Simulator: IPhone 4-inch Retina iOS7
Programming in Objective-C
3D Effects in development based on OpenGL ES
R,G,W represent 3 kinds of 3D effects
FPS: 45~60
And, yes, it's the first prototype of my idea of iOS app.
Monday, November 25, 2013
[Cocos2D/3D] (2) My First Cocos2D/3D Project
My First Cocos2D/3D Project
Simulator: IPhone 4-inch Retina iOS7
Programming in Objective-C
3D Effects in development based on OpenGL ES
R,G,W represent 3 kinds of 3D effects
FPS: 45~60
And, yes, it's the first prototype of my idea of iOS app.
Simulator: IPhone 4-inch Retina iOS7
Programming in Objective-C
3D Effects in development based on OpenGL ES
R,G,W represent 3 kinds of 3D effects
FPS: 45~60
And, yes, it's the first prototype of my idea of iOS app.
Wednesday, November 6, 2013
[x86] (8) How to Customize Signature for Secure Boot using OpenSSL
It's the day we talk about how to customize your signature for notorious secure boot using open source software completely no painless. It's also 100% confirmed by OpenSSL, the software we could trust ain't like those hijacked by specified OS vendor.
Great, shall we begin?
----------------------------------------------------------------------------------------------------------------
(1) Download and Install OpenSSL wherever you like.
(2) Crate your own Certificate Authority on your console:
(a) Set Directory of openssl.cfg (openssl.cnf),
C:\Program Files\CollabNet\Subversion Server\httpd\bin>
set OPENSSL_CONF=C:\
copy openssl.cnf openssl.cfg
(b) Generate 2048 RSA Private Key
C:\Program Files\CollabNet\Subversion Server\httpd\bin>
openssl genrsa -out mephisto_cert\ca_privkey.key 2048
(c) Generate Public PK Key by Private PK Key
C:\Program Files\CollabNet\Subversion Server\httpd\bin>
openssl rsa -in mephisto_cert\ca_privkey.key -pubout > mephisto_cert\ca_public.key
(d) Generate the self-signed digital certification of CA --> ca.crt
openssl req -new -x509 -days 8000 -key mephisto_cert\ca_privkey.key -out mephisto_cert\ca.crt -sha256 -config ..\conf\openssl.cnf
(3) Generate KEK by Private Key of PK
(a) Build directory storing KEK CSR, CRT, Private Key.
md mephisto_svn_server_cert
(b) Generate Private Key + Public Key for KEK
openssl genrsa -out mephisto_svn_server_cert\svn_server_privkey.key 2048
openssl rsa -in mephisto_svn_server_cert\svn_server_privkey.key -pubout > mephisto_svn_server_cert\svn_server_public.key
(c) Produce CSR application document for PK
openssl req -new -out mephisto_svn_server_cert\svn_server.csr -key mephisto_svn_server_cert\svn_server_privkey.key -config ..\conf\openssl.cnf
(d) Build directory for CA(KEK)
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\newcerts\
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\index.txt
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\temp.txt
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\temp.txt (filled with "01")
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\serial (Rename temp.txt ro serial)
(e) Produce Digital Certification (KEK) for PK
openssl ca -in mephisto_svn_server_cert\svn_server.csr -out mephisto_svn_server_cert\svn_server.crt -cert mephisto_cert\ca.crt -keyfile mephisto_cert\ca_privkey.key -config ..\conf\openssl.cnf -days 8000 -md sha256
(4) Generate db by Private Key of KEK
(a) Build directory storing db CSR, CRT, Private Key
md mephisto_db_cert
(b) Generate Private Key + Public Key of db
openssl genrsa -out mephisto_db_server_cert\db_privkey.key 2048
openssl rsa -in mephisto_db_cert\db_privkey.key -pubout > mephisto_db_cert\db_public.key
(c) Produce CSR application document for KEK
openssl req -new -out mephisto_db_cert\db.csr -key mephisto_db_cert\db_privkey.key -config ..\conf\openssl.cnf
(d) Build directory storing CA(db)
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\newcerts\
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\index.txt
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\temp.txt
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\temp.txt (filled with "01")
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\serial (Rename temp.txt ro serial)
(e) Produce Digital Certification (db) for KEK
openssl ca -in mephisto_db_cert\db.csr -out mephisto_db_cert\db.crt -cert mephisto_svn_server_cert\svn_server.crt -keyfile mephisto_svn_server_cert\svn_server_privkey.key -config ..\conf\openssl.cnf -days 8000 -md sha256
----------------------------------------------------------------------------------------------------------------
There you go, totally original material shared by myself to help anyone would like to escape the control from OS vendor. If anyone's interested, some of you might find my signature (Mephisto.Lai@X.com) embedded in your official desktop or notebook products...
