TrenchBoot: Open Source DRTM. Landing Zone validation.

UPDATE: At time of releasing this blog post, we were missing TPM1.2 verification and kernel measurements requirements. It is done now. As a result, we have added/updated following sections:

  • Landing Zone update section with procedure how to update Landing Zone only;
  • Landing Zone section with explanation of extending PCRs by Landing Zone and kernel, so it should be easily distinguished;
  • Landing Zone section with check if LZ utilizes SHA1 algorithm when using TPM1.2 module requirement verification;
  • Changes in source code section with point to exact place in LZ’s code, where SHA1 algorithm is utilized;

In previous article I introduced project’s basics. I explained briefly what parts of system are necessary in DRTM and how to prepare them. Now, let’s try to build them, so you can enjoy having secure platform too. Also, we will verify first requirements which are already met in project.

Preparation

We are using PC Engines apu2 platform with coreboot and NixOS. Procedures which are presented further in article are done for that exact configuration. If you want to perform any operations step-by-step, I strongly recommend to use exactly the same setup.

At this stage, I assume you have already installed NixOS according to our instructions. If yes, then we can start process of enabling DRTM.

Quick reminder - boot flow

Before we execute essential part, I would like to pass through quick reminder. Don’t worry, I won’t give a lecture or bring unfamiliar concepts. I want to show you differences between platform without DRTM and with DRTM. It is presented in graphical form, so it will be easier to visualize it.

A normal boot process without DRTM enabled, typically looks like this:

boot without drtm

GRUB bootloader directly loads Linux kernel and whereby NixOS boots. As you know, by modifying GRUB, Linux kernel and adding special boot modules, we enable DRTM. Then, the boot process looks like this:

boot drtm

You can clearly see 3 additional elements, which are slaunch module, SKINIT and Landing Zone. Their functionality should be already known by you. Briefly, it is DRTM stage, when platform boots.

Now, when you can visualize differences, you will learn how to switch your platform from the first case to the second one. Let’s do it!

System customization - enabling DRTM

It is the first thing we need to do. Clean NixOS doesn’t meet all requirements. First of all, we want to replace default nixpkgs with our custom one. Second of all, as it doesn’t have all necessary packages installed by default, we want to add them.

Fortunately, customization of NixOS will demand its configuration update, but not entire system re-installation. Moreover, there is no need to install every single package manually. Of course, it still can be done if you wish. However, entire process of enabling DRTM is automated by us to minimize user’s effort. So much for the introduction - now we can finally run the procedure. Boot to NixOS and follow these steps:

  1. Install cachix

    cachix is binary cache hosting. It allows to store binary files, so there is no need to build them on your own. If it is not very useful for small builds, it is very handy for large ones e.g. Linux kernel binary.

    1

    nix-env -iA cachix -f https://cachix.org/api/v1/install

  2. Add 3mdeb cachix hosting as default.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

    $ cachix use 3mdeb
Cachix configuration written to /etc/nixos/cachix.nix.
Binary cache 3mdeb configuration written to /etc/nixos/cachix/3mdeb.nix.

To start using cachix add the following to your /etc/nixos/configuration.nix:

    imports = [ ./cachix.nix ];

Then run:

    $ sudo nixos-rebuild switch

  3. Meet above requirement by editing /etc/nixos/configuration.nix.

    Probably vim editor is not available at this stage. Instead of vim, you can use nano.

    1
2
3
4
5
6
7
8

    $ nano /etc/nixos/configuration.nix
(...)
imports =
[ # Include the results of the hardware scan.
  ./hardware-configuration.nix
  ./cachix.nix
];
(...)

    Don’t rebuild NixOS yet. It will be done later.

  4. Install git package.

    1

    nix-env -iA nixos.git

  5. Clone 3mdeb/nixpkgs repository.

    3mdeb nixpkgs contains additional packages compared with default NixOS nixpkgs, so everything is in one place. Most of all, there are:

    1. grub-tb - custom GRUB2 with slaunch module enabled;
    2. landing-zone - LZ without debug flag
    3. landing-zone-debug - LZ with debug
    4. linux-5.1 - custom Linux kernel with initrd
    1
2
3
4

    $ git clone https://github.com/3mdeb/nixpkgs.git -b trenchboot_support_2020.03
(...)
$ ls
nixpkgs

  6. Update (rebuild) NixOS.

    1

    sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs

    IMPORTANT: -I nixpkgs=~/nixpkgs flag is needful here! It replaces default nixpkgs with previously downloaded one. Make sure the directory is valid (we have it in home (~)). If you follow our instruction step-by-step, you have it also there.

  7. Reboot platform.

    DRTM is not enabled yet! Boot to NixOS and finish configuration.

  8. Clone 3mdeb/nixos-trenchboot-configs repository.

    This repository contains all necessary NixOS configuration files in ready-to-use form, so there is no need to edit them by hand at this moment.

    1

    git clone https://github.com/3mdeb/nixos-trenchboot-configs.git

    List nixos-trenchboot-configs folder.

    1
2
3

    $ cd nixos-trenchboot-configs/
$ ls
configuration.nix  linux-5.1.nix  MANUAL.md  README.md  tb-config.nix

    Among listed files, most interesting one is configuration.nix. Customizing it saves time and work compared with tools and package manual installs. Manual work is good for small and fast builds. The more (and more significant) changes you want to do, the more efficient way is to re-build your NixOS system. That is done by editing configuration.nix file. As you already know, among others we want to rebuild Linux kernel, replace GRUB bootloader and install custom packages. That is why we decided to prepare new config and re-install NixOS.

    Let’s take a closer look at its content. Entire file is rather large, so the output will be truncated and only essential parts/lines will be mentioned.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

    $ cat configuration.nix

(...)
imports =
  [ # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./cachix.nix
    ./linux-5.1.nix
  ];
(...)
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
boot.loader.grub.extraEntries = ''
  menuentry "NixOS - Secure Launch" {
  search --set=drive1 --fs-uuid 178473b0-282f-4994-96fc-a8e51e2cfdac
  search --set=drive2 --fs-uuid 178473b0-282f-4994-96fc-a8e51e2cfdac
    slaunch skinit
    slaunch_module ($drive2)/boot/lz_header
    linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/b32wgz392q99cls12pkd8adddzbdkprn-nixos-system-nixos-20.09.git.50c3e448fceM init=/nix/store/b32wgz392q99cls12pkd8adddzbdkprn-nixos-system-nixos-20.09.git.50c3e448fceM/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4
    initrd ($drive2)/nix/store/zv2vl35xldkbss1y2fib1nifmw0yvick-initrd-linux-5.1.0/initrd
  }
'';

# OS utilities
environment.systemPackages = [
                               pkgs.pkg-config
                               pkgs.git
                               pkgs.gnumake
                               pkgs.autoconf
                               pkgs.automake
                               pkgs.gettext
                               pkgs.python
                               pkgs.m4
                               pkgs.libtool
                               pkgs.bison
                               pkgs.flex
                               pkgs.gcc
                               pkgs.gcc_multi
                               pkgs.libusb
                               pkgs.ncurses
                               pkgs.freetype
                               pkgs.qemu
                               pkgs.lvm2
                               pkgs.unifont
                               pkgs.fuse
                               pkgs.gnulib
                               pkgs.stdenv
                               pkgs.nasm
                               pkgs.binutils
                               pkgs.tpm2-tools
                               pkgs.tpm2-tss
                               pkgs.landing-zone
                               pkgs.landing-zone-debug
                               pkgs.grub-tb
                              ];

# Grub override
nixpkgs.config.packageOverrides = pkgs: { grub2 = pkgs.grub-tb; };

    Remarks:

    1. we import cachix service and custom linux 5.1 kernel to be built;
    2. adjust GRUB entries to boot slaunch and change directories of bzImage (Linux kernel) and initrd to custom ones;
    3. add all necessary system packages (i.a. landing-zone, landing-zone-debug and grub-tb);
    4. override default GRUB package with custom one;

  9. Copy all configuration files to /etc/nixos/ directory.

    1

    cp nixos-trenchboot-configs/*.nix /etc/nixos

  10. Update (re-build) system.

    1
2
3

    $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs
building Nix...
building the system configuration...

  11. Reboot platform.

    DRTM is not enabled yet. Choose "NixOs - Default" entry in GRUB menu.

  12. Install GRUB2-TrenchBoot to /dev/sdX.

    1

    grub-install /dev/sda

    Remember to choose proper device (disk) - in our case it is /dev/sda.

  13. Ensure that slaunch module is present in /boot/grub/i386-pc/.

    1
2

    $ ls /boot/grub/i386-pc | grep slaunch
slaunch.mod

  14. Find Landing Zone package in /nixos/store/.

    1
2
3
4
5

    $ ls /nix/store/ | grep landing-zone
5q92f6l4s1jfbw5ygfr1sd4hlczjj6l2-landing-zone-0.3.0.drv
6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv
dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0
zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0

    Package without -debug in its name and without .drv extension is what we are looking for.

  15. Copy lz_header.bin to /boot/ directory.

    1

    cp /nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0/lz_header.bin /boot/lz_header

  16. Check /boot/grub/grub.cfg file and its NixOS - Default menu entry. Adjust /etc/nixos/configuration.nix and its boot.loader.grub.extraEntries line to have exactly the same directories included.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

    $ cat /boot/grub/grub.cfg
(...)
menuentry "NixOS - Default" {
search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f
search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f
  linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixo
s-system-nixos-20.09.git.c36910d42c5 init=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixos-system-nixos-20.09.git.c36910d42c5/init console=tt
yS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4
  initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd
}
(...)

