Thoughts dereferenced from the scratchpad noise.

Porting Dasharo to ASRock Rack SPC741D8/2L2T

Published at December 2, 2025 · Michał Kopeć · 12 min read

This is a post about the process of porting Dasharo to a modern Intel-based server platform. Join me to learn how a coreboot port is integrated into Dasharo and enhanced with Dasharo features....

Categories: firmware

Stop dreading NIS2: Unlock your firmware digital sovereignty with Zarhus.

Published at November 28, 2025 · Kamil Aronowski · 12 min read

The NIS2 Directive marks a new era of mandatory cyber risk management and accountability, with a focus on supply chain integrity. Today, we'll discover how Zarhus empowers you to master NIS2 compliance effortlessly, so you can take back control, secure your digital sovereignty, and focus on what truly matters - YOUR way....

Categories: firmware security

The Dasharo Path to HSI-3

Published at November 27, 2025 · Sergii Dmytruk · 20 min read

Dasharo on MeteorLake NovaCustom laptops has reached HSI-3. This took extending support for Intel BootGuard in coreboot and combining TPM event logs of coreboot and EDK II....

Categories: firmware security

Dasharo Tools Suite: the story about scalability and stability, roadmap

Published at November 24, 2025 · Daniil Klimuk · 33 min read

Check out latest DTS upatest and roadmap. I will start from intro to DTS and the feature that are coming to it: hardware attestation, