#qi-hardware IRC log for Friday, 2014-04-11

Web-aptosid876_ello00:05
w3bspl0itworking on a device with secure boot00:07
w3bspl0itboot loader is signed and verfies kernel00:07
w3bspl0itneed to disable secure boot00:07
w3bspl0iti had some thoughts00:07
w3bspl0itaccess boot loader in memory but UART is disabled for that00:08
w3bspl0itall interrupts are disabled00:09
w3bspl0itpossible to boot from sd card but verfication still in place00:11
wpwrakthat's ... on the ben ?00:13
w3bspl0itstreaming player00:13
wpwrakthen i suppose how you design your "secure boot" would depend on what sort of hardware that player has ...00:19
w3bspl0itRoku 3 streaming player00:23
DocScrutinizer05OUCH! tivoization or what?11:19
DocScrutinizer05you want to "root" a tivoized device? forget it, probably simply not worth it, even IF possible11:20
whitequarkehh, plenty of cases where the vendor is a complete idiot11:23
whitequarke.g. galaxy s ii11:23
whitequarkthe "secure boot" key is zeroed :D11:24
whitequarkand there's some code which indicates that they never actually bothered to turn off "development mode" in production11:24
DocScrutinizer05secure boot is da shite, usually the core developers don't bother or even hate it. It's a management decision that makes implementation of tivoization a product requirement11:29
DocScrutinizer05a quote from infobot about ~'#maemo aegis':11:31
DocScrutinizer05http://www.developer.nokia.com/Community/Wiki/Harmattan:Developer_Library/Developing_for_Harmattan/Harmattan_security/Security_guide , or "The purpose of this framework is: ... to make sure that the platform meets the requirements set by third party software that requires a safe execution environment.", or http://en.wikipedia.org/wiki/Trusted_Computing#Criticism, or  http://en.qi-hardware.com/w/images/1/10/ME_382_LockedUpTechnology2.11:31
DocScrutinizer05gif11:31
wpwrak"secure boot" has valid purposes. but you rarely see it used for them.11:31
DocScrutinizer05the "valid purposes" are pretty hard to implement and deploy, without producing negative impact on user's freedom11:32
wpwrakof course, why make the effort to make something better for the customer if it's so much more fun to just be an asshole ? :)11:32
wpwrakwell, sometimes the priority isn't freedom but security. e.g., think of a password safe. you _want_ it to be hard to mess with its internals.11:33
DocScrutinizer05Nokia claimed aegis was "for the user's security", in fact it been one huge PITA11:33
DocScrutinizer05you can't protect your password vault by any other means than forbidding installation of any software that's not certified by a central authority11:34
DocScrutinizer05http://www.youtube.com/watch?v=0cbS_lDJuJg11:35
wpwrakwell, i plan to give anelok a bit more flexibility. i want to leave it to the user to install certificates, or to revoke them. that would include the certificate they use to install certificates.11:37
DocScrutinizer05then you need to ship the device with this TPM infra already set up and engaged, and you need to deploy the root cert private key in a separate channel to user11:40
DocScrutinizer05and of course each root cert needs to be unique11:42
DocScrutinizer05otherwise rogue-user is using the privkey you send to him, to compromise/root devices you send to other customers11:43
DocScrutinizer05then each user basically needs a tool to sign installation packages in a trusted environment with his unique private key11:47
DocScrutinizer05dunno what's your benchmark for "trusted environment" in the latter, maybe a standard PC would satisfy your security requirements11:49
DocScrutinizer05anyway you must be sure about that environment not compromising your private key or the packages you sign11:50
DocScrutinizer05and obviously you don't want to install the privkey to anelok, no matter how trusted you consider this environment. So on-platform signing is a nogo11:51
DocScrutinizer05at this point you should stand back a step or two, look at the whole picture and ask "what's the purpose of this exercise?"11:54
DocScrutinizer05avoid rogue software getting installed on your secure device aka anelok? can as well egt implemented with proper usual unix/posix permissions/capabilities11:55
