00:00.18 | kerio | hm, does the omap3 in the neo900 have accelerated AES? |
00:00.29 | kerio | apparently it's only in "high security" omap3s |
00:00.32 | DocScrutinizer05 | check the OMAP3 TRM |
00:01.09 | DocScrutinizer05 | iirc it's available to user only in GP devices, in HS devices it's available to TrustZone only |
00:04.19 | DocScrutinizer05 | ask freemangordon he's far more savvy than me about that stuff |
00:05.03 | DocScrutinizer05 | I never really looked into it since I can't do anything about it anyway |
00:05.36 | DocScrutinizer05 | I'm using a FM3730 GP device and that's it |
00:05.40 | DocScrutinizer05 | DM* |
00:06.05 | DocScrutinizer05 | couldn't get a HS device even if I wanted |
00:07.32 | DocScrutinizer05 | and if I could, I wouldn't know the root key of M-Shield aka TrustZone aka security monitor |
00:08.43 | kerio | hold on, it's not specified by the vendor? :o |
00:08.45 | DocScrutinizer05 | I don't even know if e.g. Nokia flashes those keys at own factory or gets then preflashed from TI |
00:10.38 | DocScrutinizer05 | I only know there's a key in a untouchable ROM in SoC and you can't read it out and neither do you know the secret key to that non-public "pubkey" |
00:11.30 | DocScrutinizer05 | and your bootloader needs to be signed by the secret key |
00:11.42 | kerio | a private public key? the fuck |
00:11.58 | DocScrutinizer05 | an unreadable pubkey |
00:12.28 | DocScrutinizer05 | only available to TrustZone |
00:13.13 | DocScrutinizer05 | and TrustZone firmware checks the bootloader signature with that pubkey |
00:13.58 | DocScrutinizer05 | bootloader in turn is supposed to check the kernel's signature and so on |
00:14.11 | kerio | yeah but surely if you're buying the chips you can decide which key that is |
00:14.28 | DocScrutinizer05 | I'm not sure about that |
00:14.46 | kerio | yeah but surely if you're paying enough money you can decide which key that is |
00:15.13 | DocScrutinizer05 | you can hand a key to TI to let them program it to the ROM, I guess |
00:15.28 | kerio | isn't it efuses? |
00:15.38 | DocScrutinizer05 | prolly it is, dunno for sure |
00:15.49 | kerio | leave it open for the user to shoot themselves in the foot with |
00:15.56 | DocScrutinizer05 | yeah |
00:16.08 | DocScrutinizer05 | possible, I simply dunno |
00:16.24 | kerio | step 1) generate private key and public key |
00:16.33 | kerio | step 2) burn public key onto chip and enable trusted boot |
00:16.43 | kerio | step 3) lose private key because the hard disk crashed or something |
00:17.21 | DocScrutinizer05 | I wouldn't be surprised if exactly this happened to N900 |
00:17.29 | kerio | with the repos? |
00:17.44 | DocScrutinizer05 | so nokia couldn't update the xloader code anymore |
00:17.49 | kerio | oh for the bootloader |
00:17.59 | kerio | at least xloader is quite flexible in what it chainloads :> |
00:18.25 | DocScrutinizer05 | N900 xloader doesn't enforce chain of trust though. I.E. it doesn't check signature of NOLO |
00:18.56 | kerio | you can basically just treat xloader as a second stage ROMBL right |
00:19.02 | DocScrutinizer05 | evidence: you can hack NOLO |
00:19.13 | DocScrutinizer05 | right |
00:19.49 | DocScrutinizer05 | N900 *is* a HS device (3430) |
00:20.29 | kerio | so we should have accelerated AES P: |
00:20.32 | DocScrutinizer05 | N9 is a HS device (3630) |
00:21.12 | DocScrutinizer05 | no, afaik and iirc only TZ can access AES accel on HS devices |
00:21.56 | DocScrutinizer05 | another question is if the monitor in TZ allows userland acces to AES via monitor as proxy |
00:22.37 | DocScrutinizer05 | such stuff gets configured in xloader afaik |
