In addition to @LWN subscription I renewed now my #Medium subscription :-)

I also order Computer Music through pocketmags.com, Helsingin Sanomat (digital version https://www.hs.fi/) and of course @skrollilehti.

I like to read good stuff, and am willing to pay for it I guess. I also generally prefer paid version of any web service rather than a free service because then there is less hidden gotchas involved.

I should publish this humble and not so exciting crate (stalled since Dec) and now I found the motivating factor. I make it compile with gccrs.

Maybe this will leads to contributions, who knows, or epic failure but should be interesting and exciting in all cases :-)

The stimulus obviously comes from GCC 14 release, which has the first experimental version of gccrs. And in my free time I do prefer GPL licensed code base for utilities and apps over MIT/Apache, so gccrs makes more sense for me than rustc in that sense (and not judging other viewpoints, it is my personal and subjective preference).

https://gitlab.com/jarkkojs/zmodem2

#gcc #rust #zmodem #gpl

TPM2-measured boot with bus protection is pretty nice actually for Linux installations where secure boot is not enabled, like the default Arch Linux installation for instance.

For the sake of "defence in depth", I'd enable both if it is out-of-the-box feature but would not probably bother with secure boot if it requires extra work.

So, the takeaway from this is that it would make a lot of sense to make measured boot happen in arch-install installation as opt-in feature. No Microsoft key required.

Still so far the most informative overview for the shenanigans is https://microos.opensuse.org/blog/2023-12-20-sdboot-fde/ but I'd also look for more recent references.

Policy hash calculation per kernel package update for LUKS2 is what needs to happen over time whenever a new kernel package is installed with hooks/scripts.

So the thing that was hyped to DRM the world into a locked down hellhole rendered out the Microsoft key hard binding instead 🤷

#tpm #linux #archlinux #opensuse #secureboot #security

Finally HMAC encryption for in-kernel TPM clients is going to a release! Has been hanging there for a long time.

LUKS2 and distributions starting to support it motivated me to rewrite the buffering code last Spring because that was my main turn-down in the original patch set, and then James took over and cleaned up the functionality and I reviewed it for few rounds until it was good enough.

With this and TPM2 sealed hard drive encryption there is a somewhat reasonable security model without having to type encryption password to a bootloader prompt (which is tedious). I.e. login and go.

A rare case of security feature also increasing user experience.

#linux #kernel #tpm #luks2

My first trial to split pull request to TPM, trusted keys, keyring parts: all three pull requests taken by pr-tracker-bot :—–O

One more left for asymmetric keys. Cannot believe this, I always screw up with this dance at least first time :-) Really made my Monday!

Classic version control:

The City of #Helsinki Education Division #databreach has upto 120000 victims: "the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division."

The attacker also gained access to confidential or sensitive records stored on a network share. The beach occurred due to unpatched known vulnerability getting exploited to gain unauthorized access. https://www.hel.fi/en/news/investigation-into-helsinki-education-division-data-breach-proceeds https://www.hel.fi/en/decision-making/data-breach #infosec #cybersecurity

Sometimes it feels like every day is a x.509 day tbh... #x509

Let's put this into nutshell.

In Signal, SGX *does not* help the user to secure contact delivery. You have to *believe* that signal.org is trustworthy plain and simple.

In Signal, SGX does only help signal.org to secure contact delivery from 3rd party adversaries.

The marketing has been somewhat misleading with this for number of years although there has not been any actual lies. They are actually claiming only the 2nd clause but at the same time claiming that it would improve users privacy.

Users privacy can be objectively said to be improved only if one can test and measure that this is really the case. Otherwise it is up to you to believe that signal.org is doing the right thing, and not e.g. just emulate the associated opcodes.

I personally believe that they are doing the (morally) right thing, and using legit SGX, but I would feel more convinced if they would also provide hard evidence on the topic, i.e. certificate delivery and verification in the app using Intel's CA.

#signal #sgx #infosec @signalapp

A smoke test for trusted keys: https://gitlab.com/jarkkojs/linux-tpmdd-test/-/commit/b737d6ca4f45fa171e623f8e1038801edf17c323

Running:

cmake -Bbuild && make -Cbuild buildroot-prepare
pushd build/buildroot/build
make
images/run-tests.sh

Runs successfully at least with my master, containing the HMAC encryption patches.

Failing in in-progress asymmetric key branch so had to extend the test to cover trusted keys (vs. writing commands manually):

https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/?h=tpm2_key

#linux #kernel #tpm #keys

Submitted abstract to #ethprague CfP. I own 0 ETH 🤷 #Linux and authentication related stuff. #ethereum

Learned a cool trick in Python, if need to have more deterministic latency for a thread: shutdown the gc as prologue and do collection once as epilogue.

I.e.

gc.disable()
# Do stuff that does not cause CPU
# exceptions or interrupts.
gc.collect()

I also noticed that MicroPython has pretty usable inline assembler.

This makes me wonder if you could implement Python version of https://rtic.rs/2/book/en/ running hard real-time tasks on bare metal.

This is more like learning thing than challenging thing… I.e. by doing the similar thing perhaps in limited scope in other language it is easier to get grip of the original target…

#python #rustlang

A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.

https://krebsonsecurity.com/2024/04/man-who-mass-extorted-psychotherapy-patients-gets-six-years/

Even though Julius "Zeekill" Kivimaki has a cybercrime rap sheet thicker than a dictionary, he will end up serving roughly half that time, because all that stuff he did before he turned 18 doesn't count toward first-time offender status.

BTW, the CEO of the now-bankrupt psychotherapy practice was prosecuted as well (database credentials "root/root") but received a suspended sentence.

hmm... https://www.phoronix.com/news/Linux-610-TPM-Encrypt-Integrity. so it is not yet pulled so no need to announce in the current state "unfinished work" (by definition, given that it is not pulled) ;-)

I'll try to get asymmetric keys soon out which cleans this stack up further as a side-effect. If this did not make into 6.10 then I'll just add it on top of that patch set.

The single biggest issue in confidential computing is still. that there is no legit way to deliver cryptographic proof to client/browser inherited from CPU attestation. i.e. a x509 certificate. and so that it is vendor-neutral. not sure if even @signalapp can do this. who cares what you run in the backend if you cannot prove it.

this is still somewhat solid reference: https://www.decentriq.com/article/swiss-cheese-to-cheddar-securing-amd-sev-snp-early-boot

I wonder if it would make sense to elf stamp kernel images with some sort of. identifier to check where the image is at in the mainline reflecting to the latest of https://docs.kernel.org/process/cve.html. Or maybe this already exist. It would make in the mainline perhaps because then you could detect "too old" when running multiple distributions.

imho at least qemu would need snp and tdx emulation in upstream for like testing patches. i mean most have x86 so even rigged emulation would do the job for trivial patch testing

SDL3 Adds PipeWire Camera Support

Adding to the growing list of features coming with the SDL3 release for this hardware/software abstraction layer commonly used by cross-platform games and other software is PipeWire camera capturing support...
https://www.phoronix.com/news/SDL3-PipeWire-Camera-Capture

#GNOME 47 Desktop Environment Is Slated for Release on September 18th, 2024 https://9to5linux.com/gnome-47-desktop-environment-release-date-slated-for-september-18th-2024

@gnome #Linux #OpenSource