Anyway, leave me questions, suggestions or comments, thanks!
Great, shall we begin?
----------------------------------------------------------------------------------------------------------------
(1) Download and Install OpenSSL wherever you like.
(2) Crate your own Certificate Authority on your console:
(a) Set Directory of openssl.cfg (openssl.cnf),
C:\Program Files\CollabNet\Subversion Server\httpd\bin>
set OPENSSL_CONF=C:\
copy openssl.cnf openssl.cfg
(b) Generate 2048 RSA Private Key
C:\Program Files\CollabNet\Subversion Server\httpd\bin>
openssl genrsa -out mephisto_cert\ca_privkey.key 2048
(c) Generate Public PK Key by Private PK Key
C:\Program Files\CollabNet\Subversion Server\httpd\bin>
openssl rsa -in mephisto_cert\ca_privkey.key -pubout > mephisto_cert\ca_public.key
(d) Generate the self-signed digital certification of CA --> ca.crt
openssl req -new -x509 -days 8000 -key mephisto_cert\ca_privkey.key -out mephisto_cert\ca.crt -sha256 -config ..\conf\openssl.cnf
(3) Generate KEK by Private Key of PK
(a) Build directory storing KEK CSR, CRT, Private Key.
md mephisto_svn_server_cert
(b) Generate Private Key + Public Key for KEK
openssl genrsa -out mephisto_svn_server_cert\svn_server_privkey.key 2048
openssl rsa -in mephisto_svn_server_cert\svn_server_privkey.key -pubout > mephisto_svn_server_cert\svn_server_public.key
(c) Produce CSR application document for PK
openssl req -new -out mephisto_svn_server_cert\svn_server.csr -key mephisto_svn_server_cert\svn_server_privkey.key -config ..\conf\openssl.cnf
(d) Build directory for CA(KEK)
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\newcerts\
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\index.txt
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\temp.txt
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\temp.txt (filled with "01")
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\serial (Rename temp.txt ro serial)
(e) Produce Digital Certification (KEK) for PK
openssl ca -in mephisto_svn_server_cert\svn_server.csr -out mephisto_svn_server_cert\svn_server.crt -cert mephisto_cert\ca.crt -keyfile mephisto_cert\ca_privkey.key -config ..\conf\openssl.cnf -days 8000 -md sha256
(4) Generate db by Private Key of KEK
(a) Build directory storing db CSR, CRT, Private Key
md mephisto_db_cert
(b) Generate Private Key + Public Key of db
openssl genrsa -out mephisto_db_server_cert\db_privkey.key 2048
openssl rsa -in mephisto_db_cert\db_privkey.key -pubout > mephisto_db_cert\db_public.key
(c) Produce CSR application document for KEK
openssl req -new -out mephisto_db_cert\db.csr -key mephisto_db_cert\db_privkey.key -config ..\conf\openssl.cnf
(d) Build directory storing CA(db)
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\newcerts\
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\index.txt
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\temp.txt
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\temp.txt (filled with "01")
C:\Program Files\CollabNet\Subversion Server\httpd\bin\DemoCA\serial (Rename temp.txt ro serial)
(e) Produce Digital Certification (db) for KEK
openssl ca -in mephisto_db_cert\db.csr -out mephisto_db_cert\db.crt -cert mephisto_svn_server_cert\svn_server.crt -keyfile mephisto_svn_server_cert\svn_server_privkey.key -config ..\conf\openssl.cnf -days 8000 -md sha256
----------------------------------------------------------------------------------------------------------------
There you go, totally original material shared by myself to help anyone would like to escape the control from OS vendor. If anyone's interested, some of you might find my signature (Mephisto.Lai@X.com) embedded in your official desktop or notebook products...
Anyway, leave me questions, suggestions or comments, thanks!
Monday, November 4, 2013
[x86] (6) Secure WMI based on SSL Handshaking Between Application and Embedded Controller
The idea is simple, application must handshake with EC through SSL to prove it's identity to gain permission to use certain WMI, otherwise the EC will block the request or even shut the system down shown as below.
Great! I believe you got the idea, if you're not, you may do a little study of SSL as well since it's open standard drafted by legendary Netscape. Following is the detailed flow of handshaking, note that only after the handshaking is done, the security of transmission between application and EC is ensured. The blue square "AES Secured" indicates it.
Here's detailed flow how the secure transmission between application and EC, they're extremely trivial if you do take a look on SSL standard...not for lazy bones!
This method is not perfect but simply convincing since it's built on the giant's shoulder...
