Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/1329 Thanks!

The talk is "Hacking with a TPM: don't ask what you can do for TPMs, ask what the TPM can do for you." It's a kind of introduction to TPMs and what you can do with them. And your guest host is Andreas. Yes. And here he is. Give a big applause, please. Thanks.

Hi, everyone. Andreas Fuchs. I'll be presenting some stuff on TPMs. That's my Twitter handle and also my GitHub namespace, where you can find some of the stuff or see what I'm working on. And the most important resource for everything I'm talking about is this web link, but you're going to see it in the conclusions at the end again.

So who am I? Some disclosure: I'm actually working on TPMs. I'm being paid to work on TPMs, or I found someone willing to pay me to work on this stuff.
And I'm also a member of the Trusted Computing Group, the industry consortium doing all the specification stuff. However, I started working with TPMs about 13 years ago, when it was the 1.2 times. At that point I was trying to get things working for me, and it didn't work out too nicely, because the software was kind of, you know, not too well maintained, and the API was kind of a little hideous to work with. And so about five years ago, when the call for participants for working on TSS 2.0 came up, I basically jumped into the rabbit hole right away of specification writing, negotiating and whatnot in the TCG, and also implementing this stuff and maintaining the stuff on GitHub later on. And the results of this endeavor I want to present to you.
So I'm gonna go through some very minimal introduction to what TPMs are, and then we're going to jump right in to those two topics of credential protection and some early boot protections. And then just some minor information on how you can get started working on this yourself.

And here comes the fun part. So for your amusement and my personal adrenaline rush late at night, I opted to go for some live demos. So what I'm gonna be doing is I'll be going ahead and copying all this stuff, switching over into my trustworthy virtual machine here. And of course, it doesn't work right away. So... Yeah, I should have unlocked sudo first. Yeah. So I'll be doing some live demos every now and then. Please don't DoS the Wi-Fi here, otherwise the presentation will get to a halt very quickly. Okay.

What are TPMs? A TPM is basically a security chip that's soldered onto your mainboard.
And thanks to Microsoft for giving TPMs to mostly all of us basically for cheap, because thanks to the Microsoft logo program, every consumer laptop, desktop, whatever nowadays has a TPM, more or less. So why not make use of them? They are pretty high-security chips, I would say. There's like some assurance from Common Criteria certification, which you may or may not trust, but every piece of evidence counts, I guess. Of course there were some TPMs that failed, and Tanya and David just talked about it about two or three hours ago. So it was very interesting.

And what it's capable of: it's capable of doing crypto, which is what we're going to be talking about. It's capable of doing some storage, and it's capable of recording boot hash values. And that's basically all it can do. So it's a completely passive device. That's the most important part here.
And on the right-hand side there you see some old 1.2 versions of a TPM. Nowadays the chip package is actually a lot smaller.

Are TPMs dangerous? I think we've heard talks in the past at the Congress arguing for both sides. TPMs' reputation when they first got into the market was: these are these nasty, evil DRM devices, they're going to remote-control our PCs. As I said, they are completely passive. And what TPMs are in reality: first of all, they are an embedded smartcard. So you have some kind of secure element in your PC that you can leverage. And then there are these whole integrity reporting and attestation capabilities that I'll go a little more into detail on later. But don't just take my word for it.
Take Richard Stallman's or the GNU/Free Software Foundation's word for it, because they concluded that the trusted platform module available for PCs is not dangerous and there is no reason not to include one in a computer or support it in your system software. So I would call that Stallman-approved, and therefore, why not just go ahead and use it? Right.

But let's get into the meat of it: credential protection. Who in here is using public key cryptography in one way or another? And yeah, I'm basically expecting all hands to raise. Who is using a smart card or a YubiKey or a TPM to protect their credentials? Okay. And who has optimized this process by just leaving the smart card in there, or cutting parts of the smart card out and wrapping this with tape, or using a YubiKey Nano? Okay, those are only very few. For you few, basically this is the same assurance level that the TPM is gonna give you as well.
And for the others, well, smart cards. You can use the TPM instead to be more convenient. All of you who are not using smart cards but public key crypto, you should maybe consider using a TPM, because you've got one already and you've paid for it. So why not use it?

All right. What's the security idea of protecting credentials that comes with smart cards, and TPMs similarly? Basically, we want to divide our authentication approach, or authentication guarantees, into a proof of possession and a proof of knowledge. So we have two factors that are required or requested from us in order to authenticate. The proof of knowledge is pretty straightforward: it's entering a password, entering a PIN to unlock a smart card, whatnot. And the proof of possession is the second factor. Well, what does this actually mean?
Well, what you need in order to create a proof of possession is something that is not duplicatable, or not clonable. So that's the primary feature of what the smartcard gives you, which, for example, a soft token or a public key hanging around on your hard disk just doesn't give you, because you can just copy the software, the soft token file, and bring it to a different computer and have it run simultaneously on multiple computers. So by having something that's non-duplicatable, you have something that can be in the possession of only one person at a single time, and therefore you gain this extra security. And this becomes especially important at every kind of hacker congress, like here, or Black Hat or whatnot, because people around those conferences seem to be very good at recording passwords from looking at you typing them into a keyboard. So this is definitely a good argument to have the second factor.
So the proof of possession, which is usually like your smart card or your YubiKey Nano, can basically be translated into: well, we have a proof of possession of my laptop that contains a TPM. So only if somebody has access to this laptop and knowledge of the PIN, those two factors allow them to authenticate in my name, or in the name of this credential.

Typically the question is, but what if you're hacked? Well, this is a problem for every kind of proof of possession means; it's the same if you have a smartcard in your smart card reader slot. For the time that somebody is able to control your system, they are able to more or less use your credential as well. But there are two differences. It's temporally bound to the amount of time that you're hacked. So if you clean up your system, you can continue working normally again afterwards.
And there's the second thing: there is no chance for an attack such as Heartbleed, where people would... because not every exploit is capable of gaining like full privileges. Sometimes exploits like Heartbleed are only able to dump certain memory pages out where maybe your key was living, and then you're screwed. You don't have that problem if the key is not known to the computer, to the CPU, never stored in RAM or on disk.

