
Jarkko Sakkinen

when it comes to infosec i'm glad at least that the "era of silly security questions" is over.

it was super-frustrating to copy-paste set-and-forget one-time pad answers to questions such as "what was your mother's maiden name", when they were still a thing.

i don't know who invented them but the person should get some kind of worst invention of IT ever award or something.

#infosec #password

Jarkko Sakkinen

Next thing I'll add to tpm2sh is direct support for keyctl syscall and key re-creation in kernel. After that I can revisit asymmetric keys kernel patch set :-)

Jarkko Sakkinen

Edited 5 months ago
for what it's worth, here's the arch installation running for my Ryzen 9950X desktop :-)

https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/sysdarch.git/

Just thought to upload it somewhere for backup.

It has secure boot (sbctl), TPM2 unlock, and finally EXT4, which is probably a twist from current standards (but is so convenient given universal support everywhere).

Jarkko Sakkinen

rust learning of today: to avoid integer overflows when summing up lengths, always use checked_add in such situations :-)

E.g., this is wrong:

    let total_body_len =
        handle_area_size + parameter_area_size_field_len + param_area_size + sessions_len;

And this is right:

    let total_body_len = handle_area_size
        .checked_add(parameter_area_size_field_len)
        .and_then(|len| len.checked_add(param_area_size))
        .and_then(|len| len.checked_add(sessions_len))
        .ok_or(TpmProtocolError::IntegerTooLarge)?;

#rustlang

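The pattern in the post above, carried a bit further as an added example (this is not code from tpm2sh or from the post's author). It assumes an error enum with the single `IntegerTooLarge` variant the post names, a hypothetical `HEADER_LEN` for the TPM2 command header (tag, commandSize, commandCode), and constructed field lengths; it generalizes the four-term `checked_add` chain to any number of fields with `try_fold`, and additionally checks that the final commandSize fits the u32 wire field, since the sum fitting in usize is not enough on its own.

```rust
use std::convert::TryFrom;

/// Error type assumed for this example; the post only names `IntegerTooLarge`.
#[derive(Debug, PartialEq, Eq)]
pub enum TpmProtocolError {
    IntegerTooLarge,
}

/// TPM2 command header: tag (u16) + commandSize (u32) + commandCode (u32).
/// Constant name is an assumption made for this example.
pub const HEADER_LEN: usize = 2 + 4 + 4;

/// Sum a list of field lengths, failing instead of wrapping on overflow.
/// `checked_add` returns `None` on overflow, which `try_fold` propagates.
pub fn checked_sum(lengths: &[usize]) -> Result<usize, TpmProtocolError> {
    lengths
        .iter()
        .try_fold(0usize, |acc, &len| acc.checked_add(len))
        .ok_or(TpmProtocolError::IntegerTooLarge)
}

/// Body length = handle area + parameterSize field + parameter area + sessions,
/// i.e. the same four terms as in the post, summed without wrapping.
pub fn total_body_len(
    handle_area_size: usize,
    parameter_area_size_field_len: usize,
    param_area_size: usize,
    sessions_len: usize,
) -> Result<usize, TpmProtocolError> {
    checked_sum(&[
        handle_area_size,
        parameter_area_size_field_len,
        param_area_size,
        sessions_len,
    ])
}

/// commandSize is a u32 on the wire: header plus body must fit in it, so the
/// usize sum is converted with `try_from` rather than `as`, which would truncate.
pub fn command_size(body_len: usize) -> Result<u32, TpmProtocolError> {
    let total = HEADER_LEN
        .checked_add(body_len)
        .ok_or(TpmProtocolError::IntegerTooLarge)?;
    u32::try_from(total).map_err(|_| TpmProtocolError::IntegerTooLarge)
}

/// The unchecked variant from the post, kept for comparison. `wrapping_add`
/// makes the release-build behaviour explicit: plain `+` panics in debug builds
/// and wraps silently in release builds compiled without overflow checks.
pub fn unchecked_body_len(a: usize, b: usize, c: usize, d: usize) -> usize {
    a.wrapping_add(b).wrapping_add(c).wrapping_add(d)
}

fn main() {
    // Constructed input: two 4-byte handles, a 4-byte parameterSize field,
    // 100 bytes of parameters and a 40-byte authorization session.
    let body = total_body_len(8, 4, 100, 40).unwrap();
    println!("body = {body}, commandSize = {}", command_size(body).unwrap());

    // A parameter area size near usize::MAX (e.g. taken from untrusted input)
    // wraps to a small value with plain addition, which a later bounds check
    // on the buffer would happily accept. The checked version refuses it.
    println!("unchecked: {}", unchecked_body_len(8, 4, usize::MAX - 5, 40));
    println!("checked:   {:?}", total_body_len(8, 4, usize::MAX - 5, 40));
}
```

The `try_fold` form is what you want once a structure has more than a handful of length fields; the `u32::try_from` step matters because a sum that is valid as a usize on a 64-bit host can still be unrepresentable in the 32-bit commandSize field.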

Heh, Amazon's satellite internet service launched yesterday and their first marketing angle is “how about you get your AWS Direct Connect over satellite instead of paying for cross connects”
https://www.aboutamazon.com/news/amazon-leo/amazon-leo-satellite-internet-ultra-pro


Here is my Ukraine peace proposal:

1. Putin is sent to The Hague.
2. Russian soldiers leave Ukraine including Crimea.
3. Russia returns all kidnapped Ukrainian children.
4. Russia releases all Ukrainian prisoners.
5. Russia pays damages for everything their war has destroyed.
6. Russia pays damages to Ukrainian families who have lost family members.
7. Russia pays damages to every person who has been tortured, abducted or otherwise criminally mistreated.
8. Ukraine becomes a member of the EU.


Jarkko Sakkinen

the main problem with confidential computing is and will be that it is not a hacker-enabled ecosystem.

or it's as hacker-enabled as IBM mainframes.

i.e., there is no such thing as disruptive innovation.

it might be a commercially viable story for companies that produce the hardware for other big companies but it is still a sad story ;-)

and you do not own the hardware EVEN if you buy it because it's locked in to the CPU company's CA.

Jarkko Sakkinen

This screenshot shows strong evidence of:

1. OpenSSL cross-compatibility.
2. tpm2-tools cross-compatibility.
3. Linux kernel compatibility (as in trusted keys and in future also asymmetric keys).

#linux #kernel #tpm #rustlang

Jarkko Sakkinen

in kernel testing i've moved from qemu to "libvirt + qemu" :-) why i haven't done this before...

Jarkko Sakkinen

As of tpm2sh 0.15.14 my microecosystem :-)

#linux #tpm #rustlang

Jarkko Sakkinen

In tpm2sh 0.15.14 the TPMKey ASN.1 policy engine starts to be actually stable. I've committed to not expanding features until key and cache management are polished and it starts to deliver results :-)

#linux #tpm #rustlang

Jarkko Sakkinen

the next piece sliced from tpm2sh: https://crates.io/crates/tpm2-vtpm

Still in very early phases. Now my micro ecosystem has:

1. tpm2-protocol
2. tpm2-crypto (software crypto for doing TPM2 related operations like generating encrypted seeds).
3. tpm2-policy-language
4. tpm2-tpmkey
5. tpm2-vtpm

I think what I get right vs. TSS2 etc. is that I'm not building a "big SDK" but instead common-sense re-usable components that don't enforce architecture or policy.

#linux #rustlang #tpm

Jarkko Sakkinen

typst is superb, have been using it for two years now for all documentation. especially for presentations polylux is a viable alternative for beamer.

Jarkko Sakkinen

tdf is a super nice previewer when doing presentations, have "typst watch" refreshing it :-)

BTW, diagram is also made with Typst.

57 companies are responsible for 80% of the global greenhouse gas emissions since 2016.

Unless you run those companies, why are you being forced to pay for climate change damage?


Jarkko Sakkinen

I've uplifted tpm2-tpmkey [1] to address quirks of the TPM policy command encoding in the ASN.1 [2] spec.

It has quite short errata now: TPM2_PolicyAuthorize returns InvalidPolicy (which will be addressed some day). Other than that it addresses empty policies, special handling for TPM2_PolicySecret and other weirdness.

Plus, it has a 'parentPublic' extension, which enables implicit and automatic parent key discovery.

Other than that, the crate is decoupled from all crypto libraries, apart from the pem crate, and implements the encoder and decoder with rasn.
Lots of stuff has been piled up, so it needs to boil for a while after all these changes, but now it is at least in the ballpark.

[1] https://docs.rs/tpm2-tpmkey/latest/tpm2_tpmkey/
[2] https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.txt

Jarkko Sakkinen

bpftop is super nice (just learned about its existence)

Jarkko Sakkinen

Is there some "known good" ECDH reference input/output documented? Lacking unit tests for ECDH in tpm2-crypto. OK, I'll go check the RFC first ;-)

#linux #tpm #rustlang

sudo-rs Affected By Multiple Security Vulnerabilities - Impacting Ubuntu 25.10

The Ubuntu 25.10 transition to using some Rust system utilities continues proving quite rocky. Beyond some early performance issues with Rust Coreutils, breakage for some executables, and broken unattended upgrades due to a Rust Coreutils bug, it's also sudo-rs now causing Ubuntu developers some headaches. There are two moderate security issues affecting su…
https://www.phoronix.com/news/sudo-rs-security-ubuntu-25.10

Edited 6 months ago

In my personal opinion: Instead of banning, say, Chinese companies from delivering infrastructure components like the EU is pondering with Huawei and mobile networks, the ultimate goal should be to demand open source software/firmware for these components and reproducible builds of all software components, so that this becomes the default.
