Basic smoke test that TPM2 RSA asymmetric must pass to be usable:

tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
tpm2_getcap handles-persistent
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der
serial=`cat key.priv.der | keyctl padd asymmetric tpm @u`
echo "abcdefg" > plaintext.txt
keyctl pkey_encrypt $serial 0 plaintext.txt enc=pkcs1 > encrypted.dat
keyctl pkey_decrypt $serial 0 encrypted.dat enc=pkcs1 > decrypted.dat
keyctl pkey_sign $serial 0 plaintext.txt enc=pkcs1 hash=sha256 > signed.dat
keyctl pkey_verify $serial 0 plaintext.txt signed.dat enc=pkcs1 hash=sha256

#tpm #linux #kernel

asymmetric #TPM2 key type RFC: https://lore.kernel.org/linux-crypto/20240518213700.5960-1-jarkko@kernel.org/T/#t #linux #kernel

A new asymmetric key type tpm2_key_rsa: https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/?h=tpm2_key

Missing still integration to the pre-existing ASN.1 parser but can already sign with the null seed (default if parent is not defined).

I though this would be most logical way to define asymmetric key. Later on tpm2_key_ecdsa can be added. Also for RSA we should use TPM2_RSA_Decrypt for decryption and signing, whereas ECDSA requires potentially more expensive TPM2_Sign and TPM2_EncryptDecrypt.

It is still experimental. Testing the key type itself without parser first with the help of null seed, and then adding bits to call the ASN.1 parser by implementing asymmetric_key_parser. This derived work from James Prestwood’s earlier work from 2020.

when saving kconfig files with nvim for some reason all text paragraphs show diff in all lines of the paragraph. no configuration changes in nvim, suddenly appeared issue, maybe because some update dunno.

never happens anywhere else (tested e.g. with Sublime Text with NeoVintageous).

IMHO, a rational choice. Distributors know how to enable this for workstation/server, and for devices that are not fast enough have always e.g. fTPM in TrustZone option.

https://lore.kernel.org/linux-integrity/20240518113424.13486-1-jarkko@kernel.org/T/#u

#Rust crate for #zmodem: https://crates.io/crates/zmodem2 #rustlang

#buildroot is probably quite nice way to generate initramfs and kernel for systemd-ukify.

ukify build --linux=images/bzImage --initrd=images/roofs.cpio

Or along the lines.

I.e use Unified Kernel Image (UKI) in kernel testing.

#linux #kernel

#swtpm and #libtpms packages in progress for #buildroot: https://gitlab.com/jarkkojs/buildroot/-/commits/swtpm/?ref_type=heads #linux #tpm

In addition to "show me the code", there is always also "show me the payload".

The easiest way to move forward with a feature is not to have best possible code quality (at least when tagged as RFC). Instead, having a provable payload for the feature is essential.

https://lore.kernel.org/all/D1BC3VWXKTNC.2DB9JIIDOFIOQ@kernel.org/

I had no idea that we have that many sets of capabilities, oh dear... https://lore.kernel.org/all/D1BBFWKGIA94.JP53QNURY3J4@kernel.org/

I fixed some bugs in page tables of RISC-V Keystone enclaves (bootstrapping code of page tables) last Fall to get them working with CVA6 RISC-V CPU, and now I get steadily emails from people who are trying to use Keystone but cannot get it working for various reasons.

Not blaming those people but clearly the project is not too community oriented 🤷 I try respond politely that I don’t have the bandwidth.

Does not come as surprise tho because I wrote a trivial in-kernel driver PoC to which project showed no interest, still continuing with their OOT-drver:

• https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-riscv-keystone.git/commit/?h=keystone-5.19.y
• https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-riscv-keystone.git/commit/?h=keystone

Cannot recall which one was newer version because it is such a long time since I wrote these :-)

#riscv #keystone #enclave #linux

I love it that my play stats on Bandcamp look like an MSEG envelope curve.

#MusicProduction #Bandcamp

Submitted a security issue to Signal App about the privacy issue on how they use Intel SGX :-) Let's see how this goes...

⚡️ 🇦🇷 A theft of a radioactive material capsule in Buenos Aires, Argentina has raised concerns among the population. The capsule contained a 45ml container of radioactive liquid and was stolen from a nuclear medicine company. Authorities have been alerted and are investigating the incident. https://www.riskmap.com/incidents/2132301/articles/222305988/

New development policy: code generated by a large language model or similar technology (e.g. ChatGPT, GitHub Copilot) is presumed to be tainted (i.e. of unclear copyright, not fitting NetBSD's licensing goals) and cannot be committed to NetBSD.

https://www.NetBSD.org/developers/commit-guidelines.html

"No Arduino! If you aim to master embedded systems, Arduino won’t cut it. It’s a playground for hobbyists, not the battleground for engineers. The purpose is not to scare you — It’s to help you out. It is to give you a proper direction." -https://medium.com/@umerfarooqai/embedded-engineering-roadmap-say-no-to-arduino-a0eed8e1bf10

Well, that at least scares me. How I think is that one should take the simplest possible tool to get a PoC.

Otherwise, all energy might be consumed in useless and pointless battles. Conserving energy, prioritizing and picking the right battles is what engineers IMHO do.

#arduino #engineer

Last bit from my side for TPM2 asymmetric keys: https://lore.kernel.org/linux-crypto/20240515150213.32491-1-jarkko@kernel.org/T/#u

Now I'll wait for some patches from James Prestwood based on his previous work: https://lore.kernel.org/keyrings/20200518172704.29608-1-prestwoj@gmail.com/

"FBI seize BreachForums hacking forum used to leak stolen data"

https://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/

Pull request 4/4 pulled this time for asymmetric keys :-) https://lkml.org/lkml/2024/5/15/699

My PR's were in chaos about a year ago, and Linus also complained about the quality. This was mostly because the startup I was in went out of business and lots of stuff going on in life overall but I've gradually improved my process to make it more fail-safe. Results start to show and four PR's to four subsystems was a non-issue :-)

In the next life crisis: I'm prepared

Will Google release an ad today that can outcringe Apple's latest?

#gemini
#googleIO
#encringification