All right, demo time. How can you actually implement, or how can you make use of, these credential protections? The simplest way to do so is with the tpm2-tss-engine from the tpm2-software project. I probably should have mentioned that here. So that was one of the pieces of software that we installed earlier. And actually, they did install. That's very nice. All right. In order to use that, all you need is these, I don't know, three commands.
And therefore I just want to show them to you real quick. By the way, no, I'm not using a TPM simulator; I just wanted to show that I'm using an actual hardware TPM. I just forwarded it to the virtual machine for fun and glory. All right. Virtual desktops, switching. All right.

So what we're going to do first is... we are... now it's working. We are generating a key using that for the TPM, and the next command is then we're gonna generate a self-signed certificate. And as you can see, for those of you who've worked with OpenSSL in the past, the first command is a custom command of the software. The second command is just a regular OpenSSL create-a-self-signed-certificate command, with some mentioning of the engine and mentioning that we have a keyform that comes from the engine, and that's basically it. So we're gonna go ahead and take that, paste it in here as well. [unintelligible]
Now what? Who cares? All right. And now we have curl, and curl is actually capable of connecting us... Well, come on. I should have brought a mouse. So curl is capable of making use of OpenSSL engines, and don't get irritated by the --insecure here; I'm running an nginx server right now on the host system, and from the virtual machine I'm now using curl to authenticate using client certificate authentication with TLS, and I guess everybody knows what that means, to talk to the nginx. And as you can see, there is the website. And the first time I executed the command, I couldn't quite believe it, because it was so fast, and I thought I made a mistake or something. So just to verify to all of you, I'll be enabling trace logging. And then we see that we have a bunch of communication happening with the TPM.
So we actually are using the TPM to do client-side authentication to the server. Thanks. Next thing.

So first of all, why I'm doing this. I'm, of course, doing this to scratch my own interests. So I want to be using TPMs at home, maybe for like simple bash-script-based stuff. And whenever you're doing a bash script, you don't want to put your passwords in there, because when you push them to GitHub, other people will download them and use your passwords. Yes. So that's another advantage of these. And the second thing I want to be doing at home: I have some web server facing the Internet. That's basically a reverse proxy on nginx that forwards stuff to [unintelligible] and OctoPrint and whatnot. And I want to enable this thing to store its credentials safely and securely as well, so that the next Heartbleed doesn't ruin everything for me.
And for nginx it's actually pretty simple to do that. If we look into the sites-enabled here, it's basically just the default site. We see that we had to paste in the SSL certificate, and under the SSL certificate key you can use this keyword 'engine'. So hopefully you never store your key in a file called 'engine', because that's gonna be a problem. And we point to the tpm2tss engine. And because of some hideous bug in nginx that people on the nginx forum have been talking about but didn't find a good solution to fix, we also have to specify the engine a second time over here. So once we have all of that, we can just... restart. We can just restart nginx, and this time we're gonna turn it around, so I'm gonna go ahead and take my trusty web browser on the host system, try to connect to that thing, and... Yeah.
Because it's a self-signed certificate, of course, we don't trust it right away. But we just used the TPM in order to authenticate that connection from the server side as well. So we've got both sides that we can now start scripting. Go. Go.

All right, so that's the easiest way to get started when you're trying to integrate TPMs into any of your daily bash routines or whatnot. The next, a little more complex, way to do things is PKCS#11. So PKCS#11 is this standardized API by OASIS that is what Firefox uses in order to talk to smart cards, for example. And of course we're also working on, or this community is also working on, something for that. We even have a maintainer sitting here in the room, calling you out there. All right.
And we're currently in the 1.0 RC0 phase for this thing, which is also the reason why there is some weirdness: the setup tools don't install whenever you call make install. So if you're trying to rerun this stuff from home based on these slides, note that this is a path into the checked-out git repository for the tpm2-pkcs11 tool. And the only thing that actually gets installed is the library, the PKCS#11 library that's later on used. So anyways, we're taking these few commands here, and basically what we're doing is we're initializing... first of all, we're setting some Python path stuff and stuff like that. We're pointing to storing the database under home. We're initializing the database, adding a token, which is basically creating a new smart card out of nothing, and then we're adding a key. All right. Let's see, is that running as well? Looks good.
And there we have it. We just generated the smartcard with this random whatnot smart card ID that you don't really have to care about. Well, what the cool thing is about this, and why I'm actually going into this problem, is I want to use that in order to authenticate to SSH, because... I don't know how many of you are using SSH client authentication using public keys. That's basically almost everyone. That's cool. Hacker congress. So, and who of you is not protecting their key with a password, but using an empty password for that? All right. For all of you, this might be interesting.

So what we're gonna do is we're gonna call ssh-keygen, and what it is going to be doing is it's gonna just generate an SSH key, and you're probably all seeing this. So I'm going ahead and copying this and going into my host machine. And here I'm gonna edit the authorized_keys and I'll add this key.
514
00:18:36,590 --> 00:18:37,590
That's all.

515
00:18:39,020 --> 00:18:41,159
And going back to the virtual machine.

516
00:18:41,160 --> 00:18:42,160
Oh yeah.

517
00:18:43,640 --> 00:18:45,199
Virtual desktop inside of a virtual

518
00:18:45,200 --> 00:18:46,200
desktop.

519
00:18:47,650 --> 00:18:48,650
I put on my right.

520
00:18:51,040 --> 00:18:53,519
All right. And then we can log in using

521
00:18:53,520 --> 00:18:55,039
SSH.

522
00:18:55,040 --> 00:18:56,040
And

523
00:18:57,700 --> 00:18:59,179
this should also be working now.

524
00:18:59,180 --> 00:19:01,009
And here we're asked for the PIN for the

525
00:19:01,010 --> 00:19:03,199
smart card that I originally called

526
00:19:03,200 --> 00:19:05,449
label, which probably can find

527
00:19:05,450 --> 00:19:06,450
a better name for that.

528
00:19:08,540 --> 00:19:09,749
And now I'm in.

529
00:19:09,750 --> 00:19:10,750
So it's working as well.

530
00:19:17,390 --> 00:19:19,729
But to make things even cooler,

531
00:19:19,730 --> 00:19:21,589
what else do we use SSH for?

