8 19 2021
This is my last GSoC blog post. And the purpose of writing this blog post is to share the work I have completed during the past 10 weeks of Google Summer of Code 2021.
The current implementation of libsecret's file backend uses an encryption key derived from the user's login password. Security wise this not an ideal situation. Because, the entire security of the file backend relies on the user's login password (single point of failure). This situation can be improved if the keys are protected/generated by hardware. A Trusted Platform Module (TPM) is a cryptographic hardware security module (a microcontroller) that's present on modern consumer notebooks. The proposed work involves extending current libsecret file backend design to work with a TPM.
GSoC project status: Completed
.
Main repository: https://gitlab.gnome.org/GNOME/libsecret/
Read-only mirror: https://github.com/GNOME/libsecret
Project update talk: https://youtu.be/DjmL5YbcPEQ?t=6178
Slides: {static}/slides/libsecret-project-update-by-Dhanuka.pdf
Toy project: https://github.com/dnuka/tpmsecret
Merge Requests list: https://gitlab.gnome.org/GNOME/libsecret/-/merge_requests?scope=all&state=merged&author_username=dhanuka
Blog posts:
The following section summarize all of the merge requests I have created. You can find more information on them using the attached links.
merged:
Enable TPM emulator in CI
This is my very first merge request directly related to the GSoC project. This enables the TPM emulator inside the CI environment. This is required for testing purposes.
merged:
Add --allow-root flag to tpm2-abrmd CI script
Related to the above merge request. This fixes an issue related to the TPM emulator execution inside the CI.
merged:
Add TPM2 API and its implementations to egg
This is my most import work during the GSoC. This merge request defines the public TPM2 API for libsecret and adds its implementations to the incubation area (\egg directory). You can read more about this from my project update blog post.
merged:
TPM2: Fix primary key generation in decrypting
During the integration task we have discovered a bug related to primary key generation when there is no primary key present. So, this MR fixes that issue.
merged:
Add TPM2 integration to secret file backend
This is the integration task. This merge request uses the newly define TPM2 API to extend the libsecret's file backend to use an encryption key derived from a TPM.
merged:
Fix deprecated-declaration warnings
This merge request fixes the existing deprecated-declarations
warnings generated during the libsecret build
process.
merged:
Remove autotools config file
This merge request removes a left over autotools
configuration file.
merged:
Enable static analyzer in CI
Enables two static code analyzers: clang-analyzer
and cppcheck
inside the CI environment.
merged:
Fix issues flagged by static analyzers
Related to the above merge request. This merge request fixes the issues flagged by clang-analyzer
, cppcheck
static analyzers.
merged:
Add bash-completion for secret-tool
This merge request adds the bash-completion
to secret-tool
.
merged:
Add meson option to override default bashcompdir
Related to the above merge request. This merge request adds a new meson
option to disable installation of completion files into the system location.
merged:
Trivial Fix: removes a comment
I have many things to say. So, I'll start with the internship experience,
During my internship period I was able to accomplish many things. Completion of the project 11 days before the deadline is at the top. Honestly, I'm not a coding genius or anything. I was able to do this because, of my mentors Daiki Ueno and Anderson Sasaki. They both have dedicated an enormous amount of their time every single day to help with my questions. Yes, every single day. They even helped me to prepare for my very first presentation. As a student from an online peer learning based university (UoPeople) I don't get to learn from a professor/instructor. Talking with my GSoC mentors was the closest professor, student experience I ever had. So, I'm truly grateful for their support and guidance. I couldn't have done any of these without their guidance. Also, I would very much like to thank, upstream TSS developers for helping me out with all things related to TPMs. And thank you GNOME GSoC admins.
As for the things I have learned during the internship,
In my early stage of the internship, I knew nothing about libsecret, computer security, cryptography or TPMs. I just knew some C programming. So, I had to learn everything related to the project while contributing. Very recently I got to learn about C memory issues/memory leaks. Finding memory leaks and fixing them was a fun experience. I don't get why many engineers complains about them everyday on Hacker News :) Also, I got to learn about the aspects of a software engineering job. Like how/when they work and what's their day to day workflow is like, code reviews ... Overall, I think it's more than fair to say that I have learned a great deal of many things from my GSoC internship.
So, If you're a someone who's thinking about applying for the next iteration of GSoC. Go ahead, it will most certainly will make a huge impact on you. I guarantee it.