Probably would make sense for e.g. Linux Foundation or similar industry faction to develop AI that would look for license infringements from code similarly as it works for code generation.

Probably it will happen that someone uses this new stuff, makes some money, injects GPL with the help of AI and is enforced to open up the whole thing. Detecting these early is also beneficial for those who use AI for their business because it is less damage when the infringement is detected early.

So not for "fighting against AI" but to make it more legit (sort of).

One more PR for Linux v6.10 https://lore.kernel.org/linux-integrity/D1EVFNB6HJZ8.2ZRZB8Y0K3TV5@kernel.org/T/#u

#linux #kernel

OK, I submitted an abstract for kernel summit track: "TPM2 story so far...". It would be from the angle of thinking it more like a protocol or contract that all kinds of hardware and TEE's can speak than just a chip per se...

Not that motivated to travel, so not a huge disappointment if not accepted :-) But yeah I have an angle and will prepare that one properly if accepted. So done my duty I guess at least...

https://lpc.events/event/18/abstracts/1801/

#linux #kernel #tpm

My 5 cents on #POSIX capabilities: https://lore.kernel.org/keyrings/D1ETFJFE9Y48.1T8I7SIPGFMQ2@kernel.org

Not that realistic effort tho...

Would be nice if there was more lean openssl like command-line tool that would all that openssl, keyctl and tpm2-tools does in this test:

https://lore.kernel.org/linux-integrity/D1ERDC16XLUO.578U4ZE7VXW@kernel.org/T/#m262b2fdde64286acaa3879e552b0ba70c79328d4

Remarks:

• openssl: RSA key generation and PEM-to-DER conversion.
• tpm2-tools: Hardware bound object generation and raw-to-PEM conversion.
• keyctl operates with the Linux keyring and sets up asymmetric key with private key in TPM2.

Would be nice if with one command at least I could get a DER blob with the binding to the machine where it is run and then use keyctl. Head hurts watching that script dump. I’m surprised that I got it working at all.

#linux #kernel #tpm #tpm2 #keyctl #openssl

My #CI hack can do kernel CI in any possible runner: https://gitlab.com/jarkkojs/linux-tpmdd-test

It builds #BuildRoot environment and runs tests inside it. Probably this something more infrastructural, dunno have not checked :-)

I.e.

git clone https://gitlab.com/jarkkojs/linux-tpmdd-test.git
cd linux-tpmdd-test
cmake -Bbuild && make -Cbuild buildroot-prepare
make -Cbuild/buildroot/build
build/buildroot/build/images/run-tests.sh

It uses TCL’s (in)famous expect to check the output and uses socat and UNIX socket for communications with appropriate QEMU options. And yeah it supports also TPM chips so can be made to boot up modern #systemd installation (have not done so but might in future).

Runner’s ISA does not matter as everything is built up from ground, including toolchain so supports both x86 and ARM although the build itself is x86 ATM. Essentially it can run tests exactly how I would run them on desktop.

https://lwn.net/Articles/972713/

#linux #kernel #gitlab

[$] What's next for the SLUB allocator https://lwn.net/Articles/974138/ #LWN

Sent a patch set that adds a new driver tpm2_key_rsa, which is asymmetric key type for the sake of interoperability with #x509. Also covers grounds for future drivers such as probably tpm2_key_ecdsa.

https://lore.kernel.org/linux-integrity/20240520184727.22038-1-jarkko@kernel.org/T/#t