Any questions, suggestions or comments, please let me know, thanks a lot!
[Cocos2D/3D] (1) Preliminary
New label for my new work! Actually I have been working on Cocos2D/ 3D engine survey for a while, so it's time to setup a new label of posts that I would update my latest status on it. As the open sourced game develop engine, their community shows great support to all indie programmers, totally love that. My current status as follows:
(1) Be able to read Object-C codes.
(2) Be able to read the Cocos2D/ 3D hierarchy, which is important since it provide great interface between 2D and 3D objects.
(1) Be able to read Object-C codes.
(2) Be able to read the Cocos2D/ 3D hierarchy, which is important since it provide great interface between 2D and 3D objects.
[x86] (5) Talking about the Working Model of OEM and ODM on RSA Keys Manufacture
If you're not familiar with "Security Boot", "Boot Guard" or "BIOS Guard" stuffs, you might find this subject quite boring. In case that, I think the better way is to explain it as usual sarcasm style.
Previous features I mentioned are designed or claimed for better security integration on platform, it's like a series of locks that you might only pass with right identity. For example, assume as following scene:
Lock: blocks the boot flow unless the right key is accepted.
Right Keys: Can only manufactured by OS vendor and OEM/ ODM (OEM has the right to decide to use only OEM key or both of OEM and ODM keys)
Since right keys can only manufactured by OS vendor, OEM or ODM, here's the funny question: What if the right is leaked, who should be responsible for it?
Well, four kinds of situation:
(1) OS vendor's key leaked: No doubt that OS vendor should be responsible for it since none can access the key but their self, right?
(2) Only OEM Key used and it's leaked: Of course it's OEM's fault, however, if this method is used, OEM should maintain a safe server allowing ODM to upload the signature file to be signed by OEM's internal private key and download from the server. Guess what? Some OEM takes the effort quickly but some just take other methods...
(3) Only ODM key used and it's leaked: Of course it's ODM's fault, however, every one would blame it on OEM. If any bad things happen, ha ha, some poor engineer would be kicked out. Don't worry about the supervisor, they always find the way out.
(4) OEM and ODM keys used and one leaked: Why we need this method? Why not only OEM key used? Well, it's because some OEM's too lazy to build the safe server responsible for ODM's signature, but still wanna ensure which ODM leaks their key and make sure ODM wouldn't produce other non-official keys. Oh man, it's really complicated, right? More to that, what if OEM or ODM would like to change or testify their own keys in the same BIOS code-base? There we need the compile switch provided by IBV to determine if the OEM/ ODM keys changed or not in current compile time. It's complicated, however, once built, it's easy to use to OEM or ODM, and lazy OEM doesn't have to own the safe server. How lazy and brilliant. By the way, I'm the guy worldwide first figured out this working model to satisfy the lazy OEM supervisor...
Finally, based on the experience I shared previously. I realize there are two ways to work in OEM:
(1) To Follow and get SLAPPED by supervisor.
-> Advantage: Keep your job well and stable.
-> Disadvantage: Get slapped all the time.
(2) To Create and get FIRED by supervisor.
-> Advantage: Be creative to flexible working models to satisfy various needs.
-> Disadvantage: Be creative is bitching and jealous supervisor finds excuse to fire you someday.
Any way, it's been cool to share some experience with you, if you find any questions, suggestions or comments, please give me some feed-backs, thanks a lot!
Previous features I mentioned are designed or claimed for better security integration on platform, it's like a series of locks that you might only pass with right identity. For example, assume as following scene:
Lock: blocks the boot flow unless the right key is accepted.
Right Keys: Can only manufactured by OS vendor and OEM/ ODM (OEM has the right to decide to use only OEM key or both of OEM and ODM keys)
Since right keys can only manufactured by OS vendor, OEM or ODM, here's the funny question: What if the right is leaked, who should be responsible for it?
Well, four kinds of situation:
(1) OS vendor's key leaked: No doubt that OS vendor should be responsible for it since none can access the key but their self, right?
(2) Only OEM Key used and it's leaked: Of course it's OEM's fault, however, if this method is used, OEM should maintain a safe server allowing ODM to upload the signature file to be signed by OEM's internal private key and download from the server. Guess what? Some OEM takes the effort quickly but some just take other methods...
(3) Only ODM key used and it's leaked: Of course it's ODM's fault, however, every one would blame it on OEM. If any bad things happen, ha ha, some poor engineer would be kicked out. Don't worry about the supervisor, they always find the way out.
