| *** povbot has joined #maemo | 08:26 | |
| *** Guest64392 has joined #maemo | 08:27 | |
| *** Tenhi_0 has joined #maemo | 08:28 | |
| *** timeless has joined #maemo | 08:28 | |
| *** povbot has joined #maemo | 09:36 | |
| *** jskarvad has joined #maemo | 10:14 | |
| *** jskarvad has quit IRC | 10:14 | |
| *** jskarvad has joined #maemo | 10:14 | |
| *** Hurrian has quit IRC | 10:26 | |
| *** florian_kc has joined #maemo | 10:27 | |
| *** florian_kc is now known as florian | 10:31 | |
| *** mhlavink_afk has joined #maemo | 10:42 | |
| *** mhlavink has quit IRC | 10:43 | |
| *** geaaru has joined #maemo | 10:44 | |
| *** eMHa__ has quit IRC | 11:01 | |
| bencoh | yay, gnuboy works fine on n900 .... I wonder how people could stick with laggy closed-source vgb :/ | 11:54 |
|---|---|---|
| KotCzarny | make a tmo entry about it? | 11:55 |
| bencoh | yeah, I haven't finished packaging it yet, it and has no GUI either, but ... | 11:55 |
| KotCzarny | writing gui shouldnt be hard in pygtk | 11:56 |
| bencoh | I can't stand python, and writing GUIs is exactly the part I hate/suck at anyway | 11:56 |
| bencoh | so ... feel free :) | 11:56 |
| bencoh | actually the main reason it would need a GUI is to set key bindings | 11:57 |
| bencoh | (although I patched it to print unmapped keysyms to stdout so discovering needed keycodes wouldn't be too hard) | 11:58 |
| KotCzarny | python is easy | 11:58 |
| KotCzarny | much easier than perl anyway ;) | 11:58 |
| bencoh | I personally think it's braindead, but that's beyond the scope of this chan | 11:59 |
| KotCzarny | why so? its a scripting language with beautyfying feat built in | 11:59 |
| KotCzarny | and makes writing apps from scratch easy | 12:00 |
| KotCzarny | though i agree, on resource limited system (n900) its not useful for anything else than configuration editors/launchers | 12:01 |
| *** chem|st_ is now known as chem|st | 12:05 | |
| *** eMHa__ has joined #maemo | 12:06 | |
| *** troulouliou_div2 has joined #maemo | 12:12 | |
| *** zGrr has joined #maemo | 12:14 | |
| *** troulouliou_div2 has quit IRC | 12:30 | |
| *** dreamer has quit IRC | 12:30 | |
| *** dreamer has joined #maemo | 12:36 | |
| *** Guest14187 is now known as warfare | 12:36 | |
| Xxaxx | or spy device with webcam/mic, wifi proxy to local network etc | 12:37 |
| Sicelo | bencoh: yay! | 12:37 |
| *** troulouliou_div2 has joined #maemo | 12:45 | |
| *** BitEvil is now known as SpeedEvil | 13:48 | |
| *** N-Mi has joined #maemo | 13:48 | |
| *** eMHa has joined #maemo | 13:49 | |
| *** eMHa__ has quit IRC | 13:49 | |
| *** LauRoman has quit IRC | 14:41 | |
| *** LauRoman has joined #maemo | 14:44 | |
| *** dreamer has quit IRC | 14:45 | |
| *** dreamer has joined #maemo | 14:45 | |
| *** xorly| has joined #maemo | 16:09 | |
| *** RST38h has joined #maemo | 16:16 | |
| *** sunshavi has joined #maemo | 16:19 | |
| *** arcean has quit IRC | 16:26 | |
| *** xorly| has quit IRC | 16:39 | |
| *** xorly| has joined #maemo | 16:45 | |
| *** robink_ is now known as robink | 16:58 | |
| *** L29Ah has left #maemo | 17:03 | |
| *** xorly| has quit IRC | 17:09 | |
| *** japa-fi has joined #maemo | 17:20 | |
| *** xorly| has joined #maemo | 17:28 | |
| *** L29Ah has joined #maemo | 17:30 | |
| *** eMHa has quit IRC | 17:38 | |
| *** capitanocrunch has joined #maemo | 17:41 | |
| *** capitanocrunch has quit IRC | 17:48 | |
| *** radekp has quit IRC | 18:01 | |
| *** eMHa has joined #maemo | 18:07 | |
| *** florian has quit IRC | 18:10 | |
| *** freemangordon_ has joined #maemo | 18:20 | |
| * L29Ah slaps Wizzup with a portage tree | 18:33 | |
| *** xorly| has quit IRC | 18:35 | |
| *** xorly| has joined #maemo | 18:43 | |
| *** Pali has joined #maemo | 18:49 | |
| *** japa-fi has quit IRC | 18:53 | |
| *** zGrr has quit IRC | 18:54 | |
