IRC log of #maemo for Monday, 2016-09-26

[08:26] *** povbot has joined #maemo
[08:27] *** Guest64392 has joined #maemo
[08:28] *** Tenhi_0 has joined #maemo
[08:28] *** timeless has joined #maemo
[09:36] *** povbot has joined #maemo
[10:14] *** jskarvad has joined #maemo
[10:14] *** jskarvad has quit IRC
[10:14] *** jskarvad has joined #maemo
[10:26] *** Hurrian has quit IRC
[10:27] *** florian_kc has joined #maemo
[10:31] *** florian_kc is now known as florian
[10:42] *** mhlavink_afk has joined #maemo
[10:43] *** mhlavink has quit IRC
[10:44] *** geaaru has joined #maemo
[11:01] *** eMHa__ has quit IRC
[11:54] <bencoh> yay, gnuboy works fine on n900 .... I wonder how people could stick with laggy closed-source vgb :/
[11:55] <KotCzarny> make a tmo entry about it?
[11:55] <bencoh> yeah, I haven't finished packaging it yet, and it has no GUI either, but ...
[11:56] <KotCzarny> writing gui shouldn't be hard in pygtk
[11:56] <bencoh> I can't stand python, and writing GUIs is exactly the part I hate/suck at anyway
[11:56] <bencoh> so ... feel free :)
[11:57] <bencoh> actually the main reason it would need a GUI is to set key bindings
[11:58] <bencoh> (although I patched it to print unmapped keysyms to stdout so discovering needed keycodes wouldn't be too hard)
[11:58] <KotCzarny> python is easy
[11:58] <KotCzarny> much easier than perl anyway ;)
[11:59] <bencoh> I personally think it's braindead, but that's beyond the scope of this chan
[11:59] <KotCzarny> why so? it's a scripting language with beautifying feat built in
[12:00] <KotCzarny> and makes writing apps from scratch easy
[12:01] <KotCzarny> though i agree, on resource limited system (n900) it's not useful for anything else than configuration editors/launchers
[12:05] *** chem|st_ is now known as chem|st
[12:06] *** eMHa__ has joined #maemo
[12:12] *** troulouliou_div2 has joined #maemo
[12:14] *** zGrr has joined #maemo
[12:30] *** troulouliou_div2 has quit IRC
[12:30] *** dreamer has quit IRC
[12:36] *** dreamer has joined #maemo
[12:36] *** Guest14187 is now known as warfare
[12:37] <Xxaxx> or spy device with webcam/mic, wifi proxy to local network etc
[12:37] <Sicelo> bencoh: yay!
[12:45] *** troulouliou_div2 has joined #maemo
[13:48] *** BitEvil is now known as SpeedEvil
[13:48] *** N-Mi has joined #maemo
[13:49] *** eMHa has joined #maemo
[13:49] *** eMHa__ has quit IRC
[14:41] *** LauRoman has quit IRC
[14:44] *** LauRoman has joined #maemo
[14:45] *** dreamer has quit IRC
[14:45] *** dreamer has joined #maemo
[16:09] *** xorly| has joined #maemo
[16:16] *** RST38h has joined #maemo
[16:19] *** sunshavi has joined #maemo
[16:26] *** arcean has quit IRC
[16:39] *** xorly| has quit IRC
[16:45] *** xorly| has joined #maemo
[16:58] *** robink_ is now known as robink
[17:03] *** L29Ah has left #maemo
[17:09] *** xorly| has quit IRC
[17:20] *** japa-fi has joined #maemo
[17:28] *** xorly| has joined #maemo
[17:30] *** L29Ah has joined #maemo
[17:38] *** eMHa has quit IRC
[17:41] *** capitanocrunch has joined #maemo
[17:48] *** capitanocrunch has quit IRC
[18:01] *** radekp has quit IRC
[18:07] *** eMHa has joined #maemo
[18:10] *** florian has quit IRC
[18:20] *** freemangordon_ has joined #maemo
[18:33] * L29Ah slaps Wizzup with a portage tree
[18:35] *** xorly| has quit IRC
[18:43] *** xorly| has joined #maemo
[18:49] *** Pali has joined #maemo
[18:53] *** japa-fi has quit IRC
[18:54] *** zGrr has quit IRC
[18:55] *** ds3 has joined #maemo
[18:57] *** xorly| has quit IRC
[19:00] *** xorly| has joined #maemo
[19:19] *** Sui_dorimu has joined #maemo
[19:20] *** tanty is now known as tanty_off
[19:22] *** Venusaur has quit IRC
[19:29] <dkbrz> hmm.. is u-boot capable of booting off kernel found on encrypted LUKS partition on SD card (like GRUB does), or do I need unencrypted /boot for kernel and initrd on a separate partition?
