HackerTrans
TopNewTrendsCommentsPastAskShowJobs

mkopec

no profile record

Submissions

Automating Firmware Security: CI for DBX and Microcode Updates in Dasharo

blog.3mdeb.com
4 points·by mkopec·vor 10 Monaten·0 comments

Research of RAM data remanence times

blog.3mdeb.com
35 points·by mkopec·vor 2 Jahren·6 comments

Trustworthy Platform Module

twpm.dasharo.com
3 points·by mkopec·vor 3 Jahren·0 comments

Show HN: A little script to check if your Ryzen PC uses Platform Secure Boot

github.com
3 points·by mkopec·vor 3 Jahren·1 comments

Dasharo Compatible with MSI Pro Z690-A Release v1.1.2

blog.3mdeb.com
2 points·by mkopec·vor 3 Jahren·0 comments

comments

mkopec
·letztes Jahr·discuss
> If all DVD players came with watermark detection instead of copy protection

That is an enormous "if". Do you think Microsoft is going to or is able to enforce this on every single software provider? Even in your Android example that's just not happening, and you can happily sideload apps. You can still develop your own apps on the same Android phone that you use for banking.

> And sorry but how many people have bypassed Playstations or Switches. This is what you’re talking about. Most people will just accept it.

People accept this with consoles because a console is a device exclusively for consuming media, and all developers apply for a devkit. I just don't see that happening in the PC space. You think Microsoft is suddenly going to dump this on third party software developers and force everyone to go through certification and to buy devkits? Without a mass exodus to Linux?
mkopec
·letztes Jahr·discuss
Google SafetyNet is basically swiss cheese with lots of bypass solutions for custom ROMs.

A TPM may only attest that it has received an expected set of measurements (hashes). As long as discrete TPMs or PCs with unlocked CPUs exist (w/o Boot Guard), one may simply take a TPM and replay "golden" measurements to it. Bypassing this would be trivially easy.

A TPM does not have control over execution on the CPU. It only receives data from the CPU. If you have control over execution on the CPU from the reset vector, you can just replay whatever you want to a TPM and extract secrets that way. That's why TPM backed disk encryption without configuring a PIN is insecure.

Microsoft does not have the same level of control over the entire PC ecosystem as Google has over Android. That's why it's important to support open source alternatives.
mkopec
·letztes Jahr·discuss
Widevine L1 requires a trusted execution environment for decrypting video and only showing it on HDCP monitors. It's built on top of Intel PAVP, AMD secure display, or ARM TrustZone in the case of ARM chromebooks and Android devices. TPM is not involved, except in the ARM case where I believe it is used for antirollback counters (on x86, the security coprocessor would probably have that responsibility).
mkopec
·letztes Jahr·discuss
> Does TPM support/requirements actually have any meaningful impact on a home user?

Disk encryption, Windows Hello and PIN bruteforce prevention. I have no love Microsoft and avoid using Windows whenever I can, but I think making those features accessible to more people is a good thing.
mkopec
·letztes Jahr·discuss
There are none. It's so immensely frustrating to me that so many people believe that a TPM is a DRM device. I'm sure Richard Stallman's Treacherous Computing article played a big part in this.

A TPM is useless for DRM, and there are way more suited solutions like Intel's PAVP that takes an encrypted video stream and puts it on the screen directly, yet I don't see nearly as much uproar about that.
mkopec
·vor 2 Jahren·discuss
I think if the process was made easy, it would save quite a bit more than 1% of these devices from the landfill, assuming you have enough power users to build a community. Plenty of people flash their chromebooks to MrChromebox UEFI to give them a new life, because it's easy enough for mere mortals, and because Google doesn't lock them down.

I believe if given the tools, people would gladly donate their time to make something fun with it. Heck, that's what I do in my spare time. But it's impossible if everything is completely locked down, as if a music streaming box contains nuclear launch codes that must be protected at all costs.
mkopec
·vor 2 Jahren·discuss
I firmly believe that permanent key fusing to lock bootloaders should be outlawed. At the very least the keys (and schematics) should be released once the device reaches EOL.

Otherwise we're just manufacturing e-waste.
mkopec
·vor 2 Jahren·discuss
Yeah, that's not something anyone should be saying to random people online.
mkopec
·vor 2 Jahren·discuss
Do Android Auto and VoLTE / VoWiFi work on Graphene these days? I also remember Google Maps and Uber being extremely problematic
mkopec
·vor 2 Jahren·discuss
Application Processor, i.e. the main processor
mkopec
·vor 2 Jahren·discuss
I would like to be able to ensure that only boot loaders signed with my private key can be executed. Secure Boot serves that purpose well, can I do that with your approach?

Likewise, demand and use cases for network boot exist, otherwise it wouldn't be here. Same goes for every other feature most users would consider bloat.
mkopec
·vor 2 Jahren·discuss
Rust won't magically fix every vulnerability and someone would have to pay a team of engineers to rewrite everything.
mkopec
·vor 2 Jahren·discuss
Some piece of code has to configure the CPU, initialize memory before you can even think about loading an OS...
mkopec
·vor 2 Jahren·discuss
All Zen 1 CPUs and newer have the PSP / ASP security processor which is ARM based and runs before the x86 cores are released from reset. This applies to all Zen models, not just the PRO versions.

The fTPM does indeed run on the PSP, so on the ARM cores, among many other things like DRAM training.
mkopec
·vor 3 Jahren·discuss
I think ChromeOS Freon was close to what you're describing, but they ended up switching to Wayland at some point
mkopec
·vor 3 Jahren·discuss
Dropping a link to a project attempting to create a fully open source TPM: https://twpm.dasharo.com/
mkopec
·vor 3 Jahren·discuss
In what manner specifically does a TPM not belong to the user, while a YubiKey does?
mkopec
·vor 3 Jahren·discuss
Right, but then the crawler devs will google this weird 999 code and handle it as a 429.

If I wanted to mess with clients I don't like, I'd just return a random valid code.
mkopec
·vor 3 Jahren·discuss
Disappointed with Lenovo's decision to enable PSB on my T14, having previously hoped one day I'd run coreboot on it, I decided to write a checker and crowdsource a list of PSB-enabled devices so that others may avoid buying hardware that disallows custom firmware.
mkopec
·vor 3 Jahren·discuss
Indeed, it seems that having another unlock option might be preferable. If you value your own live over the secrets, that is.