kyle.rankin (Kyle Rankin)
User

Projects

User does not belong to any projects.
User Since
Jan 16 2018, 6:03 PM (83 w, 4 d)

Recent Activity

Jun 19 2019

kyle.rankin added a comment to T753: Resume from Suspend-to-disk (hibernation) fails with encrypted swap.

Yes, this is by design for extra security, as well as adding the convenience of not having to enter in unlock passphrases two different times at boot (once for /, once for swap). The downside is that it removes the ability to resume from hibernate.

Jun 19 2019, 3:24 PM · Restricted Project

Apr 23 2019

kyle.rankin added a comment to T694: Automatically lock the screen when Librem Key is removed.

That's because of the 'su $user' command that's in there. Root doesn't have to type the user's password but a regular user (even the same user) does.

Apr 23 2019, 10:44 PM
kyle.rankin added a comment to T694: Automatically lock the screen when Librem Key is removed.

Yes, ENV{ID_VENDOR} is what we'd want, as ID_VENDOR is being set in an environment variable that gets passed along to these udev rules. I was just flagging that in your udevadm output it had set ID_VENDOR (via ATTRS{ID_VENDOR}) to Nitrokey.

Apr 23 2019, 10:00 PM
kyle.rankin added a comment to T694: Automatically lock the screen when Librem Key is removed.

Based on this:

Apr 23 2019, 8:54 PM
kyle.rankin added a comment to T694: Automatically lock the screen when Librem Key is removed.

So to get this straight, the udev rule works with your particular Librem Key on one laptop but not another? I wonder if for some reason the ID_VENDOR value changed from "Nitrokey" to something else in newer revisions of the Librem Key.

Apr 23 2019, 7:52 PM

Feb 26 2019

kyle.rankin added a comment to T462: Package "gpg-encrypted-root" (or equivalent) in PureOS.

To me this ticket should be closed, as we have achieved the initial goal (packaging the equivalent of gpg-encrypted-root into PureOS).

Feb 26 2019, 7:00 PM · Restricted Project

Feb 14 2019

kyle.rankin added a comment to T462: Package "gpg-encrypted-root" (or equivalent) in PureOS.

The cryptsetup-initramfs package has a README on configuring gnupg-sc, but I've found it's not entirely accurate and is too focused on configuring a *new* and non-root disk.

Feb 14 2019, 1:31 PM · Restricted Project
kyle.rankin added a comment to T462: Package "gpg-encrypted-root" (or equivalent) in PureOS.

Just confirming that we can close this ticket.

Feb 14 2019, 12:59 PM · Restricted Project

Feb 11 2019

kyle.rankin added a comment to T678: Pipe key not working on Librem13v3 DE (German) keyboard layout.

This particular ticket is about the German keyboard layout issue where the pipe key does work, but sends an incorrect signal, not about the unrelated UK keyboard issue where the key does not send a signal at all.

Feb 11 2019, 4:23 PM · Restricted Project
kyle.rankin added a comment to T678: Pipe key not working on Librem13v3 DE (German) keyboard layout.

It's not a firmware problem exactly. The keyboard is a *different* layout than the default US/UK/DE layout, it's a variant. In the US case it's a US alternate international layout. If you dig down into the keyboard options and set it to that, the pipe key works, however during an install everyone naturally picks the default US keyboard layout (or UK or DE, depending on the device) and almost every key works as expected except the pipe key.

Feb 11 2019, 3:16 PM · Restricted Project

Feb 7 2019

kyle.rankin created T694: Automatically lock the screen when Librem Key is removed.
Feb 7 2019, 7:26 PM

Jan 22 2019

kyle.rankin added a comment to T683: Update systemd pipe key fix to include Librem 13v4.

My apologies, I have no idea where I got that number. I reviewed my own hand-edited file and it says "backslash"

Jan 22 2019, 7:06 PM
kyle.rankin added a comment to T683: Update systemd pipe key fix to include Librem 13v4.

This is the value I used and tested, and it's the value that we used for the other entries that were already in the file. If we were to change it for this case, we should also change it for the other, previous Librem 13 entries.

Jan 22 2019, 3:47 PM

Jan 21 2019

kyle.rankin added a comment to T683: Update systemd pipe key fix to include Librem 13v4.

Yes, this should go upstream like with the parent issue. I have tested this fix against my Librem 13 v4.

