9fans - fans of the OS Plan 9 from Bell Labs
From: Skip Tavakkolian <skip.tavakkolian@gmail.com>
To: 9fans <9fans@9fans.net>
Subject: Re: [9fans] Solo factotum
Date: Wed, 31 Dec 2025 00:51:20 -0800
Message-ID: <CAJSxfmLV=i7X3dQNJMqC8f5fRUOPZkA6fiyG2W9U=NehAaNoow@mail.gmail.com>
In-Reply-To: <082BB1F6719955832AA636A1DF46A15E@eigenstate.org>

To Ori's point, for such a factotum-on-a-stick to be as secure as
possible (the main point), you would need hardware support like
encrypted storage, trusted execution env, hardware root of trust
attestations all the way to the manufacturer, etc.

This level of security is crucial for trustworthy IoT (e.g. trusting
over-the-air updates), which is why some SoCs like Nordicsemi NRF52,
53, 54 and STMicroelectronics STM32L5, H5 have these capabilities.
Arm's Platform Security Architecture framework is a good resource for
considering all the ways that secrets can be compromised and how the
processor architecture can help mitigate them.

If doing embedded development isn't a showstopper, I think working out
how to embed factotum in a suitable device and figuring out the
mechanics of integrating it into the user environment would be a
useful experiment. There are inexpensive dev kits for NRF and STM SoCs.

On Tue, Dec 30, 2025 at 4:14 PM <ori@eigenstate.org> wrote:
>
> y'all are reinventing a TPM.
>
> Quoth sirjofri via 9fans <9fans@9fans.net>:
> > 30.12.2025 19:22:13 Dworkin Muller <dworkin@weaselfish.com>:
> > > Alternatively, just set it up as a secret store, like is done with
> > > terminals.  Not quite as elegant/cool, but perhaps more practical.
> >
> > In general, you're right. However, the big difference (and why I think there's a solid use case for a factotum key) is that the machine that runs factotum has to be secure. If you have a terminal with its own factotum program, that's fine. The program is on a trusted machine. However, if your terminal boots off a fs, you have to trust the factotum program on that fs to not steal your keys when executed. If you run factotum in a remote session, you have to trust the server. If you have a single enclosed factotum key and no way for the host to download the secrets directly, then you can use it even on an untrusted machine.
> >
> > Sure, you still need a way to edit the keys. Maybe a specific mount access using an additional secret for editing or something similar could be invented.
> >
> > In any case, I think for a fully trusted environment you probably don't need a factotum key. I think the whole factotum and secstore stuff is built around this level of trust (you trust the grid). If you consider a public grid with multiple users and people who sign in as guests, I'd prefer to not have my secrets uploaded into the memory of a machine that I can't control myself, if possible. And people do set up grids like that. That's why I welcome experiments in that direction. Not to replace the current status quo, but to extend it in a compatible way for different use cases.
> >
> > sirjofri

------------------------------------------
Permalink: https://9fans.topicbox.com/groups/9fans/Ta60752663ff08448-M49d8a21810679e15bff7ef46