00:24.12 | DocScrutinizer05 | in ARM you basically can configure every subsystem to belong to either TZ or userland (incl kernel) or even share between the two, e.g RAM a few pages for TZ only, the rest for userland (and TZ too of course) |
00:25.25 | DocScrutinizer05 | the whole ARM architecture has an own "address line" for TZ |
00:26.22 | DocScrutinizer05 | I honestly only had a cursory look into all this |
00:29.04 | kerio | alright, openssl HEAD does 37MB/s of chacha20-poly1305 on my sheevaplug |
00:29.11 | DocScrutinizer05 | I had to mess with a IP called "mailbox" or "postbox" (PB503?) of ARM, and there I leearned it's consisting of N FIFOs which can get accessed by both cores of a dualcore, and M of those FIFOs (for M<N) can get assigned to secure mode exclusively |
00:29.14 | kerio | (marvell kirkwood) |
00:31.01 | DocScrutinizer05 | http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.kui0062a/rlarm_ar_mbx_using.htm |
00:32.28 | kerio | dear lord, i'm only getting 8MB/s for aes 256 gcm |
00:35.28 | kerio | my lappy gets 1.7 and 2.5GB/s, respectively |
00:35.43 | DocScrutinizer05 | aaah I guessd this been it PrimeCell PL320 http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.kui0062a/rlarm_ar_mbx_using.htm |
00:36.04 | DocScrutinizer05 | dang |
00:36.22 | DocScrutinizer05 | http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0306b/CHDHJBBJ.html |
00:37.13 | DocScrutinizer05 | http://infocenter.arm.com/help/topic/com.arm.doc.ddi0306b/index.html even |
00:45.22 | DocScrutinizer05 | wow that's annoying again how the public datasheet for PL320 doesn't seem to even mention TrustZone and secure mode at all |
00:46.08 | DocScrutinizer05 | I had access to the confidential HS specs, you won't find those in public |
00:58.07 | DocScrutinizer05 | anyway http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/ch02s02s01.html |
01:02.47 | DocScrutinizer05 | >> The security of the system is achieved by partitioning all of the SoCâs hardware and software resources so that they exist in one of two worlds - the Secure world for the security subsystem, and the Normal world for everything else. Hardware logic present in the TrustZone-enabled AMBA3 AXITM bus fabric ensures that no Secure world resources can be accessed by the Normal world components, enabling a strong security perimeter to be |
01:02.49 | DocScrutinizer05 | built between the two.<< |
01:10.01 | DocScrutinizer05 | >> The addition of the NS bit to the bus transactions, and to any cache tags in the system, can be viewed as providing a 33rd address bit. There is a 32-bit physical address space for Secure transactions and a 32-bit physical address space for Non-secure transactions.<< |
01:12.18 | DocScrutinizer05 | so AES might exist in both HS and GP devices, but the question is whether it's mapped to Secure or Non-secure address |
01:12.42 | DocScrutinizer05 | afaik it's mapped to Secure only on HS devices |
01:13.36 | DocScrutinizer05 | IOW it might be available to "Normal world" on GP devices |
01:14.27 | DocScrutinizer05 | ROMBOOT and stuff like keys is always mapped to Secure |
01:15.20 | DocScrutinizer05 | my uneducated guess |
01:21.15 | *** join/#maemo-ssu LauRoman|Alt (~LauRoman@5-14-92-160.residential.rdsnet.ro) |
01:24.02 | DocScrutinizer05 | on NovaThor everything in R&D ran in Secure mode, so it was quite messy to build and _sign_ a new image to flash to the devel boards |
01:25.02 | DocScrutinizer05 | the signature server was located at some northern country and signing took quite a while |
03:32.31 | *** join/#maemo-ssu DocScrutinizer05 (~saturn@openmoko/engineers/joerg) |
04:28.26 | *** join/#maemo-ssu chainsawbike (~chainsawb@unaffiliated/chainsawbike) |