    With grub.cfg content as above configuration.nix must have boot.loader.grub.extraEntriesline like this:

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

    $ cat /etc/nixos/configuration.nix
  (...)
  boot.loader.grub.extraEntries = ''
  menuentry "NixOS - Secure Launch" {
    search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f
    search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f
    slaunch skinit
    slaunch_module ($drive2)/boot/lz_header
    linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixos-system-nixos-20.09.git.c36910d42c5 init=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixos-system-nixos-20.09.git.c36910d42c5/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4
    initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd
  }
'';

    If there are differences in any of search --set=drive1..., search --set=drive2..., linux ($drive2)/nix/store... lines, edit configuration.nix content and copy those lines from grub.cfg menuentry "NixOS - Default". They must be exactly the same.

  17. Update system for the last time.

    1

    sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs

  18. Reboot platform.

During platform booting, in GRUB menu there should be at least "NixOS - Default" and "NixOS - Secure Launch" entries. First entry boots platform without DRTM. Second entry executes DRTM! Choose the second entry and see if platform boots successfully. If yes, you have secure platform with DRTM enabled.

Validation

You can still be suspicious, if it really works. And rightly so. In this section, I will show you, how to verify each component of the system to make you sure about its correctness. Also, I will present how we met first stage project’s requirement.

GRUB

There are two ways to validate if GRUB will load slaunch module and hence run SKINIT and LZ (DRTM).

Verify content of grub.cfg file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

$ cat /boot/grub/grub.cfg
menuentry "NixOS - Default" {
search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f
search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f
  linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/zyb42vdhv4pqwwmi9szrvd88i92sb7zb-nix4
  initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd
}

menuentry "NixOS - Secure Launch" {
  search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f
  search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f
  slaunch skinit
  slaunch_module ($drive2)/boot/lz_header
  linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nix4
    initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd
}

In “NixOS - Secure Launch” entry there must be slaunch skinit entry and slaunch_module ($drive2)/boot/lz_header which points to LZ.

Compare bootlog with DRTM and without DRTM

  1. Reboot platform. In GRUB menu choose "NixOS - Default" entry (without DRTM).

    Collect logs during boot to be able to verify them. Using dmesg command in NixOS doesn’t work because it doesn’t show pre-kernel stage logs! Correct bootlog is shown below.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

    early console in extract_kernel
input_data: 0x00000000023eb3b1
input_len: 0x0000000000424e94
output: 0x0000000001000000
output_len: 0x00000000017e7398
kernel_total_size: 0x000000000142c000
trampoline_32bit: 0x000000000009d000
booted via startup_32()
Physical KASLR using RDTSC...
Virtual KASLR using RDTSC...

Decompressing Linux... Parsing ELF... Performing relocations... done.
Booting the kernel.
[    0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970
[    0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/74
[    0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'

(...)

<<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>>

Run 'nixos-help' for the NixOS manual.

    Verification: As expected, bootloader executes Linux kernel directly. Platform booted without DRTM then.

  2. Reboot platform once again. In GRUB menu choose "NixOS - Secure Launch" entry.

    Once again, collect logs during boot to be able to verify them. Using dmesg command in NixOS doesn’t work, as in previous case. Correct bootlog is shown below.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

    grub_cmd_slaunch:122: check for manufacturer
grub_cmd_slaunch:126: check for cpuid
grub_cmd_slaunch:136: set slaunch
grub_cmd_slaunch_module:156: check argc
grub_cmd_slaunch_module:161: check relocator
grub_cmd_slaunch_module:170: open file
grub_cmd_slaunch_module:175: get size
grub_cmd_slaunch_module:180: allocate memory
grub_cmd_slaunch_module:192: addr: 0x100000
grub_cmd_slaunch_module:194: target: 0x100000
grub_cmd_slaunch_module:196: add module
grub_cmd_slaunch_module:205: read file
grub_cmd_slaunch_module:215: close file
grub_slaunch_boot_skinit:41: real_mode_target: 0x8a000
grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000
grub_slaunch_boot_skinit:43: params: 0xcfe7745early console in extract_kernel
input_data: 0x00000000023eb3b1
input_len: 0x0000000000424e94
output: 0x0000000001000000
output_len: 0x00000000017e7398
kernel_total_size: 0x000000000142c000
trampoline_32bit: 0x000000000009d000
booted via startup_32()
Physical KASLR using RDTSC...
Virtual KASLR using RDTSC...

Decompressing Linux... Parsing ELF... Performing relocations... done.
Booting the kernel.
[    0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970
[    0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/j4
[    0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'

(...)

