> The host key section makes me wonder about doing this with servers, but what are the security guarantees in places like the cloud with that? Are you relegated to a software TPM, and if so, what guarantees does a software TPM have?
For the cloud? You would probably have a software TPM so not super secure, but you would still prevent the keys from being extracted away from the server. And if you don't trust your hypervisor/cloud provider you probably have other issues?
In my head the security guarantees are more straightforward for physical servers where you have a fTPM or a dTPM.
> My question after reading the README.md: what are the requirements from the OS? Can it be Windows, Linux, etc?
Thanks for the quick answers! I don't know much about TPMs, so I'll have to read about software ones to find out about that model.
One of my clients has security audits where even certs result in fights about "secrets on the machine" and having this one level of indirection for host keys may help out, even if a SWTPM doesn't provide much. At least, depending on how the SWTPM presents on the filesystem.
This just reads like a LLM trying to come up with a conspiracy theory around systemd.
It somehow got hyper-fixated on "three" for no particular reason and seems like it decided to harpen down that fact without explaining anything around it?
The `base` hook installs the shell PID 1, the `systemd` hook installs systemd as PID1. The default hook setup was changed with the latest'ish release to default too the `systemd` hook setup.
> Maintainers: You’re a primary maintainer or core team member of a public repo with 5,000+ GitHub stars or 1M+ monthly NPM downloads. You've made commits, releases, or PR reviews within the last 3 months.
Laughable.
This is a tiny, if even unimportant, fraction of the FOSS community that runs the modern tech stack.
I'm tired of grub too. That's one of the packages on my shitlist. Currently it is broken on my system, as it has been in the past from time to time. I'm tired of the unreliability and have decided to write my own bootloader instead. It will be simple and bulletproof.
I already laid the basic foundation and have the kernel loading into memory and booting. Next step is to get the memory map and pass that along. It's BIOS only for the moment; EFI support will come later, along with other architectures. (PowerPC is next.)
Secure Boot allows you to enroll your own keys. This is part of the spec, and there are no shipped firmwares that prevents you from going through this process.
Android lets you put your own signed keys in on certain phones. For now.
The banking apps still won't trust them, though.
To add a quote from Lennart himself:
"The OS configuration and state (i.e. /etc/ and /var/) must be encrypted, and authenticated before they are used. The encryption key should be bound to the TPM device; i.e system data should be locked to a security concept belonging to the system, not the user."
Your system will not belong to you anymore. Just as it is with Android.
Banks do this because they have made their own requirement that the mobile device is a trust root that can authenticate the user. There are better, limited-purpose devices that can do this, but they are not popular/ubiquitous like smartphones, so here we are.
The oppressive part of this scheme is that Google's integrity check only passes for _their_ keys, which form a chain of trust through the TEE/TPM, through the bootloader and finally through the system image. Crucially, the only part banks should care about should just be the TEE and some secure storage, but Google provides an easy attestation scheme only for the entire hardware/software environment and not just the secure hardware bit that already lives in your phone and can't be phished.
It would be freaking cool if someone could turn your TPM into a Yubikey and have it be useful for you and your bank without having to verify the entire system firmware, bootloader and operating system.
> This is part of the spec, and there are no shipped firmwares that prevents you from going through this process.
Microsoft required that users be able to enroll their own keys on x86. On ARM, they used to mandate that users could not enroll their own keys. That they later changed this does not erase the past. Also, I've anecdotally heard claims of buggy implementations that do in fact prevent users from changing secure boot settings.
Don't get me wrong, I'm happy to attribute a lot of malice to Microsoft, but in this case I really do believe that it was incompetence. Everything I've ever read about 90%+ of hardware vendors is that shipping hilariously broken firmware is an everyday occurrence for them.
This reminds me of when I enrolled only my own keys into a gigabyte AB350 and I just soft-bricked it because presumably some opt-rom required MS keys.