DocScrutinizer05no root password, no installation of rogue software11:56
DocScrutinizer05nota bene to avoid flashing a new kernel by rogue hax0r you don't need any of that cert and TPM/tivoization crap. You just need to make sure the flashing is asking for a unique password assigned to your particular device12:03
DocScrutinizer05IOW as long as yur ROM bootloader has a feature to flash new kernel but doesn't allow readout of the kernel on device, it's absolutely sufficient when you hardcode your individual unlock key for the TPM storage to your kernel before flashing it12:08
DocScrutinizer05of course it's even better when your lowest stage bootloader (aka ROMBL) already asks for a password to allow anything to run on the device, during boot12:12
wpwrak(separate channel) correct. each user needs to get a "personal" master certificate. plus is encouraged to change it, so that not even the issuer has a way of knowing.12:13
DocScrutinizer05this way nobody who doesn't know your password could install any software at all to the device. Still no PKI and certs and stuff needed12:13
wpwrak(environment) anelok can still generate private keys. that's not insecure because what those keys are protecting is anelok itself. so if it's already compromised, you don't make things worse.12:14
DocScrutinizer05but also not better12:15
wpwrakbetter than "safe" ? :)12:15
DocScrutinizer05better than "already compromised"12:15
wpwrakwell yes, but if it's gone, it's gone.12:16
wpwrakyou can't put the genie back in the bottle12:16
DocScrutinizer05exactly, the whole thing is a bloated monster to establish... snakeoil, usually. Or tivoization which means you assign root to somebody else (manuf) and you don't own your own device anymore12:17
wpwrakthe latter is not the idea. you get all the keys you want. the device may or may not come with "immutable" flash. (would be a nice order-time option)12:18
wpwrakif "immutable", you can't even blank it. if "mutable", you (or anyone else) can.12:18
DocScrutinizer05sure somebody could run your original kernel in a virtual machine, on anelok, thus tricking you into thinking the device is still "clean". But could they *really* or is this just a theoretical attack vector that doesn't fit through the eye of the needle of your actual hardware resources?12:19
wpwrakblanking means that all keys are deleted. so the device can't access things it has access to before blanking. but of course you could then install any malicious firmware you want.12:20
wpwrakkernel ? anelok doesn't run linux. it's just a lowly cortex M0+12:20
DocScrutinizer05doesn't matter12:21
DocScrutinizer05call it kernel or call it main()12:21
DocScrutinizer05I don't see how cert PKI helps in all this12:22
wpwraki'm not talking about the global scheme, with verisign, thawte, cacert, turktrust, and all these. that's obviously pointless.12:24
DocScrutinizer05grrrrr, ZNC acting up12:25
wpwraki'm not talking about the global scheme, with verisign, thawte, cacert, turktrust, and all these. that's obviously pointless.12:25
wpwrakthe issuer would be anelok.com. then you're free to do what you want.12:25
DocScrutinizer05me neither does12:25
wpwrakanyway, gotta run. dentist's appintment.12:25
DocScrutinizer05eeew12:25
DocScrutinizer05(ZNC) hmm12:27
DocScrutinizer05roh: did you boot andromeda?12:27
DocScrutinizer05(thus lagrange)12:28
DocScrutinizer05nevermind12:28
wpwrak(eew) naw, dental procedures are pretty tame nowadays. well, if you go to a capable dentist. if you choose one whose principal professional experience is with four-legged patients, you may get what you deserve :)15:47
larscor just compensate their lack of talent with enough NO ;)16:05
grrk-bzztHello16:15
grrk-bzztWhat's the state of Qi-Hardware?16:15
DocScrutinizer5142  ;)16:30
wpwrakstable, unchanging, unyielding :)16:32
DocScrutinizer51or16:35
DocScrutinizer51!status16:36
Action: wpwrak wasted almost an entire week more than kyak ! :)16:53
kyakwpwrak: you produced 3 Mb of text :)16:53
kyakin 3 years16:53
wpwrakabout 10% of my 1st hard disk :)16:53
kyak--)16:53
eintopf:/17:16
grrk-bzztwpwrak, stable as in "dead"?17:47
eintopfoh18:04
wpwrakgrrk-bzzt: more like the pyramids. relaxed, majestetic, not worried by what hurries past them, but yes, not dancing and jumping around either.18:09