<<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>>

Run 'nixos-help' for the NixOS manual.

    Verification: As expected, before Linux kernel, there should be slaunch module executed. It proves that DRTM is enabled. There is no information about LZ execution because it is non-debug version.

Landing Zone

As we mentioned in previous article, measurements are done by Landing Zone and Linux kernel as well. LZ extends only PCR17, kernel extends only PCR18. It’s important to distinguish those two values. If kernel doesn’t make measurements, there should be only 00000... in PCR18. In requirements verification procedures (presented later), you can notice, that regardless of using TPM2.0 or TPM1.2 module, PCR17 and PCR18 are both filled with non-zero values. It proves that both LZ and kernel takes measurements.

There are few aspects which can be verified in LZ. We will focus on those three:

  • check if LZ utilizes SHA256 algorithm when using TPM2.0 module
  • check if LZ utilizes SHA1 algorithm when using TPM1.2 module
  • check if LZ debug option can be enabled

Before moving to validation procedures, update necessary Trenchboot packages to have all latest changes applied.

  1. Pull trenchboot_support_2020.06 branch from 3mdeb/nixpkgs repository.

    1
2
3

    cd ~/nixpkgs/
git checkout trenchboot_support_2020.04
git pull

  2. Rebuild NixOS.

    1

    sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs

check if LZ utilizes SHA256 algorithm when using TPM2.0 module

  1. If not already booted to "NixOS - Secure Launch", reboot platform and boot to NixOS via "NixOS - Secure Launch" entry in GRUB menu.

  2. Run tpm2_pcrread command.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

    $ tpm2_pcrread
sha1:
  0 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275
  1 : 0xFE4F0F826A15FA9E426722AAE12731508D84110D
  2 : 0x53DE584DCEF03F6A7DAC1A240A835893896F218D
  3 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275
  4 : 0x017A3DE82F4A1B77FC33A903FEF6AD27EE92BE04
  5 : 0x46DF69CCCFB08DE09E8BC2E8FAAD8D4F942FDD85
  6 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275
  7 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275
  8 : 0x0000000000000000000000000000000000000000
  9 : 0x0000000000000000000000000000000000000000
  10: 0x0000000000000000000000000000000000000000
  11: 0x0000000000000000000000000000000000000000
  12: 0x0000000000000000000000000000000000000000
  13: 0x0000000000000000000000000000000000000000
  14: 0x0000000000000000000000000000000000000000
  15: 0x0000000000000000000000000000000000000000
  16: 0x0000000000000000000000000000000000000000
  17: 0xD425110792179753635626B3FAB43E8F657026E2
  18: 0x0000000000000000000000000000000000000000
  19: 0x0000000000000000000000000000000000000000
  20: 0x0000000000000000000000000000000000000000
  21: 0x0000000000000000000000000000000000000000
  22: 0x0000000000000000000000000000000000000000
  23: 0x0000000000000000000000000000000000000000
sha256:
  0 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72
  1 : 0xF4CE533757FFD1AA737A15D0D6804CAFEBE9FF2B507C696709557E72E49FFD34
  2 : 0xFA8791BB6BCE8EBF4AD7B516ADFBBB9B2F1499A8876E2C909135AEBDCCA2D84C
  3 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72
  4 : 0x94855A1DF928211EAB2000178968B4B630B9BAC53B4C34177EE5224E9AAF2304
  5 : 0x9DEEEAA62816FDC5BB53C83AEDE49BAD1F92A7DABC35A9548253A3B9D535574A
  6 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72
  7 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72
  8 : 0x0000000000000000000000000000000000000000000000000000000000000000
  9 : 0x0000000000000000000000000000000000000000000000000000000000000000
  10: 0x0000000000000000000000000000000000000000000000000000000000000000
  11: 0x0000000000000000000000000000000000000000000000000000000000000000
  12: 0x0000000000000000000000000000000000000000000000000000000000000000
  13: 0x0000000000000000000000000000000000000000000000000000000000000000
  14: 0x0000000000000000000000000000000000000000000000000000000000000000
  15: 0x0000000000000000000000000000000000000000000000000000000000000000
  16: 0x0000000000000000000000000000000000000000000000000000000000000000
  17: 0x7392BE6CD449323115D11BBC97AF4CB2ADAD25B9CF52D0861F87934FEEA7B03E
  18: 0x47D99FC5D85B202479E2D5473224E144B51759EE1F34BBFE8073134E72A073E3
  19: 0x0000000000000000000000000000000000000000000000000000000000000000
  20: 0x0000000000000000000000000000000000000000000000000000000000000000
  21: 0x0000000000000000000000000000000000000000000000000000000000000000
  22: 0x0000000000000000000000000000000000000000000000000000000000000000
  23: 0x0000000000000000000000000000000000000000000000000000000000000000

  3. Run extend_all.sh script from landing-zone package.

    This script simulates what should be extended into PCR17 by SKINIT, LZ and kernel during platform booting. It extends both SHA256 and SHA1 values. However, expected result is valid only for SHA256 if used with TPM2.0 device.

    To properly execute script, first find correct directory to bzImage and initrd. Best way to find exact directories is to see "NixOS - Secure Launch" entry in /boot/grub/grub.cfg:

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

    $ cat /boot/grub/grub.cfg
(...)
menuentry "NixOS - Secure Launch" {
  search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f
  search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f
  slaunch skinit
  slaunch_module ($drive2)/boot/lz_header
  linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nix4
    initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd
}
(...)

    /nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage is directory to Linux kernel. /nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd is directory to initrd.

  4. Go to /nix/store/ and run below command:

    1
2
3
4
5
6

    $ cd /nix/store
$ ls | grep landing-zone
5q92f6l4s1jfbw5ygfr1sd4hlczjj6l2-landing-zone-0.3.0.drv
6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv
dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0
zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0

    Hash before -landing-zone-1.0 is dependent on built version and might be different in yours. Choose non-debug version from above results.

  5. Go to /nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0 directory.

    1

    cd /nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0

  6. Execute ./extend_all.sh script.

    Usage is ./extend_all.sh <directory-to-bzImage> <directory-to-initrd>

    It must be executed inside directory containing currently used (debug or non-debug) version of lz_header.bin. You should already be in this directory after previous step. Directories to bzImage and initrd we found in step 3.

    1
2
3

    ./extend_all.sh /nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage /nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd
d91e7f685bcae20f84308eafe46f02eea8fcc90c  SHA1
7392be6cd449323115d11bbc97af4cb2adad25b9cf52d0861f87934feea7b03e  SHA256

    Compare SHA256 value with PCR17 content checked previously with tpm2_pcrread output. If DRTM is enabled and executes properly, they should be the same. It proves that LZ code utilizes SHA256 algorithm during measurements.

check if LZ utilizes SHA1 algorithm when using TPM1.2 module

  1. If not already booted to "NixOS - Secure Launch", reboot platform and boot to NixOS via "NixOS - Secure Launch" entry in GRUB menu.

  2. Update landing-zone package to have support for TPM1.2.

    1
2
3

    cd ~/nixpkgs
git checkout tpm12_support
nix-build -A landing-zone

  3. Go to /nix/store/ directory and search for newly build landing-zone package.

    1
2
3
4
5
6

    $ cd /nix/store
$ ls | grep landing-zone
5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0
l1b2h84fdw8g0m9aygmv8g3nhbnw9kic-landing-zone-debug-0.3.0.drv
lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0
mnbh5xahlbzmfa50r60y5z4lph9rd41k-landing-zone-0.3.0.drv

    We are looking for entry without -debug and .drv extension. In this particular example, it is 5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0.

  4. Copy lz_header.bin from above directory to /boot directory.

    1

    cp /nix/store/5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0/lz_header.bin /boot/lz_header

  5. Reboot platform to apply changes.

  6. Check PCR values of TPM1.2 module.

    Notice, that tpm2_tools is not compatible with TPM1.2 module, so it won’t work!

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

    # cat /sys/class/tpm/tpm0/pcrs
PCR-00: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-01: 40 9C 01 12 67 A9 37 5E BF 5A 5C 43 C6 96 FE 25 AD 0F 02 3B
PCR-02: B2 2A 53 5A C8 0C CA 8A 49 AD 1A D8 77 29 82 6F 49 2D 53 7E
PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-04: 01 7A 3D E8 2F 4A 1B 77 FC 33 A9 03 FE F6 AD 27 EE 92 BE 04
PCR-05: 37 0C 7F 87 39 AF DC E7 1F EB 67 FE 83 B2 47 6F D7 B5 59 CD
PCR-06: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75
PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-17: AD CA 0E DC CD A7 EF 26 71 27 51 42 BE C2 E3 95 BF 37 3F 02
PCR-18: EF F6 CC FC 57 41 36 4A DF 29 68 E5 50 81 E8 AF AD 72 B4 7B
PCR-19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  7. Execute steps 3-6 from check if LZ utilizes SHA256 algorithm when using TPM2.0 module instruction.

    1
2
3

    ./extend_all.sh /nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage /nix/store/n9wj42p2kvm84rxr7bwh8qjxmawa447k-initrd-linux-5.5.3/initrd
adca0edccda7ef2671275142bec2e395bf373f02  SHA1
b06f177d3fe280bd0bb1cc24ad54930d953751ee028f461a4d352959d10f9fd0  SHA256

    Compare SHA1 value with PCR17 content checked previously with /sys/class/tpm/tpm0/pcrs output. If DRTM is enabled and executes properly, they should be the same. It proves that LZ code utilizes SHA1 algorithm during measurements.