532
00:19:21,590 --> 00:19:23,689
Well, we use it, or at least I use

533
00:19:23,690 --> 00:19:24,649
it,

534
00:19:24,650 --> 00:19:27,319
for git together with SSH.

535
00:19:27,320 --> 00:19:29,509
So we'll go ahead, take

536
00:19:29,510 --> 00:19:32,749
this key again and

537
00:19:32,750 --> 00:19:34,549
we're gonna head over to GitHub.

538
00:19:34,550 --> 00:19:35,929
And this is my GitHub account.

539
00:19:38,030 --> 00:19:39,079
Now it gets interesting.

540
00:19:43,560 --> 00:19:46,169
So I'm adding this as a turkey.

541
00:19:46,170 --> 00:19:48,119
And yes, I'm storing passwords.

542
00:19:52,110 --> 00:19:53,609
They don't have climbed out and declined

543
00:19:53,610 --> 00:19:55,280
cert authentication with us for that.
544
00:19:57,840 --> 00:19:59,219
So the thing we're doing here is

545
00:19:59,220 --> 00:20:02,009
basically I'm creating this

546
00:20:02,010 --> 00:20:04,039
awesome shell script that contains an

547
00:20:04,040 --> 00:20:05,829
SSH invocation with the

548
00:20:05,830 --> 00:20:08,069
PKCS#11 library and

549
00:20:08,070 --> 00:20:10,219
then we're exporting that under the

550
00:20:10,220 --> 00:20:11,639
GIT_SSH environment

551
00:20:11,640 --> 00:20:13,709
variable, which means that instead of

552
00:20:13,710 --> 00:20:14,710
ssh,

553
00:20:15,850 --> 00:20:18,149
git is just gonna be calling our new

554
00:20:18,150 --> 00:20:19,709
SSH thing.

555
00:20:19,710 --> 00:20:21,929
And this then translates to

556
00:20:24,140 --> 00:20:26,279
invoking the PKCS#11

557
00:20:26,280 --> 00:20:27,280
provider.

558
00:20:27,870 --> 00:20:28,870
So

559
00:20:30,240 --> 00:20:31,240
let's go ahead and clone.

560
00:20:32,850 --> 00:20:35,109
And here we have the TPM

561
00:20:35,110 --> 00:20:36,839
invocation again.

562
00:20:36,840 --> 00:20:38,789
And a lot more TPM invocation.

563
00:20:38,790 --> 00:20:40,199
And we are.

564
00:20:40,200 --> 00:20:42,419
And we can now even go ahead

565
00:20:42,420 --> 00:20:43,859
and check out the branch.

566
00:20:43,860 --> 00:20:45,689
I think I've used this in my tests.

567
00:20:45,690 --> 00:20:47,759
I'm just gonna call it

568
00:20:47,760 --> 00:20:48,760
now.

569
00:20:50,420 --> 00:20:51,420
No.

570
00:20:52,650 --> 00:20:53,650
Of course.

571
00:20:58,130 --> 00:20:59,240
Check out the new branch.

572
00:21:00,320 --> 00:21:02,099
Good. Push origin.

573
00:21:10,960 --> 00:21:12,859
And it's pushed and you can just go

574
00:21:12,860 --> 00:21:14,749
ahead. Go to my namespace on GitHub and

575
00:21:14,750 --> 00:21:17,239
you should be seeing this awesome TPM

576
00:21:17,240 --> 00:21:19,190
authenticated branch push over there.
577
00:21:26,820 --> 00:21:27,820
All right.

578
00:21:28,110 --> 00:21:29,569
As I said, this is RC0.

579
00:21:29,570 --> 00:21:31,439
Hopefully there's gonna be a few hiccups

580
00:21:31,440 --> 00:21:32,819
and bugs that we're gonna fix before the

581
00:21:32,820 --> 00:21:33,869
final release, but

582
00:21:35,310 --> 00:21:37,649
looks kind of usable, I would say.

583
00:21:37,650 --> 00:21:38,699
All right. Coming to the next thing,

584
00:21:38,700 --> 00:21:40,319
which is highly work in progress.

585
00:21:41,880 --> 00:21:44,009
So basically this

586
00:21:44,010 --> 00:21:45,569
is about BitLocker for Linux.

587
00:21:45,570 --> 00:21:46,709
And I've written this.

588
00:21:46,710 --> 00:21:48,359
I don't know. I think more than a year

589
00:21:48,360 --> 00:21:50,849
ago and there was a merge request

590
00:21:50,850 --> 00:21:52,829
on the cryptsetup upstream and

591
00:21:53,970 --> 00:21:56,099
they were basically re-architecting the

592
00:21:56,100 --> 00:21:58,229
whole thing. But I just thought for

593
00:21:58,230 --> 00:22:00,719
fun and glory that I would bring this

594
00:22:00,720 --> 00:22:03,169
work that I did back in the days.

595
00:22:03,170 --> 00:22:05,399
So what this is doing,

596
00:22:05,400 --> 00:22:07,619
so for LUKS and

597
00:22:07,620 --> 00:22:09,749
cryptsetup, the idea is you have

598
00:22:09,750 --> 00:22:11,219
a volume key that the whole volume is

599
00:22:11,220 --> 00:22:12,899
encrypted with and then you have multiple

600
00:22:12,900 --> 00:22:14,969
key slots that are stored in the LUKS

601
00:22:14,970 --> 00:22:17,219
header of the partition where this

602
00:22:17,220 --> 00:22:19,409
volume key is encrypted, usually

603
00:22:19,410 --> 00:22:21,509
with a key that

604
00:22:21,510 --> 00:22:23,099
is derived from the password you're

605
00:22:23,100 --> 00:22:24,209
entering.
606
00:22:24,210 --> 00:22:26,309
And this then looks like

607
00:22:26,310 --> 00:22:27,929
the thing we see here in the middle where

608
00:22:27,930 --> 00:22:29,669
we have key slot zero of this type and

609
00:22:29,670 --> 00:22:31,769
whatnot. And so what I did back

610
00:22:31,770 --> 00:22:33,779
then was I extended these.

