Okay, good. So, I'm sorry. Oh wait, I know... I hear my son's... There's... I want to talk about community matters first and some general topics, and then about some features and how they tie together for secure properties of the machine.

So there are things that don't change, and people change those. I mean, some of you probably know, but not everybody knows, that Lennart Poettering has moved to Microsoft. That's surprising in some ways, but also in other ways not surprising, because right now the systemd community has two full-time people from Microsoft working on upstream, a bunch of Red Hat people, then people from Facebook, then some other people who I guess are not working full-time, but there are also other volunteers and so on. So the community has spread a lot, and in some ways this is healthy.

So systemd is about systemd, and if you put a capital D there at the end you make us cry. And there's always work to be done. I put up the stats from today and we have, well, seventeen hundred, eighteen hundred issues, and half are bugs, half are PRs. I will also talk about this at the end, but in general, as always, we are looking for help because, well, there are just too many things to do. In Fedora, there are one hundred twenty-eight open issues, but that's mostly because Fedora will auto-close issues for old releases, so we lose a bunch of bugs this way; there would be more, I guess. And there are, well, a hundred bugs that need to be triaged and looked into and so on.

And we kind of keep creating releases. And the last five releases have been, well, not on a regular schedule, but there's some variance.
We would like to do it every two months. It comes out like, well, you can see here, not more than half a year usually. The number of commits is fifteen hundred to two thousand commits, it also varies a bit, but I'm really proud of this column here, the number of contributors. It varies, but it's a very healthy number. We also have, apart from those main releases, point releases like 247.1, 247.2, 247.3 with backports; I think we're at 247.12 or something right now, and those point releases are the way that systemd goes into distributions. And 252 is being prepared. We have just taken 1000 patches, but we plan to make an RC release, and then maybe in a month from now there'll be a release.

And, well, features have releases, releases have features, but sometimes they lose features, and I want to talk about two things that are going away.

Split-usr. Well, there are two aspects to it. One is that you have some binaries in /bin and /sbin and some binaries in /usr/bin and /usr/sbin. I mean, the location is split, but the other aspect is when you mount this /usr subdirectory. So we have required that it's always mounted for a while, so we can mount it in the initrd, and then when you boot into the real system you must have both /bin and /usr/bin, otherwise things won't work. But the fact that you have the split was supported, and we looked for every configuration file in two places and every binary in two places and so on, and this is going away in about a year. So I mean, we are waiting for Debian bookworm to go away and then we remove this functionality. So it doesn't matter for people from Fedora, but it matters for people from Debian and Gentoo and maybe some other projects.

And another interesting one is cgroups v1. We want to drop the old cgroup hierarchy. Well, 8 used v1 by default and v2 optionally,
well, 9 uses v2 by default and v1 optionally, and, well, if we drop it upstream then who knows what will happen in around 10. But this code, the v1 code, is very complicated and we would like to just get rid of it to simplify our life. So those are features that are being removed, and now I'll talk about features.

So there's this something called the credential mechanism in systemd. Initially this was used for... the idea was, for example, you have a certificate for TLS for the web server, and this would be handled as a credential, or some key material, passwords, stuff like that. So hence the name, but now it's used for configuration and other stuff, so the name is kind of obsolete, so don't get confused by it. So we have some data, and instead of passing it directly, putting it in a known location on disk, we kind of abstract this: we take it, put it in a file in a shared directory, or some other place which I'll talk about later, and then we configure the unit file for the service to say that it needs the credential called "data" or some other name, and then the manager looks in this shared directory or some other places and passes the credential to the service, and the service gets an environment variable that tells it where to look and opens a file, or something that looks like a file, there.

Well, I mean, this sounds not useful on its own, and it's not useful on its own, but this generic mechanism is extended in various ways. So in particular this storage part: you can put things in a file, but you can, for example, create a pipe, and then the manager will connect to this pipe, it's like a Unix socket, push the name of the credential to be delivered, and then something else on the other end must deliver this credential. So, for example, you can implement a service that would pull credentials over the network from somewhere else. There's a mechanism to take credentials and pass them through layers.
So for example, if we have virtualization we could have a credential on the host, and then the host manager takes this credential and passes it to the container manager service, the container manager service takes the credential and passes it to the container, and in the container the container systemd takes the credential and passes it to the unit, and then the unit makes use of it. So I mean, data is being passed, and there's support for doing this across the virtual machine boundary between the host and the virtual machine via some QEMU stuff. A few more things: you can also pass credentials on the command line, and the bootloader can pass credentials to the running system. So there are plenty of different mechanisms, but in the end, for the service it doesn't matter. I mean, it's all abstracted away by the manager, and then this file is not stored on disk; it's stored in memory, and ideally it's actually stored in memory that is not even swappable. So it's not tmpfs, it's ramfs, so that, well, once you reboot the machine the data in this file is completely gone.

Well, this is useful if this data is stored encrypted. So we kind of complicate this previous picture. We have some data, we encrypt it, we put it in storage just as before, and then here the manager takes care of decrypting the blob before passing it to the service. And this encryption is, well, done in two ways. It can be encrypted with a key that is stored in a file on the system. Basically, this means that, I mean, if you lose this file then all the credentials become undecryptable, but that's not so useful.
It's used kind of as a fallback. And then we also encrypt the credentials with the TPM. So this means that you can take, I don't know, this certificate, store it on the machine, and if you take the disk out of the machine you cannot decrypt this copy. So this provides pretty nice security features. So this upper path is mostly to provide support for instances where we don't have TPMs, and by default both are needed. So we try to make it, I mean, as secure as possible given the specific hardware.

And this credential mechanism is integrated in units in various ways. So you can start units only if you have a credential, you can use credentials to configure certain services. So, for example, systemd-sysusers, which runs during early boot, will look for certain credentials and create users, and the tmpfiles service will also create and use credentials as configuration. So this mechanism in particular allows you to create users and files on disk with arbitrary contents based on, well, data that is stored externally, outside of the machine.

All right, I mean the common thing here is that we try to make use of the hardware features that are supposed to provide security. So you can bind arbitrary credential data to the local machine. When you have a file system and encrypt it with LUKS it can also be bound to the TPM. This makes, in a way, Linux behave more like Windows, because you can suddenly say that, well, the disk is encrypted, but if you are booting a specific system then you can open up the disk, decrypt the disk, without typing in the full password, but using some of the stuff in the TPM. And systemd is... I mean, to actually make use of those things you need to measure things, so for example the kernel, the initrd that we are booting and other configuration, into PCRs, so that those measurements are then used for policies, to build decryption policies or access policies, and
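An added example, not from the talk, of the three pieces of the credential flow just described: the unit fragment that asks the manager for an encrypted credential, the operator-side `systemd-creds encrypt --with-key=host+tpm2` step, and a service-side reader that takes the credential only from `$CREDENTIALS_DIRECTORY`. The credential name `tls.key`, the unit, and the blob path are assumed.

```shell
#!/bin/sh
# Added example, not from the talk: the three pieces of the systemd
# credential flow. Assumed names: credential "tls.key", a web service,
# and the encrypted blob kept under /etc/credstore.encrypted/.
set -eu

# 1. Unit fragment. systemd decrypts the blob (host key and/or TPM2) and
#    exposes the plaintext under $CREDENTIALS_DIRECTORY, which lives on a
#    non-swappable ramfs, so the service never reads the secret from disk.
unit_fragment() {
    cat <<'EOF'
[Service]
LoadCredentialEncrypted=tls.key:/etc/credstore.encrypted/tls.key.cred
ExecStart=/usr/local/bin/web-start
EOF
}

# 2. Operator step, run once on the target machine (needs systemd-creds
#    and, for host+tpm2, a TPM2). $1 = plaintext file, $2 = output blob.
#    host+tpm2 means the blob cannot be decrypted on another machine or
#    without the host key. Guarded so the rest of the script runs anywhere.
encrypt_credential() {
    if ! command -v systemd-creds >/dev/null 2>&1; then
        echo "systemd-creds not available; skipping encrypt step" >&2
        return 1
    fi
    systemd-creds encrypt --name=tls.key --with-key=host+tpm2 "$1" "$2"
}

# 3. Service side (what /usr/local/bin/web-start would do): take the
#    credential only from $CREDENTIALS_DIRECTORY, never from a fixed path.
#    Prints the credential content; non-zero exit if it was not provided.
read_credential() {
    name="$1"
    dir="${CREDENTIALS_DIRECTORY:-}"
    if [ -z "$dir" ]; then
        echo "not started with credentials (CREDENTIALS_DIRECTORY unset)" >&2
        return 2
    fi
    if [ ! -r "$dir/$name" ]; then
        echo "credential '$name' not provided by the manager" >&2
        return 3
    fi
    cat "$dir/$name"
}
```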
systemd has been growing, I mean, doing more measurements, so that you can make this more useful. And there's a nice tool that kind of helps with this. It's called systemd-measure, and it will be new in version 252. So basically you say, okay, if I have a specific kernel binary with a specific initrd and a specific set of configuration files, because this all matters, then after this machine is booted we expect that the SHA-512 PCR number 11 will have some value, and then we can, for example, say that if PCR 11 has this value then we allow access to certain passwords or certain certificates or something like that without additional verification.

So we have those features for data access, but to actually make use of this we need to rework how the machine boots, also how initrds are built, and I just want to talk about some general concepts and implementation details. So right now we kind of build the initrd based on files on disk, and we want to move towards taking RPMs, so using pristine files that haven't gone through the local file system and possibly been modified in any way, and also to stop doing modifications. We want to reuse the binaries that are used in the real system in the initrd without local tweaks. And then, once we have that, we can kind of move towards using a generic initrd, so everybody has the same initrd. But this is blocked by the requirement to have local configuration. I mean, if everybody has the same initrd then how do you specify
the name of the root partition? So we need local configuration, and this local configuration can be passed through the credential mechanism, and doing it this way allows us to, for example, say that the local configuration must be signed and must be bound to the local machine. So this is, well, the semi-long-term plan. The long-term plan is to move building of the initrd into the central build system. So right now we build a kernel, we build kernel modules, we sign the kernel and sign the kernel modules, put them in packages, but once we start doing this with the initrds, we build them centrally, we save time on the local machines, we can sign the initrds just like we sign the kernel, and then once we have that we can verify the initrds using the same keys that are used to check that the kernel that is being booted has been signed.

And there's a tool that implements this... well, not that, but works towards this, and it's kind of like a replacement for dracut, but I'm not trying to say that dracut will be replaced, it's another attempt at things. It's called mkosi-initrd. So it builds initrd images from RPMs. There's a link if you want to take a look.

And so I mean, I think this is all pretty interesting. It's also not entirely clear where all of this will go, because, like, with the PCRs we do some measurements, but which measurements will be useful, what things should be added, this hasn't really been decided yet. Nobody knows for sure. And systemd upstream is a nice place to get involved; we have lots of external contributors. systemd in Fedora also needs help, and new features need to be added to mkosi-initrd and also to dracut. So those are all places that are looking for contributors. And now, questions.

So right now, if you enable Secure Boot on Fedora, it's not verifying the initrd, or is it? The way that we use the shim...
...shim layer, to like... So, verified locally? So the shim layer is generally used so that... Microsoft holds this key that is used to sign shim, and shim changes rarely, so they do it like, well, less than once a year, and then shim is used to sign keys for the kernels, and this gives us a way to change the kernels faster without getting Microsoft involved. But in general only the kernel and the modules are being verified, not the initrd. Of course, it's very easy to replace the initrd, so this is very leaky. Now, this is with the pre-installed keys. You can do local builds and sign them locally and do local enrollment of whatever keys you want, and then this all doesn't matter because you can sign your initrd locally. But the usual path is that the initrd cannot be signed, transitively, by the pre-installed Microsoft key, and the initrd is not verified.

But in short, if you are using Secure Boot and you also have encrypted all of root and you think you are safe, you are not, because you still have a partition which is always unencrypted, and there is the entire initrd, and it's not verified at all. So basically anyone can pull out your hard drive, replace your initrd with something else, and that's one...

So basically Secure Boot, the UEFI, verifies the shim layer, right? Because that's signed by Microsoft, and then the shim verifies the kernel. Why... so we sign the kernel in Koji, why cannot... Why? It's built locally on your machine and you don't have the signing key. Yeah, why don't I have it? Because it's protected in a vault infrastructure and nobody can access it, right?
We cannot. So even for Fedora you would have to replace the keys with your own keys to sign it locally. Yeah, that's a... The thing about that is that the initrd is stored at an unencrypted boot partition. Technically, starting a bootloader... you technically can have a bootloader which supports encryption. I don't know if that's used. I don't know, but I know that there was a proposal of packing the kernel, the initrd and the kernel parameters into one file which would be signed, and that would be verified, and if the verification failed the system would refuse booting. So yes, this is called unified kernels, and we want to do that, but you can only do that if you have the initrd at the time where you are combining those things. So if the initrds are built in Koji along with, after, the kernel, then you can put them together and sign this. But I mean, you cannot do the signature before you have the initrd. And encryption of the first part, encryption of the full disk, gives you some protection. I mean, it doesn't protect against everything, but it actually gives you very good properties. Well, you know, so I don't want to say that this is... I mean, this is not something that we usually use, but it's also a useful approach.

Okay, so actually this is what cloud vendors are pushing everywhere now, because this is an unsolved problem, like signatures on initrds, so they are sort of sidestepping this problem by trying to push people to have everything encrypted, including /boot, and they propose, Microsoft proposed, a set of patches to GRUB to essentially do LUKS decryption in GRUB. But, for example, this pushes a lot of responsibility onto the bootloader, and I don't know, like, if you want to have... Okay, if you have just this one password that you type in, that's okay, but what if, I don't know, we want to have some boot recovery and stuff? Adding all that logic into the bootloader is complicated.
We want to keep it in user space. Yeah, so first, one addition to the full disk encryption... Basically, how we now see full disk encryption in Linux is that it only protects your data. If you ever lose the system and recover it afterwards, you cannot use it again because it can be corrupted, basically because the initrd is not encrypted. So if this happens you need to wipe the data and start over. So that's how full disk encryption now works in Linux, protecting you from some problems. And my question was about the... Yeah, if you generate the initrd in Koji and sign it, that's okay, but if you allow adding some configuration, I assume using an initrd overlay, then you have the problem with the initrd overlay. The attacker still can do that, and that cannot be signed. So how do you protect against this? Yes, I think we spoke about it once, and one possible solution is actually to limit what's in the overlay, to make sure that only configuration is part of that, that you can't include any binaries or basically any code that can be started. But yeah, that's a question. Like, ideally the machine should be configured in a way that you don't need any configuration, like for example a laptop. I think it's possible, like, if you set up your partitions correctly,
that they have the correct labels, that you don't need any configuration. So one thing that you can certainly do is you can also build extensions. Like, for example, you want to have an initrd but also want to have an initrd with sshd and networking. So we have a mechanism to combine those, to add extensions to the initrd, and those additions could also be built centrally and also signed in the same way as the initrd, and then the bootloader would verify the initrd, and in the initrd systemd would verify those extensions before using them. So for code, actually, I mean, it's not fully implemented, but conceptually there's no more to do. But for the configuration, well, at least what happens is that you can bind decryption of the data to the configuration measurements, so that if somebody changes the configuration it won't decrypt your data. So the machine will generally not work, which is probably better than it booting and working. But yeah, I mean, verifying that the configuration is as you wanted it, without some external entity that assesses it, is, well, hard. Thanks.

I have a question about the credential store. So who would be the target user for that? Well, there are a couple of uses. Like, you have, I don't know, TLS certificates; this is an obvious use. We want to allow users to log in for recovery using user passwords in the initrd when you cannot boot the machine, but we don't want to take those passwords from the disk, which is probably encrypted, and put them in /boot unencrypted, but if we encrypt them this way then they are pretty safe. Also, like, for configuration, partition stuff, and maybe the network configuration for machines that need a network root FS. The mechanism is general.
I think that other uses will pop up too. I'm not sure about that. Isn't it used by Podman these days? Because I think the original request for this feature actually came from, like, our container team; they wanted to pass something into all the containers. But I don't know. That was where the original idea came from. I was actually thinking that Kubernetes could actually use it because it has a form of secrets; they are stored in the file system, so this could be a good mechanism to encrypt them and have them only available for certain pods. Okay, so thank you, and I think we are out of time.