(4) OEM and ODM keys used and one leaked: Why we need this method? Why not only OEM key used? Well, it's because some OEM's too lazy to build the safe server responsible for ODM's signature, but still wanna ensure which ODM leaks their key and make sure ODM wouldn't produce other non-official keys. Oh man, it's really complicated, right? More to that, what if OEM or ODM would like to change or testify their own keys in the same BIOS code-base? There we need the compile switch provided by IBV to determine if the OEM/ ODM keys changed or not in current compile time. It's complicated, however, once built, it's easy to use to OEM or ODM, and lazy OEM doesn't have to own the safe server. How lazy and brilliant. By the way, I'm the guy worldwide first figured out this working model to satisfy the lazy OEM supervisor...
Finally, based on the experience I shared previously. I realize there are two ways to work in OEM:
(1) To Follow and get SLAPPED by supervisor.
-> Advantage: Keep your job well and stable.
-> Disadvantage: Get slapped all the time.
(2) To Create and get FIRED by supervisor.
-> Advantage: Be creative to flexible working models to satisfy various needs.
-> Disadvantage: Be creative is bitching and jealous supervisor finds excuse to fire you someday.
Any way, it's been cool to share some experience with you, if you find any questions, suggestions or comments, please give me some feed-backs, thanks a lot!
Friday, November 1, 2013
[x86] (4) Security Features Diagram
End of the Friday already? Great, let's give a sneaky shot on old x86 based security features. I'll explain those stuffs later and let you guys have great weekend first.
Leave me any questions, suggestions and comments as you need, thanks!
Thursday, October 31, 2013
[x86] (3) UEFI BIOS Dynamic and Static Analyzer
Say, let's see something new today, it's about an idea that none never support it or take it serious but me. UEFI is the BIOS standard highly promoted by Intel...and forced everyone to do so. However, BIOS is an old industry that experienced engineers tend to use traditional debug methods such as break-points. That's what I called single debug view as following diagram.
This kind of debug view is fine when you're dealing with annoying OEM customer or Project Leader urging for issue report. Yeah, just do it and attach all your records from POST code/ debug message from PCH or EC serial out/ break-point insight from IBV or Intel's online debug monitors. However, you're looking at one issue at a time. Or you're looking at two or three issues at the same time, but you're still using single debug view.
As the engineer of one project, you should be fine with single debug view. As the BIOS leader or Feature leader, you might face multiple projects ongoing in the same time and all those projects binding with second/ third source
So my idea was to create analyze view based on automatic calculation in build time and run-time. With this analyze view, you may control multiple projects at the same time without manual efforts on each project's inspection. More to that, you could create a golden template based on the vendor's reference board to control all your projects. All analyze view reports are generated automatically, no more schedule losing control.
I really love this diagram, it explains how automatic framework collecting data in build-time and run-time to create analyze view.
It's the representation example of analyze view, it's easy to gain the benefit of free and open source diagram automation generator.
See the event schedule mentioned in previously diagram? That overcomes the late initialization/ wake-up issues as well, how I love this.
How thousands of Taiwan BIOS RD still doing their jobs like this...It's not a joke, man.
How it really works and helps us from try and error.
Too shay I still have bad news about this UEFI BIOS Dynamic and Static Analyzer, which is, UEFI is not welcome to future world since x86 members (Vendors, OEM, ODM) are mainly focus on making their own money. Even UEFI is supposed to be open, people tend to doubt it and pay attention to other standards.
Finally, welcome to give me any questions, suggestions or comments, thanks!
[x86] (2) Post Mortem: ACPI/ SCI/ Q Event
Before we back to the Future world full of mobile and smart devices, let's take a look on those old bones from yesterday world...however, as the latest news I know, there are still a huge bunch of Taiwan engineers devoted their self to the x86 based, nearly dead PC and NB markets and refuse to wake up. It's really sucks that our human nature tends to follow, not to lead. Anyway, pretend you're visiting the x86 museum....with my sarcasm introduce.
Long long time ago, there is a power saving standard called APM, the main idea is that any devices besides the CPU might notify CPU through SMI (software or hardware wired) that CPU would run the power state modify routine written in BIOS code. SMIs can't be scheduled well since it's nothing to do with OS that the system would halt while CPU's dealing with SMIs.
Well, it sucks to be so technique. Let's do it over again, CPU is a poor cook, only dealing one customer's order at one time. However, there are a bunch of crazy supervisors, they could interrupt cooker's job in the name of SMI. So the poor cook got customer complaint and supervisor take it as their huge contribution as management level.
Boring questions you guys must know the answers.
More boring history.
ACPI's so complicated...Really? The main idea is as simple as the poor cook example in APM.
I really like this page that I draw before, however it's too detailed on ACPI events. If anyone's interested, I would append the explanation as demand.
