< Home

GSoC 21: GNOME/libsecret project update

8 9 2021

I have a plenty of stuff to talk about. But, first let's talk about my GSoC project update.

Project update:

As of now I'm two weeks away from GSoC final project evaluation deadline (August 23rd). So, I'm a bit late for the project update blog post. A quick reminder, my project is to integrate Trusted platform module (TPM) support into GNOME/libsecret. I'm happy to report that 95% of the work are completed and integration is the only part that remains.

Recently, I gave my very first talk regarding the very same topic; libsecret project update. You can find it from here. As well as the slides from here if you're interested.

My work is focused on libsecret's local storage (file-backend). Which is a new feature that allows a user to store secrets in a file. Current libsecret file-backend design support two options to encrypt the secrets/passwords inside the file database (a file). Option one is only for test purposes. And option two is using the user's login password to encrypt the file database. This design has a single point of failure. If the user's login password get compromised, then the contents of the file database get compromised too. This situation could be improved if the password is protected by hardware. So, that's when a TPM comes into play. A TPM is a physical hardware security module that performs everyday cryptographic needs. To simply put, my work is to add a third option to libsecret's file-backend design that adds TPM support. With this in place, if an attacker needs to get hold of your secrets, then they must have physical access to your computer system. In most cases this an impossible situation.

There are three APIs (API levels based on the abstraction) to work with a TPM. For our specific needs, we have decided to work with the TSS Enhanced System API (ESAPI).

The following is the proposed public API,

EggTpm2Context *egg_tpm2_initialize               (GError **);
void           egg_tpm2_finalize                  (EggTpm2Context *);
GBytes         *egg_tpm2_generate_master_password (EggTpm2Context *,
                                                   GError **);
GBytes         *egg_tpm2_decrypt_master_password  (EggTpm2Context *,
                                                   GBytes *,
                                                   GError **);             

Don't worry about egg_ prefix. It means the API and its implementations are in the incubation area. A place where newest/proposed features get included until they become a part of the official libsecret API or other GNOME libraries. Folks who have access to a TPM can test out these new changes by building from the source.

Lessons learned:

In my early days of the internship, I have struggled a lot. Due to lack of TPM learning and API resources. I was at a stage where I couldn't even write a single line of code for days. That's when my mentors suggested to work on a toy project. It was a huge success. So, when you're stuck with a complicated project, work on a minimal toy project.

Always work with a design doc (a simple diagram). A design doc is a simple diagram that showcase what needs to implemented. It doesn't have to be long or a fancy one. Just include enough information to get started and update as you move forward.

Apart from programming language proficiency. Git proficiency is a must. A lot of day to day programming related stress could be avoided if you're proficient in Git. So, learn Git thoroughly.

Remember to include your contact information in your presentation slides.

Stay tuned for my last GSoC blog post.