Posts 5612 · Following 352 · Followers 551
@jani A new day job happened in March. Also, I wrote a new TPM2 stack for Rust during the fall. I'm planning to continue with this soon, as I'm now fully functional in my day job :-) Thanks for reminding!

@monsieuricon I can live with the burden of this knowledge :-)

Jarkko Sakkinen

I've recently started to use Niri on my main desktop PC. First tiling wm that somehow intuitively works for me, and does not require too much configuration :-)

https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/sysdarch.git/commit/?h=main&id=7484242542d5bdd97a507c47959d2117faf6a170

oops, sorry for lying, it is one callback delete moment, anyhow along the lines ;-)

Jarkko Sakkinen

a "one line change moment" ;-)

https://lore.kernel.org/linux-integrity/20251215231438.565522-1-jarkko@kernel.org/T/#u

Somehow these types of patches give more kicks than more complex ones.

Jarkko Sakkinen

Some news outlets etc. seem to translate making support non-experimental into "Rust support getting official". I guess Rust has been "official" for the past 5-6 years but marked as experimental. I don't understand this type of reporting, or what is meant by "official" to begin with.

Jarkko Sakkinen

Glad previous stuff was merged, but new stuff for further streamlining HMAC sessions and the code around them has piled up:

https://lore.kernel.org/linux-integrity/20251214153808.73831-1-jarkko@kernel.org/

Improving hwrng, the prime source of latency issues, has some groundwork laid out, and the latency hit should now be stable (as per the small variance in expected latency).

After those have been merged it is easy to further improve hwrng (probably by making it pool random bytes with fixed-size chunk pulls of new data, and serve callers from the pool).

Jarkko Sakkinen

Edited 5 months ago
i filtered candidates based on how many times they expressed their dislike of one topic or another in their candidate profiles and used that as heuristics to order the candidates :-) i.e. fewer dislikes, closer to pole position. i have no idea if it makes the best candidates but i want leadership to have a positive and inclusive view of the future.

Jarkko Sakkinen

cast my vote in linux foundation tab elections :-)

Jarkko Sakkinen

Edited 5 months ago
Iterating HMAC encryption steadily to be great again: https://lore.kernel.org/linux-integrity/20251210172027.109938-1-jarkko@kernel.org/

I don't think it has unsolvable issues but it will need some rework. Just needs a few iterations like this.

I also think that once it is functionally and quality-wise significantly improved, it makes sense to replace CONFIG_TCG_TPM_HMAC with kernel command-line parameters and a set of parameters.

Other remarks that I put here mostly for myself as a reminder (I love Mastodon bookmarks):

1. One thing that was properly handled in the first iteration was also that although ECC-NIST-P256/SHA256 might be de facto and practically everywhere in Western countries, there's also a large population in a distant country in Asia relying on SM2/SM3. I.e. we eventually need SM2/SM3 to be universal.
2. Initialization itself should be *conditional*, i.e., it will complain if the feature cannot be enabled, but that's all. It can then be supplemented with a "panic_on_warn" style parameter, if someone has a problem with this.
3. Relying only on the null key generated at boot is great for some systems (laptops/desktops), but for embedded systems especially it is a major performance hit. Thus a persistent root key should also be an option.
4. During power-on, hwrng was the worst glitch. The patch set above already improves the situation by making the read request "opportunistic" instead of committing to an amount. No grand plan for this, but I do have a sack of ideas in my pocket. This will gradually improve over time with no grand plan tbh ;-)

#linux #kernel #tpm
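The two hwrng remarks above, pooling random bytes behind fixed-size chunk pulls and serving callers from the pool (the Dec 14 post), and making the read "opportunistic" rather than committed to an amount (remark 4 in the list), are modelled below as an added user-space example in C. This is example code written for this page, not the kernel's hwrng or TPM code: the device is a constructed deterministic counter stub, not a random source, and POOL_SIZE, CHUNK_SIZE and every function name here are assumptions. The pulls counter exists only so the amortisation (many small caller reads, few device trips) can be measured, and the short-read and stalled-device paths show what "opportunistic" means for the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE  64   /* bytes the pool can hold (assumed size) */
#define CHUNK_SIZE 32   /* fixed-size pull from the device (assumed size) */

/* Opportunistic device read: delivers 0..max bytes and returns how many it
 * actually delivered; it never blocks to fill the whole request. */
typedef size_t (*hwrng_read_fn)(uint8_t *dst, size_t max, void *ctx);

struct rng_pool {
    uint8_t buf[POOL_SIZE];  /* buf[0..avail) holds not-yet-served bytes */
    size_t avail;
    unsigned pulls;          /* device pulls so far, to measure amortisation */
    hwrng_read_fn read;
    void *ctx;
};

/* Pull one fixed-size chunk into the pool's free space. A short or empty
 * result is normal: it is recorded, not retried. */
static size_t rng_pool_pull(struct rng_pool *p)
{
    size_t room = POOL_SIZE - p->avail;
    size_t want = room < CHUNK_SIZE ? room : CHUNK_SIZE;
    size_t got = p->read(p->buf + p->avail, want, p->ctx);

    p->pulls++;
    p->avail += got;
    return got;
}

/* Serve a caller from the pool, touching the device only when the pool runs
 * dry. Returns bytes written to out; fewer than n means the device delivered
 * nothing on a pull, and the caller decides what to do about that. */
size_t rng_pool_read(struct rng_pool *p, uint8_t *out, size_t n)
{
    size_t served = 0;

    while (served < n) {
        if (p->avail == 0 && rng_pool_pull(p) == 0)
            break;                  /* device stalled: stay opportunistic */
        size_t take = n - served < p->avail ? n - served : p->avail;
        memcpy(out + served, p->buf + p->avail - take, take);
        memset(p->buf + p->avail - take, 0, take);  /* served bytes do not linger */
        p->avail -= take;
        served += take;
    }
    return served;
}

/* Constructed stand-in for the hwrng device: emits a running counter (NOT
 * random) and honours a per-call cap so the short-read path gets exercised. */
struct fake_hwrng {
    uint8_t next;
    size_t cap;   /* max bytes per call; 0 models a stalled device */
};

static size_t fake_hwrng_read(uint8_t *dst, size_t max, void *ctx)
{
    struct fake_hwrng *d = ctx;
    size_t n = max < d->cap ? max : d->cap;

    for (size_t i = 0; i < n; i++)
        dst[i] = d->next++;
    return n;
}

/* Issue `requests` reads of `req_size` bytes against a device capped at `cap`
 * bytes per pull; report device pulls and total bytes served. */
static void run_demo(size_t requests, size_t req_size, size_t cap,
                     unsigned *pulls, size_t *served)
{
    struct fake_hwrng dev = { .next = 0, .cap = cap };
    struct rng_pool pool = { .avail = 0, .pulls = 0,
                             .read = fake_hwrng_read, .ctx = &dev };
    uint8_t out[POOL_SIZE];

    if (req_size > sizeof(out))
        req_size = sizeof(out);
    *served = 0;
    for (size_t i = 0; i < requests; i++)
        *served += rng_pool_read(&pool, out, req_size);
    *pulls = pool.pulls;
}

unsigned demo_pulls(size_t requests, size_t req_size, size_t cap)
{ unsigned p; size_t s; run_demo(requests, req_size, cap, &p, &s); return p; }

size_t demo_served(size_t requests, size_t req_size, size_t cap)
{ unsigned p; size_t s; run_demo(requests, req_size, cap, &p, &s); return s; }

int main(void)
{
    /* 16 callers wanting 4 bytes each: 2 chunk pulls rather than 16 device
     * trips; a device yielding only 8 bytes per pull costs 8 pulls but still serves all */
    printf("pulls=%u served=%zu\n", demo_pulls(16, 4, 32), demo_served(16, 4, 32));
    printf("pulls=%u served=%zu\n", demo_pulls(16, 4, 8), demo_served(16, 4, 8));
    return 0;
}
```

The design choice worth noting is that a pull never loops until the chunk is full: whatever the device hands back is accepted, and a caller that gets fewer bytes than asked for sees that in the return value instead of waiting on the device. That is what keeps the worst-case latency bounded by one device round trip rather than by however long the device takes to produce a full request.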

Jarkko Sakkinen

Second Windows post of the day ;-)

What is the pass alternative for Windows that is fully compatible with pass' database?

Jarkko Sakkinen

Edited 5 months ago
Microsoft has a multi-decade-long history of features which most people want to proactively disable: https://arstechnica.com/ai/2025/12/microsoft-slashes-ai-sales-growth-targets-as-customers-resist-unproven-agents/

Some things never change ;-)

I have one ThinkPad with Windows, and on that, when reinstalling the OS, the challenge is always to find out how to mitigate Microsoft's latest attempts to disable local (only) accounts. It's a forever-going puzzle game really.

#microsoft

Jarkko Sakkinen

installed a webcam in order to make a better appearance at telcos ;-)

@andrew nope, i just use whatever gnome provides me and complain in social media ;-)

Jarkko Sakkinen

Edited 5 months ago
Now it hit me what I was doing wrong in TPM2 asymmetric keys.

Introducing new key types was the wrong strategy. Instead, the pre-existing ECC and RSA key types should be layered, i.e., you turn the "TPM2 magic switch" on and the kernel generates the import blob etc. dance behind the curtains.

This has numerous benefits. E.g., there can then also be a "TEE magic switch" depending on the platform, and generally speaking this is the best for users as they don't need to overturn their configuration.

#linux #kernel #tpm

Jarkko Sakkinen

My friend Tuomo wrote a window manager called 'pwm' during the early 00s. I liked the idea of attaching multiple client windows to a single frame much more than tiling window managers. I used that wm for quite a while and wish that someone would bring that concept back.

Also, 'rsaParent' is just a weird thing to have. Why not just have the whole TPM2B_PUBLIC blob for the parent key, and applications can cherry-pick what they want instead? It makes zero sense.

Jarkko Sakkinen

A great example of why the "parent" attribute does not really work in the TPMKey ASN.1 definition is the Linux kernel.

We have an explicit parameter for the parent handle called 'keyhandle' because the attribute stored in the ASN.1 is useless and ambiguous data.

#linux #kernel #tpm

@pinkforest nope, i know it exists but have not had any use for it in what i do :-)

Jarkko Sakkinen

Edited 5 months ago
One reason I've stuck with ext4 is that I also run Bitwig Studio on my Linux machine, and generally speaking ext4 has more predictable latency (and more options for recovering data). Ultimately the choice of file system is a throughput vs latency question, and this is probably also why Apple never migrated from HFS(+) to ZFS :-)