    It is ok, if your PCRs values aren’t exactly the same as in above logs. Since writing this instruction, some changes were most probably added to LZ. Therefore, make sure to always compare values between script and command output on your local machine, rather than with above logs.

Check if LZ debug option can be enabled

  1. Boot NixOS and go to /nix/store/ directory.

    1

    cd /nix/store/

  2. Find landing-zone package (without debug).

    1
2
3
4
5

    $ ls /nix/store/ | grep landing-zone
5q92f6l4s1jfbw5ygfr1sd4hlczjj6l2-landing-zone-0.3.0.drv
6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv
dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0
zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0

    We are looking for entry without -debug and .drv extension. In this particular example, it is zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0.

  3. Copy lz_header.bin from above directory to /boot directory.

    1

    cp /nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0/lz_header.bin /boot/lz_header

  4. Reboot platform and choose "NixOS - Secure Launch" entry in GRUB.

    Collect logs during boot to be able to verify them. Using dmesg command in NixOS doesn’t work because it doesn’t show pre-kernel stage logs. Correct bootlog is shown below.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

    grub_cmd_slaunch:122: check for manufacturer
grub_cmd_slaunch:126: check for cpuid
grub_cmd_slaunch:136: set slaunch
grub_cmd_slaunch_module:156: check argc
grub_cmd_slaunch_module:161: check relocator
grub_cmd_slaunch_module:170: open file
grub_cmd_slaunch_module:175: get size
grub_cmd_slaunch_module:180: allocate memory
grub_cmd_slaunch_module:192: addr: 0x100000
grub_cmd_slaunch_module:194: target: 0x100000
grub_cmd_slaunch_module:196: add module
grub_cmd_slaunch_module:205: read file
grub_cmd_slaunch_module:215: close file
grub_slaunch_boot_skinit:41: real_mode_target: 0x8a000
grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000
grub_slaunch_boot_skinit:43: params: 0xcfe7745early console in extract_kernel
input_data: 0x00000000023eb3b1
input_len: 0x0000000000424e94
output: 0x0000000001000000
output_len: 0x00000000017e7398
kernel_total_size: 0x000000000142c000
trampoline_32bit: 0x000000000009d000
booted via startup_32()
Physical KASLR using RDTSC...
Virtual KASLR using RDTSC...

Decompressing Linux... Parsing ELF... Performing relocations... done.
Booting the kernel.
[    0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970
[    0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/j4
[    0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'

(...)

<<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>>

Run 'nixos-help' for the NixOS manual.

    Verification: We have chosen lz_header (LZ) without debug. Above log is correct example for such case. Pre-kernel logs are limited to minimum.

  5. Go to /nix/store/ directory.

    1

    cd /nix/store/

  6. Find landing-zone package (with debug).

    1
2
3

    $ ls /nix/store/ | grep landing-zone-debug
6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv
dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0

    dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0 is directory we are looking for.

  7. Copy lz_header.bin from above directory to /boot directory.

    1

    cp /nix/store/dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0/lz_header.bin /boot/lz_header

  8. Reboot platform and choose "NixOS - Secure Launch" entry in GRUB.

    Once again, collect logs during boot to be able to verify them. Using dmesg command in NixOS doesn’t work, as in previous case. Correct bootlog is shown below.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

    grub_cmd_slaunch:122: check for manufacturer
grub_cmd_slaunch:126: check for cpuid
grub_cmd_slaunch:136: set slaunch
grub_cmd_slaunch_module:156: check argc
grub_cmd_slaunch_module:161: check relocator
grub_cmd_slaunch_module:170: open file
grub_cmd_slaunch_module:175: get size
grub_cmd_slaunch_module:180: allocate memory
grub_cmd_slaunch_module:192: addr: 0x100000
grub_cmd_slaunch_module:194: target: 0x100000
grub_cmd_slaunch_module:196: add module
grub_cmd_slaunch_module:205: read file
grub_cmd_slaunch_module:215: close file
grub_slaunch_boot_skinit:41: real_mode_target: 0x8a000
grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000
grub_slaunch_boot_skinit:43: params: 0xcfe7746sl_stub_entry_offset:
0x00000000014318a8: d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000000014318b8: 23 02 00 00 00 00 00 00 00 00 00 00 66 66 2e 0f   #...........ff..
0x00000000014318c8: 1f 84 00 00 00 00 00 90 fa fc 8d a5 c4 9c 43 00   ..............C.
0x00000000014318d8: 01 ad 72 6c 43 00 0f 01 95 70 6c 43 00 b8 10 00   ..rlC....plC....
0x00000000014318e8: 00 00 8e d8 8e c0 8e e0 8e e8 8e d0 8d 85 fe 18   ................
0x00000000014318f8: 43 00 6a 08 50 cb b9 1b 00 00 00 0f 32 a9 00 01   C.j.P.......2...
0x0000000001431908: 00 00 75 02 0f 0b bf 01 00 00 00 31 c0 0f a2 81   ..u........1....
0x0000000001431918: fb 47 65 6e 75 0f 85 82 00 00 00 81 fa 69 6e 65   .Genu........ine
0x0000000001431928: 49 75 7a 81 f9 6e 74 65 6c 75 72 bf 02 00 00 00   Iuz..ntelur.....
0x0000000001431938: c7 85 b0 6c 43 00 02 00 00 00 ff 85 bc 6c 43 00   ...lC........lC.
0x0000000001431948: 31 db b8 07 00 00 00 0f 37 8d 85 5c 19 43 00 9c   1.......7..\.C..
0x0000000001431958: 6a 08 50 cf c7 05 30 00 d2 fe 00 00 00 00 c7 05   j.P...0.........
0x0000000001431968: 08 00 d2 fe ff ff ff ff a1 00 03 d2 fe 8b 08 8d   ................
0x0000000001431978: 44 08 08 8b 70 04 89 a8 34 02 00 00 8b b8 3c 02   D...p...4.....<.
0x0000000001431988: 00 00 89 bd c0 6c 43 00 50 56 e8 e9 00 00 00 5e   .....lC.PV.....^
0x0000000001431998: e8 c3 01 00 00 5f e8 5d 01 00 00 eb 0e c7 85 b0   ....._.]........
shasum calculated:
0x00000000001001b0: ed a5 f1 9e 28 0e d8 b3 5a de bc b6 e7 15 c8 de   ....(...Z.......
0x00000000001001c0: 1f bb 2c aa f2 8a af c8 a0 2f d3 60 d5 d0 78 a1   ..,....../.`..x.
PCR extended
pm_kernel_entry:
0x00000000010001d0: 8d ab 30 fe ff ff e9 f5 16 43 00 00 00 00 00 00   ..0......C......
0x00000000010001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
...
0x0000000001000200: 31 c0 8e d8 8e c0 8e d0 8e e0 8e e8 48 8d 2d ed   1...........H.-.
0x0000000001000210: fd ff ff 8b 86 30 02 00 00 ff c8 48 01 c5 48 f7   .....0.....H..H.
0x0000000001000220: d0 48 21 c5 48 81 fd 00 00 00 01 7d 07 48 c7 c5   .H!.H......}.H..
0x0000000001000230: 00 00 00 01 8b 9e 60 02 00 00 81 eb 00 60 46 00   ......`......`F.
0x0000000001000240: 48 01 eb 48 8d a3 40 de 44 00 48 31 c0 e8 00 00   H..H..@.D.H1....
0x0000000001000250: 00 00 5f 48 81 ef 52 02 00 00 e8 3e 50 42 00 48   .._H..R....>PB.H
0x0000000001000260: 8d 05 e4 68 43 00 48 89 05 d5 68 43 00 0f 01 15   ...hC.H...hC....
0x0000000001000270: cc 68 43 00 56 48 89 f7 e8 b3 a9 42 00 5e 48 89   .hC.VH.....B.^H.
0x0000000001000280: c1 48 8d 3d 0c 00 00 00 6a 08 48 8d 80 00 10 00   .H.=....j.H.....
0x0000000001000290: 00 50 48 cb 48 8d a3 40 de 44 00 56 48 8d bb 00   .PH.H..@.D.VH...
0x00000000010002a0: 50 46 00 e8 c8 ab 42 00 5e 6a 00 9d e8 00 00 00   PF....B.^j......
0x00000000010002b0: 00 58 48 2d b1 02 00 00 48 89 df e8 dd 4f 42 00   .XH-....H....OB.
0x00000000010002c0: 56 48 8d 35 70 9b 43 00 48 8d bb 38 9e 43 00 48   VH.5p.C.H..8.C.H
zero_page:
0x000000000008a000: 00 0d 00 80 00 00 03 50 00 00 00 00 00 00 19 01   .......P........
0x000000000008a010: 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x000000000008a020: 3f a3 00 10 00 00 00 00 00 00 00 00 00 00 00 00   ?...............
0x000000000008a030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
...
0x000000000008a0d0: 00 00 00 00 00 00 00 00 00 a0 10 00 00 00 00 00   ................
0x000000000008a0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
...
lz_base:
0x0000000000100000: d4 01 00 d0 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000000100010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
...
0x0000000000100060: 19 19 10 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000000100070: b0 00 10 00 00 00 00 00 40 00 00 00 aa f3 e2 dc   ........@.......
0x0000000000100080: 00 29 10 00 00 00 00 00 1a 13 e2 aa 1d af ab 59   .).............Y
0x0000000000100090: cc 8e 1e 1c 68 42 f8 12 28 01 10 00 00 00 00 00   ....hB..(.......
0x00000000001000a0: b3 e1 3a e9 08 00 00 00 58 01 10 00 00 00 00 00   ..:.....X.......
0x00000000001000b0: 4b 88 d2 cb 27 91 a5 53 bb 49 64 ae 32 40 a6 ce   K...'..S.Id.2@..
0x00000000001000c0: aa a1 96 a1 e6 b4 6c df 8e b7 83 ee 2c 13 aa 8f   ......l.....,...
0x00000000001000d0: 98 5a cb bb b0 64 34 b3 5f 8c 20 28 a7 52 64 06   .Z...d4._. (.Rd.
0x00000000001000e0: d1 b4 50 95 e6 2b 8f b2 4d 33 a4 80 ca e5 7d 48   ..P..+..M3....}H
0x00000000001000f0: 30 01 10 00 00 00 00 00 b0 01 10 00 00 00 00 00   0...............
early console in extract_kernel
input_data: 0x00000000023eb3b1
input_len: 0x0000000000424e94
output: 0x0000000001000000
output_len: 0x00000000017e7398
kernel_total_size: 0x000000000142c000
trampoline_32bit: 0x000000000009d000
booted via startup_32()
Physical KASLR using RDTSC...
Virtual KASLR using RDTSC...