[19:38] *** xorly| has quit IRC
[19:41] *** CatButts has quit IRC
[19:44] *** jskarvad has quit IRC
[19:46] <Pali> dkbrz: u-boot in maemo extras does not support LUKS
[19:46] <Pali> but I have no idea if new version of u-boot has support for LUKS or not
[19:47] <Pali> dkbrz: better ask on #u-boot channel
[19:47] <dkbrz> Pali: thanks
[19:48] <Pali> maybe look at this: https://packages.debian.org/sid/grub-uboot-bin
[19:48] <Pali> it has some luks support: https://packages.debian.org/sid/armel/grub-uboot-bin/filelist
[19:49] <Pali> looks like this acts as grub for third stage bootloader
[19:49] <Pali> but still something needs to be unencrypted...
[19:49] <Pali> probably overkill and useless...
[19:50] <Pali> dkbrz: anyway, if you found something, let me know, luks + uboot sounds very interesting
[19:51] <dkbrz> Pali: sure.
[19:52] <dkbrz> 19:51 < Marex> dkbrz: no, but you can use grub-efi on top of u-boot, which supports that
[19:53] <dkbrz> so, that's the standard approach I guess
[19:54] <Pali> it is useless for n900
[19:54] *** stejae has joined #maemo
[19:54] <Pali> you can boot directly unencrypted kernel
[19:54] *** stejae is now known as Guest32866
[19:54] *** florian has joined #maemo
[19:54] <Pali> or boot unencrypted grub which boots encrypted kernel
[19:55] *** Guest32866 is now known as stejae
[19:55] *** stejae has joined #maemo
[19:56] <Pali> both options are probably same secure...
[19:56] <Pali> man with physical access to SD card can change boot code easily (e.g. switching SD card)
[19:57] <dkbrz> yes, but grub option reveals less, so maybe better from privacy perspective
[19:57] <Pali> attacker will either see your unencrypted grub or unencrypted kernel image
[19:57] <dkbrz> if device lost/stolen = not you being of interest for some letters organisations
[19:58] <Pali> I think it is widely known that on n900 is running linux kernel
[19:58] <bencoh> we'd actually need a way to sign/check bootloaders and check the first one in hw, but ..... meh :)
[19:59] <Pali> X-Loader is signed by nokia key
[19:59] <Pali> NOLO not (thankfully!)
[19:59] <Pali> see what happened with N9/N950 and harmattan
[19:59] <Pali> useless device for hacking
[19:59] <bencoh> that's what I suspected yeah .... but that means we can't add signature check code to it
[19:59] <bencoh> thus can't ensure our 2nd-stage bootloader hasn't been modified
[20:00] <Pali> I think it is better
[20:00] <Pali> modifying 2nd stage bootloader without active system and equipment is not so easy
[20:00] <dkbrz> more from #u-boot:
[20:00] <dkbrz> 19:57 < Marex> dkbrz: if you want to encrypt all things, add small SPI NOR for u-boot, encrypt and checksum that one using the bootrom (make CPU your root of trust) and then store both the u-boot and kernel in that NOR
[20:00] <dkbrz> 19:58 < Marex> dkbrz: u-boot can decrypt kernel using CPU's crypto engine and boot it, kernel can then decrypt, verify and mount the FS from initramfs
[20:00] <bencoh> yup, it'd be better than nothing, or than encryption
[20:06] *** CatButts has joined #maemo
[20:11] <KotCzarny> dkbrz, just an idea, boot linux then somehow load/kexec encrypted kernel?