04:39.53 | *** join/#maemo-ssu enyc (~enyc@muddle.enyc.org.uk) |
08:00.20 | *** join/#maemo-ssu Pali (~pali@Maemo/community/contributor/Pali) |
08:44.30 | *** join/#maemo-ssu futpib (~futpib@37.113.234.62) |
09:47.13 | *** join/#maemo-ssu M4rtinK (~M4rtinK@77.48.149.46) |
11:14.53 | *** join/#maemo-ssu trx (ns-team@devbin/founder/trx) |
12:38.58 | *** join/#maemo-ssu Wizzup (~Wizzup@a82-161-36-93.adsl.xs4all.nl) |
12:51.04 | *** join/#maemo-ssu Wizzup (~Wizzup@a82-161-36-93.adsl.xs4all.nl) |
13:01.22 | *** join/#maemo-ssu Wizzup (~Wizzup@a82-161-36-93.adsl.xs4all.nl) |
13:31.21 | merlin1991 | re n9 |
13:31.47 | merlin1991 | I love how the warning tells you about flashing even though there were no images / tools normally available |
13:31.50 | merlin1991 | but |
13:32.07 | merlin1991 | you can just sideload a .deb that patches /etc/hosts and aegis will keep still |
14:29.20 | *** join/#maemo-ssu hashcore (~hashcore@unaffiliated/hashcore) |
14:54.07 | *** join/#maemo-ssu ente (capybara@hindenburg.barfooze.de) |
14:54.07 | *** join/#maemo-ssu ente (capybara@unaffiliated/ente) |
15:03.26 | *** join/#maemo-ssu freemangordon1 (~ivo@46.249.74.23) |
16:05.07 | *** join/#maemo-ssu freemangordon (~ivo@46.249.74.23) |
16:19.52 | *** join/#maemo-ssu LauRoman (~LauRoman@5-14-92-160.residential.rdsnet.ro) |
17:31.20 | merlin1991 | anyone on -stable in here? |
17:33.06 | merlin1991 | ffs the screen on my -stable device is dead |
18:07.06 | bencoh | I'm on stable, why? |
18:07.19 | bencoh | (well, a slightly patched stable, but...) |
18:07.26 | bencoh | merlin1991: ^ |
18:08.38 | merlin1991 | I'm preparing a new release |
18:09.04 | merlin1991 | and would prefer that to sit around for a day or so before pushing it into the main repo |
18:09.13 | merlin1991 | sit around and test ofc :) |
18:10.16 | bencoh | do we have a stable-next repo? |
18:10.29 | merlin1991 | yes :) |
18:10.59 | merlin1991 | you can add it with http://cdnm.at/~christian/maemo/cssu/stable-testing-enabler_0.1_all.deb |
18:12.02 | merlin1991 | Pali: ping |
18:12.11 | Pali | merlin1991: pong |
18:12.20 | merlin1991 | Pali: why did we update e2fsprogs? |
18:12.30 | Pali | do not remember :-) |
18:12.32 | bencoh | merlin1991: pasting the repo url would make it simpler ;) |
18:12.36 | Pali | can look into git |
18:12.45 | merlin1991 | well it is just update to upstream version x |
18:12.53 | merlin1991 | +patches to make it build for maemo |
18:12.56 | merlin1991 | not why though |
18:13.09 | merlin1991 | bencoh: the enabler throws in the key aswell ;) |
18:13.18 | Pali | merlin1991: I think kerio reported some bug |
18:13.22 | kerio | i what |
18:13.23 | merlin1991 | and adds it as a system catalogue with proper priority |
18:13.39 | Pali | kerio: wasnt you who found some bug in maemo fsck? |
18:13.47 | merlin1991 | gonna grep channel logs |
18:14.03 | Pali | I think that fsck needs lot of RAM or something like that |
18:14.50 | *** join/#maemo-ssu M4rtinK (~M4rtinK@ip-37-188-238-84.eurotel.cz) |
18:17.06 | Pali | http://mg.pov.lt/maemo-ssu-irclog/%23maemo-ssu.2013-05-07.log.html#t2013-05-07T23:30:50 |
18:17.33 | Pali | 2013-05-07 23:30 <kerio> btw, we should upgrade e2fsprogs |
18:17.37 | Pali | so really kerio :P |
18:17.39 | kerio | yeah but |
18:17.52 | kerio | ...it took you 3 years to upgrade e2fsprogs? |
18:18.21 | Pali | not me, but merlin1991 |
18:18.41 | merlin1991 | last stable release 2014 :/ |
18:18.46 | merlin1991 | hangs head in shame |
18:19.17 | merlin1991 | last testing release was only a year ago |
18:32.35 | Pali | merlin1991: I forgot to build new HAM for cssu-devel... |
18:32.41 | Pali | updated debian/changelog is in git now |