grrk-bzztThat was a strange explanation18:16
wpwrakthanks ;-)18:19
larscI'd say it is suspended until further notice18:31
wpwrakexcellent explanation of heartbleed: http://xkcd.com/1354/18:33
wpwraklarsc: one could say we're here, engines running, but idling18:50
larscMy engines are off and the dust covers are on ;)18:55
wpwrakcareful. they're still idling. noxious gases may build up under those covers.18:58
eintopfwe need some upstarter project to search the mh37019:00
eintopfvia echolons19:00
wpwrakthere was some crowdsearching where a satellite imaging company made some images available19:02
eintopfmhh19:03
wpwrakalas, only of a very tiny and in the end completely irrelevant region19:03
eintopfnow I got some news about "all are alive and the plane was hijacked from terrorsit"19:04
eintopfwpwrak: I don't understand some point at the at86rf231 datasheet :(19:05
eintopfthey describe a "Frame Receive Procedure" which doesn't work19:05
wpwrakeintopf: first, consider this: http://pics.nase-bohren.de/instruction-manual.jpg19:19
wpwrakand which part of the procedure do you disagree with ?19:20
eintopf:)19:21
eintopfpage 126 figure 10-1 desribes "Transactions between AT86RF231 and Microcontroller during Receive"19:22
eintopfFirst IRQ_2 occures (IRQ_\RX_START)19:22
eintopfwhich indicates that's an rx interrupt, so I make a spinlock for is_rx or something else19:23
eintopfthen waiting for the IRQ3 (IRQ_TRX_END)19:23
eintopfbut I can't to that19:23
wpwraki don't like thw word "spinlock" in this context, but go on ...19:23
eintopf, because the RX_START interrupt occurs after SFD19:23
eintopfwpwrak: yes I know :(19:24
eintopfpage 39 describes when IRQ2 (RX_START) occurs19:24
wpwrak(after SFD) correct, even after PHR (page 39, figure on top)19:24
wpwrakyeah :)19:24
eintopfah, we understand :)19:24
eintopfwpwrak: I don't know if I really need only the TRX_END irq for tx/rx19:25
eintopfbecause then I need a spinlock is_tx19:25
eintopfbecause I don't know what I am doing when TRX_END occurs19:26
wpwraktrue, there is a race condition19:26
wpwrakwhat you could do is:19:26
eintopfmaybe read the TRX_STATE19:26
wpwrak- if you're in RX mode, any TRX_END means that something has arrived19:26
eintopfyea... and I get the TRX_STATE also when I reading out the IRQ_STATUS19:27
eintopfthat's the first receiving byte19:27
wpwrak- if you're in TX mode, first enter PLL_ON and make sure you've arrived there. then check TRX_END. and only then you're really in TX mode.19:27
wpwrakyou can set it up to do this, yes. careful, though: the 230 can't do that.19:28
wpwrakonly 231/232/23319:28
eintopf... :(19:28
eintopfokay, thanks19:28
wpwrakof course, the 230 has many other interesting problems ;-)19:28
eintopfI tought there would be also some IRQ's for a successful statechange19:29
eintopfbut there is nothing...19:29
eintopfwpwrak: but why the hell they describe the receive procedure like this19:31
eintopfit doesn't work for me19:31
eintopfI need to write a mail to atmel19:33
larscwpwrak: do you know any production ready things that use 6lowpan?19:34
wpwraki'm not even sure what PLL_ON does if you're in BUSY_RX. it seems that it would wait until the frame ends, then return to RX_ON, and then execute the PLL_ON19:35
wpwraklarsc: hmm no, but then i don't have much of an industry overview19:36
wpwrak(assuming you mean "finished" products, not just components. else there are some adapters, including of course atben/atusb :)19:38
eintopfah, I need to change the SPI_CMD_MODE for the trx state...19:38
eintopfwpwrak: :/19:38
larscwe may or may not (I can't neither deny or confirm at this point ;)) want to build a demo showing interoptability with 3rd party 6lowpan solutions19:38
eintopfit works with contiki19:39
eintopfpoint to point19:39
eintopfbut not tinyOS, the tinyOS 6lowpan stack isn't rfc complaint19:40
eintopf(I mean the BLIP stack)19:40
eintopflarsc: I run also coap on my linux system19:41
wpwraklarsc: linux-based ? (your end)19:41
larscyes19:42
larscbut also contiki19:42
wpwrakcontiki .. the suffering :)19:43
eintopfwpwrak: http://sourceforge.net/p/libcoap/code/ci/master/tree/str.c#l1819:44
eintopflook at this code19:44
eintopfI don't understand it19:44