611
00:22:33,780 --> 00:22:34,979
Yeah. This is based on,

612
00:22:34,980 --> 00:22:37,049
so if you're using LUKS, at least in

613
00:22:37,050 --> 00:22:39,199
the new on-disk format that you have to use

614
00:22:39,200 --> 00:22:41,309
on your partition headers, which is

615
00:22:41,310 --> 00:22:42,809
kind of awesome actually to extend,

616
00:22:44,280 --> 00:22:46,619
made my life a lot easier at the time.

617
00:22:46,620 --> 00:22:48,209
So we have there a key slot.

618
00:22:48,210 --> 00:22:50,669
So something like that.

619
00:22:50,670 --> 00:22:52,829
And what we do is we

620
00:22:52,830 --> 00:22:54,929
take the volume key and we use one

621
00:22:54,930 --> 00:22:56,639
of the NV,

622
00:22:56,640 --> 00:22:58,859
nonvolatile memory spaces, and

623
00:22:58,860 --> 00:23:00,659
we just store the volume key directly in

624
00:23:00,660 --> 00:23:02,140
there. And so there's

625
00:23:03,390 --> 00:23:05,339
nothing else we need to do.

626
00:23:05,340 --> 00:23:08,009
And then what we do for the

627
00:23:08,010 --> 00:23:09,689
on-disk format, for the LUKS headers,

628
00:23:09,690 --> 00:23:10,979
we're just storing some metadata.

629
00:23:10,980 --> 00:23:11,980
For example,

630
00:23:13,410 --> 00:23:15,209
what the NV index number is that we

631
00:23:15,210 --> 00:23:16,210
store the stuff under.

632
00:23:17,150 --> 00:23:19,289
All right. So demo time again.

633
00:23:22,400 --> 00:23:23,400
And.

634
00:23:31,140 --> 00:23:33,299
So this is the cryptsetup branch that I

635
00:23:33,300 --> 00:23:36,329
checked out and we'll be

636
00:23:36,330 --> 00:23:37,450
compiling this live.
637
00:23:40,770 --> 00:23:43,319
In the meantime, maybe one more note,

638
00:23:43,320 --> 00:23:45,449
so the operating system I'm running

639
00:23:45,450 --> 00:23:47,039
there in the virtual machine is just a

640
00:23:47,040 --> 00:23:49,019
standard Ubuntu installation.

641
00:23:49,020 --> 00:23:51,329
And I just

642
00:23:51,330 --> 00:23:53,879
chose disk encryption and LVM

643
00:23:53,880 --> 00:23:56,129
during the Ubuntu whatever

644
00:23:56,130 --> 00:23:57,130
setup

645
00:23:57,720 --> 00:23:59,459
wizard and

646
00:24:00,510 --> 00:24:01,799
however, unfortunately, that's still

647
00:24:01,800 --> 00:24:03,989
using the LUKS1 on-disk

648
00:24:03,990 --> 00:24:04,709
format.

649
00:24:04,710 --> 00:24:06,099
So what you have to do from the install

650
00:24:06,100 --> 00:24:07,559
media if you want to do that is you have

651
00:24:07,560 --> 00:24:10,109
to call this cryptsetup convert

652
00:24:10,110 --> 00:24:12,239
that converts the LUKS1 to LUKS2

653
00:24:12,240 --> 00:24:14,879
format header and

654
00:24:14,880 --> 00:24:17,019
then you should be ready to go.

655
00:24:17,020 --> 00:24:19,169
All right. So yeah, we

656
00:24:19,170 --> 00:24:20,699
compiled. We installed.

657
00:24:20,700 --> 00:24:22,069
Now we're updating the initramfs for

658
00:24:22,070 --> 00:24:24,449
us, just replacing

659
00:24:24,450 --> 00:24:25,919
cryptsetup. Who doesn't do that all the

660
00:24:25,920 --> 00:24:26,920
time?

661
00:24:27,750 --> 00:24:29,909
And the next

662
00:24:29,910 --> 00:24:30,869
command we're running.

663
00:24:30,870 --> 00:24:32,579
And you will see that the only difference

664
00:24:32,580 --> 00:24:33,949
in the command is we're adding a dash

665
00:24:33,950 --> 00:24:35,579
dash TPM here, which

666
00:24:37,500 --> 00:24:40,019
causes it to use a TPM

667
00:24:40,020 --> 00:24:41,020
slot for that.

668
00:24:41,940 --> 00:24:44,609
And we're entering an existing password.
669
00:24:46,680 --> 00:24:48,749
We're entering a new password.

670
00:24:48,750 --> 00:24:50,399
And this new password is then used for

671
00:24:50,400 --> 00:24:51,630
the TPM to authenticate.

672
00:24:54,010 --> 00:24:55,010
And

673
00:24:56,370 --> 00:24:58,649
we only have five minutes, so I'll just

674
00:24:58,650 --> 00:24:59,879
skip right ahead.

675
00:24:59,880 --> 00:25:01,079
So this is now all set up.

676
00:25:01,080 --> 00:25:02,849
And on the next reboot, the system is

677
00:25:02,850 --> 00:25:03,850
going to ask me

678
00:25:05,190 --> 00:25:07,569
for the TPM-based password.

679
00:25:07,570 --> 00:25:10,529
And now let's, let's, let's,

680
00:25:10,530 --> 00:25:11,530
let's see at this.

681
00:25:14,520 --> 00:25:16,539
So what we see here is this second key

682
00:25:16,540 --> 00:25:17,910
slot just now of TPM2 type.

683
00:25:19,490 --> 00:25:20,490
All right.

684
00:25:29,350 --> 00:25:31,329
One more thing I want to present for

685
00:25:31,330 --> 00:25:32,589
early boot is integrity

686
00:25:32,590 --> 00:25:34,329
checking. This is based on what mjg59

687
00:25:34,330 --> 00:25:36,809
talked about at the CCC at

688
00:25:36,810 --> 00:25:37,839
32C3.

689
00:25:37,840 --> 00:25:40,419
And this is the link to his

690
00:25:40,420 --> 00:25:43,059
talk. You should definitely go watch it.

691
00:25:43,060 --> 00:25:45,189
So this is about verifying the

692
00:25:45,190 --> 00:25:47,409
integrity of your early boot by

693
00:25:47,410 --> 00:25:49,239
sharing a secret between your TPM and

694
00:25:49,240 --> 00:25:50,349
your smartphone.

