Posts
4937
Following
327
Followers
492
Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1
jarkko

Jarkko Sakkinen

Edited 25 days ago
Servo 0.0.1

https://servo.org/blog/2025/10/20/servo-0.0.1-release/

Great news for web.

#servo #web
0
0
0
jarkko

Jarkko Sakkinen

Reply to @Aissen@social.treehouse.systems
@Aissen @geal I prefer combinator parsers over PEG because in combinator parsers with the price of higher "initial cost" you get re-usable components, and maintenance costs over long period of time are much lower than with PEG (assuming that grammar is relatively stable). And yeah, everything lives in the same closure (i.e. in the Rust implementation).
0
0
2
jarkko

Jarkko Sakkinen

Reply to @jarkko
actually #rasn would be another. it saved me from bunch of bloated dependencies and allowed me to easily write my own parsers for PCKS#1, PCKS#8, SEC1 and X.509.
0
0
0
jarkko

Jarkko Sakkinen

#nom is like the first library in Rust of which I can say that I love it, and not because it is "powered by Rust" but because it is such a great peace of work overall :-) #rustlang
3
0
2
jarkko

Jarkko Sakkinen

Edited 25 days ago
Now that I can actually clean up tpm2sh as I reached "zero known relevant bugs" state couple of days ago, some cool features will spun from that.

E.g., most of the time you don't have to specify parent key, the tool will discover it for you.

I'll also implement virtual persistent handles by retaining in cache TPMKey ASN.1 file in addition to context and that enables to implement fake evict operation to 0x81-range.

And already now management of TPM2 sessions is mostly transparent like it should be, and implicitly created HMAC sessions will gain parameter encryption soon.

In pre-existing TPM2 stacks (e.g., tpm2-tool) having sessions exposed out naked to the user is like having a TLS stack where you would need manually implement session key exchange dance. It's just plain fucking wrong imho :-)

#tpm2sh
0
0
0
jarkko

Jarkko Sakkinen

Reply to @pony@blovice.bahnhof.cz
@pony @lkundrak steve hegmeth
0
0
1
jarkko
repeated
lkundrak@metalhead.club

AGRO TURBO.EXE SNAKE 🇺🇦🇨🇿

breaking: white house being replaced by a white trailer park

1
1
1
jarkko

Jarkko Sakkinen

Reply to @Netux@mastodon.sdf.org
@Netux kexec is not isolated environment from the host system, and quite complicated to use to begin with for anything really.
1
0
1
jarkko

Jarkko Sakkinen

Reply to @Netux@mastodon.sdf.org
@Netux i build about 10 VMs per day or something :-) Every time I test a single kernel patch I build a fresh VM around it. Not the size but dependencies is the optimization parameter here.
1
0
1
jarkko

Jarkko Sakkinen

Reply to @jarkko
Dropping curl has significant effect to my VM image build times. Why I have not realized this before ;-)
1
0
2
jarkko

Jarkko Sakkinen

For VM/embedded images socat is pretty alternative to curl as it has 50% less dependencies and you can still web e.g.,

printf 'GET / HTTP/1.1\r\nHost: www.iki.fi\r\nConnection: close\r\n\r\n' | socat OPENSSL:www.iki.fi:443 -

I’ve replaced curl with socat in my BuildRoot images for kernel testing because it is less bloated than curl ;-)

1
0
1
jarkko

Jarkko Sakkinen

Edited 26 days ago
Cargo would be better if it had a separate unique and label names for dependencies, and dependency resolution used the former.

Basing immutablity to a label makes crates.io quite unrobust IMHO, and given that not all projects fly that far, otherwise useful labels stay reserved permanently, up until Sun melts.

Such dual-name scheme could be transparent to Cargo.toml: e.g. Cargo.lock could map a label to a name.

I'm not saying that names would need to have expiration time. I'm thinking more like willingly giving name back to circulation from abandoned project.

C++ has bunch of offerings now for cargo alike package managers. In that front, I'd try to find a solution that is smarter than Cargo before there is a dominating solution.

#rustlang #cargo
1
0
0
jarkko

Jarkko Sakkinen

Reply to @jarkko
@securepaul I'll put an abstract about tpm2sh for LSS once there are CfP's available next year (and little bit about protocol stack I've build for it [1]). Has been a while but I haven't had really a topic I wanted to talk about for a long time :-)

[1] https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/tpm2-protocol.git
0
0
1
jarkko

Jarkko Sakkinen

Reply to @jarkko
Edited 26 days ago
i don't know how those algorithms work - i just used the fact that hex digit maps to a nibble and compile bit pattern based on that observation...
0
0
0
jarkko

Jarkko Sakkinen

https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/tpm2sh.git/tree/src/wildcard.rs?h=main

made a little wildcard parser last night so that I don’t have to implement docker esque “tpm2sh reset” command.

e.g. cache can be reseted now by tpm2sh delete 'vtpm:*'

1
0
0
jarkko

Jarkko Sakkinen

Reply to @NanoRaptor@bitbang.social
@NanoRaptor it is awesome
0
0
0
jarkko
repeated
NanoRaptor@bitbang.social

Nanoraptor

386.

5
14
1
jarkko

Jarkko Sakkinen

After starting this work one Sunday on August and ~13000 lines of new Rust code after that, this is the first release where I don't have any catastrophical bugs to resolve, or have personally any immediate needs :-)

https://crates.io/crates/tpm2sh

#linux #rustlang #tpm
1
1
5
jarkko

Jarkko Sakkinen

tpm2sh policy has now more inituitive infix expressions :-) [learning nom by trial and error]
0
0
2
jarkko

Jarkko Sakkinen

I’m planning to iteratively make tpm2sh policy subcommand to compile policy expressions first into eBPF i.e., --mode ebpf option.

We can use this to address bottleneck in trusted keys in kernel: TPMKey ASN.1 provides key blob but not steps how to create policy session that authorizes the key.

Today: TpmKey ASN.1 with auth value and policy digest can be passed but really only auth value (+ PCR selection in TPM2_Create) can be used for authentication.

My vision for policy protected keys is basically:

  1. Key data is passed as TPMKey ASN.1 just like today.
  2. In addition eBPF program for creation policy session is passed when policy digest is used.

It’s perfectly secure given that a malicious eBPF program would end up to a different policy digest than what is associated with the key.

#linux #kernel #tpm

0
0
0
Show older
About social.kernel.org

Terms of service

  1. Please do not use this service in violation of the Linux Kernel Code of Conduct. Doing so will result in your account suspension with the referral of the matter to the CoC committee.

  2. "Repeating"/"boosting" someone else's status on this platform will be treated as endorsement and will fall under rule #1.

  3. You are encouraged to use this platform to promote your work on the Linux Kernel, but there is no restriction on permitted topics (with the exception of anything covered by #1 above).

  4. There is no requirement to post in English, but it should be considered the primary language of communication on this platform.

Privacy notice

The admins of this service have access to all posted statuses. They aren't looking, but if it's something they shouldn't know about, then you should not post it on this platform.

Please see the Linux Foundation Privacy Policy, which applies to this platform as well.

Getting your own account

If you would like an account on this instance, please check that the following applies to you:

  • You are listed in MAINTAINERS or CREDITS

  • OR: You have a kernel.org account or email address

  • OR: You have a long and established history of involvement with the Linux Kernel

If the above is true and you agree with the Terms of Service and Privacy Notice listed above, please use these instructions to request an account: