## What kind of “actions” can a TPM2 policy authorize?

I’ve been instructed to use the state of our system’s TPM’s PCR registers to prevent the system we’re working on from booting if one of the PCR registers is different from what we expect. In service of that goal, I’m reading over this article: https://threat.tevora.com/secure-boot-tpm-2/

there is a paragraph near the middle that reads:

TPM2 has the ability to create policies based off of PCRs: If the PCR contents do not match expectations, the policy will not authorize the action.

What kind of actions are they talking about here? And what would be the immediate ramifications if the action was not authorized?

Some background: Before today, I was under the impression that the principle trick of the TPM was to encrypt or decrypt data using a key that the TPM holds securely. Now this article suggests that the TPM can also (two different functions) encrypt or decrypt data based on the current state of its’ PCR registers… this seems similar enough to my previous understanding that I can believe it.

If my understanding is correct, I can see how this would be useful to our project’s goals; encrypt a blob of data that is critical to the success of the boot (say… the kernel*) with the state of the PCR registers while the PCR registers are in a known-trustworthy state (i.e. while known-trustworthy software is loaded). If software that writes different PCR registers replaces the known-trustworthy software, then the kernel blob won’t decrypt properly, and execution “halts”. Presumably there are ways to handle this halting gracefully, like Bitlocker or LUKS; I imagine if I just encrypted executable code and then decrypted it with the wrong key, it would produce gibberish, and the machine would do unexpected things rather than halt gracefully when running that gibberish.

A co-worker has taken the position that there’s a simpler way; that a TPM can permit or refuse an action directly… so, like, it halts the processor or something, I guess? He doesn’t express himself very well, and when I tried to summarize his position he told me I got it wrong, so… I’m deliberately keeping the details of his position scant. Suffice it to say, my understanding of what a TPM does wouldn’t allow for what he describes…

You could interpret the two sentences from the article as supporting his position, or mine, depending on what actions it is possible to ask the TPM to authorize, and what the immediate consequences ramifications of the TPM denying you the authorization to do something. Does anyone here have an opinion?

*…how would I “encrypt the kernel”, exactly? :-p

## Under what kind of oralces are \$P\$ and \$NP\$ equivalent?

How strong have the oracles needed to be for these two classes to be proven equivalent with respect to them?

For instance: is $$P^H$$ = $$NP^H$$ (ie. is $$P$$ equipped with an oracle to solve the halting problem equivalent to $$NP$$ equipped with an oracle to solve the halting problem)?

From Theodore Baker, John Gill, and Robert Solovay. Relativization of the P=?NP problem. Siam Journal of Computing, 4:432-442, 1975 [219] we know $$NP^A =P^A$$ for their oracle A (which is a decision algorithm for a PSPACE complete problem).

If the oracle can perform an infinite amount of computation and return back the result in one step are these classes equal with respect to an oracle of this type? How about weaker ones? What is the weakest oracle we know of where $$P$$ and $$NP$$ are equal with respect to it?

An answer I’m looking for is something like: $$P^O$$=$$NP^O$$ with respect to an oracle O and any oracle more powerful than it.

## What kind of protection does an electron sandbox provide?

How does an electron sandbox work? What kind of protections does it provide? Signal for example now runs by default with `--no-sandbox`. Should I be taking extra precautions when running signal?

## What kind of terrain is allowed for Mirage Arcane?

The spell mirage arcane is problematic in that much is left undefined, or unclear. It is a 7th level spell, so its powers are unexpectedly great. Nonetheless, there must be some limitations to the spell. I’m specifically interested in the type of terrain that the local one can be changed to.

Jeremy Crawford once unofficially tweeted that targets could drown in an imaginary lake, or fall off an imaginary cliff, so we can assume that spawning a lake in the middle of nowhere isn’t too far-fetched.

The mirage arcane spell gives you tremendous latitude in how you make the affected terrain look and feel. The altered terrain can even hurt someone. You could drown in the spell’s illusory lake, for example, or fall off an illusory cliff.

1. Can extraplanar terrain be used? Places like the Elemental Plane of Fire are inherently dangerous to humans. Could you use Mirage Arcane to summon typical terrain from that plane, like a sea of fire (for example)?

2. Do acid lakes, toxic bogs, and active volcano calderas count as terrain? I’m inclined to say that if one can drown in an illusory lake, then surely one can melt in an illusory acid lake. The toxic bog though, it’s more debatable if its terrain components are the deadly ones. And I’m not sure if a big lake of lava is terrain.

3. Does the allowed terrain depend on location? Perhaps summoning a lake of lava in the middle of a calm meadow is a bit extreme (then again, perhaps not for a 7th level spell). However, surely if one were to use this spell in a volcanic landscape, then it would be appropriate?

## What kind of data can be monitored/intercepted/altered by the VPN service provider?

As you may know, Virtual Private Network or VPN is a system to create an encrypted tunnel between two computers on the internet, on one end is the VPN client, and on the other end is the VPN server. Everything the client does on the internet can be monitored by the VPN server, which will otherwise be monitored by the ISP and/or the government.

The question is, what kind of data can a VPN server log or monitor? Can the VPN service provider monitor or intercept the full length of the transmitted data, or are they able to do so for some part of it? Also, can they alter and re-transmit the data as it passes through the VPN server?

This question came to my mind after reading some articles warning about VPNs that log and sell user data to third parties. How do I know that the provider isn’t doing such thing?

## Does this kind of USB “port knocking” exist?

For security reasons in public spaces administrators choose to disable the USB interfaces.

Is there a possibility for having something like port knocking on disabled/sleeping USB interfaces?

Port knocking in this case would be a detection of a specific kind of device (basically from `lsusb` information) and ideally some kind of special file inside of a USB pen drive.

Ideally, it would also require multiple USB pen drives with multiple password files.

Would is be a secure method to unlock the USB interfaces for administrators and administrators only?

## Is breaking illusions like Phantasmal Force a kind of metagaming?

If I cast phantasmal force on an NPC to make him think a creature has jumped onto his back and is trying to strangle him, assuming he fails his initial roll, why would he use an investigate action?

Would it be that he suspects he is the target of an illusion? Would he know that investigating it would get rid of it?

Phantasmal Force also takes place during the player’s turn, so he still has his turn, but it seems like he would probably use his actual turn attempting to get rid of what’s attacking him, or if it’s say, a monster standing in front of him, he might attack it with his weapon. Would you count attacking or attempting to defeat it as an investigation roll, or does it specifically have to be that he is investigating it?

I can’t see many reasons why your average person would actually stop and study a monster. If it were an actual monster that jumped on his back, or an actual skeleton that was summoned to fight him, he wouldn’t investigate, he’d just try to attack. So I’m a bit confused about the investigation part, unless one of his friends shouts ‘the monster isn’t real, look closely’, but then they’d have to know he was fighting a monster and not just confused.

For the sake of roleplay, is it considered normal for anyone affected to simply make an investigation check each turn to attempt to end the illusion? Or is it considered normal for them to suffer during the player’s turn a monster on their back trying to strangle them, and on their own turn, perform some unrelated action like attacking a player with their sword while ignoring the effect?

## C or Python for cybersecurity of all kind? [closed]

What if a person say that I don’t want to be the drake of all trades. I just want to learn one language to be a cybersecurity professional that it can do anything from hardware to software to anything related to internet. Writing script all kind of stuff. Which language either Python or C will be the one and complete choice? Difficulty does not matter. I know that cybersecurity is not all about programming.

## Which kind of attacks could be done on CoAP protocol?

I’m a student and I’m studying the security of the CoAP protocol. So, thinking on the attack-surface my thought was about internal attacks (i.e inside the network) and the external attack (i.e. outside the network). Regarding them, considering the scenario without encryption (i.e. without DTLS) there could be done attacks like sniffing packets. So, I was also wondering which kind of other attacks can be done?

## Is there any WordPress plugin that can achieve this kind of design?

I know wix can do this but the cost is steep so I use WordPress hosting but just as the title says, Is there any WordPress plugin that can achieve this kind of design for a t-shirt store page on my blog?

I want this to be on a separate page by itself with just t-shirt designs and call to action. Any help with this is appreciated. and is posting an image like this okay to help out.