695
00:25:50,350 --> 00:25:52,839
And yeah, I'm just.

696
00:25:52,840 --> 00:25:54,159
I just did a reimplementation.

697
00:25:54,160 --> 00:25:55,629
I'm gonna showcase that as well.
698
00:25:55,630 --> 00:25:57,729
So in preparation for that, it's time

699
00:25:57,730 --> 00:25:59,829
for all of you to get

700
00:25:59,830 --> 00:26:02,109
out your smartphones and open your

701
00:26:02,110 --> 00:26:03,700
FreeOTP app or your Google

702
00:26:05,440 --> 00:26:07,359
Google Authenticator so you can verify

703
00:26:07,360 --> 00:26:09,429
that everything works as

704
00:26:09,430 --> 00:26:10,430
intended.

705
00:26:13,240 --> 00:26:14,919
And this one I actually precompiled,

706
00:26:16,360 --> 00:26:17,889
by the way. If there's somebody in the

707
00:26:17,890 --> 00:26:20,029
audience who is good at GTK, GUI

708
00:26:20,030 --> 00:26:22,389
design, please come talk to me after

709
00:26:22,390 --> 00:26:23,889
because that was my attempt at doing

710
00:26:23,890 --> 00:26:25,119
this.

711
00:26:25,120 --> 00:26:27,519
All right. We're gonna be protecting

712
00:26:29,280 --> 00:26:31,649
by binding to PCRs 0

713
00:26:31,650 --> 00:26:33,869
through 7 and this is gonna

714
00:26:33,870 --> 00:26:36,149
basically validate on each boot

715
00:26:36,150 --> 00:26:39,299
that these PCR values

716
00:26:39,300 --> 00:26:41,159
were the same that they are right now

717
00:26:41,160 --> 00:26:43,169
when we are trusting the system.

718
00:26:43,170 --> 00:26:44,849
So that means if you have a kernel update

719
00:26:44,850 --> 00:26:46,589
or you update your initrd

720
00:26:46,590 --> 00:26:48,449
afterwards, there's gonna be different

721
00:26:48,450 --> 00:26:49,739
PCR values.

722
00:26:49,740 --> 00:26:51,209
So you will have to go through this

723
00:26:51,210 --> 00:26:52,139
process again.

724
00:26:52,140 --> 00:26:54,299
So everybody has scanned this hopefully

725
00:26:54,300 --> 00:26:56,369
into their FreeOTP or

726
00:26:56,370 --> 00:26:58,199
Google Authenticator.
727
00:26:58,200 --> 00:27:00,359
Then we can go ahead and we can actually

728
00:27:00,360 --> 00:27:02,549
start rebooting the

729
00:27:02,550 --> 00:27:03,550
system.

730
00:27:06,460 --> 00:27:07,619
And hopefully this works now

731
00:27:09,390 --> 00:27:11,129
because the most complicated part about

732
00:27:11,130 --> 00:27:13,499
all of these demos was actually

733
00:27:13,500 --> 00:27:15,689
mode setting for Plymouth between

734
00:27:15,690 --> 00:27:17,339
GRUB and Plymouth.

735
00:27:17,340 --> 00:27:18,340
Believe it or not.

736
00:27:19,770 --> 00:27:21,419
All right. And there is this number which

737
00:27:21,420 --> 00:27:22,919
is very large and on the screen.

738
00:27:22,920 --> 00:27:25,169
So it was 8 2 8 6 8

739
00:27:25,170 --> 00:27:26,250
8. Was that correct?

740
00:27:27,990 --> 00:27:30,159
Awesome. Applause.

741
00:27:30,160 --> 00:27:32,149
Applause.

742
00:27:32,150 --> 00:27:33,949
And the second thing I'm doing now is

743
00:27:33,950 --> 00:27:36,079
instead of the highly secure

744
00:27:36,080 --> 00:27:38,179
password, Andreas, I'm typing in 1, 2,

745
00:27:38,180 --> 00:27:39,180
3, 4.

746
00:27:39,950 --> 00:27:42,289
You have to believe me, which is the TPM

747
00:27:42,290 --> 00:27:43,290
password.

748
00:27:44,390 --> 00:27:46,699
And it's actually booting through using

749
00:27:46,700 --> 00:27:48,469
the TPM here, which is.

750
00:27:49,820 --> 00:27:51,529
Come on. There it is.

751
00:27:51,530 --> 00:27:52,969
So that also worked with LUKS.

752
00:27:54,260 --> 00:27:55,260
All right.

753
00:27:57,110 --> 00:27:58,519
I hope this gave you some, some

754
00:27:58,520 --> 00:28:00,619
impressions of what you can do with

755
00:28:00,620 --> 00:28:02,959
TPMs today already.

756
00:28:02,960 --> 00:28:04,759
If you want to get started, joining the

757
00:28:04,760 --> 00:28:06,769
effort, joining to hack on stuff.
758
00:28:06,770 --> 00:28:08,449
This website up there is like our

759
00:28:08,450 --> 00:28:10,009
community page.

760
00:28:10,010 --> 00:28:12,169
Well, we have a Gitter

761
00:28:12,170 --> 00:28:13,759
so you can come talk to us.

762
00:28:13,760 --> 00:28:15,439
Talk to me. Talk to the other devs.

763
00:28:17,690 --> 00:28:19,639
You can have a look at those two header

764
00:28:19,640 --> 00:28:21,409
files, which are the most important ones

765
00:28:21,410 --> 00:28:24,079
right now. So the FAPI is rather new.

766
00:28:24,080 --> 00:28:26,299
We just released it or just merged

767
00:28:26,300 --> 00:28:28,259
it into master.

768
00:28:28,260 --> 00:28:30,019
I think one week ago.

769
00:28:30,020 --> 00:28:31,489
So go ahead.

770
00:28:31,490 --> 00:28:33,229
Have a look at that. Test it thoroughly.

771
00:28:34,340 --> 00:28:35,359
Have a look at the

772
00:28:37,520 --> 00:28:39,289
at the tools.