#linux #kernel #tpm

Basic smoke test that TPM2 RSA asymmetric must pass to be usable:

tpm2_createprimary --hierarchy o -G rsa2048 -c owner.txt
tpm2_evictcontrol -c owner.txt 0x81000001
tpm2_getcap handles-persistent
openssl genrsa -out private.pem 2048
tpm2_import -C 0x81000001 -G rsa -i private.pem -u key.pub -r key.priv
tpm2_encodeobject -C 0x81000001 -u key.pub -r key.priv -o key.priv.pem
openssl asn1parse -inform pem -in key.priv.pem -noout -out key.priv.der
serial=`cat key.priv.der | keyctl padd asymmetric tpm @u`
echo "abcdefg" > plaintext.txt
keyctl pkey_encrypt $serial 0 plaintext.txt enc=pkcs1 > encrypted.dat
keyctl pkey_decrypt $serial 0 encrypted.dat enc=pkcs1 > decrypted.dat
keyctl pkey_sign $serial 0 plaintext.txt enc=pkcs1 hash=sha256 > signed.dat
keyctl pkey_verify $serial 0 plaintext.txt signed.dat enc=pkcs1 hash=sha256

#tpm #linux #kernel

asymmetric #TPM2 key type RFC: https://lore.kernel.org/linux-crypto/20240518213700.5960-1-jarkko@kernel.org/T/#t #linux #kernel

A new asymmetric key type tpm2_key_rsa: https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/?h=tpm2_key

Missing still integration to the pre-existing ASN.1 parser but can already sign with the null seed (default if parent is not defined).

I though this would be most logical way to define asymmetric key. Later on tpm2_key_ecdsa can be added. Also for RSA we should use TPM2_RSA_Decrypt for decryption and signing, whereas ECDSA requires potentially more expensive TPM2_Sign and TPM2_EncryptDecrypt.

It is still experimental. Testing the key type itself without parser first with the help of null seed, and then adding bits to call the ASN.1 parser by implementing asymmetric_key_parser. This derived work from James Prestwood’s earlier work from 2020.

when saving kconfig files with nvim for some reason all text paragraphs show diff in all lines of the paragraph. no configuration changes in nvim, suddenly appeared issue, maybe because some update dunno.

never happens anywhere else (tested e.g. with Sublime Text with NeoVintageous).

IMHO, a rational choice. Distributors know how to enable this for workstation/server, and for devices that are not fast enough have always e.g. fTPM in TrustZone option.

https://lore.kernel.org/linux-integrity/20240518113424.13486-1-jarkko@kernel.org/T/#u

#Rust crate for #zmodem: https://crates.io/crates/zmodem2 #rustlang

#buildroot is probably quite nice way to generate initramfs and kernel for systemd-ukify.

ukify build --linux=images/bzImage --initrd=images/roofs.cpio

Or along the lines.

I.e use Unified Kernel Image (UKI) in kernel testing.

#linux #kernel

#swtpm and #libtpms packages in progress for #buildroot: https://gitlab.com/jarkkojs/buildroot/-/commits/swtpm/?ref_type=heads #linux #tpm

In addition to "show me the code", there is always also "show me the payload".

The easiest way to move forward with a feature is not to have best possible code quality (at least when tagged as RFC). Instead, having a provable payload for the feature is essential.

https://lore.kernel.org/all/D1BC3VWXKTNC.2DB9JIIDOFIOQ@kernel.org/

I had no idea that we have that many sets of capabilities, oh dear... https://lore.kernel.org/all/D1BBFWKGIA94.JP53QNURY3J4@kernel.org/

I fixed some bugs in page tables of RISC-V Keystone enclaves (bootstrapping code of page tables) last Fall to get them working with CVA6 RISC-V CPU, and now I get steadily emails from people who are trying to use Keystone but cannot get it working for various reasons.

Not blaming those people but clearly the project is not too community oriented 🤷 I try respond politely that I don’t have the bandwidth.

Does not come as surprise tho because I wrote a trivial in-kernel driver PoC to which project showed no interest, still continuing with their OOT-drver:

• https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-riscv-keystone.git/commit/?h=keystone-5.19.y
• https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-riscv-keystone.git/commit/?h=keystone

Cannot recall which one was newer version because it is such a long time since I wrote these :-)

#riscv #keystone #enclave #linux

I love it that my play stats on Bandcamp look like an MSEG envelope curve.

#MusicProduction #Bandcamp