"i use linux as my operating system," i state proudly to the unkempt, bearded man. he swivels around in his desk chair with a devilish gleam in his eyes, ready to mansplain with extreme precision.
"actually," he says with a grin, "linux is just the kernel. you use GNU+linux."
i don't miss a beat and reply with a smirk, "i use alpine, a distro that doesn't include the GNU coreutils, or any other GNU code. it's linux, but it's not GNU+linux."

the smile quickly drops from the man's face. his body begins convulsing and he foams at the mouth as he drop to the floor with a sickly thud. as he writhes around he screams "I-IT WAS COMPILED WITH GCC! THAT MEANS IT'S STILL GNU!"
coolly, i reply "if windows was compiled with gcc, would that make it GNU?" i interrupt his response with "and work is being made on the kernel to make it more compiler-agnostic. even if you were correct, you won't be for long."

with a sickly wheeze, the last of the man's life is ejected from his body. he lies on the floor, cold and limp. i've womansplained him to death.

Who called it “code review” instead of “objection-oriented programming”

Time to write Linux PAM module in Rust for the ethprague conference. Rust over C because it is much nicer environment to talk web APIs. And yeah, pam-rs exists. It is about ethereum network based authentication, details at the con.

a conference committee wanted to know my telegram nick so...

If I ever had a tattoo, it would probably say: "x.509". It already feels like one 🤷 #x509

The TPM bus encryption and integrity protection changes prepared by @jejb and @jarkko were merged for #Linux 6.10: https://git.kernel.org/torvalds/c/b19239143e393d4b52b3b9a17c7ac07138f2cfd4

"[…] The key pair on TPM side is generated from so called null random seed per power on of the machine [1]. This supports the TPM encryption of the hard drive by adding layer of protection against bus interposer attacks. […]"

[1 https://lore.kernel.org/linux-integrity/20240429202811.13643-1-James.Bottomley@HansenPartnership.com/

you first, asshole

In addition to @LWN subscription I renewed now my #Medium subscription :-)

I also order Computer Music through pocketmags.com, Helsingin Sanomat (digital version https://www.hs.fi/) and of course @skrollilehti.

I like to read good stuff, and am willing to pay for it I guess. I also generally prefer paid version of any web service rather than a free service because then there is less hidden gotchas involved.

I should publish this humble and not so exciting crate (stalled since Dec) and now I found the motivating factor. I make it compile with gccrs.

Maybe this will leads to contributions, who knows, or epic failure but should be interesting and exciting in all cases :-)

The stimulus obviously comes from GCC 14 release, which has the first experimental version of gccrs. And in my free time I do prefer GPL licensed code base for utilities and apps over MIT/Apache, so gccrs makes more sense for me than rustc in that sense (and not judging other viewpoints, it is my personal and subjective preference).

https://gitlab.com/jarkkojs/zmodem2

#gcc #rust #zmodem #gpl

TPM2-measured boot with bus protection is pretty nice actually for Linux installations where secure boot is not enabled, like the default Arch Linux installation for instance.

For the sake of "defence in depth", I'd enable both if it is out-of-the-box feature but would not probably bother with secure boot if it requires extra work.

So, the takeaway from this is that it would make a lot of sense to make measured boot happen in arch-install installation as opt-in feature. No Microsoft key required.

Still so far the most informative overview for the shenanigans is https://microos.opensuse.org/blog/2023-12-20-sdboot-fde/ but I'd also look for more recent references.

Policy hash calculation per kernel package update for LUKS2 is what needs to happen over time whenever a new kernel package is installed with hooks/scripts.

So the thing that was hyped to DRM the world into a locked down hellhole rendered out the Microsoft key hard binding instead 🤷

#tpm #linux #archlinux #opensuse #secureboot #security

Finally HMAC encryption for in-kernel TPM clients is going to a release! Has been hanging there for a long time.