773
00:28:39,290 --> 00:28:41,539
All the tools that start with tpm2

774
00:28:41,540 --> 00:28:43,789
underscore are basically 1-to-1 mirrors

775
00:28:43,790 --> 00:28:46,849
of ESAPI, or use it, and

776
00:28:46,850 --> 00:28:48,919
all tools prefixed tss2

777
00:28:48,920 --> 00:28:52,039
underscore are 1-to-1 FAPI mappings.

778
00:28:52,040 --> 00:28:53,749
And here's one more pro tip.

779
00:28:53,750 --> 00:28:55,939
When you're developing and

780
00:28:55,940 --> 00:28:58,189
something randomly fails all of a sudden,

781
00:28:58,190 --> 00:29:00,499
it usually has to do with TPM resource

782
00:29:00,500 --> 00:29:02,779
exhaustion and this

783
00:29:02,780 --> 00:29:04,989
command down there frees up the TPM and

784
00:29:04,990 --> 00:29:06,649
final RAM again so you can continue

785
00:29:06,650 --> 00:29:07,650
working.

786
00:29:08,210 --> 00:29:09,210
All right.

787
00:29:09,590 --> 00:29:10,590
Thank you.

788
00:29:17,120 --> 00:29:18,379
Thank you.

789
00:29:18,380 --> 00:29:19,449
Thank you.

790
00:29:19,450 --> 00:29:21,919
Yes.
And it's question

791
00:29:21,920 --> 00:29:23,719
time.

792
00:29:23,720 --> 00:29:26,059
We have questions from the Internet

793
00:29:26,060 --> 00:29:29,059
and we ask questions here in Clark.

794
00:29:29,060 --> 00:29:30,060
And

795
00:29:32,280 --> 00:29:33,229
look at it.

796
00:29:33,230 --> 00:29:35,819
You two have the same shirt

797
00:29:35,820 --> 00:29:38,689
and very nice shirt, recent extension.

798
00:29:38,690 --> 00:29:41,359
So maybe we start with

799
00:29:41,360 --> 00:29:42,470
number four, please.

800
00:29:44,330 --> 00:29:46,519
OK, so let's say you

801
00:29:46,520 --> 00:29:49,579
have your encryption keys in the TPM

802
00:29:49,580 --> 00:29:51,589
and your federal government is somehow

803
00:29:51,590 --> 00:29:53,989
influencing the vendor of the TPM.

804
00:29:53,990 --> 00:29:56,059
So there could be maybe some way to

805
00:29:56,060 --> 00:29:57,079
get the encryption keys.

806
00:29:57,080 --> 00:29:58,409
So this is not a good approach.

807
00:29:58,410 --> 00:30:00,659
So it would be nicer to enter your party,

808
00:30:00,660 --> 00:30:02,539
your big fat smart card to get your

809
00:30:02,540 --> 00:30:04,639
keys. And they are XORed with some

810
00:30:04,640 --> 00:30:06,499
other keys that are in the TPM.

811
00:30:06,500 --> 00:30:08,309
And so you need to have both, too.

812
00:30:08,310 --> 00:30:11,149
So it could decrypt your LUKS stuff.

813
00:30:11,150 --> 00:30:13,439
So this should be bait like this.

814
00:30:13,440 --> 00:30:16,009
So you could not that say, uh,

815
00:30:16,010 --> 00:30:18,079
say the person tortured the person

816
00:30:18,080 --> 00:30:20,689
and try to decrypt the

817
00:30:20,690 --> 00:30:22,759
data on another computer because it has a

818
00:30:22,760 --> 00:30:25,039
different TPM profile to secret.
819
00:30:25,040 --> 00:30:27,049
So you should have two-factor

820
00:30:27,050 --> 00:30:29,329
authentication, not having the keys

821
00:30:29,330 --> 00:30:31,520
in the TPM because I would not trust it.

822
00:30:32,630 --> 00:30:34,639
OK. Depending on your paranoia level.

823
00:30:34,640 --> 00:30:36,109
But that's definitely a nice idea.

824
00:30:37,310 --> 00:30:38,310
Thank you.

825
00:30:39,950 --> 00:30:42,139
Only having questions, please.

826
00:30:42,140 --> 00:30:44,159
No comments.

827
00:30:44,160 --> 00:30:46,399
No questions.

828
00:30:46,400 --> 00:30:47,400
That's the rule.

829
00:30:48,890 --> 00:30:49,890
Number two.

830
00:30:50,720 --> 00:30:53,109
I have to use Windows, which is encrypted

831
00:30:53,110 --> 00:30:55,699
with BitLocker and no second partition.

832
00:30:55,700 --> 00:30:57,799
How likely is it to

833
00:30:57,800 --> 00:30:59,899
accidentally destroy any credentials

834
00:30:59,900 --> 00:31:01,969
for BitLocker when working with these

835
00:31:01,970 --> 00:31:02,970
tools?

836
00:31:04,250 --> 00:31:06,019
Well, that highly depends on which tools

837
00:31:06,020 --> 00:31:07,130
you're using for which purpose.

838
00:31:08,480 --> 00:31:11,089
The tools that I used here

839
00:31:11,090 --> 00:31:13,749
and everything that I showed does not

840
00:31:13,750 --> 00:31:16,159
install persistent keys.

841
00:31:16,160 --> 00:31:17,379
I think actually PKCS

842
00:31:17,380 --> 00:31:19,579
#11 is installing a persistent key, so

843
00:31:19,580 --> 00:31:21,769
that drains some of your resources, and

844
00:31:21,770 --> 00:31:23,839
also the cryptsetup stuff and

845
00:31:23,840 --> 00:31:26,449
the TOTP stuff consume some NV space.

846
00:31:26,450 --> 00:31:28,759
And depending on how much of the

847
00:31:28,760 --> 00:31:30,889
TPM's resources Windows wants

848
00:31:30,890 --> 00:31:33,169
to claim for itself, you could run into

849
00:31:33,170 --> 00:31:34,519
a resource exhaustion there.
850
00:31:35,870 --> 00:31:37,969
But other than that, there's there is no

851
00:31:37,970 --> 00:31:40,039
keys that these tools or the demos

852
00:31:40,040 --> 00:31:41,869
I showed would be deleting.

853
00:31:41,870 --> 00:31:43,999
So you can just go ahead and use

854
00:31:44,000 --> 00:31:45,000
those.