eintopfit's for the libcoap implementation which is also for contiki19:44
eintopfcoap_malloc(sizeof(str) + size + 1);19:45
eintopfstr is a char * and why "+ size"19:45
eintopfalways fun on a x86_64 bit system19:45
larscstr is not char *19:46
eintopfokay char19:46
wpwraklarsc: the problem is that a lot of that stuff seems to be in industrial settings and they're generally not very "open"19:46
whitequarkcontiki is truly horrible19:47
eintopfthen he makes a str *19:47
larscstr is a struct19:47
larscsizeof(str) is the size of that struct19:47
eintopfmhh19:48
eintopfthen all things makes sense19:48
eintopfs->s = ((unsigned char *)s) + sizeof(str);19:48
eintopfhe not allocate new memory19:49
eintopfsome pointer magic19:49
eintopfmhh19:49
wpwrakit looks like the sort of code that can give you heartbleed ...19:50
eintopf:D19:50
whitequarkwpwrak: it's written in C. of course it is!19:50
wpwrakespecially COAP_SET_STR in http://sourceforge.net/p/libcoap/code/ci/master/tree/str.h19:50
wpwrakthat's almost begging to be misunderstood19:50
eintopfwpwrak: the libcoap uses also autoconf defines in API headers19:51
eintopfbut I have a workaround for that19:51
wpwrakwhitequark: people who complain about C being "dangerous" are just cowards who try to avoid being held responsible for their mistakes :)19:52
eintopfthe complete buildsystem is a autoconf without automake :(19:52
wpwraka first step in the right direction. now just get rid of the rest of autocrap ...19:53
whitequarkwpwrak: or the direct opposite? they have a sense of responsibility, and so they don't want to use a tool which amplifies their mistakes by several orders of magnitude19:53
eintopfwpwrak: you don't like autotools?19:54
whitequarkI mean, building a house with lead paint is dangerous, and no amount of "don't lick lead paint if you wanna live" is going to convince anyone to change building codes19:54
whitequarkeven if lead paint is marginally cheaper than modern synthetic ones19:54
wpwrakeintopf: i'd rather depilate my testicles than use that steaming pile of bovine feces ...19:55
whitequarkusing C in 2014 is building a house painted with lead and lined with asbestos, and replying to the complaints of cancer and developmental delays that "omg, but there is already 1000 houses built like that, and we had a WHOLE BUCKET of lead paint, it's not like you can let that just *rot*."19:56
eintopfwpwrak: ah, I used google translator to understand your sentence19:56
eintopfthat's funny :)19:56
wpwrakwhitequark: you're still young. there's still plenty of time to learn to appreciate the greatness of C :)19:57
whitequarkwpwrak: it's funny, considering that I know C well enough I could write a compiler *shrug*19:58
eintopfwpwrak: it works with the TRX_STATUS in the IRQ_STATUS request19:59
whitequarkpeople seem to have a weird sense of pride in using horrible tools. true, using your homemade chainsaw without eye or hand protection probably raises your self-worth, but it doesn't help those maimed by the parts flying around at subsonic speeds20:00
wpwrakwhitequark: i didn't question your proficiency in C but your understanding of its majesty ;-)20:02
whitequarkin your own home, you can use whatever you want. the second you publish a new project in C, your fucking fingers need to be chopped off, to prevent damage to those green enough who dared to actually use that20:02
whitequarkit's a public safety issue, more or less20:02
larscna, you just shouldn't use dangerous tools if you are not trained to use them20:03
wpwrakalright alright, now go back, play some 2048, and thank the creator that linux is written in Ada ;-)20:03
whitequarka tool has no need to be majestic. a hammer isn't. I don't even *want* a majestic hammer, regardless of its safety. I want one that drives nails in20:03
wpwrakor .. what was it ... Rubbysh ? :)20:04
whitequarklarsc: sure. but there is no consensus on who is considered trained, neither there is any wide understanding of that statement20:04
whitequarkso it simply doesn't work in practice20:04
eintopfwpwrak: do you think I can also remove the tx_complete, for wait_for_completion? But I need to control that we don't send something if we already sending something20:05