Decompressing Linux... Parsing ELF... Performing relocations... done.
Booting the kernel.
[    0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970
[    0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/14
[    0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
(...)

    Verification: As you can see, debug output is more verbose than previous one. It has additional information about e.g. LZ, zero page etc. Above procedure proves that LZ is available in debug and non-debug version. Both can be easily adopted by user in NixOS. However, we recommend to use non-debug one.

Changes in source code

Above requirements can be inspected in source code of above components too. I give references to exact places (repository and files), where to find this features.

  1. LZ can be built with and without debug flag; by default it is non-debug build.

    Repository: TrenchBoot/landing-zone - tag v0.3.0

    Files:

    1. Makefile
    2. main.c

  2. LZ code utilizes SHA256 algorithm during measurements with TPM2.0.

    Repository: TrenchBoot/landing-zone - tag v0.3.0

    Files:

    1. sha256.c

  3. LZ code utilizes SHA1 algorithm during measurements with TPM1.2.

    Repository: 3mdeb/landing-zone - branch tpm12_fix

    Files:

    1. sha1sum.c

  4. LZ implementation of TPM interface cover both TPM2.0 and TPM1.2 and use appropriate SHA algorithm.

    Repository: TrenchBoot/landing-zone - tag v0.3.0

    Files:

    1. main.c

  5. Linux kernel utilizes SHA256 during measurements.

    Repository: 3mdeb/linux-stable

    Files:

    1. arch/x86/boot/compressed/sl_main.c

Summary

With theoretical knowledge and now also practice you should be able to enable DRTM on your platform and verify its operations. Further development will bring more features. Each of them will be presented in similar way. Each of them also will be verifiable by you. So stay tuned and follow our social media for more information!

If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features of used hardware platform, feel free to book a call with us or drop us email to contact<at>3mdeb<dot>com. If you are interested in similar content feel free to sign up for our newsletter

Piotr Kleinschmidt
Junior Firmware Engineer interested mostly in the embedded world and automatics. Likes when things work his way, but if there is an issue to debug and analysis - he faces it.

Donate


Search


Recent posts

UEFI Secure Booting FreeBSD with Dasharo firmware

New Dasharo v0.9.0 Meteor Lake releases

Getting started with Hardkernel ODROID H4+

TrenchBoot Anti Evil Maid - Phase 4

Implementing UEFI Secure Boot on MPL PIP4x


Top authors


Related posts

New Dasharo v0.9.0 Meteor Lake releases

Getting started with Hardkernel ODROID H4+

Dasharo Compatible with MSI PRO Z690-A Release v1.1.3

Diving deep into Linux DRM bridge chaining

Upgrading your gears with liquid cooling

Optimizing Firmware Updates: Dasharo Firmware Update Mode for NovaCustom Laptops

TrenchBoot Anti Evil Maid - Phase 2


Archives

2024 (9)
2023 (12)
2022 (14)
2021 (25)
2020 (44)
2019 (26)
2018 (16)
2017 (12)
2016 (10)
2015 (8)
2014 (6)
2013 (14)
2012 (24)

Popular tags

linux coreboot embedded open-source trenchboot xen productivity toolchain tpm apu yocto qubesos uefi arm hypervisor qemu rte virtualization dasharo debian Show more