855
00:31:47,000 --> 00:31:48,000
Okay. Thank you.

856
00:31:49,070 --> 00:31:50,719
Maybe we'll have a question from the

857
00:31:50,720 --> 00:31:52,230
Internet. Yes. Signal angel.

858
00:31:53,960 --> 00:31:56,109
Yeah. Other hardware tokens like YubiKey,

859
00:31:56,110 --> 00:31:57,829
for example, they might have a

860
00:31:57,830 --> 00:31:59,989
button that you need to press in order

861
00:31:59,990 --> 00:32:02,119
to have some kind of proof of presence

862
00:32:02,120 --> 00:32:04,189
so that software cannot use it in the

863
00:32:04,190 --> 00:32:06,339
background without you knowing it.

864
00:32:06,340 --> 00:32:07,660
How to do that with the TPM?

865
00:32:09,470 --> 00:32:10,470
Currently not.

866
00:32:11,390 --> 00:32:13,609
But I am hoping or I have been hoping

867
00:32:13,610 --> 00:32:15,769
for a TPM with an embedded LCD

868
00:32:15,770 --> 00:32:17,059
for 10 years now.

869
00:32:18,320 --> 00:32:20,299
More, well, more likely.

870
00:32:20,300 --> 00:32:22,149
Maybe we'll see some GPIO

871
00:32:22,150 --> 00:32:24,109
enabled TPM at some point in the

872
00:32:24,110 --> 00:32:25,099
future.

873
00:32:25,100 --> 00:32:26,569
And depending on what we can do with

874
00:32:26,570 --> 00:32:28,939
those, we might be able to include this

875
00:32:28,940 --> 00:32:31,069
or similar features

876
00:32:31,070 --> 00:32:32,089
in there.

877
00:32:32,090 --> 00:32:34,489
But so far I think

878
00:32:34,490 --> 00:32:36,259
there's only been research prototypes.

879
00:32:36,260 --> 00:32:38,729
I have once implemented a TPM on a

880
00:32:38,730 --> 00:32:40,190
Cortex.
I'm sorry myself

881
00:32:41,420 --> 00:32:42,949
in order to demonstrate the

882
00:32:42,950 --> 00:32:45,079
usefulness of GPIO coming right out

883
00:32:45,080 --> 00:32:46,099
of the TPM.

884
00:32:46,100 --> 00:32:47,959
But that would need to be developed first.

885
00:32:50,150 --> 00:32:51,929
Okay. Thank you.

886
00:32:51,930 --> 00:32:54,029
And number five, please.

887
00:32:54,030 --> 00:32:55,030
Yeah. Hi.

888
00:32:55,460 --> 00:32:56,509
Can you implement?

889
00:32:56,510 --> 00:32:58,749
Did you ever sort of second factor

890
00:32:58,750 --> 00:33:00,919
or if you do two and

891
00:33:00,920 --> 00:33:02,990
half years. Do you plan to do it?

892
00:33:05,900 --> 00:33:08,209
Yes and no. You can

893
00:33:08,210 --> 00:33:10,759
implement parts of FIDO

894
00:33:10,760 --> 00:33:12,589
using a TPM, which is the basic crypto

895
00:33:12,590 --> 00:33:14,899
operation. However, FIDO also includes

896
00:33:14,900 --> 00:33:17,179
custom data formats that are usually

897
00:33:17,180 --> 00:33:18,980
also handled in the FIDO token

898
00:33:20,120 --> 00:33:22,729
where you have some counters

899
00:33:22,730 --> 00:33:24,259
that you're incrementing, something like

900
00:33:24,260 --> 00:33:26,599
that, which the TPM does not store

901
00:33:26,600 --> 00:33:28,399
internally because the TPM doesn't know

902
00:33:28,400 --> 00:33:30,109
about FIDO data structures and vice

903
00:33:30,110 --> 00:33:31,339
versa.

904
00:33:31,340 --> 00:33:33,169
However, for FIDO2, I think there was

905
00:33:33,170 --> 00:33:36,079
this TPM attestation

906
00:33:36,080 --> 00:33:38,209
mode, but that

907
00:33:38,210 --> 00:33:40,249
would need to be implemented by someone.

908
00:33:40,250 --> 00:33:42,619
So if you want to start

909
00:33:42,620 --> 00:33:44,719
working on that, please come talk to

910
00:33:44,720 --> 00:33:46,849
me or I'll gladly

911
00:33:46,850 --> 00:33:47,850
be of help.
912
00:33:49,520 --> 00:33:50,869
So there's a lot to do.

913
00:33:50,870 --> 00:33:53,179
And yes.

914
00:33:53,180 --> 00:33:55,219
So if any of you are searching for

915
00:33:55,220 --> 00:33:57,319
something to do, you can just

916
00:33:57,320 --> 00:33:59,479
go ahead and look at this

917
00:33:59,480 --> 00:34:00,949
github.io community page.

918
00:34:00,950 --> 00:34:03,349
If you go to the software

919
00:34:03,350 --> 00:34:05,719
tab at the top and you scroll down,

920
00:34:05,720 --> 00:34:07,579
there is a list of programs.

921
00:34:07,580 --> 00:34:09,379
So we start with programs that already

922
00:34:09,380 --> 00:34:11,269
have TPM support, then we have an

923
00:34:11,270 --> 00:34:13,698
even longer list of programs that we wish

924
00:34:13,699 --> 00:34:15,049
had TPM support.

925
00:34:15,050 --> 00:34:17,519
So. There's also other things like

926
00:34:17,520 --> 00:34:19,638
vibe off and or what, crypto okay,

927
00:34:19,639 --> 00:34:21,499
I or what not?

928
00:34:21,500 --> 00:34:23,569
Well, I would love to see more TPM

929
00:34:23,570 --> 00:34:25,979
support or even as simple as GPG.

930
00:34:27,120 --> 00:34:29,899
Yeah, okay.

931
00:34:29,900 --> 00:34:31,529
Number two, please.

932
00:34:31,530 --> 00:34:33,738
I mean, how many

933
00:34:33,739 --> 00:34:35,988
different keys or smart

934
00:34:35,989 --> 00:34:38,029
cards can you store in a TPM?

