol:
1. I had deleted over half of TPM_RC values from enum during mangling it together. tpm2-protocol did not trip it returned error called InvalidDiscriminant, which also reports the integer value of undefined discriminant.
2. I had ill-defined capacity for couple of things. The error propagation and range checks worked perfectly and returned CapacityExceeded.
It's designed to be zero panic even for unreachable and "impossible" situations and error propagation seems to really work in practice too :-)
At one point I did not having parsing and building traits defined for "i8" as I was not then aware that there was enum with negative discriminants. That already was catched by the compiler as everything has TpmBuild, TpmParse and TpmSized traits down to atoms.
That i8 issue was exactly kind of twist that could easily go into production unnoticed and made me pretty convinced that the "DSL" I've defined actually does work.
Two real issues so far after 0.10.0 specifically in tpm2-protocol:
1. I had deleted over half of TPM_RC values from enum during mangling it together. tpm2-protocol did not trip it returned error called InvalidDiscriminant, which also reports the integer value of undefined discriminant.
2. I had ill-defined capacity for couple of things. The error propagation and range checks worked perfectly and returned CapacityExceeded.
It's designed to be zero panic even for unreachable and "impossible" situations and error propagation seems to really work in practice too :-)
At one point I did not having parsing and building traits defined for "i8" as I was not then aware that there was enum with negative discriminants. That already was catched by the compiler as everything has TpmBuild, TpmParse and TpmSized traits down to atoms.
That i8 issue was exactly kind of twist that could easily go into production unnoticed and made me pretty convinced that the "DSL" I've defined actually does work.
0
0
0
@lanodan It's like with Rust ecosystem that they've made the right analysis of situation i.e. for most stuff we put everything to somekind of container etc. and for 99% of stuff we pile it's great call.
But the thing is nothing ever works ideally except maybe computer science class and there is 1% where that makes absolutely no sense. So to level up I'd address these type of details too, and accept the reality. Up until that Rust is pretty much destined to be a Java for system programming sandboxed by C based ecosystem.
But the thing is nothing ever works ideally except maybe computer science class and there is 1% where that makes absolutely no sense. So to level up I'd address these type of details too, and accept the reality. Up until that Rust is pretty much destined to be a Java for system programming sandboxed by C based ecosystem.
0
0
0
@lanodan it's a special corner case and i'm talking about deployments at scale of even hundreds or thousands nodes and fucking armed guards and shit xD usually corps have this thing called Secure Development Lifecycle (SDL) process that everything to needs to comply and it is hard to map to bunch of Rust programs with random versions of random crypto.
1
0
0
Jarkko Sakkinen
jarkko
@lanodan it does not rely on assumptions. it is more like that in production you often need to have somehow certified/audited crypto. I.e. it is irrelevant how strong or weak the crypto is in some sense as long as it has gone through that process.
thus, statically linked crypto is a problem.
also it is a problem even when the crypto would audited that you can only hotfix all deployed rust by updating all possible rust programs. it's much easier to hotfix a single crypto entity, which could be DSO.
thus, statically linked crypto is a problem.
also it is a problem even when the crypto would audited that you can only hotfix all deployed rust by updating all possible rust programs. it's much easier to hotfix a single crypto entity, which could be DSO.
1
0
0
Jarkko Sakkinen
jarkko
Easiest way to test Windows compilation in Linux for Rust crate?
I'd like to add a target for https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/tpm2-protocol.git
I'd like to add a target for https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/tpm2-protocol.git
1
0
0
It would be comptetitive advantage for Rust to have first class DSO support. It's like 99% of things Rusts static linking model is exactly right thing to do but for 1% of use cases you should just have a DSO.
Prime examples:
- Core crypto libraries. These need to be hotfixe when CVE arises.
- Core graphic libraries.
- System GUI libraries.
Prime examples:
- Core crypto libraries. These need to be hotfixe when CVE arises.
- Core graphic libraries.
- System GUI libraries.
1
1
1