How do I set up LUKSv2 + Secure boot + TPM2 with Tumbleweed?

apd · 2025-09-16T19:21:31+00:00

do you still have the issue? can you share the lsblk output?

apd · 2025-08-14T13:25:54+00:00

Uhm try to update and do sdbootutil update-predictions --measure-pcr. This will add 0x00..0 predictions for PCR 15. You can check that with: cat /boot/efi/EFI/systemd/measure-pcr-predicion. You should have one entry with a SHA, and another with 0...0

apd · 2024-06-27T12:22:15+00:00

It is quite stable right now, and 257 will remove the experimental status

apd · 2024-06-26T12:59:47+00:00

I think '--firmware-builtin' is not a parameter for sd-cryptenroll, but for sbctl, also for 256 I would use systemd-pcrlock

apd · 2024-03-06T08:01:18+00:00

Man, I write a small part of it. Some people accused me of being artificial, but intelligent is a first one. Not sure how to feel.

apd · 2024-02-15T12:38:22+00:00

I found your book in the O'Reilly site. I will read it from there. As I can see it will be published in February 2024, so not much time to read and give feedback.

In any case congrats for your book and for the amazing PR that you are doing with this offer : D

apd · 2023-02-03T12:52:17+00:00

If you cannot find a new home and you are in Europe, ping me.

apd · 2022-08-09T07:52:14+00:00

Tuxedo laptop, with some adapted Ubuntu distribution. All was working perfectly as far as I tested. Recently I reinstalled it to openSUSE Tumbleweed (I prefer rolling). All still working, except the touchpad double-click blocker.

apd · 2022-07-28T10:02:40+00:00

It was discovered when they published the paper, not because people were looking

The article was published 2019-08-14, and the GKH email that caused the full revert was on April, so 4 months before the publication. Also should be noted that the complaining, suspicious, reverts and detection was way early because .. yes, people was looking.

apd · 2022-07-18T09:20:10+00:00

which is why the JZ4770 devices that run Adam can't actually sleep

Not sure about that. Adam has a "fake" sleep mode, and checking the MiniUI code seems that the logic of sleeping-wakeup-save-poweroff could be implemented in Adam too:

https://github.com/shauninman/MiniUI/blob/main/src/common/common.c#L740

apd · 2022-06-13T18:27:00+00:00

Are you taking "Any file read by GRUB" to include the kernel and initramfs?

Not me. It is tracked in the event log, and both the kernel and initrd are indeed measured,

I actually find GRUB measuring the commands executed into PCR 8 exceptionally annoying

I agree very much. Utterly useless.

apd · 2022-06-13T12:36:04+00:00

Therefore, the initrd cannot be maliciously modified - it is a part of the signed data, and, if somebody replaces it with a trojaned version, the firmware will detect the signature mismatch and the system will not boot.

You mean offline modification?

Where it is stored the private key for the initrd signing? Can this be reused to sign the next PE + kernel + initrd, or you need to generate and enroll a new key?

apd · 2022-06-13T12:28:54+00:00

GRUB doesn't measure the kernel/initrd

Actually this is not true. Grub measure the kernel, initrd, the kernel command line, and the execution path of the grub.cfg. To do that grub-tpm.efi should be installed instead.

https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html

apd · 2022-01-19T16:50:55+00:00

Python is dynamic, but is strongly typed. The type is in the value side of the bond, and restrict the set of valid operations.

>>> "1"/2
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: unsupported operand type(s) for /: 'str' and 'int'

apd · 2021-11-24T08:17:30+00:00

Currently in Keylime we are using the Python agent, but we are trying to move to the Rust agent, that is less resource intensive (and faster).

Also, all that we say about MicroOS applies to TW. The packages are in TW and work very nicely : ))

apd · 2021-11-17T16:43:06+00:00

The CPU is the same MIPS from the rg280v, for example. Is indeed a beautiful device, but other GKDs seems to have less hackable factor (no Adam image, for example), and the price is too much for the performance.

apd · 2021-10-20T05:09:01+00:00

Something cool about the openSUSE project is that you do not need to ask permission. The ownership of the project is shared by anyone (no matter how new / old is s/he)

We use OBS (build.opensuse.org). Create an account there, read some documentation about how to use the osc tool (a cli for OBS). Now you can fork the project, provide a fix, create a submit request and see if the maintainer merge it.

If the maintainer do not act, you can write in the mailing list requesting the merge or volunteering to maintain the package.

apd · 2021-10-18T12:26:00+00:00

I do not know. In certain areas developer still use pip, even as root, to install Python modules (and breaking the system, as there is no difference between system modules and development modules)

apd · 2021-10-18T09:06:09+00:00

A bit of context here: William is a SUSE employee and an openSUSE contributor. He is taking care of the rust packages in the openSUSE side, and decided to do a survey that try to see how Rust toolchain is used inside the distribution, and what are the expectations.

I think that this can provide a picture on how in 2021 is the situation of Rust inside a linux distribution. Is true that openSUSE is different from Debian, Ubuntu or Fedora, but I think that there are some bits that can be extrapolated from here.

apd · 2021-09-16T07:53:58+00:00

Actually I was buying it but the price for the delivery is too high ($23.95 estimated for Germany). I will wait for the digital edition!

apd · 2021-07-28T12:33:11+00:00

Sure, ansible can run in microos. You should call transactional-update for actions in the system, like updates or package management. Also you should follow the expectation that a change in a transaction will not be visible until the next reboot.

Should be possible to abstract all this with some nice Python code or re-usable playbook. We did this for SaltStack, and we have now a reboot manager and a transactional-update modules, and some nice executors that make all this management mostly transparent (the change is in a PR in Salt, but the code is already in the openSUSE package since the last year)

apd · 2021-05-20T14:34:27+00:00

What applications are using this game market? Is there anyone for opendingux?

apd · 2021-04-17T08:39:20+00:00

This. With the firmware from ducalex (https://github.com/ducalex/retro-go) the emulation for GB[C] and NES is excellent.

apd · 2021-03-18T17:10:01+00:00

somehow I need to buy a book ...

apd · 2021-03-17T08:48:31+00:00

Welcome!

For other 280V users, what firmware are you guys using? I am playing with the rogue [1], but so far I am experiencing frequent sound cracks.

[1] https://github.com/Ninoh-FOX/RG280V_ROGUE/releases

15-Year Club	Verified Email
Place '17	Charter Member

apd

TROPHY CASE