Jan 21 2019, 5:13 PM
kyle.rankin created T683: Update systemd pipe key fix to include Librem 13v4.
Jan 21 2019, 4:12 PM
kyle.rankin added a comment to T431: Keyboard layout unable to recognize pipe on Librem 13v2,3 Librem 15 US devices.

If it's better to open a new ticket than comment on this one that's fine, but having all the context of this ticket is useful. We now have a Librem 13v4 and so need to modify the same systemd files to add:

Jan 21 2019, 1:49 PM

Dec 5 2018

kyle.rankin added a comment to T462: Package "gpg-encrypted-root" (or equivalent) in PureOS.

It probably makes sense to keep this open until the package shows up in PureOS (having it in Debian is nice, but not sufficient). Once it makes its way into PureOS then sure, close the ticket.

Dec 5 2018, 3:47 PM · Restricted Project

Nov 29 2018

kyle.rankin added a comment to T641: Cryptsetup-helper logs encryption password.

In the meantime, could you add a task that erases/truncates /var/log/auth.log after that script runs?

Nov 29 2018, 11:20 PM · Restricted Project
kyle.rankin created T641: Cryptsetup-helper logs encryption password.
Nov 29 2018, 9:34 PM · Restricted Project

Nov 21 2018

kyle.rankin added a comment to T462: Package "gpg-encrypted-root" (or equivalent) in PureOS.

Thanks for the update. Let's leave this ticket open to track the work in bringing the updated cryptsetup package into PureOS. Once that package exists in PureOS we can close this ticket.

Nov 21 2018, 7:01 PM · Restricted Project

Oct 23 2018

kyle.rankin updated subscribers of T347: Make it easy to start Tor Browser Bundle.

I want TB to be packaged by PureOS and installed by default on PureOS unless there is some Free Software licensing issue that would prevent this (I don't believe there is).

Oct 23 2018, 9:30 PM · Restricted Project

Sep 27 2018

kyle.rankin added a comment to T315: Enable vboot.

We do not need or want it. Specifically the problem with systems like vboot (and why we went with Heads instead) is that we do not want to require that the BIOS pass a signature check against a key that we control. We want the user to be able to flash with a custom BIOS if they so choose, even if we haven't blessed it with our signature.

Sep 27 2018, 10:11 PM · Librem Coreboot

Sep 25 2018

kyle.rankin added a comment to T462: Package "gpg-encrypted-root" (or equivalent) in PureOS.

Sweet! So, what's the timeline look like for me to be able to test this on something?

Sep 25 2018, 1:19 PM · Restricted Project

Sep 11 2018

kyle.rankin added a comment to T486: Pipe key producing # on Librem 13 v2, v3 UK and DE model devices.

@mladen.pejakovic so far we don't have anyone in-house who is able to re-create this specific problem but clearly you are getting some kind of support request that motivated you to file this ticket.

Sep 11 2018, 6:47 PM
kyle.rankin added a comment to T486: Pipe key producing # on Librem 13 v2, v3 UK and DE model devices.

@jonas.smedegaard are you able to recreate the problem listed in this ticket with your Librem 13 UK?

Sep 11 2018, 4:31 PM

Sep 10 2018

kyle.rankin added a comment to T486: Pipe key producing # on Librem 13 v2, v3 UK and DE model devices.

This is why I'm trying to narrow everything down to specifically which models are having the specific issue referenced in this ticket. Today I've gotten two different explanations:

Sep 10 2018, 8:07 PM
kyle.rankin added a comment to T486: Pipe key producing # on Librem 13 v2, v3 UK and DE model devices.

@chris.lamb Since you have a UK model, could you please apply the patch @mladen.pejakovic is referencing above and see if you can recreate this regression?

Sep 10 2018, 6:04 PM
kyle.rankin updated subscribers of T486: Pipe key producing # on Librem 13 v2, v3 UK and DE model devices.

@mladen.pejakovic and @chris.lamb (cc @todd )

Sep 10 2018, 4:34 PM

Aug 31 2018

kyle.rankin added a comment to T462: Package "gpg-encrypted-root" (or equivalent) in PureOS.

Hi @chris.lamb I just wanted to check in on the progress with this. Looking at the official bug it looks like things have stalled a bit but maybe there are other things happening behind the scenes with people working on packaging that I'm not aware of.

