My 1st FOSDEM talk is now online, too. An exciting hour of me rambling about our TPM future, with a focus on what's in store for distributions:
Enjoy!
I must say, I enjoy the picture of Vienna very much, that is on the Linux Plumbers Conference page at the top. Any people from Salzburg around, who wouldn't agree with that?
I mean, Vienna or Salzburg – doesn't really matter, right, the important thing is: Bavaria, amirite? ;-)
Here's another little feature we scheduled for the next systemd release. Everyone knows SSH well, and it's great to connect to hosts remotely, and even do file transfer. It's probably *the* single most relevant way to talk to some host for administration and various other tasks. It's a bit fragile though: it requires networking, and that even if we talk to a local VM or full OS container. But precisely networking is one of the things you might want to administer via SSH, hence you have a cyclic…
systemd v255 has just been tagged. We are now leaving the 8bit era, brace for v256 coming up next! https://lists.freedesktop.org/archives/systemd-devel/2023-December/049745.html
This is the good stuff:
→ https://fedoramagazine.org/create-images-directly-from-rhel-and-rhel-ubi-package-using-mkosi/
written by @zbyszek
Here's a little new project of mine:
https://github.com/poettering/diskomator
It's an mkosi-built OS-in-a-single-EFI-binary whose only job is to expose all local disks via NVMe-TCP. You can write it to a USB stick, or drop it in your ESP, and if you boot it, all block devices are exposed to the network. The suggested command line to connect to this disk is shown on screen.
This makes use of the systemd-storagetm service we added for systemd v255, as well as the `esp` output added in mkosi v19.
So we merged this → https://github.com/systemd/systemd/pull/28891 into systemd today. I like to believe that this is a major step towards closing the "TPM gap" we have on Linux toward other OSes. It can automatically generate an automatic TPM2 PCR policy from various inputs covering the PCRs that generally are hard to predict by the OS vendor, i.e. things like local firmware versions, extension cards and so on. It stores this in an NV index in the TPM. Things like LUKS can then be locked against that NV index.
And because everybody loves screenshots. This is the tool when it analyzes the local TPM2 event log (i.e. all PCR measurements), validates them and tries to find a matching component in its database. Pretty, eh?
Did you know you could control the brightness of the red dot on the "i" of the "ThinkPad" logo on the top side of your ThinkPad? I sure didn't:
this turns it off:
echo 0 | sudo tee /sys/class/leds/tpacpi\:\:lid_logo_dot/brightness
and this turns it on:
echo 255 | sudo tee /sys/class/leds/tpacpi\:\:lid_logo_dot/brightness
I don't really know what this information is good for, but hey, isn't it awesome to have a 1px display on the outside of your laptop?
UNIX access controls suck though, since they control access to objects, not operations. And they are incompatible with potentially interactive authentication. Both of these things are what Polkit brings to the table: you authenticate actions, and you can allow them to require re-authentication by a user, interactively.
@dalias @jamesh @mariusor And what's even worse: they are permanent. File ownership/ACL entries are persistently made on some inode, and there's no scheme to clean that up again (unless some – brittle – logic cleans this up manually). Moreover, if you have access to an inode you basically have access to it forever, just by keeping an fd open.
UNIX access control works for simple, relatively static, non-interactive cases, but Polkit is precisely supposed to fill the gap where that's not enough.
@mariusor Unlikely. And D-Bus has its weaknesses, but security-wise it's a lot more sound than the suid/fcaps mess. It has interactive auth via Polkit even. I mean, I'd do it differently, sure, in my ideal world that only exists in my head, but it's a fundamental improvement over fucking suid/fcaps, hence all power to D-Bus.
I'd welcome a distribution that'd try hard to address this, and basically run the whole OS with NNP set. Of course, this is not an easy task, people expect their su/sudo to just work, but I am sure these are all addressable, by switching to IPC based privilege elevation for such things.
This whole mess just makes me think we should try harder to kick suid/fcaps out of general purpose Linux distributions. The whole concept is fundamentally backwards, and one of the major weaknesses of traditional UNIX I am sure. The idea behind suid/fcaps of first granting the privileges, inheriting some major, uncontrolled part of the execution environment/resource context/security context and then expecting the binary to securely gate its misuse is just a major mistake: https://www.openwall.com/lists/oss-security/2023/10/03/2
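As an added illustration of the "run the whole OS with NNP set" idea from the thread above (this is example code written for this page, not anything from systemd or from the poster), the following C program sets the no_new_privs bit on itself with prctl(PR_SET_NO_NEW_PRIVS) and then reads it back both via prctl and via the NoNewPrivs: line of /proc/self/status, which is where an auditor would check whether a service really runs with NNP. The function names are my own. The point of the bit is exactly what the thread argues for: once it is set, execve() of a setuid/setgid or fscaps-bearing binary no longer confers any extra privilege, the bit is inherited by every fork()/execve() descendant, and it can never be cleared again, so privilege elevation has to come through IPC (D-Bus/Polkit) rather than through the binary itself.

```c
/* Added example: demonstrate PR_SET_NO_NEW_PRIVS ("NNP"). Not systemd code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Set the no_new_privs bit on the calling process.  Returns 0 on success,
 * -errno on failure.  The bit is sticky: it cannot be unset, and every
 * child created afterwards (fork or exec) inherits it. */
int enable_no_new_privs(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -errno;
    return 0;
}

/* Query the bit via prctl(PR_GET_NO_NEW_PRIVS).
 * Returns 1 if set, 0 if not set, -errno on error. */
int query_no_new_privs(void) {
    int r = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    if (r < 0)
        return -errno;
    return r;
}

/* Cross-check against /proc/self/status, which exposes the same bit as a
 * "NoNewPrivs:" line.  Returns 1 or 0, or -1 if the line was not found. */
int read_no_new_privs_from_proc(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            int v;
            if (sscanf(line + 11, "%d", &v) == 1)
                result = v;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void) {
    printf("before: NoNewPrivs=%d\n", query_no_new_privs());
    if (enable_no_new_privs() < 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("after:  NoNewPrivs=%d (/proc/self/status says %d)\n",
           query_no_new_privs(), read_no_new_privs_from_proc());
    /* From here on, exec'ing a setuid binary such as su or sudo runs it with
     * the caller's own uid only; it cannot gain root via the suid bit. */
    return 0;
}
```

The same bit is what systemd's NoNewPrivileges=yes unit setting turns on for a service, so a distribution experimenting with the idea in the post can start per service rather than all at once.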
We recently added a new document to the systemd website focussing on one specific facet of the service manager: the fdstore. A concept that people should really use more to facilitate "seamless" service restarts and various other things. Please have a look:
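To make the fdstore mechanism concrete, here is an added example (my own code, not systemd's and not from the document linked in the post) of the wire protocol a service uses to hand a file descriptor to the service manager: a datagram on the AF_UNIX socket named by $NOTIFY_SOCKET carrying the text "FDSTORE=1\nFDNAME=<name>\n" plus the fd itself as SCM_RIGHTS ancillary data, which is what sd_notify_with_fds() does. The unit must set FileDescriptorStoreMax= for the manager to accept it, and after a restart the fd comes back through LISTEN_FDS/LISTEN_FDNAMES, so a listening socket or open connection survives the restart. So that it runs without systemd, the manager side is played by the other end of a socketpair(); the function names fdstore_push, fdstore_receive and fdstore_roundtrip_demo are my own.

```c
/* Added example: the FDSTORE=1 notification, sender and receiver side.
 * Not systemd's code; the "manager" here is just a socketpair() peer. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Service side: push one fd into the fdstore over notify_sock, tagged with
 * the given FDNAME (returned later via LISTEN_FDNAMES).  0 or -errno. */
int fdstore_push(int notify_sock, int fd, const char *name) {
    char text[256];
    int n = snprintf(text, sizeof text, "FDSTORE=1\nFDNAME=%s\n", name);
    if (n < 0 || (size_t)n >= sizeof text)
        return -EINVAL;

    struct iovec iov = { .iov_base = text, .iov_len = (size_t)n };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = {
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = u.buf, .msg_controllen = sizeof u.buf,
    };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;           /* the fd travels as ancillary data */
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));

    if (sendmsg(notify_sock, &msg, MSG_NOSIGNAL) < 0)
        return -errno;
    return 0;
}

/* Manager side: receive one notification; the text lands NUL-terminated in
 * out_text, the passed fd in *out_fd (-1 if none).  0 or -errno. */
int fdstore_receive(int manager_sock, char *out_text, size_t text_size, int *out_fd) {
    struct iovec iov = { .iov_base = out_text, .iov_len = text_size - 1 };
    union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = {
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = u.buf, .msg_controllen = sizeof u.buf,
    };
    ssize_t n = recvmsg(manager_sock, &msg, MSG_CMSG_CLOEXEC);
    if (n < 0)
        return -errno;
    out_text[n] = 0;
    *out_fd = -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
            memcpy(out_fd, CMSG_DATA(c), sizeof(int));
    return 0;
}

/* Round trip: push a pipe's read end, then prove the "manager" now holds a
 * descriptor for the same pipe by reading through it what we write into the
 * original.  Returns 1 on success, 0 on any failure. */
int fdstore_roundtrip_demo(void) {
    int pair[2], pipefd[2], got = -1;
    char text[256], data[16] = {0};
    if (socketpair(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0, pair) < 0) return 0;
    if (pipe(pipefd) < 0) return 0;
    if (fdstore_push(pair[0], pipefd[0], "listener") < 0) return 0;
    if (fdstore_receive(pair[1], text, sizeof text, &got) < 0 || got < 0) return 0;
    if (write(pipefd[1], "hello", 5) != 5) return 0;
    ssize_t r = read(got, data, sizeof data - 1);
    int ok = r == 5 && strcmp(data, "hello") == 0
             && strstr(text, "FDNAME=listener\n") != NULL;
    close(got); close(pair[0]); close(pair[1]); close(pipefd[0]); close(pipefd[1]);
    return ok;
}

int main(void) {
    printf("fdstore round trip: %s\n", fdstore_roundtrip_demo() ? "ok" : "FAILED");
    return 0;
}
```

In a real service you would connect() to getenv("NOTIFY_SOCKET") instead of the socketpair; the message format and the SCM_RIGHTS passing are the same.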
Reminder: we maintain a kernel feature wishlist here as part of the uapi group:
https://github.com/uapi-group/kernel-features
I just added a bunch of new entries to it (at the bottom). If you are looking for something to hack on (and have some kernel expertise, or would like to acquire it), would be more than excellent to work on those!
The excellent CCC VOC people published the AllSystemsGo! videos from this week. Here's the UKI talk I did there:
https://media.ccc.de/v/all-systems-go-2023-185-unified-kernel-images-ukis-
Enjoy!
And so many more excellent other talks: https://media.ccc.de/b/conferences/all_systems_go/asg2023
And here's my other talk, about TPM2 and Linux: https://media.ccc.de/v/all-systems-go-2023-186-linux-tpms
Busy at the Image-Based Linux Summit, Berlin!