Does openBmc support chain of trust for secure booting? - openbmc

I am using AST2600 which supports HW root of trust to verify u-boot-spl.bin. I'd like to know if I can configure openBMC to build a secure u-boot-spl.bin image that will verify u-boot.bin, which will in turn verify kernel image.

Related

what the solution Creating project app .. -flutter

I don't know, I try
This is because your system has an internet connection protected with an invalid or self-signed certificate.
Easy solution - check your system time, maybe wrong date.
If not, and you are using Windows, check if your system has a self-signed certificate. You can try to install valid SSL root certificates (if it has) or use the parameter DART_VM_OPTIONS=--root-certs-file=<your_cert>
On Linux, certs can also be outdated; fresh certificates are usually in the system repo, so just update your system.
Lastly, check your internet connection - if you are using some type of proxy or firewall (or antivirus with a built-in firewall) you can face this error.
Try to connect to the internet directly or with a different provider.

How to use application's client certificate with Charles?

Trying to investigate private APIs on apps installed on my Android, I've noticed most modern apps use custom client certificate meaning with the trusted root certificate installed on the Android, Charles still cannot monitor the traffic because the server would reject the handshake from Charles. I imagine either I will need a different tool for the traffic monitoring or I will need to direct Charles to use some custom certificate file embedded in the app itself.
You need that certificate file at hand (I don't know if and how you can extract it from application).
You also need to know the passphrase (password) for that certificate. Charles will ask it when you connect to selected host for 1st time.
Then just use latest Charles (tested on version 4.2.1) menu Proxy -> SSL Proxying Settings, tab Client Certificates and add certificate (PKCS#12 key file) for selected host and port.

Charles iphone proxy

I am trying to sniff traffic from some of my apps on the iPhone.
I have Charles installed, and I have installed the certificate on the iPhone as instructed in Charles (and I enabled the certificate on the iPhone) and changed the proxy to direct traffic from the iPhone to my computer through Charles.
Everything works, I am getting traffic from the phone inside Charles.
My problem is, all HTTPS calls are failing for me. If I enable SSL proxy on a certain domain (let's take *.facebook.com for example) all requests give me a Failure SSL: Unrecognized SSL message, plaintext connection?.
It does not matter which app or which connection I try, I get the same error.
Can anyone help me?
Starting from iOS 10.3, SSL trust has to be turned on manually for manually installed certificate profiles in iOS, so go to Settings > General > About > Certificate Trust Settings. Under Enable full trust for root certificates, turn on trust for the certificate.
Here is the link to Apple documentation

Ansible winrm_server_cert_validation HTTPS security

I am using Ansible on a Linux computer connecting to a Windows 8.1 Embedded computer. It's able to connect with username and password over the HTTPS port 5986, but I need to specify the option:
ansible_winrm_server_cert_validation=ignore
The ansible documentation specifies:
The following is necessary for Python 2.7.9+ (or any older Python that
has backported SSLContext, eg, Python 2.7.5 on RHEL7) when using
default WinRM self-signed certificates:
The Windows computer has an SSL listener that was configured with self-signed certificates from the PowerShell script:
https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1
My question is: if I'm ignoring server cert validation, does that compromise the encryption that HTTPS is supposed to provide? Or is server cert validation just a separate process of HTTPS?
Thanks
Yes, if you ignore certificate validation as recommended in the default Ansible config for WinRM, your connection is not secure - someone can spoof the target server using a man in the middle (MITM) attack on the HTTPS connection. (There should really be a security warning in the Ansible docs.)
The best alternative seems to be NTLM/Negotiate authentication, instead of HTTPS, removing the need for an SSL certificate. Your Ansible control machine will need to be able to authenticate over NTLM as a Windows user, just like using an SMB file share.
You will need pywinrm 0.2.0 or higher for NTLM/Negotiate support.
Useful links
Why NTLM/Negotiate for WinRM - background on why it's good to avoid the complex setup to install SSL certificates by using NTLM (Ruby based but still useful)
Example Ansible setup for NTLM
More complete Ansible setup including NTLM
Certificate validation is a separate process from encryption. The communication will be encrypted. You can read more on the issues with self-signed certificates but the high level is you remove any way for Ansible to validate who exactly is on the other side of the connection and open yourself to a man in the middle attack that HTTPS usually protects you from.
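
An added example, not part of the original answers or of Ansible: a small audit that lists the hosts in an INI inventory whose effective `ansible_winrm_server_cert_validation` is `ignore`, the setting both answers describe as leaving the connection open to MITM. The host names, addresses and CA path are constructed, and the parser is a simplification that handles only host lines and `[group:vars]` sections.

```python
import shlex

# Constructed sample inventory (INI format); host names and paths are made up.
SAMPLE_INVENTORY = """\
[windows]
kiosk01 ansible_host=192.0.2.10 ansible_winrm_server_cert_validation=ignore
kiosk02 ansible_host=192.0.2.11 ansible_winrm_ca_trust_path=/etc/ansible/winrm-ca.pem
kiosk03 ansible_host=192.0.2.12

[windows:vars]
ansible_connection=winrm
ansible_port=5986
ansible_winrm_server_cert_validation=validate

[lab]
lab01 ansible_host=192.0.2.20

[lab:vars]
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore
"""

KEY = "ansible_winrm_server_cert_validation"

def parse_inventory(text):
    """Return {host: effective_vars}; host vars override group vars."""
    hosts, group_vars, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section and section.endswith(":vars"):
            k, _, v = line.partition("=")
            group_vars.setdefault(section[:-5], {})[k.strip()] = v.strip()
        else:
            name, *pairs = shlex.split(line)
            hosts[name] = (section, dict(p.split("=", 1) for p in pairs))
    return {h: {**group_vars.get(g, {}), **hv} for h, (g, hv) in hosts.items()}

def unvalidated_hosts(text):
    """Hosts whose effective setting disables WinRM server certificate validation."""
    return sorted(h for h, v in parse_inventory(text).items() if v.get(KEY) == "ignore")

if __name__ == "__main__":
    for host in unvalidated_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {KEY}=ignore (server identity is not checked)")
```

In the sample, kiosk01 is flagged because its host-level `ignore` overrides the group's `validate`, and lab01 is flagged because it inherits `ignore` from its group.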

Perl LWP SSL connection: certificate verify fails

My application requires LWP under SSL, but I can't seem to get it to connect properly without receiving an error.
certificate verify failed)LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at C:/Perl/site/lib/LWP/Protocol/http.pm line 51.
Whenever I load up the website in Firefox on my server, I receive
This connection is untrusted (Technical error: sec_error_unknown_issuer)
Whenever I load it up in Chrome, it verifies absolutely fine.
I can load the page up in Firefox and Chrome on my computer and receive no SSL verification errors at all.
I have no clue what is different between my PC and my server; they're both using the exact same Firefox versions so I'm not sure why it wouldn't verify properly on there.
I've tried workarounds by putting in $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0 in the Perl script but it seems to throw the same exact error still.
This is the script I'm using to test HTTPS
Does anyone know any solution to this or any workaround?
I've tried workarounds by putting in $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0
As the name of the option implies it cares only about disabling the check of the hostname against the certificate. It does not disable the validation of the certificate chain.
Whenever I load up the website in Firefox on my server, I receive ...
Since you get validation errors with Firefox and LWP but not with Chrome, Chrome probably has an additional CA as trusted which the others don't have.
From your code it looks like that you are using Windows and from my understanding Firefox comes with its own CA store, LWP uses Mozilla::CA (which contains the CAs usually shipped with Firefox) but Chrome uses the system CA store. Thus there is probably a CA in the system store which Firefox and LWP don't know about.
While it might be that there is some special esoteric CA which is known to the default Windows CA store but not to Firefox, it is more likely that you are behind some SSL inspecting firewall and that the administrators added the necessary proxy certificate to Windows CA store but not to Firefox or LWP's store. I would suggest you check the certificate chain inside the Chrome browser and look at the top (builtin) certificate.
If you consider the CA trusted you might export it and import it into Firefox. You might also make LWP use this CA by saving it in PEM format and then set the PERL_LWP_SSL_CA_PATH environment variable to point to the saved file or use the SSL_ca_path option in the ssl_opts setting to make LWP use this CA certificate for validation.
If this explanation does not lead to a solution, please provide more details about the target URL you are trying to access and the network setup you have, especially if there is an SSL intercepting proxy or firewall. Please also provide information about the version of LWP you are using, because a lot changed with version 6.