submitted 12 hours ago by [email protected] to c/[email protected]

This is a quick start guide for Full Disk Encryption with TPM or FIDO2 and YaST2 on openSUSE Tumbleweed. It focuses on the few steps to install openSUSE Tumbleweed with YaST2 and using Full Disk Encryption secured by a TPM2 chip and measured boot or a FIDO2 key.

Hardware Requirement:

  • UEFI Firmware
  • TPM2 Chip or FIDO2 key which supports the hmac-secret extension
  • 2GB Memory

Installation of openSUSE MicroOS

There is a separate Quickstart for openSUSE MicroOS.

Installation of openSUSE Tumbleweed

Boot installation media

  • Follow the workflow until "Suggested Partitioning":
    • Partitioning: Select "Guided Setup" and "Enable Disk Encryption", keep the other defaults
  • Continue Installation until "Installation Settings":
    • Booting:
      • Change Boot Loader Type from "GRUB2 for EFI" to "Systemd Boot", ignore "Systemd-boot support is work in progress" and continue
    • Software:
      • Install the additional packages tpm2.0-tools, tpm2-0-tss and libtss2-tcti-device0
  • Finish Installation

Finish FDE Setup

Boot new system

  • Enter passphrase to unlock disk during boot
  • Login
  • Enroll system:
    • With TPM2 chip: sdbootutil enroll --method tpm2
    • With FIDO2 key: sdbootutil enroll --method fido2
  • Optional, but recommended:
    • Upgrade your LUKS key derivation function (do that for every encrypted device listed in /etc/crypttab):
            # cryptsetup luksConvertKey /dev/vdaX --pbkdf argon2id
            # cryptsetup luksConvertKey /dev/vdaY --pbkdf argon2id
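To check which keyslots the KDF upgrade above still needs to cover, here is an added example (not from the post): it parses the output of cryptsetup luksDump for a LUKS2 device and lists every keyslot whose PBKDF is not argon2id. The dump text is a constructed sample with most fields dropped and indentation normalised to spaces; on a real system feed it the output of `cryptsetup luksDump /dev/vdaX`.

```python
import re

# Constructed sample in the layout of `cryptsetup luksDump` for a LUKS2 device
# (most fields dropped): keyslot 0 still uses pbkdf2, keyslot 1 has already been
# converted to argon2id and is the slot the systemd-tpm2 token is bound to.
SAMPLE_DUMP = """\
LUKS header information
Version:        2
Keyslots:
  0: luks2
    Cipher:     aes-xts-plain64
    PBKDF:      pbkdf2
    Hash:       sha256
    Iterations: 1000000
  1: luks2
    Cipher:     aes-xts-plain64
    PBKDF:      argon2id
    Time cost:  7
    Memory:     1048576
Tokens:
  0: systemd-tpm2
    Keyslot:    1
Digests:
  0: pbkdf2
    Hash:       sha256
"""

SLOT_RE = re.compile(r"^\s+(\d+): \S+\s*$")      # e.g. "  0: luks2"
PBKDF_RE = re.compile(r"^\s+PBKDF:\s+(\S+)")     # e.g. "    PBKDF:      pbkdf2"

def keyslot_pbkdfs(dump: str) -> dict[int, str]:
    """Map keyslot number -> PBKDF name, reading only the Keyslots: section.
    The Digests: section has a look-alike "0: pbkdf2" line, but that is the
    header checksum, not a passphrase slot, so it is skipped on purpose."""
    result: dict[int, str] = {}
    section = slot = None
    for line in dump.splitlines():
        if line and not line[0].isspace():       # unindented line: new section
            section, slot = line.rstrip(":"), None
        elif section == "Keyslots":
            if m := SLOT_RE.match(line):
                slot = int(m.group(1))
            elif (m := PBKDF_RE.match(line)) and slot is not None:
                result[slot] = m.group(1)
    return result

def weak_keyslots(dump: str) -> list[int]:
    """Keyslots still on a KDF other than argon2id, i.e. candidates for luksConvertKey."""
    return sorted(s for s, kdf in keyslot_pbkdfs(dump).items() if kdf != "argon2id")
```

For the sample, weak_keyslots() returns [0], so only keyslot 0 still needs `cryptsetup luksConvertKey --pbkdf argon2id`.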

Adjusting kernel boot parameters

The configuration file for kernel command line options is /etc/kernel/cmdline.

After editing this file, call sdbootutil update-all-entries to update the bootloader configuration. If that option does not exist yet or does not work, a workaround is: sdbootutil remove-all-kernels && sdbootutil add-all-kernels.

Re-enrollment

If the prediction system fails, a new policy must be created for the new measurements to replace the policy stored in the TPM2.

If you have a recovery PIN:

  # sdbootutil --ask-pin update-predictions

If you don't have the recovery PIN, you can set one with these steps:

  # sdbootutil unenroll --method=tpm2
  # PIN=<new recovery PIN> sdbootutil enroll --method=tpm2

Virtual Machines

If your machine is a VM, it is recommended to remove the "0" from the FDE_SEAL_PCR_LIST variable in /etc/sysconfig/fde-tools. An update of the hypervisor can change PCR0. Since such an update is not visible inside the VM, the PCR values cannot be updated. As a result, the disk cannot be decrypted automatically at the next boot, the recovery key needs to be entered and a manual re-enrollment is necessary.

Next Steps

The next steps will be:

  • Support grub2-BLS (grub2 following the Boot Loader Specification)
  • Add support to the installers (YaST2 and Agama)
  • Make this the default if a TPM2 chip is present

Any help is welcome!

Further Documentation

submitted 3 days ago by [email protected] to c/[email protected]

The "security" development project is switched to a 4096bit RSA key.

New key fingerprint:

Type : GPG public key

User ID : security OBS Project <[email protected]>

Algorithm : rsa

Key size : 4096

Expires : 2026-12-02 13:27:55

Fingerprint : f9fa 0223 b56b 116c 3637 37ef 5da5 7bdd 6dd7 85ca

[email protected] 9 points 5 days ago

I totally agree with you. openSUSE Tumbleweed is IMHO the most stable rolling release distro out there.

Arch and some of its derivatives are also nice but still not as stable or polished as Tumbleweed.

[email protected] 1 point 6 days ago

I am still missing the sub-folders feature in the application menu. I hope that someday a developer shows mercy and brings back that feature.

[email protected] 1 point 6 days ago

I just use Krita's Image Split feature. But it would be nice to download a widescreen picture and just set it as a background for all monitors. We need to wait until someone implements that feature.

[email protected] 1 point 1 week ago

On the right side there are power lines but I am not sure if the thin cables on the left are power lines. They are very thin. Maybe phone lines or telegraph cables.

[email protected] 3 points 1 week ago

Yeah. On my phone it also looks more like water than just a wet road.

... but also I presume road building techniques have come a long way in the last 100 years.

That's what I find so fascinating about old photos. You can see how quickly technology has developed in 100 years. And the development is progressing faster and faster every year.

[email protected] 3 points 1 week ago

Yeah. Totally agree :).

submitted 1 week ago by [email protected] to c/[email protected]

Python 3.13 RC2 is now available in Tumbleweed. This new version of the Python interpreter will be released in October 2024.

There are a lot of changes and new features in 3.13, but we're also bringing exciting experimental features to Tumbleweed.

Experimental JIT compiler

The default (python313) build has the flag --enable-experimental-jit=yes-off. This means that if you want to use this experimental JIT, you can enable it with an environment variable:

$ PYTHON_JIT=1 python3.13

You can find more information about the JIT compiler and how it can improve performance in PEP-744.

Free threaded CPython (no GIL)

With this new version of the Python interpreter, there is an option to build without the famous Global Interpreter Lock, aka GIL. This is a really experimental feature, but why not have this on Tumbleweed? So we decided to also build this new version, as a new package python313-nogil.

This new package is an isolated interpreter, so you can install it without conflicts with python313. The package is built with the --disable-gil option and it provides the /usr/bin/python3.13t binary. By default it uses /usr/lib/python3.13t/site-packages for third-party libraries, so with the default configuration it won't use any Python 3.13 modules.

This means that now you can use threading.Thread in the Python interpreter and they will be actual threads, so in the end, using threads with the python3.13t interpreter should be a lot faster.

There are no packages for this interpreter in Tumbleweed at the moment. So if you want to use third-party libraries you should use virtualenv and pip for that:

$ python3.13t -m venv free-threaded-env
$ source free-threaded-env/bin/activate
(free-threaded-env) $ pip install requests
(free-threaded-env) $ python3
Python 3.13.0rc2 experimental free-threading build (main, Sep 07 2024, 16:06:06) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys; sys._is_gil_enabled()
False
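As an added example (not from the post), a small script that checks sys._is_gil_enabled() and runs a pure-Python CPU-bound loop on threading.Thread workers, so you can see for yourself whether the python3.13t build actually turns threads into parallel work; run it once with python3.13 and once with python3.13t and compare the speed-up. It uses only the standard library.

```python
import sys
import threading
import time

def gil_enabled() -> bool:
    """True when the interpreter serialises threads with the GIL.
    sys._is_gil_enabled() only exists from 3.13 on; older interpreters
    always have the GIL, so the fallback is True."""
    probe = getattr(sys, "_is_gil_enabled", None)
    return True if probe is None else probe()

def sum_of_squares(lo: int, hi: int, out: list, idx: int) -> None:
    # Pure-Python CPU-bound loop: no I/O, so it only runs in parallel when the
    # GIL is gone. Each worker writes to its own slot of `out`, so no lock needed.
    out[idx] = sum(i * i for i in range(lo, hi))

def parallel_sum_of_squares(n: int, workers: int = 4) -> int:
    """Split range(n) into `workers` chunks and run each on a threading.Thread."""
    bounds = [(n * k // workers, n * (k + 1) // workers) for k in range(workers)]
    partial = [0] * workers
    threads = [threading.Thread(target=sum_of_squares, args=(lo, hi, partial, k))
               for k, (lo, hi) in enumerate(bounds)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(partial)

def benchmark(n: int = 2_000_000, workers: int = 4) -> dict:
    """Time the same work with one thread and with `workers` threads.
    With the GIL the speed-up stays around 1; on the free-threaded build
    it approaches the number of CPU cores used."""
    t0 = time.perf_counter()
    serial = parallel_sum_of_squares(n, workers=1)
    t1 = time.perf_counter()
    parallel = parallel_sum_of_squares(n, workers)
    t2 = time.perf_counter()
    assert serial == parallel, "chunked result must match the single-thread result"
    return {"gil": gil_enabled(), "serial_s": t1 - t0, "threaded_s": t2 - t1,
            "speedup": (t1 - t0) / max(t2 - t1, 1e-9)}

if __name__ == "__main__":
    r = benchmark()
    print(f"GIL enabled: {r['gil']}  threads: {4}  "
          f"serial {r['serial_s']:.2f}s  threaded {r['threaded_s']:.2f}s  "
          f"speed-up {r['speedup']:.2f}x")
```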

[email protected] 3 points 1 week ago (last edited 1 week ago)

To me it looks a bit like a wet and worn out bitumen road after heavy rain.

Most streets built before the early 1900s in NZ were made of macadam, which was highly suitable for horse-drawn vehicles. However, with the rise of motor traffic in the 1920s, many areas had to seek more durable options for road surfacing. The most frequently used material became asphalt or bitumen, which gained widespread use starting in the 1920s.

Source: https://teara.govt.nz/en/streets-and-lighting/print
