@THS-on
THS-on / main.rs
Last active October 12, 2023 06:22
Example on how to protect a key using pcr policy using TSS rust bindings
use std::str::FromStr;
pub use tss_esapi::Error;
use tss_esapi::{
attributes::ObjectAttributesBuilder,
handles::PcrHandle,
interface_types::{
algorithm::{PublicAlgorithm, SymmetricMode},
ecc::EccCurve,
key_bits::AesKeyBits,
@THS-on
THS-on / README.md
Last active March 4, 2022 17:37
Keylime Push Model

Push Model for Keylime

Issue

Keylime currently operates on a pull basis, which means that the tenant or verifier connects to the agent to collect attestation data. Therefore they need to know the agent's IP address and port beforehand, and these currently cannot change during attestation. This works fine in most virtualized environments where all the devices are in the same network, but not for edge devices or in BYOD contexts. There are workarounds using VPNs or overlay networking (OpenVPN, ZeroTier, Nebula, etc.), but none of them provide an ideal solution.

Actions that require connections to the agent

  • Identity quote: The purpose of the identity quote is to prove to the tenant that the NK (also called the transport key) belongs to the same TPM as the agent. The NK is used for encrypting the U and V keys during transport and is also the key of the agent's mTLS certificate. The tenant uses this feature. This is also done to ensure that the agent behind that IP is still the same one that registered by val
@THS-on
THS-on / README.md
Last active March 6, 2022 10:22
Non-atomic quotes for Keylime

Non-atomic Quotes for attestation

Issue

A TPM contains multiple PCRs and can generate a signed quote over the concatenated hash of a selection of PCRs. The quote itself does not contain the values of the PCRs. To obtain a quote together with matching PCR values, most implementations (including Keylime) use the following trick:

  1. Read PCR values (8 at a time)
  2. Generate quote
  3. Read PCR values again (8 at a time)
  4. Check whether the PCR values from steps 1 and 3 match; if not, start again at step 1.
@THS-on
THS-on / auto_attach_filter.lua
Last active April 14, 2024 20:17
WirePlumber script to automatically attach a filter to a device
#!/usr/bin/wpexec
local mic_name = "alsa_input.usb-C-Media_Electronics_Inc._USB_Audio_Device-00.mono-fallback"
local filter_name = "rnnoise_source"
local link_props = {
["link.output.port"] = nil,
["link.input.port"] = nil,
["link.output.node"] = nil,
["link.input.node"] = nil
fsview & export PID=$(echo $!) && xdotool windowsize $(xdotool search --sync --pid $PID | tail -1) 100% 100%
@THS-on
THS-on / libinput.conf
Created July 11, 2017 19:50
libinput.conf for Lernstick
# This enables tap-to-click and disables natural scrolling in MATE, LXDE, XFCE and Enlightenment
Section "InputClass"
Identifier "libinput touchpad catchall"
MatchIsTouchpad "on"
MatchDevicePath "/dev/input/event*"
Driver "libinput"
Option "Tapping" "on"
Option "NaturalScrolling" "false"
EndSection
@THS-on
THS-on / README.md
Last active May 14, 2017 13:01
README for lernstickWelcome

lernstickWelcome

HOWTO import this project into Netbeans

The best way to build lernstickWelcome is on the Lernstick itself, because all dependencies are already installed.

Install Netbeans on Lernstick

Go into the Welcome program and install Netbeans.

Import lernstickWelcome into Netbeans

[Desktop Entry]
Version=1.0
Name= Firefox Privat
Exec=/usr/lib/firefox/firefox --private-window %u
Icon=firefox
Terminal=false
Type=Application
@THS-on
THS-on / panel
Last active February 27, 2017 09:24
Lernstick Tweaks
# Please copy to /home/user/.config/lxpanel/LXDE/panels/panel
# lxpanel <profile> config file. Manually editing is not recommended.
# Use preference dialog in lxpanel to adjust config when you can.
Global {
edge=bottom
allign=left
margin=0
widthtype=percent
width=100
#!/bin/sh
# Created by THS
# Supports LXDE, MATE, GNOME, Cinnamon and XFCE
# Uses https://github.com/horst3180/arc-theme and https://github.com/dglava/arc-openbox
# Installing arc-theme from this third-party repository will be replaced by the packaged version in Debian 9
echo "Install Arc Theme"
echo 'deb http://download.opensuse.org/repositories/home:/Horst3180/Debian_8.0/ /' | sudo tee /etc/apt/sources.list.d/arc-theme.list
wget http://download.opensuse.org/repositories/home:Horst3180/Debian_8.0/Release.key
sudo apt-key add - < Release.key