LUKS2 and distributions starting to support it motivated me to rewrite the buffering code last Spring because that was my main turn-down in the original patch set, and then James took over and cleaned up the functionality and I reviewed it for few rounds until it was good enough.

With this and TPM2 sealed hard drive encryption there is a somewhat reasonable security model without having to type encryption password to a bootloader prompt (which is tedious). I.e. login and go.

A rare case of security feature also increasing user experience.

#linux #kernel #tpm #luks2

My first trial to split pull request to TPM, trusted keys, keyring parts: all three pull requests taken by pr-tracker-bot :—–O

One more left for asymmetric keys. Cannot believe this, I always screw up with this dance at least first time :-) Really made my Monday!

Classic version control:

The City of #Helsinki Education Division #databreach has upto 120000 victims: "the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division."

The attacker also gained access to confidential or sensitive records stored on a network share. The beach occurred due to unpatched known vulnerability getting exploited to gain unauthorized access. https://www.hel.fi/en/news/investigation-into-helsinki-education-division-data-breach-proceeds https://www.hel.fi/en/decision-making/data-breach #infosec #cybersecurity

Sometimes it feels like every day is a x.509 day tbh... #x509

Let's put this into nutshell.

In Signal, SGX *does not* help the user to secure contact delivery. You have to *believe* that signal.org is trustworthy plain and simple.

In Signal, SGX does only help signal.org to secure contact delivery from 3rd party adversaries.

The marketing has been somewhat misleading with this for number of years although there has not been any actual lies. They are actually claiming only the 2nd clause but at the same time claiming that it would improve users privacy.

Users privacy can be objectively said to be improved only if one can test and measure that this is really the case. Otherwise it is up to you to believe that signal.org is doing the right thing, and not e.g. just emulate the associated opcodes.

I personally believe that they are doing the (morally) right thing, and using legit SGX, but I would feel more convinced if they would also provide hard evidence on the topic, i.e. certificate delivery and verification in the app using Intel's CA.

#signal #sgx #infosec @signalapp

A smoke test for trusted keys: https://gitlab.com/jarkkojs/linux-tpmdd-test/-/commit/b737d6ca4f45fa171e623f8e1038801edf17c323

Running:

cmake -Bbuild && make -Cbuild buildroot-prepare
pushd build/buildroot/build
make
images/run-tests.sh

Runs successfully at least with my master, containing the HMAC encryption patches.

Failing in in-progress asymmetric key branch so had to extend the test to cover trusted keys (vs. writing commands manually):

https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/?h=tpm2_key

#linux #kernel #tpm #keys

Submitted abstract to #ethprague CfP. I own 0 ETH 🤷 #Linux and authentication related stuff. #ethereum

Learned a cool trick in Python, if need to have more deterministic latency for a thread: shutdown the gc as prologue and do collection once as epilogue.

I.e.

gc.disable()
# Do stuff that does not cause CPU
# exceptions or interrupts.
gc.collect()

I also noticed that MicroPython has pretty usable inline assembler.

This makes me wonder if you could implement Python version of https://rtic.rs/2/book/en/ running hard real-time tasks on bare metal.

This is more like learning thing than challenging thing… I.e. by doing the similar thing perhaps in limited scope in other language it is easier to get grip of the original target…

#python #rustlang

A 26-year-old Finnish man was sentenced to more than six years in prison today after being convicted of hacking into an online psychotherapy clinic, leaking tens of thousands of patient therapy records, and attempting to extort the clinic and patients.

https://krebsonsecurity.com/2024/04/man-who-mass-extorted-psychotherapy-patients-gets-six-years/

Even though Julius "Zeekill" Kivimaki has a cybercrime rap sheet thicker than a dictionary, he will end up serving roughly half that time, because all that stuff he did before he turned 18 doesn't count toward first-time offender status.

BTW, the CEO of the now-bankrupt psychotherapy practice was prosecuted as well (database credentials "root/root") but received a suspended sentence.