935
00:34:38,030 --> 00:34:40,279
Is it just one or can you save more

936
00:34:40,280 --> 00:34:41,280
in there?

937
00:34:41,600 --> 00:34:43,999
The nice thing is that the

938
00:34:44,000 --> 00:34:46,069
principal concept of a TPM is that the

939
00:34:46,070 --> 00:34:48,019
TPM stores only very few keys.

940
00:34:49,310 --> 00:34:51,408
Usually it's just one in this case,

941
00:34:51,409 --> 00:34:53,359
and all the other keys are then encrypted

942
00:34:53,360 --> 00:34:55,428
with this key and stored on disk, on

943
00:34:55,429 --> 00:34:57,659
hard disk.
So with the PKCS

944
00:34:57,660 --> 00:34:59,269
#11 that we have here,

945
00:34:59,270 --> 00:35:01,339
you can have as many keys as

946
00:35:01,340 --> 00:35:03,409
you have hard disk space available

947
00:35:03,410 --> 00:35:05,459
or as many keys as SQLite

948
00:35:05,460 --> 00:35:07,229
will allow you to store in a

949
00:35:07,230 --> 00:35:08,959
database with reasonable search terms.

950
00:35:08,960 --> 00:35:11,089
I would say. Thank

951
00:35:11,090 --> 00:35:12,090
you.

952
00:35:12,350 --> 00:35:13,689
Number four, please.

953
00:35:13,690 --> 00:35:16,219
Hi. Thank you for the presentation.

954
00:35:16,220 --> 00:35:18,379
I have a question related to

955
00:35:18,380 --> 00:35:19,999
kernel upgrades.

956
00:35:20,000 --> 00:35:22,129
If I upgrade my kernel,

957
00:35:22,130 --> 00:35:24,049
is there a way I can measure what the

958
00:35:24,050 --> 00:35:26,419
kernel will be

959
00:35:26,420 --> 00:35:28,739
on the next boot and tell my

960
00:35:28,740 --> 00:35:30,889
TPM to just reseal the

961
00:35:30,890 --> 00:35:33,139
currently sealed keys with

962
00:35:33,140 --> 00:35:35,239
the future PCR values that

963
00:35:35,240 --> 00:35:37,489
it should expect on the next boot?

964
00:35:37,490 --> 00:35:39,019
In theory, absolutely.

965
00:35:39,020 --> 00:35:41,569
Yes, that's totally simple.

966
00:35:41,570 --> 00:35:43,249
So a researcher will tell you this is not

967
00:35:43,250 --> 00:35:44,269
a challenge.

968
00:35:44,270 --> 00:35:45,949
The engineer is gonna tell you, well,

969
00:35:45,950 --> 00:35:47,689
this was kind of a problem.

970
00:35:47,690 --> 00:35:50,089
And the problem

971
00:35:50,090 --> 00:35:51,709
is that you somehow need to know the

972
00:35:51,710 --> 00:35:54,169
reference values beforehand

973
00:35:54,170 --> 00:35:55,669
and then you have to recalculate the

974
00:35:55,670 --> 00:35:57,229
whole measurement chain that went into

975
00:35:57,230 --> 00:35:59,329
that.
And so this is a

976
00:35:59,330 --> 00:36:00,710
question of reference,

977
00:36:02,090 --> 00:36:03,469
reference integrity measurement

978
00:36:03,470 --> 00:36:05,809
distribution, that there was

979
00:36:05,810 --> 00:36:07,339
also a track at the Linux Plumbers

980
00:36:07,340 --> 00:36:09,229
conference tackling this problem.

981
00:36:09,230 --> 00:36:11,899
So this is mainly an infrastructure

982
00:36:11,900 --> 00:36:14,119
problem rather

983
00:36:14,120 --> 00:36:16,249
than an actual problem of

984
00:36:16,250 --> 00:36:18,319
the TPM or

985
00:36:18,320 --> 00:36:19,610
the TPM-based software.

986
00:36:21,000 --> 00:36:22,189
Okay. Thank you.

987
00:36:22,190 --> 00:36:23,619
So we just have one more minute.

988
00:36:23,620 --> 00:36:25,189
I'm very sorry. We can't take any

989
00:36:25,190 --> 00:36:27,379
more questions in the room, but I'll have

990
00:36:27,380 --> 00:36:29,869
one last question from the Internet.

991
00:36:29,870 --> 00:36:32,089
Yeah. If I don't trust the TPM in my

992
00:36:32,090 --> 00:36:34,009
machine, can I just solder in a

993
00:36:34,010 --> 00:36:35,719
different one from a more trustworthy

994
00:36:35,720 --> 00:36:37,489
vendor? Are they compatible in that

995
00:36:37,490 --> 00:36:38,490
sense?

996
00:36:39,730 --> 00:36:41,269
Yes. As far as I know, they have a

997
00:36:41,270 --> 00:36:43,469
compatible pinout and a compatible

998
00:36:43,470 --> 00:36:44,479
SPI protocol.

999
00:36:44,480 --> 00:36:46,549
And that's the nice thing

1000
00:36:46,550 --> 00:36:48,709
about standardization, is that they

1001
00:36:48,710 --> 00:36:49,710
are compatible.

1002
00:36:50,930 --> 00:36:52,189
So sure.

1003
00:36:52,190 --> 00:36:53,190
Go ahead.

1004
00:36:53,750 --> 00:36:56,409
Except for maybe Intel PTT

1005
00:36:56,410 --> 00:36:58,579
fTPMs. Those run in the management

1006
00:36:58,580 --> 00:36:59,580
engine.
1007
00:37:00,050 --> 00:37:02,359
Those of course, if you solder those out,

1008
00:37:02,360 --> 00:37:04,100
you won't have any I/O anymore.

1009
00:37:06,230 --> 00:37:08,209
Okay. Thank you so much.

1010
00:37:08,210 --> 00:37:10,099
If you want to get in touch with Andreas,

1011
00:37:10,100 --> 00:37:11,209
go to the website.

1012
00:37:11,210 --> 00:37:12,769
You've seen it before.

1013
00:37:12,770 --> 00:37:14,989
And thank you for now.

1014
00:37:14,990 --> 00:37:17,119
And maybe another applause for one.

1015
00:37:18,340 --> 00:37:19,340
I.