[20:12] <dkbrz> KotCzarny: it sounds even more complex than u-boot + grub. :)
[20:12] <KotCzarny> or make kernel requiring decryption key available via bt dongle
[20:12] <Pali> what is problem with having kernel image unencrypted?
[20:16] <dkbrz> Pali: some more privacy only. Actually, for my purposes it's ok. Just have all other system with full encryptions, maybe a bit lowering expectation and less mental comfort :)
[20:21] <dkbrz> but chainloading grub sounds interesting, I'll try it just out of curiosity
[20:41] *** troulouliou_div2 has quit IRC
[20:46] *** freemangordon_ has quit IRC
[20:48] *** geaaru has quit IRC
[21:11] *** N-Mi has quit IRC
[21:31] *** trumee has quit IRC
[21:36] *** trumee has joined #maemo
[21:38] * DocScrutinizer05 beats bencoh with a huge wet Aegis
[21:48] *** japa-fi has joined #maemo
[22:03] <DocScrutinizer05> an attacker able to do anything you might try to stop with such encryption (i.e. replacing kernel by an unsigned one) is also able to do basically all the things you might want to forbid via that encrypted kernel
[22:03] <DocScrutinizer05> sorry
[22:04] <DocScrutinizer05> sorry that was poorly worded, but actually still to the point
[22:05] *** krnlyng has quit IRC
[22:05] <DocScrutinizer05> more normal language: what does it help when you can tell an attacker replaced the kernel and your system doesn't boot the non-encrypted/signed new kernel, when the same attacker that sneaked in that new kernel already copied all your protected stuff since he could do that as well when he could replace the kernel
[22:18] <DocScrutinizer05> yes, somebody with physical access could sneak in a kernel that discloses your master password while they only could steal the encrypted partition
[22:19] *** krnlyng has joined #maemo
[22:25] *** japa-fi has quit IRC
[22:37] *** japa-fi has joined #maemo
[22:37] *** BCMM has joined #maemo
[22:40] *** atk has quit IRC
[22:40] *** atk has joined #maemo
[22:44] *** xorly| has joined #maemo
[22:55] <bencoh> DocScrutinizer05: ?
[22:55] *** xorly| has quit IRC
[22:55] *** xorly has joined #maemo
[22:56] <bencoh> I only said that the only way to "guarantee" "security" would be to keep a chain of signed software, from 1st-stage bootloader (checked by hw) to kernel/initrd
[22:58] <Pali> and who will have signing keys?
[22:58] <Pali> how will be distributed (to HW)?
[22:58] <Pali> and who will be able to change them?
[22:59] <bencoh> Pali: on n900, we just can't do it :)
[22:59] <KotCzarny> or just attach some explosives and trigger anything suspicious
[22:59] <Pali> who is responsible for security audit of that HW signature verification code?
[22:59] <Pali> and how to replace them if security problem will be found?
[23:00] <Pali> it is not about n900, those are general questions for any phone
[23:00] <bencoh> Pali: device vendor
[23:01] <Pali> I say that if owner of phone does not have all above in his own control, then there is no real security
[23:03] <bencoh> indeed, and that's exactly what happened with n900 :)
[23:04] <KotCzarny> it's still leaps and bounds better than most of the phones today
[23:09] <Sicelo> true ... i have taken ownership of my dad's old SGS4 - the hardware is nice (processor, ram, display) - but the OS just leaves a lot to be desired. i feel boxed in :(
[23:16] <KotCzarny> port maemo to it ;)
[23:41] <Sicelo> haha .. the Replicant team seems to have had significant problems porting to it ..
[23:42] <Sicelo> so you can already see the chances for Maemo
[23:42] <Sicelo> CM works good apparently