I exchanged it for an Asrock board and there I can enable secure boot without MS keys and still have it boot cuz they actually let you choose what level of signing the opt-rom needs when you enable secure boot.
What I want to say with this is that it requires the company to actually care to provide a good experience.
Note that the comment you replied to does not even mention phones. Locked down Secure Boot on UEFI is not uncommon on mobile platforms, such as x86-64 tablets.
I wish the myth of the spec would die at this point.
Many motherboards secure boot implimentation violates the supposed standard and does not allow you to invalidate the pre-loaded keys you don't approve of.
> The TPM has nothing remotely resembling per-user PCRs.
The system could extend one of the PCRs, or an NVPCR, with some unique user credential locked to the user directory. Then you can't recreate the PCR records in any immediate way.
But you can't just recreate a key under one of the hierarchies anyway. You still need to posses the keyfile.
> The system could extend one of the PCRs, or an NVPCR, with some unique user credential locked to the user directory. Then you can't recreate the PCR records in any immediate way.
Sure, but can the system context-switch that PCR between two different users?
> but for almost any economically important project all the major contributors and maintainers are on the payroll of one of the big tech interests or a foundation funded by them.
"almost" is the load bearing word here, and/or a weasel word. Define what an "economically important project" is.
> Also just to be clear: node is filled with povertyware and you should be extremely careful what you grab from npm.
Is "povertyware" what we call software written by people and released for free now?
> "almost" is the load bearing word here, and/or a weasel word. Define what an "economically important project" is.
Linux, clang, python, react, blink, v8, openssl... You know what I mean. I stand by what I said. Do you have a counterexample you think is clearly unfunded? They exist[1], but they're rare.
> Is "povertyware" what we call software written by people and released for free now?
It's software subject to economic coercion owing to the lack of means of its maintainership. It's 100% fine for you to write and release software for free, but if a third party bets their own product on it they're subject to an attack where I hand you $7M to look the other way while I borrow your shell.
[1] The xz-utils attack is the flag bearer for this kind of messup, obviously.
Unfunded is kind of a stretch, but at least libxml2.
Essentially "povertyware" as you call it when you consider the trillion dollar companies built on top of them? Now that's way easier: SQLite, PostgreSQL, ffmpeg, imagemagick, numpy, pandas, GTK, curl, zlib, libpng, zxing or any other popular qr/barcode library, etc...
> Linux, clang, python, react, blink, v8, openssl... You know what I mean. I stand by what I said. Do you have a counterexample you think is clearly unfunded? They exist[1], but they're rare.
For Linux "all the major contributors and maintainers are on the payroll of one of the big tech interests or a foundation funded by them" is simply not true. It's trivial to prove this by just looking at the maintainers of the subsystems. Making this claim is nonsense to begin with.
Same is true for several major contributors to the Python compiler and subsequent libraries as well.
You will move the goalpost by trying to narrow down what "major contributor" means.
> It's software subject to economic coercion owing to the lack of means of its maintainership. It's 100% fine for you to write and release software for free, but if a third party bets their own product on it they're subject to an attack where I hand you $7M to look the other way while I borrow your shell.
So without knowing anyone you are making a value judgement on the (probable?) lack of ethics? Excuse me?
> Who exactly are you thinking of that needs a job but doesn't have one?
That is not your claim. Your claim is that they "are on the payroll of one of the big tech interests or a foundation funded by them". Which is simply not true.
You can easily find several maintainers of these projects doing this as their part-time hobby project, have cut a deal at work or simply don't work at place that funds Linux development.
I'm not going to call out individual I know the situation and/or their employment history.
For the cloud? You would probably have a software TPM so not super secure, but you would still prevent the keys from being extracted away from the server. And if you don't trust your hypervisor/cloud provider you probably have other issues?
In my head the security guarantees are more straightforward for physical servers where you have a fTPM or a dTPM.
> My question after reading the README.md: what are the requirements from the OS? Can it be Windows, Linux, etc?
This only supports Linux.
reply