Linux kernel maintainer. Compilers and virtualization at Parity Technologies.

Jarkko Sakkinen

Submitted a security issue to Signal App about the privacy issue on how they use Intel SGX :-) Let's see how this goes...

⚡️ 🇦🇷 A theft of a radioactive material capsule in Buenos Aires, Argentina has raised concerns among the population. The capsule contained a 45ml container of radioactive liquid and was stolen from a nuclear medicine company. Authorities have been alerted and are investigating the incident. https://www.riskmap.com/incidents/2132301/articles/222305988/


New development policy: code generated by a large language model or similar technology (e.g. ChatGPT, GitHub Copilot) is presumed to be tainted (i.e. of unclear copyright, not fitting NetBSD's licensing goals) and cannot be committed to NetBSD.

https://www.NetBSD.org/developers/commit-guidelines.html


Jarkko Sakkinen

"No Arduino! If you aim to master embedded systems, Arduino won’t cut it. It’s a playground for hobbyists, not the battleground for engineers. The purpose is not to scare you — It’s to help you out. It is to give you a proper direction." -https://medium.com/@umerfarooqai/embedded-engineering-roadmap-say-no-to-arduino-a0eed8e1bf10

Well, that at least scares me. How I think is that one should take the simplest possible tool to get a PoC.

Otherwise, all energy might be consumed in useless and pointless battles. Conserving energy, prioritizing and picking the right battles is what engineers IMHO do.

#arduino #engineer

Jarkko Sakkinen

Last bit from my side for TPM2 asymmetric keys: https://lore.kernel.org/linux-crypto/20240515150213.32491-1-jarkko@kernel.org/T/#u

Now I'll wait for some patches from James Prestwood based on his previous work: https://lore.kernel.org/keyrings/20200518172704.29608-1-prestwoj@gmail.com/

Jarkko Sakkinen

Pull request 4/4 pulled this time for asymmetric keys :-) https://lkml.org/lkml/2024/5/15/699

My PR's were in chaos about a year ago, and Linus also complained about the quality. This was mostly because the startup I was in went out of business and lots of stuff going on in life overall but I've gradually improved my process to make it more fail-safe. Results start to show and four PR's to four subsystems was a non-issue :-)

In the next life crisis: I'm prepared

Will Google release an ad today that can outcringe Apple's latest?




"i use linux as my operating system," i state proudly to the unkempt, bearded man. he swivels around in his desk chair with a devilish gleam in his eyes, ready to mansplain with extreme precision.
"actually," he says with a grin, "linux is just the kernel. you use GNU+linux."
i don't miss a beat and reply with a smirk, "i use alpine, a distro that doesn't include the GNU coreutils, or any other GNU code. it's linux, but it's not GNU+linux."

the smile quickly drops from the man's face. his body begins convulsing and he foams at the mouth as he drops to the floor with a sickly thud. as he writhes around he screams "I-IT WAS COMPILED WITH GCC! THAT MEANS IT'S STILL GNU!"
coolly, i reply "if windows was compiled with gcc, would that make it GNU?" i interrupt his response with "and work is being made on the kernel to make it more compiler-agnostic. even if you were correct, you won't be for long."

with a sickly wheeze, the last of the man's life is ejected from his body. he lies on the floor, cold and limp. i've womansplained him to death.


Who called it “code review” instead of “objection-oriented programming”


Jarkko Sakkinen

Time to write a Linux PAM module in Rust for the ethprague conference. Rust over C because it is a much nicer environment to talk web APIs. And yeah, pam-rs exists. It is about Ethereum network based authentication, details at the con.

Jarkko Sakkinen

a conference committee wanted to know my telegram nick so...

Jarkko Sakkinen

If I ever had a tattoo, it would probably say: "x.509". It already feels like one 🤷 #x509

Thorsten Leemhuis (acct. 1/4)

The TPM bus encryption and integrity protection changes prepared by @jejb and @jarkko were merged for 6.10: https://git.kernel.org/torvalds/c/b19239143e393d4b52b3b9a17c7ac07138f2cfd4

"[…] The key pair on TPM side is generated from so called null random seed per power on of the machine [1]. This supports the TPM encryption of the hard drive by adding layer of protection against bus interposer attacks. […]"

[1] https://lore.kernel.org/linux-integrity/20240429202811.13643-1-James.Bottomley@HansenPartnership.com/


you first, asshole


Jarkko Sakkinen

In addition to @LWN subscription I renewed now my #Medium subscription :-)

I also order Computer Music through pocketmags.com, Helsingin Sanomat (digital version https://www.hs.fi/) and of course @skrollilehti.

I like to read good stuff, and am willing to pay for it I guess. I also generally prefer the paid version of any web service rather than a free service because then there are fewer hidden gotchas involved.

Jarkko Sakkinen


I should publish this humble and not so exciting crate (stalled since Dec) and now I found the motivating factor. I make it compile with gccrs.

Maybe this will lead to contributions, who knows, or epic failure but should be interesting and exciting in all cases :-)

The stimulus obviously comes from the GCC 14 release, which has the first experimental version of gccrs. And in my free time I do prefer GPL licensed code base for utilities and apps over MIT/Apache, so gccrs makes more sense for me than rustc in that sense (and not judging other viewpoints, it is my personal and subjective preference).

https://gitlab.com/jarkkojs/zmodem2

#gcc #rust #zmodem #gpl


Jarkko Sakkinen

TPM2-measured boot with bus protection is pretty nice actually for Linux installations where secure boot is not enabled, like the default Arch Linux installation for instance.

For the sake of "defence in depth", I'd enable both if it is an out-of-the-box feature but would probably not bother with secure boot if it requires extra work.

So, the takeaway from this is that it would make a lot of sense to make measured boot happen in arch-install installation as an opt-in feature. No Microsoft key required.

Still so far the most informative overview for the shenanigans is https://microos.opensuse.org/blog/2023-12-20-sdboot-fde/ but I'd also look for more recent references.

Policy hash calculation per kernel package update for LUKS2 is what needs to happen over time whenever a new kernel package is installed with hooks/scripts.

So the thing that was hyped to DRM the world into a locked down hellhole rendered out the Microsoft key hard binding instead 🤷

#tpm #linux #archlinux #opensuse #secureboot #security

Jarkko Sakkinen

Finally HMAC encryption for in-kernel TPM clients is going to a release! Has been hanging there for a long time.

LUKS2 and distributions starting to support it motivated me to rewrite the buffering code last Spring because that was my main turn-down in the original patch set, and then James took over and cleaned up the functionality and I reviewed it for a few rounds until it was good enough.

With this and TPM2 sealed hard drive encryption there is a somewhat reasonable security model without having to type encryption password to a bootloader prompt (which is tedious). I.e. login and go.

A rare case of a security feature also increasing user experience.

#linux #kernel #tpm #luks2

Jarkko Sakkinen

My first trial to split pull request to TPM, trusted keys, keyring parts: all three pull requests taken by pr-tracker-bot :—–O

One more left for asymmetric keys. Cannot believe this, I always screw up with this dance at least first time :-) Really made my Monday!