This is my favorite page that I update it several times! Too bad it's still detailed, but I would point one thing take-away, ACPI is like the poor cook in previously example, hires one sexy waitress (that is Operating System!) to assist the order schedule including the non-sense requests from stupid supervisors. The SMI requests mentioned previously are now replaced by SCI requests.
Huh, boring power states. Can you image that all those years go by and still the general users got confused on all those damn S3/S4/S5/S0/Hibernate/Fast-Start-Up/ Connected-Stand-By things... No one really sees what are they doing and they didn't even recognize it...wow!
More Reference...
More questions... make it stop!
Good trip of old stuff, right? I had devoted a lot time and efforts on it, but now I realize that I shouldn't only learn for the job and money, or there goes the consequences that most things you know became the yesterday's ashes. At least I wake up now, ha ha.
Any questions, suggestions or comments, please show me some support, thanks!
Long long time ago, there is a power saving standard called APM, the main idea is that any devices besides the CPU might notify CPU through SMI (software or hardware wired) that CPU would run the power state modify routine written in BIOS code. SMIs can't be scheduled well since it's nothing to do with OS that the system would halt while CPU's dealing with SMIs.
Well, it sucks to be so technique. Let's do it over again, CPU is a poor cook, only dealing one customer's order at one time. However, there are a bunch of crazy supervisors, they could interrupt cooker's job in the name of SMI. So the poor cook got customer complaint and supervisor take it as their huge contribution as management level.
Boring questions you guys must know the answers.
More boring history.
ACPI's so complicated...Really? The main idea is as simple as the poor cook example in APM.
I really like this page that I draw before, however it's too detailed on ACPI events. If anyone's interested, I would append the explanation as demand.
This is my favorite page that I update it several times! Too bad it's still detailed, but I would point one thing take-away, ACPI is like the poor cook in previously example, hires one sexy waitress (that is Operating System!) to assist the order schedule including the non-sense requests from stupid supervisors. The SMI requests mentioned previously are now replaced by SCI requests.
Huh, boring power states. Can you image that all those years go by and still the general users got confused on all those damn S3/S4/S5/S0/Hibernate/Fast-Start-Up/ Connected-Stand-By things... No one really sees what are they doing and they didn't even recognize it...wow!
More Reference...
More questions... make it stop!
Good trip of old stuff, right? I had devoted a lot time and efforts on it, but now I realize that I shouldn't only learn for the job and money, or there goes the consequences that most things you know became the yesterday's ashes. At least I wake up now, ha ha.
Any questions, suggestions or comments, please show me some support, thanks!
Wednesday, October 30, 2013
[x86] (1) Preliminary
1.5 Year as DELL Commercial NB ODM BIOS RD in Foxconn
0.5 Year as DELL Commercial NB IBV BIOS RD in American Megatrends inc
1.5 Year as NB BIOS Security Features RD Leader (see my digital signature on various projects) in worldwide PC/NB OEM
I spend my first 3.5 years career life as a full time NB BIOS RD crossing OEM/ODM/IBV, and I now feel like I shall share all my experience and knowledge that some might not do so. I hope the upcoming footprints I revealed would help others to better understand the BIOS industry and it would be my career marks as well.
Feel free to ask me any questions whatever how technical it would be, such as "What is the main purpose of Security Boot/ TPM/ HSM/ Trusted Chain/ Measure Boot/ BIOS Guard/ Boot Guard?" Any confusing security features involved in NB/ BIOS, I could give you all-you-can-eat answers full of sarcasm. :)
Anyway, it's just the official beginning of my blog life, cheers and wish me luck. I'm ready to share and learn new stuff as a pure indie engineer now.
0.5 Year as DELL Commercial NB IBV BIOS RD in American Megatrends inc
1.5 Year as NB BIOS Security Features RD Leader (see my digital signature on various projects) in worldwide PC/NB OEM
I spend my first 3.5 years career life as a full time NB BIOS RD crossing OEM/ODM/IBV, and I now feel like I shall share all my experience and knowledge that some might not do so. I hope the upcoming footprints I revealed would help others to better understand the BIOS industry and it would be my career marks as well.
Feel free to ask me any questions whatever how technical it would be, such as "What is the main purpose of Security Boot/ TPM/ HSM/ Trusted Chain/ Measure Boot/ BIOS Guard/ Boot Guard?" Any confusing security features involved in NB/ BIOS, I could give you all-you-can-eat answers full of sarcasm. :)
Anyway, it's just the official beginning of my blog life, cheers and wish me luck. I'm ready to share and learn new stuff as a pure indie engineer now.
Subscribe to:
Posts (Atom)