| *** ds3 has joined #maemo | 18:55 | |
| *** xorly| has quit IRC | 18:57 | |
| *** xorly| has joined #maemo | 19:00 | |
| *** Sui_dorimu has joined #maemo | 19:19 | |
| *** tanty is now known as tanty_off | 19:20 | |
| *** Venusaur has quit IRC | 19:22 | |
| dkbrz | hmm.. is u-boot capable booting off kernel found on encrypted LUKS partition on SD card (like GRUB does), or do I need unencrypted /boot for kernel and initrd on a separate partition? | 19:29 |
| *** xorly| has quit IRC | 19:38 | |
| *** CatButts has quit IRC | 19:41 | |
| *** jskarvad has quit IRC | 19:44 | |
| Pali | dkbrz: u-boot in maemo extras does not support LUKS | 19:46 |
| Pali | but I have no idea if new version of u-boot has support for LUKS or not | 19:46 |
| Pali | dkbrz: better ask on #u-boot channel | 19:47 |
| dkbrz | Pali: thanks | 19:47 |
| Pali | maybe look at this: https://packages.debian.org/sid/grub-uboot-bin | 19:48 |
| Pali | it has some luks support: https://packages.debian.org/sid/armel/grub-uboot-bin/filelist | 19:48 |
| Pali | looks like this acts as grub for third stage bootloader | 19:49 |
| Pali | but still something needs to be unencrypted... | 19:49 |
| Pali | probably overkill and useless... | 19:49 |
| Pali | dkbrz: anyway, if you found something, let me know, luks + uboot sounds very interesting | 19:50 |
| dkbrz | Pali: sure. | 19:51 |
| dkbrz | 19:51 < Marex> dkbrz: no, but you can use grub-efi on top of u-boot, which supports that | 19:52 |
| dkbrz | so, that's the standard approach I guess | 19:53 |
| Pali | it is useless for n900 | 19:54 |
| *** stejae has joined #maemo | 19:54 | |
| Pali | you can boot directly unencrypted kernel | 19:54 |
| *** stejae is now known as Guest32866 | 19:54 | |
| *** florian has joined #maemo | 19:54 | |
| Pali | or boot unecrypted grub which boot encrypted kernel | 19:54 |
| *** Guest32866 is now known as stejae | 19:55 | |
| *** stejae has joined #maemo | 19:55 | |
| Pali | both options are probably same secure... | 19:56 |
| Pali | man with physical access to SD card can change boot code easily (e.g. switching SD card) | 19:56 |
| dkbrz | yes, but grub option reveals less, so maybe better from privacy perspective | 19:57 |
| Pali | attacker will either see your unecrypted grub or unencrypted kernel image | 19:57 |
| dkbrz | if device lost/stolen = not you being of interest for some letters ogranisations | 19:57 |
| Pali | I think it is widely known that on n900 is running linux kernel | 19:58 |
| bencoh | we'd actually need a way to sign/check bootloaders and check the first one in hw, but ..... meh :) | 19:58 |
| Pali | X-Loader is signed by nokia key | 19:59 |
| Pali | NOLO not (thankfully!) | 19:59 |
| Pali | see what happened with N9/N950 and harmattan | 19:59 |
| Pali | useless device for hacking | 19:59 |
| bencoh | that's what I suspected yeah .... but that means we cant add signature check code to it | 19:59 |
| bencoh | thus cant ensure our 2nd-stage bootloader hasn't been modified | 19:59 |
| Pali | I think it is better | 20:00 |
| Pali | modifying 2nd stage bootloader without active system and equipment is no so easy | 20:00 |
| dkbrz | more from #u-boot: | 20:00 |
| dkbrz | 19:57 < Marex> dkbrz: if you want to encrypt all things, add small SPI NOR for u-boot, encrypt and checksum that one using the bootrom (make CPU your root of trust) and then store both the u-boot and kernel in that NOR | 20:00 |
| dkbrz | 19:58 < Marex> dkbrz: u-boot can decrypt kernel using CPU's crypto engine and boot it, kernel can then decrypt, verify and mount the FS from initramfs | 20:00 |
| bencoh | yup, it'd be better than nothing, or than encryption | 20:00 |
| *** CatButts has joined #maemo | 20:06 | |
| KotCzarny | dkbrz, just an idea, boot linux then somehow load/kexec encrypted kernel? | 20:11 |