18:33.42 | Pali | anyway current cssu-devel HAM (2.2.74) should be released |
18:35.41 | merlin1991 | what did you change on top of what is in -devel? |
18:38.27 | Pali | 1) fix doing SSU update :-) 2) notification configuration via /etc/hildon-application-manager/settings 3) fix notification key for provider 4) /proc/cpuinfo |
18:39.00 | bencoh | cpuinfo? |
18:39.13 | Pali | that is for upstream kernel |
18:39.18 | bencoh | ah |
18:40.05 | Pali | merlin1991: anyway, in cssu-devel is also missing jonwil's update for maemo-security-certman |
18:40.10 | Pali | where are new certificates |
18:41.16 | Pali | also in cssu-devel is missing new alarmd |
18:41.38 | Pali | also fmtx-middleware |
18:42.24 | Pali | and for hildon-application manager: there are backported PR1.3 changes |
18:42.35 | Pali | because those were not part of HAM cssu version :-( |
18:43.06 | Pali | hm... also hildon-welcome is not updated in cssu-devel |
18:43.14 | Pali | and also initrd-progs |
18:43.21 | Pali | and also mce |
18:43.32 | Pali | and thats all |
18:43.59 | merlin1991 | feel free to push the packages you changed into cssu-devel |
18:44.08 | Pali | merlin1991: now when you are building packages, can you build also those for cssu-devel? |
18:44.21 | Pali | no idea which changes are mine |
18:44.29 | Pali | this is from cssu-state script |
18:44.33 | merlin1991 | I don't want to push any half done changes :/ |
18:44.47 | merlin1991 | meh building evolution-data-server kills all the dependencies in scratchbox |
18:45.05 | Pali | once debian/changelog is increased changes are done/ready for cssu-devel |
18:45.21 | merlin1991 | because it wants libdb4.2 which conflicts with libdb1 |
18:45.51 | Pali | ah :-( |
18:46.09 | Pali | anyway, when releasing git changes, check also my cssu-state script from https://github.com/community-ssu/cssu-state |
18:46.34 | merlin1991 | I used it to get my overview what I copy from testing -> stable |
18:58.26 | *** join/#maemo-ssu futpib (~futpib@37.113.234.62) |
19:08.52 | *** join/#maemo-ssu M4rtinK (~M4rtinK@ip-37-188-133-248.eurotel.cz) |
19:30.51 | merlin1991 | hm glib2 doesn't build |
20:29.22 | *** join/#maemo-ssu M4rtinK (~M4rtinK@ip-78-102-146-111.net.upcbroadband.cz) |
21:37.41 | merlin1991 | freemangordon: ping |
22:34.18 | merlin1991 | FFS |
22:34.27 | merlin1991 | there is a autotools / libtool fuckup somewhere |
22:34.34 | merlin1991 | it builds fine in the vm |
22:34.39 | merlin1991 | but not in my scratchbox |
22:36.45 | merlin1991 | and the best part is, that with my sb it fails in the last step when it checks for symbol changes |
22:37.03 | merlin1991 | somehow my build exports more symbols and one symbol moves to another library in the package! |
23:06.54 | *** join/#maemo-ssu infobot (ibot@rikers.org) |
23:06.54 | *** topic/#maemo-ssu is Maemo Community Seamless Software Update "CSSU" channel, http://wiki.maemo.org/Community_SSU | Known bugs: http://j.mp/communityssu-bugs | Channel logs: http://mg.pov.lt/maemo-ssu-irclog/ | Sources: https://github.com/community-ssu | Latest version: Testing(2015-04-11): 21.2011.38-1Tmaemo11; Stable(2014-09-03): 21.2011.38-1Smaemo7 |
23:06.54 | *** mode/#maemo-ssu [+v infobot] by ChanServ |
23:34.20 | *** join/#maemo-ssu infobot (ibot@rikers.org) |
23:34.20 | *** topic/#maemo-ssu is Maemo Community Seamless Software Update "CSSU" channel, http://wiki.maemo.org/Community_SSU | Known bugs: http://j.mp/communityssu-bugs | Channel logs: http://mg.pov.lt/maemo-ssu-irclog/ | Sources: https://github.com/community-ssu | Latest version: Testing(2015-04-11): 21.2011.38-1Tmaemo11; Stable(2014-09-03): 21.2011.38-1Smaemo7 |
23:34.20 | *** mode/#maemo-ssu [+v infobot] by ChanServ |