whitequarkwpwrak: hence "new projects". it's not realistic to rewrite all of the old C code, not least because you will introduce 9 other bugs for 1 memory safety bug fixed20:05
wpwrakeintopf: isn't the upper layer already taking care of that ? problem is that you can't return before you're done (i think)20:06
eintopfyes20:06
wpwrakeintopf: hence the ###### above would have to be changed, too, if you want to avoid the "no return" restriction20:06
eintopfmhh20:07
larscI agree that the current situation is very bad and we are kind of heading to the abyss and something has to change20:07
Action: wpwrak imagines a mime angrily pounding against an imaginary glass wall. you can see him hammer but you can't hear him scream20:08
larscbut I don't think that switching to "safe" languages will solve things20:08
larscwhat we need is formal verification20:08
larscof every instruction20:08
whitequarkthat's entirely unrealistic20:09
whitequarksafe languages achieve comparatively huge benefit (memory safety) with comparatively little cost20:09
wpwrakand until then, perhaps a bit of a review process. that was the main failing that heartbleed showed.20:09
whitequarkwpwrak: that as well. gotofail wouldn't be solved by safe languages.20:10
wpwrakyup. that's another one.20:11
whitequarkhowever, not everything (including stuff directly caused by C's braindead execution model) would be solved by review20:12
whitequarke.g. this piece https://code.google.com/p/nativeclient/issues/detail?id=245 was reviewed by a bunch of guys who are on the top of the food chain, and it still slipped through, with disastrous consequences if deployed.20:12
whitequark(explanation at http://blog.regehr.org/archives/213 ’ Type 3 functions)20:13
whitequarkthere is *absolutely no reason whatsoever* to leave the sign bit stuff undefined in the standard. there is even less reason to not enable -fwrapv by default in every single compiler that exists. yet, it persists.20:14
wpwrakthat cast doesn't look very "top of the foodchain"20:15
larscthe thing is we have tools to catch these kind of errors20:15
kyakcode review has to be automated20:15
kyakusing tools, right20:15
wpwrakfor the rest ... yes, if you change the semantics of something without changing its type, you can get tricky bugs20:15
whitequarklarsc: how many C projects are using those tools? 0.0001%?20:15
kyakformal verification is becoming more and more popular in recent years20:16
sb0whitequark, what do you think of lisp machines?20:16
wpwrake.g., i don't particularly like "int" or its malleability. of course, you could play it safe and use a "struct". yet few people do.20:16
whitequarklarsc: it's true we have them today. that wasn't the case a few years ago. the vast majority of people writing C are uneducated and will be uneducated on that matter for decades to come, probably.20:16
whitequarksb0: nothing in particular20:16
whitequarklocking the machine to a single execution model dictated by a single language seems a bit silly20:17
sb0can't the same be said of traditional CPUs - made to run C?20:17
whitequarkthey're not20:17
larscC is made to run on theses cpus20:17
larscnot vice versa20:18
whitequarkI mean, show me evidence they are. the execution model of C isn't even similar to any existing CPU20:18
wpwrakwasn't RISC pretty much in spired by C and friends ?20:18
whitequarkwpwrak: the first time I hear that20:19
whitequarksb0: the quirks of C standard very specifically come from the desire to specify the smallest possible subset of operations all interesting CPU support, while remaining backwards-compatible20:19
wpwrakthe older designs have ... more complicated histories. and frankly, i can't quite fathom what monster they would have designed the VAX architecture for. maybe Algol 68.20:20
whitequarkwpwrak: hm? weren't CISCs designed to be written by hand?20:20
whitequarkI mean, compilers didn't change very much since they first appeared, and it was always common knowledge that compiled code uses a tiny fraction of instructions CISCs provide20:21
wpwrakyou mean assembler ? well yes, some of them do make it almost look like a high-level language ...20:21
whitequarkoh, that may be what you've referred to "inspired by C"20:21
whitequarkI would say "designed to be compiled to", yes, I believe that was one of the goals20:21
