Jarkko Sakkinen
Posts
5043Following
329Followers
503OpenPGP: 3AB05486C7752FE1
Jarkko Sakkinen
jarkko
@Foxboron I need to try that out against my tool. It already nicely operates with openssl and tpm2-tools.
tpm2sh can generate keys with policies.
The set of commands is fairly limited but it is a subset that I pick to maximize coverage for the time being: or, secret and pcr.
Unfortunately spec is quite incomplete when it comes to PolicyOr but my tool generates the full PolicyRestart dance to the file. That way e.g. kernel in future can implement a functional executor.
What executor needs to done with output data:
1. Fill policy handle with active session handle.
2. Resolve handles for PolicySecret calls.
It would be cool to maintain some kind of interoperatibility with sbctl given the state of spec and that way sort of "fill out the blanks" :-)
For auth values in the latest version I've ended up to "<handle>:<hex>" type of list of mappings. Linear list of values is quite difficult to map when you have both purely auth value authenticated object and policies referencing to handles.
tpm2sh can generate keys with policies.
The set of commands is fairly limited but it is a subset that I pick to maximize coverage for the time being: or, secret and pcr.
Unfortunately spec is quite incomplete when it comes to PolicyOr but my tool generates the full PolicyRestart dance to the file. That way e.g. kernel in future can implement a functional executor.
What executor needs to done with output data:
1. Fill policy handle with active session handle.
2. Resolve handles for PolicySecret calls.
It would be cool to maintain some kind of interoperatibility with sbctl given the state of spec and that way sort of "fill out the blanks" :-)
For auth values in the latest version I've ended up to "<handle>:<hex>" type of list of mappings. Linear list of values is quite difficult to map when you have both purely auth value authenticated object and policies referencing to handles.
1
0
0
Jarkko Sakkinen
jarkko
https://thenewstack.io/ffmpeg-to-google-fund-us-or-stop-sending-bugs/ :-----------------------)
0
1
2
Jarkko Sakkinen
jarkko
0
0
2
Jarkko Sakkinen
jarkko
1
0
1
Jarkko Sakkinen
jarkko
Edited 25 days ago
one aspect in security, which has been wrong even in some of the linux foundations pages from time to time is that they differentiate answers between "incorrect password" and "acount does not exist". this should be obviously opaque.
it allows to query which sites user has an account, which is useful information in wrong hands already.
#infosec #oracle
it allows to query which sites user has an account, which is useful information in wrong hands already.
#infosec #oracle
0
2
1
Jarkko Sakkinen
jarkko
when it comes to infosec i'm glad at least that the "era of silly security questions" is over.
it was super-frustating to copy-paste set-and-forget one-time pad answers to questions such as "what was your mothers maiden name", when they were still a thing.
i don't know who invented them but the person should get some kind of worst invention of IT ever award or something.
#infosec #password
it was super-frustating to copy-paste set-and-forget one-time pad answers to questions such as "what was your mothers maiden name", when they were still a thing.
i don't know who invented them but the person should get some kind of worst invention of IT ever award or something.
#infosec #password
1
0
2
Jarkko Sakkinen
jarkko
Next thing I'll add to tpm2sh is direct support for keyctl syscall and key re-creation in kernel. After that I can revisit asymmetric keys kernel patch set :-)
0
0
0
Jarkko Sakkinen
jarkko
Edited 25 days ago
for what is worth here's arch installation running for my Ryzen 9950X desktop :-)
https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/sysdarch.git/
Just though to upload it somewhere for backup.
It has secure boot (sbctl), TPM2 unlock, and finally EXT4, which is probably a twist from current standards (but is so convenient given universal support everywhere).
https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/sysdarch.git/
Just though to upload it somewhere for backup.
It has secure boot (sbctl), TPM2 unlock, and finally EXT4, which is probably a twist from current standards (but is so convenient given universal support everywhere).
2
0
0
Jarkko Sakkinen
jarkkorust learning of today: to avoid integer overflows when summing up lengths, always use checked_add in such situations :-)
E.g., this is wrong:
let total_body_len =
handle_area_size + parameter_area_size_field_len + param_area_size + sessions_len;
And this is right:
let total_body_len = handle_area_size
.checked_add(parameter_area_size_field_len)
.and_then(|len| len.checked_add(param_area_size))
.and_then(|len| len.checked_add(sessions_len))
.ok_or(TpmProtocolError::IntegerTooLarge)?;
Jarkko Sakkinen
jarkko
@tess Actually bullet two is the key of learning and understanding software and becoming a upstream contributor in most of major open source projects :-) You improve the system patch at a time until you understand why it works the way it does.
Thus, 180 degrees disagreement on bullet 2.
Thus, 180 degrees disagreement on bullet 2.
1
0
1
Jarkko Sakkinen
repeated
repeated
Marko Karppinen
karppinen@mastodon.onlineHeh, Amazon's satellite internet service launched yesterday and their first marketing angle is “how about you get your AWS Direct Connect over satellite instead of paying for cross connects”
https://www.aboutamazon.com/news/amazon-leo/amazon-leo-satellite-internet-ultra-pro
1
1
1
Jarkko Sakkinen
repeated
repeated
Randahl Fink
randahl@mastodon.socialHere is my Ukraine peace proposal:
1. Putin is sent to The Hague.
2. Russian soldiers leave Ukraine including Crimea.
3. Russia returns all kidnapped Ukrainian children.
4. Russia releases all Ukrainian prisoners.
5. Russia pays damages for everything their war has destroyed.
6. Russia pays damages to Ukrainian families who have lost family members.
7. Russia pays damages to every person who has been tortured, abducted or otherwise criminally mistreated.
8. Ukraine becomes a member of the EU.
2
13
2
Jarkko Sakkinen
jarkko
the main problem with confidential computing is and will be that it is not hacker enabled ecosystem.
or it's as hacker enabled as IBM mainframes.
i.e., there is no such thing as distruptive innovation.
it might be commercially viable story for companies that produce the hardware to other big companies but it is still a sad story ;-)
and you do not own the hardware EVEN if you buy it because it's locked in to the CPU companies CA.
or it's as hacker enabled as IBM mainframes.
i.e., there is no such thing as distruptive innovation.
it might be commercially viable story for companies that produce the hardware to other big companies but it is still a sad story ;-)
and you do not own the hardware EVEN if you buy it because it's locked in to the CPU companies CA.
0
0
1
