Hacker News | jakogut's comments

At least for PCR 7, it's well specified and documented how the digest is generated. You can dump the component digests of a PCR using `tpm2_eventlog`, and I've written a tool that can be used to populate the requisite data structures for hashing.

https://github.com/balena-os/tcgtool
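The PCR extend chain the comment above refers to, as an added example that is not part of the original comment and not code from tcgtool: each measured event's digest is folded into the register as `new = H(old || digest)`, so replaying the logged digests reproduces the PCR value. The event dictionaries are constructed sample data whose field names are assumed to mirror what `tpm2_eventlog` prints; the function names are hypothetical.

```python
import hashlib
import hmac


def _digest(data: bytes) -> str:
    """Build a constructed SHA-256 digest for the sample log below."""
    return hashlib.sha256(data).hexdigest()


def _event(pcr: int, event_type: str, label: bytes) -> dict:
    """Constructed event shaped like one tpm2_eventlog entry (assumed field names)."""
    return {
        "PCRIndex": pcr,
        "EventType": event_type,
        "Digests": [{"AlgorithmId": "sha256", "Digest": _digest(label)}],
    }


# Constructed sample log, not taken from a real machine.
SAMPLE_EVENTS = [
    {"PCRIndex": 0, "EventType": "EV_NO_ACTION",
     "Digests": [{"AlgorithmId": "sha256", "Digest": "00" * 32}]},
    _event(7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"constructed: SecureBoot"),
    _event(7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"constructed: db"),
    _event(4, "EV_EFI_BOOT_SERVICES_APPLICATION", b"constructed: bootloader"),
    _event(7, "EV_SEPARATOR", b"constructed: separator"),
    _event(7, "EV_EFI_VARIABLE_AUTHORITY", b"constructed: authority"),
]


def replay_pcr(events, pcr_index: int, alg: str = "sha256") -> str:
    """Replay the logged digests for one PCR and return the resulting value (hex)."""
    size = hashlib.new(alg).digest_size
    value = bytes(size)  # PCRs 0-15 start as all zeros after reset
    for ev in events:
        if ev["PCRIndex"] != pcr_index:
            continue
        if ev["EventType"] == "EV_NO_ACTION":
            continue  # informational events are logged but never extended
        hexdigest = next(
            (d["Digest"] for d in ev["Digests"] if d["AlgorithmId"] == alg), None
        )
        if hexdigest is None:
            raise ValueError(f"event has no digest for bank {alg}")
        raw = bytes.fromhex(hexdigest)
        if len(raw) != size:
            raise ValueError("digest length does not match the bank's hash size")
        # TPM extend: new = H(old || event digest)
        value = hashlib.new(alg, value + raw).digest()
    return value.hex()


def pcr_matches(events, pcr_index: int, expected_hex: str, alg: str = "sha256") -> bool:
    """Compare the replayed value with a PCR value read from the TPM."""
    return hmac.compare_digest(replay_pcr(events, pcr_index, alg), expected_hex.lower())
```

A mismatch between the replayed value and the value read from the TPM means the log is incomplete or altered; a match only says the log is consistent with the register, not that the logged components are trustworthy.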


Your edit is correct. The kernel and initramfs are exploited unmodified to boot a tampered root filesystem, which allows userspace tools to extract data from the TPM, as the PCRs used to protect data like the LUKS passphrase have not changed.

It's quite easy to generate your own signing keys which you use to sign a kernel you've built yourself.

There's always an analog loophole. Even if the OS is unable to access the memory storing the decrypted data, you could always just plug the output of the machine into a capture card and capture the decrypted stream that way.

I suppose some monitors and TVs have "features" to cryptographically handshake with the GPU and ensure a secure link, but at some point the data must be decrypted and decoded to be displayed. This doesn't seem like much more than a speed bump for a motivated individual.


The end goal is DRM all the way to the screen. No capture cards will be allowed.

It's a cat and mouse game, but I wouldn't discount these efforts as a mere speed bump. Screen enforced DRM will make things much harder. A motivated individual with the right tools and hardware hacking know how may be able to jailbreak a screen to record stuff, but that's going to make things out of reach for most people.


It doesn't matter at all how out of reach it is for most people. As long as one kid in Russia can do it, the torrent is available for everyone in the world just as soon.

This has already been shown with videogame DRM like Denuvo. It's so hard to crack that only a handful of people know how, and yet they end up racing each other so eagerly every time a new game comes out that it's usually done in under 24 hours. Unless you can beat "so secure that only a handful of people in the world can crack it" the situation will always be the same.


Denuvo has pulled back into the lead lately; it's taking a very long time for cracks to appear, if they ever do. For example, Dragon's Dogma 2 came out in March and still hasn't been cracked. Avatar: Frontiers of Pandora hasn't been cracked for a full year.


Active player counts:

  Minecraft: ~185,000,000
  World of Warcraft: ~7,250,000
  Dragon's Dogma 2: ~4000

This seems more along the lines of nobody bothers to crack games nobody wants to play.


DD2 is a single player game, those generally don't maintain their active player counts forever. It peaked at 228,285 concurrent (not total) Steam players which are pretty good numbers.


The peak was the release, after which it promptly cratered. It was below half that within a month and below 14k the next month.


This obsession with concurrent player counts, especially for single player games, is just obtuse. It's not actually telling what you want to believe.


Even if we do go by concurrent players, Black Myth Wukong had one of the biggest launches in Steam's history with a peak concurrent of 2.4 million players, and that hasn't been cracked either after five months.


There's only one person releasing cracks for modern Denuvo and their last release was a year ago, and they're crazy.


Apparently the people doing this kind of work have been disproportionately in Eastern Europe and what's going on in Ukraine has so disrupted that part of the world that they currently have bigger problems.

So then you're waiting for either that region to stabilize or demand for cracks to cause people somewhere else to get into the game, and in the interim you effectively have a temporary supply chain issue.

But it's hard to give credit for the ravages of war to the DRM pushers and it's not at all obvious that they've secured any kind of permanent advantage.


Who was cracking Denuvo on a regular basis back in say, 2021, before the war started? Basically no one. So I'm not sure that's true.


There is an ocean of difference between "basically no one" and "actually no one" when you only need one person in the world to do it.


Not quite. The problem is that when you involve hardware, things are exponentially harder. When you tie it with content streaming, it's essentially a losing battle.

Hardware: makes cracking much much harder and out of reach for a lot of people. Even the people that can do it are going to be drastically slowed down due to this.

Streaming: means you can block specific device keys once you know they are compromised (the hacker managed to mod the TV to be able to record from it).


Denuvo is winning, for better or worse. You can see some of the lead times for cracking these games[1][2]. It's, you know, often months+.

[1]: https://www.reddit.com/r/CrackWatch/comments/1hqd4p3/crack_w...

[2]: https://www.reddit.com/r/CrackWatch/comments/ieo7u4/crack_wa...


> This has already been shown with videogame DRM like Denuvo.

No it hasn’t.

> Every time a new game comes out that it’s usually done in under 24 hours

This is not even remotely true and is not based in any kind of reality.


Back in the day when piracy was quite literally just copy and paste it was a very active scene.

But cracking Denuvo takes real skill, and there's no financial reward in it. Back in the 90s bootleg DVDs and CD-ROMs had organised crime making money from it.


Exactly.

Cracking Denuvo as a hobby is not something a sane person would do, and the downsides if caught are higher when one is fully employed.

At least to me, a decade has passed since I left college and had spare time and energy to tackle such projects just for cred.


I took a cursory look at breaking it and it seems rather trivial in retrospect, just annoying at best since you have to rebuild the executable’s imports, relocations and section headers, along with removing the giant bloat sections that they add (seriously, when the main .text section of a game is 4MB, and then their extra obfuscation sections end up being over 250MB, something is ridiculously wrong.)


With how good modern screens are, and how good cameras are (and how easy both are to hack), you could always play back the video and capture the photons through the air.

There was something called Macrovision back in the VHS/DVD days that tried to defeat digital/analog conversion, and I'm sure visual techniques could be devised...

But I imagine someone with a good OLED and a good mirrorless camera (or even a cell phone nowadays) could make a pretty good 4K replication of any media that displays.


Probably would be better to carefully tap into the signal lines to the LCD panel, and record and decode that data to then make a video. However, let's assume that even the cable going to the panel is encrypted and the board on the panel is decrypting it (although I have never messed with a panel like that). It still has to drive the rows and columns of the display, so the data to the column and row drivers is still in the open.

If we were to even assume the column/row driver chips only accepted encrypted data, they still have the individual traces coming out of them. The pitch of the traces is super tiny, but still possible to tap. It would be a massive pain, but still doable.

Although you can get devices that strip the encryption from an HDMI signal these days so it's kinda moot. So it's not exactly something anyone would need to do these days.


Once upon a time, this was how all video-to-film transfers worked.

https://en.m.wikipedia.org/wiki/Kinescope


Also called Telecine (or at least, a very related process), as in: https://en.wikipedia.org/wiki/Telecine_(copying)#Piracy


Especially when you add HDR to the mix, I think it's still extremely difficult to get a high quality screen recording, if only because it's so hard to get the exposure right.


You'd think so, but I've already run into a situation where DRM broke our screen capture for a live talk recording and I simply set up a camera to record the screen.

With a little bit of work (display a few calibration targets and build a quick and dirty LUT to match your display) you can get really convincing results.


It was good enough for the moon landing. The video feed from Apollo 11 was some special format that was specially decoded onto a particular monitor. There was a camera pointed at the screen to rebroadcast the feed globally.


You could record multiple exposures and merge them after the fact

(and I agree the result would likely be subpar, but better than it's ever been at any previous point in time)


Yeah, I guess it really depends on what your standards are. It's certainly getting better but I have trouble imagining anyone would consider this a good solution. At minimum, if this was what pirates had to resort to, then I would think the DRM has done its job, in that it very significantly degraded video quality for the pirates.


Modern dedicated cameras have far more dynamic range than any HDR TV in practice. The movies have to be recorded somehow :)


> The movies have to be recorded somehow :)

I'd imagine they do this via huge (non-consumer level) cameras as well as by professional editors and graders who spend countless hours on the process.

But that doesn't really contradict your point. I don't know. I've never seen a good screen recording but I don't download pirated films so perhaps I've never seen an instance of someone really trying to get it right.


The cameras you can buy used for a couple thousand dollars have essentially the same sensors as huge cinema cameras, if not better in this application assuming you'll take stills.

Professional editors and color graders have to lower the dynamic range, because there is basically nothing that can get as bright as, say, the sun, and because basically no display can sustain peak brightness over the screen, which introduces EOTF transfer curves, reducing the peak brightness and thus dynamic range.

You're right about pirated films, but that's because they're typically recorded in a run of the mill cinema while it's playing, not in controlled conditions in front of a carefully calibrated screen-camera combination taking a photograph of every frame.


My A7C II ($2000-class mirrorless) has a sensor with far more range than any monitor I've ever been able to afford.


Except Cinavia, which worked on audio level, exists: https://en.wikipedia.org/wiki/Cinavia

Although it can only trip on certain devices or media players (mainly Blu-ray players, including PS3 onwards), I did read an idea that suggested Cinavia being placed inside an OS's kernel in a secure enclave to make it system-wide.


This works for me! Nobody needs more than 480i anyhow.


> The end goal is DRM all the way to the screen. No capture cards will be allowed.

Sure, but the closer you get to the eye ball, the bigger the loophole is.

It's not common anymore, but _way_ back in the day, some releases were made *in the projection booth* with a semi-pro camera on a tripod pointed at the screen. (look for old NFO files with `TS` or `TeleSync` in them to get an idea of when this was common-ish)

The analogue loophole will remain open until there's a HDMI to optical nerve technology that we're all forced to get at birth.


> The analogue loophole will remain open until there's a HDMI to optical nerve technology that we're all forced to get at birth.

This is kind of a pointless tangent, but you might not have to go that far. It's probably hard to get a recording of the Apple Vision Pro for instance.


> It's probably hard to get a recording of the Apple Vision Pro for instance.

I hadn't actually thought about that! For 99.995% of my time on this earth, "screen" meant "flat, glass, viewed from some distance". I guess it's time to spend some time thinking about what new ways to exploit the analogue loophole are...

I wonder which part would be harder: designing something to fool the "am I on a head? Where are the eye balls looking?" bits or the optics needed to re-combine the stereo?


Likely not an issue. Convincing consumers to strap a brick to their face has proven to be a persistent challenge, which even Apple has not been able to overcome. However, there is also a nontrivial percentage of the population who medically cannot use VR/AR. This population is large enough that there is a market for "2D Glasses" for removing 3D effects from movies in cinemas. Releasing a title as a VR exclusive means excluding this population from your sales figures entirely.


Yes, this is why I called it "kind of a pointless tangent". :)

However, the reason I think it's only "kind of" pointless... it is in fact true that as far as I know, there is no way to pirate any of the "immersive" TV shows Apple has released. You can't watch them on any other VR headset, or even watch some 2D version on a flat screen.

Which means there are videos out there in the world right now which are immune from the analog loophole, at least as far as I know. It's a very small subset of all the content that has been produced, and it will stay that way, but it does exist.


And no one I know was ever happy about accidentally downloading a telesync release. They were at best a stopgap for the FOMO crowd before a proper dvdrip inevitably took their spot on the trackers. Yes, you can make an actually high quality analog hole rip, but it takes much more effort.


There are many USB capture dongles with chips that ignore DRM, easily available for cheap at popular online stores. Nobody has to go as far as jailbreaking screens.


In this case the piracy model might change into something like the software cracking scene where groups with specialized skills and equipment would be the ones doing the uploading. Regular people wouldn't be able to make copies with a capture card to send to their friends but popular films and shows would definitely still be released by those groups.


Or I just split the raw pixel values from the monitor's T-con board.


I can always just not consume the media. I will never pay for that hot garbage anyhow.

DRM won't make me pay, it'll only take your trash out of my mindspace... which is probably a blessing anyway.


There is no analogue loophole, that's like 15 years behind the curve. Cinavia closed that a long time ago and meant that licensed devices like Bluray players, even TVs, can detect cammed recordings even those cammed in movie theatres.

Of course you can try to play them with hardware that doesn't follow the rules. But there's a finite number of vendors, so that isn't necessarily easy.


I’m confused, you’re saying the TV can tell if someone is pointing a camera at it? That seems highly doubtful.


It doesn't detect the act of recording live, it detects that a piece of media was obtained via recording. So, you can still point a camera at the screen and obtain a video file without any disruption to the original signal. However, that file won't play properly on Cinavia-enabled devices.


Any computer or phone can play it back I’m sure. It’s just an MP4 file. And with Airplay or an HDMI cable your TV can too?


It's not clear to me how widely Cinavia is actually deployed. The Wikipedia article hasn't really been updated in over a decade, and that's where I'm getting my info from.

However, the detection and enforcement can theoretically be done by any device or software that has access to the audio signal. The monitor, the GPU, the playback software, the operating system, etc. could each individually decide not to play the file, making it not work. Some of those can be bypassed in various ways, some can't. But instead of computers, there are smartphones, commercial media players/receivers, and televisions/projectors, which seem the most likely places to target for enforcement, and those would affect most people.

Nevertheless, I do wonder how real this actually is. Again from the decade-old Wikipedia article, it seems like Cinavia was meant to target both recording devices and playback devices. However, the Aurora theater shooting happened not long before the article stopped getting meaningful updates, and I wonder if public safety concerns stalled its deployment. Also, the article mentions that people were finding ways to remove or neuter the signal. I also didn't encounter any problems with what I assume to be protected media (a 4K movie and a 1080p TV show), either recording my screen with my Android phone, nor with playing it back on that phone and with VLC on my Windows computer with an nVidia graphics card.


In practice, only licensed Blu-ray players (hardware and software) implement Cinavia. While there was an idea/fear that an OS can implement Cinavia system-wide, that did not happen (yet).


Depends who makes your computer, phone or TV and the licensing etc. The tech is perfectly capable of stopping that. The device detects the Cinavia watermark and simply silences the audio after a few minutes.

I don't know whether streamers use it but it was widely deployed in the era when movie piracy revolved around making pirated Blurays. For instance the PS3 would silence the audio on a burned Bluray that had a theatre or TV cammed title protected by Cinavia on it.

A lot of this is about catching the fat head though. People who play videos using some hacked up VLC on Linux don't bother the studios, they're long tail and don't make a revenue impact. They're after the ordinary people who want to watch pirated stuff on a regular home cinema system.


Yeah, but pirate groups are getting the original streaming service's compression without re-encoding (so-called "WEB-DL"), even of 4k content. There's a weaker link somewhere.


WV L1 Keys/ PR SL 3000 keys require breaking into the TEE to steal those decryption keys.

Ever wondered why Netflix 4k web-dls take a while for less popular shows?

Netflix monitors these more tightly apparently and blacklists keys that are used to download. Then the group needs to buy some new device, the old one is burned.


It's true that known-compromised keys get revoked, but it's possible to avoid them knowing you've compromised a particular device.


I think there's some kind of watermarking going on, so once a rip is released to the public they can trace it back to which device keys were used to decrypt it.


Watermarking would require a separate version of each encoded file for each target device, which is not amenable to efficient CDN-ing.

It's quite easy to grab the encrypted media files, as they go over the wire - do this from two devices and compare what you get. (you don't need to strip the DRM to see if the two files are identical)


They wouldn't necessarily need to serve different data to each client when they control the whole playback stack, they could get clever by including duplicate frame data with subtle differences and making each device key only able to decrypt one of the variants. Repeat that throughout a show to add additional bits to the signature until it's uniquely identifiable.


But they don't control the playback stack, once the attacker has the keys. The attacker brings their own stack, decrypting the data with their own software.


That doesn't help the attacker if their key can only decrypt the subset of frames which Netflix wants them to be able to decrypt.


Watermarking was a problem when Widevine L1 was first introduced. Pirates seem to have found a way to scrub the watermark from their releases. Either that or someone is burning a _lot_ of cash on playback hardware judging from the rate of 4K WEB-DL releases.


It doesn't need to be a lot - just replaced in the same cadence as the latency from initial broadcast to key revocation. Even if it's all in-house in Netflix and the watermark sufficient to identify the specific device key not all releases are made instantly after being made available on the platform, it still has to be downloaded, verified, watermark extracted before the key can be revoked.

If that's just a total of a single day, 365 cheap Netflix devices per year certainly isn't out of the question, especially with the number of people involved in the many ripping groups.


Depending on the bit size of a watermark, device-based watermarking should be easy to defeat using a quorum of devices to agree on bit values. It should only take around log2(n) attackers to remove an n-bit watermark.


Interesting, I hadn't heard about that. But this knowledge is obscure by design I suppose.


Features like this are why I prefer using QEMU directly rather than an abstraction like libvirt on top of QEMU.

Graphical interfaces like virt-manager are nice at first, but I don't need an abstraction on top of multiple hypervisors to make them all look superficially the same, because they're not. Eventually the abstraction breaks down and gets in the way.

I need the ability to use the full capability of QEMU. I'll write a shell script to manage the complexity of the arguments. At least I don't have to deal with XML, validation, and struggling with enabling the options I want that are only supported by one specific emulator, which libvirt doesn't support, because it's not common to all of the backends.


How do you deal with networks?

I like it that libvirt integrates with firewalld. libvirt via virt-manager also provides you with quick options for dns.

My fear is that this would be a lot of wrangling with qemu before I get there. I am not fond of virt-manager, the UI is clunky, but for setting up a machine it is really helpful.


Depends on the kind of network you want.

Personally I'm very lazy, so I just make a virtual bridge and force QEMU to use it for everything; putting all my VMs on my local network.

I totally understand that not everyone can do this, which is why I asked the question, I'd be interested in exploring how you would prefer the network topology to look like.

Having a virtual network on a machine would mean having a dns/dhcp server (I think dnsmasq can actually do both by itself) for ease of use, but I think I could give you a 5 line bash script that could do basically what you want easily, depending on what it is you want.

The normal "internal" network topology ends up giving you an outbound NAT to the local network (to, eventually, get onto the internet) which, I personally really dislike.


> I'd be interested in exploring how you would prefer the network topology to look like.

I tried to highly restrict my virtual machine with just an allow list (works via firewalld), and at the same time allowing the vm to query the (physical) LAN for dns-sd.

Tbh, I could not get the latter to work directly. I ended up letting my host function as a dns-sd reflector.

> virtual bridge

Does that work with wlan? libvirt creates a bridge, but with or without NAT it could not let the vm participate like a normal LAN-client. I thought it was a limitation of wireless lan bridging.


It's possible to create a custom network for libvirt, but you have to add a static route in the router for the other hosts in your LAN to see the VMs.

Using virsh, you can dump the default network with net-dumpxml, which is the default bridge libvirt creates, modify it and create another network. Add the modified file with net-create (non-persistent) or net-define.

This way the VMs can participate in the LAN and, at the same time, the LAN can see your VMs. Works with wifi and doesn't depend on having workarounds for bridging wifi and ethernet. Debian has a wiki entry on how to bridge with a wireless nic [0] but I don't think it's worth the trouble.

[0] https://wiki.debian.org/BridgeNetworkConnections#Bridging_wi...


Thanks, now I remember I got stuck there because the router in question does not allow for custom routes.

But why do you duplicate the default bridge? Wouldn't adding a route in the router + default bridge be enough for this setup to work?


You can just use the default bridge, but still have to add a static route in the router.


I use libvirt for qemu, because I got tired of rewriting my command line every two days because the options changed yet again.


Yeah, why do they change options so often? They should keep some backward compatibility, qemu is not a new project.


I'm excited to try this device out with Arch and Waydroid. It seems perfect for a number of tasks, being small and light enough to pack anywhere, while having a full keyboard and the ability to convert to a tablet.

I've always wanted something like this for reading recipes and watching videos while cooking, learning and doing new home improvement projects, researching electrical code, auto repair, etc. Kind of like a larger, more useful "phone" that's not as impractical to carry around as a mid-size laptop. It also seems like a nice rig to pack for on-call.

The beefy Zen 5 chip options and top end specs are icing on the cake. I hope GPD doesn't botch any important bits.


I used the original Pocket for oncall, and whilst it was indeed very handy, the keyboard was not comfortable at all for any moderate or long-term use. The issue is that its size puts it in a weird no-man's land - it's a bit too big to thumb-type like you'd do on a phone, and a bit too small to type with all your fingers, like on a regular keyboard. As a result, you end up awkwardly pecking at the keyboard with one or two fingers.

I think the GPD Win Max (10") is a much more practical device - it's just about big enough to type with all your fingers, and if you want something more pocketable, then the GPD Win Mini (7") is small enough to thumb-type whilst holding the device in your hands.

Given that one of the main reasons to use a Pocket over a regular tablet/phone is the keyboard, I think it's an important aspect that you shouldn't gloss over. It's unfortunate that none of the reviews I've seen of the Pocket series mentions this.


I have the smaller Gpd game console like with v small keyboard hiding and win max 2 the 10”. I always use the 10”. Just got a win 13” dual screen and hence not going to try the keyboard of this. I think win max 10” is ideal to pack with my iPad in a very small swing back.

I suspect very much my next upgrade is win max 2025 if it is available precisely because of portable, readable (old man) and typeable. But tbh the 13” keyboard is so much better it is very hard to use these unless absolutely necessary. But cannot carry a 13”.


Thanks; the keyboard was one of my main questions (precisely because of the 'can I touch type on it' concern).


The problem with coil guns in particular is the ferrous slug is drawn to the center of the magnetic field. The field has to be collapsed at the right time to avoid sapping velocity from the slug, counterproductively.

Many designs that achieve respectable velocities use a multi-stage coil, which requires precise timing for each magnetic field, a lot of power, and high current capability. Generally, that means large batteries for a power source and large capacitors to feed the coils, which becomes heavy and expensive.

Even rifle variants rarely make more energy than a .22 LR, a feat which is easily overshadowed by air guns several hundred years old.

https://en.m.wikipedia.org/wiki/Girardoni_air_rifle


> his air gun which fired 22 times at one charge

I think these might be classifiable as assault weapons.


If anything, I think it goes to show that weapons like this are anything but novel and unusual.


The energy density and expense of capacitors, along with the efficiency of the electromagnetic coils makes them impractical.

Coil/rail guns that achieve velocities comparable to real firearms are actually quite loud, as the air is compressed and superheated in front of the projectile, which creates a report at the muzzle. However, most man portable variants are limited to around the energy of a .22 LR. Even air guns are more powerful and practical.

As an example of a weapon that's practical yet not portable, take a look at the Navy's 155mm rail gun. https://youtu.be/O2QqOvFMG_A


Also, the successor to CS:GO is...Counter-Strike 2.


Oh damn I got the order on those mixed up. Was probably thinking of CS Source.

Regardless, point stands: they hate the number 3.


They’re probably doing it on purpose as a joke at this point.


It would have to be, CS2 is the fourth major installment in the Counter-Strike franchise.

Then again, all kinds of companies take liberties with naming including numbers. Look at Windows 7 (12th major release), Windows 10 (successor to Windows 8), the game Battlefield 2 (third in the series), Battlefield 3 (three games after BF2), Battlefield 1 (after the release of BF4), etc.


The issue is not removing old pipes, but even getting access to install new pipes. This typically means opening up walls and floors, and patching the resulting holes after it's done.


Yep, this was the longest part of the process. Plumbers were in and out in 3 days but left a huge mess to deal with, which we were aware of.