larscI always get dizy when I think about that stuff like the whole Linux kernel runs with full privileges20:22
wpwrak(cisc) fond memories of MOVC5 come to mind. memmove (not just memcpy !) and memset, all rolled into one single machine instruction ...20:24
sb0yeah; and it's architecturally very messy. e.g. you can access a USB stick either with fuse + libusb, or with kernel fs + usb mass storage driver20:25
wpwrakand then there's of course POLYH ...20:26
whitequarkfuse is horrible.20:26
whitequarknothing that uses fuse ever works reliably.20:26
whitequarkeventually, the server dies, and you have processes stuck on IO forever, and you just want to go somewhere and die20:26
whitequark(o°¡°o5 ;;20:26
sb0that's besides the point - and if you "kill" e.g. the ext4 module, bad things will happen too20:28
whitequarkbut you can't kill the ext4 module.20:28
whitequarkand fuse servers will happily go and die themselves. tangentially related, they also often try to provide FS over network.20:28
whitequarkFS over network is such a horrible idea it needs to be taught in school right next to Hitler20:29
sb0but the ext4 module can crash... the only reason it doesn't crash often is its code is better debugged than many fuse servers20:29
wpwrak(POLYH computes a polynom of arbitrary degree with 128-bit floating-point numbers. surprisingly, they limited the degree to <= 31. guess someone decided it would be inappropriate for the CPU to spend more than a day on a single instruction ...)20:29
whitequarksb0: well, my point is that in practice, literally no fuse servers I have tried were even remotely usable20:30
wpwrakwhitequark: in russian school, they teach hitler20:30
whitequarkeven when the code technically works well (most of the time) (e.g. sshfs), the leaky abstraction of FS over network makes it a pain to use20:31
whitequarkwpwrak: in russia, hitler teaches YOU20:31
sb0but nothing prevents people from writing a fuse server that has the same quality and stability as the ext4 kernel module20:31
whitequarksb0: nothing also prevents people to writing perfect X.509 deserializers on the first try20:32
whitequarksomehow that doesn't happen20:32
wpwrak:)20:32
sb0in fact, it should be easier, since debugging userland crashes is easier then debugging kernel crashes20:32
wpwrakand you have valgrind20:33
whitequarkI'm not analyzing the reason everything fuse related is shit. I'm stating the fact: it invariably is20:33
whitequarkI would be happy for that to not be the case20:33
wpwrakzrafa: you hear him ?20:33
whitequarkwpwrak: (valgrind... which is a very complex and expensive way to fix something that only happens because C is dumb)20:34
sb0guess that's because fewer people dare touch kernel modules than fuse - i.e. only people who know how to code to a good extent will even think about writing a kernel module20:34
kyaki'm using sshfs very regularly. Sometimes strange things happen, but not more oftern than with samba for example20:34
whitequarkkyak: all network filesystems are broken to various degree20:34
kyakwhitequark: so i need to stop using my NAS immediately?? :)20:34
whitequarkthe model that works is sync of local folders, not direct access to remote by software which can't even detect a disconnect properly or was written without regard to delays20:34
larsckyak: stop using networks!20:35
whitequarkit's... systems design 101. don't pretend that remote things are local. don't replace an interface with another one with a much wider range of failure modes without even adding a way to observe those failures20:36
larscthat would have alsoavoided the heartbleed bug20:36
kyakand also prevent this conversaion from happening20:36
larscprobably the best benefit ;)20:37
kyakwhitequark: common, give us something positive today!20:37
whitequarkkyak: you're not dead yet20:37
Action: kyak hides20:38
wpwrakdarn. so this isn't hell yet ?20:38
kyakhell no!20:38
larscwhitequark: he said something positive20:42
kyakpositive doesn't arouse much discussion :)20:44
wpwrakindeed. instant discussion death :)21:27
wpwrakzrafa: btw, did you try to flash over swd ?21:38
--- Sat Apr 12 201400:00

Generated by irclog2html.py 2.9.2 by Marius Gedminas - find it at mg.pov.lt!