| dkbrz | KotCzarny: it sounds even more complex than u-boot + grub. :) | 20:12 |
| KotCzarny | or make kernel requiring decryption key avilable via bt dongle | 20:12 |
| Pali | what is problem with having kernel image unencrypted? | 20:12 |
| dkbrz | Pali: some more privacy only. Actually, for my purposes it's ok. Just Have all other system with full encryptions, maybe a bit lowering expectation and less mental comfort :) | 20:16 |
| dkbrz | but chainloading grub sounds interesting, I'll try it just of curiosity | 20:21 |
| *** troulouliou_div2 has quit IRC | 20:41 | |
| *** freemangordon_ has quit IRC | 20:46 | |
| *** geaaru has quit IRC | 20:48 | |
| *** N-Mi has quit IRC | 21:11 | |
| *** trumee has quit IRC | 21:31 | |
| *** trumee has joined #maemo | 21:36 | |
| * DocScrutinizer05 beats bencoh with a huge wet Aegis | 21:38 | |
| *** japa-fi has joined #maemo | 21:48 | |
| DocScrutinizer05 | an attacker able to do anything you might try to stop with such encryption (i.e. replacing kernel by an unsigned one) is also able to do basically all the things you might want to forbid via that encrypted kernel | 22:03 |
| DocScrutinizer05 | sorry | 22:03 |
| DocScrutinizer05 | sorrythat was poorly worded, but actually still to the point | 22:04 |
| *** krnlyng has quit IRC | 22:05 | |
| DocScrutinizer05 | more normal language: what does it help when you can tell an attacker replaced the kernel and your system doesn't boot the non-encrypted/signed new kernel, when the same attacker that sneaked in that new kernel already copied all your protected stuff since he could do that as well when he could replace the kernel | 22:05 |
| DocScrutinizer05 | yes, somebody with physical access could sneak in a kernel that discloses your master password while they only could steal the encrypted partition | 22:18 |
| *** krnlyng has joined #maemo | 22:19 | |
| *** japa-fi has quit IRC | 22:25 | |
| *** japa-fi has joined #maemo | 22:37 | |
| *** BCMM has joined #maemo | 22:37 | |
| *** atk has quit IRC | 22:40 | |
| *** atk has joined #maemo | 22:40 | |
| *** xorly| has joined #maemo | 22:44 | |
| bencoh | DocScrutinizer05: ? | 22:55 |
| *** xorly| has quit IRC | 22:55 | |
| *** xorly has joined #maemo | 22:55 | |
| bencoh | I only said that the only way to "garantee" "security" would be to keep a chain of signed software, from 1st-stage bootloader (checked by hw) to kernel/initrd | 22:56 |
| Pali | and who will have signing keys? | 22:58 |
| Pali | how will be distributed (to HW)? | 22:58 |
| Pali | and who will be able to change them? | 22:58 |
| bencoh | Pali: on n900, we just cant do it :) | 22:59 |
| KotCzarny | or just attach some explosives and trigger anything suspicious | 22:59 |
| Pali | who is responsible for security audit of that HW signature verification code? | 22:59 |
| Pali | and how to replace them if security problem will be found? | 22:59 |
| Pali | it is not about n900, those are general questions for any phone | 23:00 |
| bencoh | Pali: device vendor | 23:00 |
| Pali | I say that if owner of phone does not have all above in his own control, then there is no real security | 23:01 |
| bencoh | indeed, and that's exactly what happened with n900 :) | 23:03 |
| KotCzarny | its still leaps and bounds better than most of the phones today | 23:04 |
| Sicelo | true ... i have taken ownership of my dad's old SGS4 - the hardware is nice (processor, ram, display) - but the OS just leaves a lot to be desired. i feel boxed in :( | 23:09 |
| KotCzarny | port maemo to it ;) | 23:16 |
| Sicelo | haha .. the Replicant team seems to have had significant problems porting to it .. | 23:41 |
| Sicelo | so you can already see the chances for Maemo | 23:42 |
| Sicelo | CM works good apparently | 23:42 |
Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!