Aug 31 2018, 5:08 PM · Restricted Project

Aug 13 2018

kyle.rankin assigned T327: Package OpenSnitch to chris.lamb.
Aug 13 2018, 4:29 PM · Restricted Project
kyle.rankin added a comment to T327: Package OpenSnitch.

Sorry, by "upstreaming" I meant "get packaged into Debian." At the time I wrote this in February I was hoping we could get this into PureOS relatively quickly and had assumed that getting this packaged into PureOS would be faster than into Debian so I wanted to do the fast thing first if it was indeed faster.

Aug 13 2018, 4:29 PM · Restricted Project

Jul 9 2018

kyle.rankin added a comment to T462: Package "gpg-encrypted-root" (or equivalent) in PureOS.

The point about it just being a shell script is valid. I would be perfectly fine with including this script (or a similar forked script) directly into cryptsetup-initramfs, especially if that helps speed the process along.

Jul 9 2018, 4:24 PM · Restricted Project

Jul 5 2018

kyle.rankin added a comment to T462: Package "gpg-encrypted-root" (or equivalent) in PureOS.

Just checking in on the status of this ticket. We are not yet at a place where this is blocking other activity but will be within another week or two.

Jul 5 2018, 7:54 PM · Restricted Project

Jun 27 2018

kyle.rankin added a comment to T499: German keyboard settings don't take in initial setup.

This problem seems to specifically point to the installer not changing its own active locale during the install process, but merely setting the default locale for the install on disk.

Jun 27 2018, 9:10 PM · Restricted Project

Jun 1 2018

kyle.rankin closed T439: Keys #~ and /: not working on Librem 13v3 UK and Librem 15v3 UK devices as "Resolved".

This issue has been resolved.

Jun 1 2018, 8:36 PM

May 31 2018

kyle.rankin created T462: Package "gpg-encrypted-root" (or equivalent) in PureOS.
May 31 2018, 8:15 PM · Restricted Project

Apr 6 2018

kyle.rankin added a comment to T365: PureOS Live image, installer and OEM experience rework.

Hmmm it worked the second time around... on the VM. Going to test on bare metal now.

Apr 6 2018, 9:12 PM
kyle.rankin added a comment to T365: PureOS Live image, installer and OEM experience rework.

Sorry, I mean the "Install PureOS" application that runs within the Gnome desktop crashed. By crash I mean the installer application disappeared. I will see how repeatable it all is.

Apr 6 2018, 8:44 PM
kyle.rankin added a comment to T365: PureOS Live image, installer and OEM experience rework.

I've had this application crash for me both when testing in a VM (at that point at the disk encryption password section) and also when trying directly on bare metal Librem 13v2, when trying to connect to wifi.

Apr 6 2018, 7:29 PM

Apr 3 2018

kyle.rankin added a comment to T365: PureOS Live image, installer and OEM experience rework.

It would be possible after the fact to even go as far as to reformat the swap partition to be a non-LUKS volume and treat it as regular unencrypted swap, if you wanted, but as @mak mentioned, it would be better to keep it as encrypted, but as a different kind of persistent encryption.

Apr 3 2018, 4:13 PM

Apr 2 2018

kyle.rankin added a comment to T365: PureOS Live image, installer and OEM experience rework.

Or if the attacker happens to read the contents of swap while the system is running. Since it isn't overwritten at each boot, it's possible imaging swap while the system is running would reveal old secrets that weren't securely wiped.

Apr 2 2018, 10:31 PM
kyle.rankin added a comment to T365: PureOS Live image, installer and OEM experience rework.

You make a good point. In this case it's a security tradeoff because suspend-to-disk creates a security vulnerability since secrets that were in RAM only (disk decryption keys, passwords) could be written to disk and potentially be recoverable.

Apr 2 2018, 9:53 PM
kyle.rankin added a comment to T365: PureOS Live image, installer and OEM experience rework.

The swap partition should be encrypted with a random LUKS key like in a standard Debian install instead of via a key file. It's a feature that encrypted swap is blown away each reboot.

Apr 2 2018, 8:06 PM

Mar 7 2018

kyle.rankin added a comment to T298: HDMI output limited to 1080p.

@netnut404 If you are willing to use X instead of Wayland, you can switch to that and follow my steps above to generate modelines for the resolutions you want.

Mar 7 2018, 8:08 PM

Feb 14 2018

kyle.rankin created T327: Package OpenSnitch.
Feb 14 2018, 5:18 PM · Restricted Project

Feb 13 2018

kyle.rankin added a comment to T320: Can't create VM from Debian 9 ISO in Boxes.

I tried the setcap command but still got the same error on PureOS.

Feb 13 2018, 6:12 PM

Feb 6 2018

kyle.rankin added a comment to T320: Can't create VM from Debian 9 ISO in Boxes.

More debug info:

Feb 6 2018, 8:14 PM
kyle.rankin added a comment to T320: Can't create VM from Debian 9 ISO in Boxes.

I added more logging and tried again. Here are the (sanitized) results:

Feb 6 2018, 8:08 PM
kyle.rankin added a comment to T320: Can't create VM from Debian 9 ISO in Boxes.

I've uploaded virsh capabilities output as well

Feb 6 2018, 7:57 PM
kyle.rankin added a comment to T320: Can't create VM from Debian 9 ISO in Boxes.

When you attempt to start a pureos live cd image in Boxes, you will get the following error in the terminal:

Feb 6 2018, 7:54 PM

Feb 5 2018

kyle.rankin removed a project from T177: Test/Implement fwupd support: Restricted Project.

After discussion, removing the PureOS tags as we don't want to risk tainting PureOS with the remaining proprietary software in our coreboot firmware. This project will remain on the coreboot side.

Feb 5 2018, 8:14 PM · Librem Coreboot
kyle.rankin added a project to T177: Test/Implement fwupd support: Restricted Project.

Given most of the work for this is not coreboot work, but PureOS work integrating an existing firmware image (which we'd treat as a binary blob) with fwupd, I don't know that this is really a coreboot project as much as a PureOS project.

Feb 5 2018, 6:41 PM · Librem Coreboot

Jan 26 2018

kyle.rankin added a comment to T247: purebrowser: Choice of user-agent string lack a policy.

I prefer and would advocate for option 2 because it instructs sites that (mistakenly or not) use browser versions to determine how to behave that PureBrowser is most compatible with a particular version of Firefox (which it is, having been almost entirely derived from that browser, with some modifications), while also informing the site that the browser is not in fact Firefox, but something else.

Jan 26 2018, 6:02 PM · Restricted Project
kyle.rankin added a comment to T308: PureBrowser incompatible with user-agent sniffing at tails.boum.org.

Before the ticket is closed for good, could you provide a User Agent string workaround (if that would work, otherwise some other workaround) so we have steps to present to another user who runs into this or similar problems?

Jan 26 2018, 5:39 PM · Restricted Project

Jan 25 2018

kyle.rankin added a comment to T298: HDMI output limited to 1080p.

From what I've read on https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/EDID/HOWTO.txt the kernel only includes EDIDs up to 1920x1080:

Jan 25 2018, 7:55 PM

Jan 24 2018

kyle.rankin added a comment to T298: HDMI output limited to 1080p.

I was able to get a Librem 13v2 to output at 2560x1440 by switching to GNOME on Xorg at the GDM login prompt for my user and using the steps from here to generate a custom modeline.

Jan 24 2018, 11:34 PM

Jan 23 2018

kyle.rankin added a comment to T298: HDMI output limited to 1080p.

The Ubuntu 14.04 Live disk was able to see the full suite of resolutions from my external monitor up to 3840x2160 @ 30hz and 2560x1440 @ 60hz. It uses the 3.19.0-25-generic kernel so perhaps we are seeing some regression with Skylake on more recent 4.x kernels.

Jan 23 2018, 10:25 PM
kyle.rankin added a comment to T298: HDMI output limited to 1080p.

I've tested this so far with a few other Live disks including Tails (4.14.12-2 kernel), Fedora 27 (4.13.9-300.fc27.x86_64), Ubuntu 17.10 (4.13.0-21) and Ubuntu 16.04 (4.10.0-28-generic). All of those live disks had the same 1080p limitation.

Jan 23 2018, 10:10 PM
kyle.rankin created T308: PureBrowser incompatible with user-agent sniffing at tails.boum.org.
Jan 23 2018, 10:06 PM · Restricted Project

Jan 16 2018

kyle.rankin created T298: HDMI output limited to 1080p.
Jan 16 2018, 7:12 PM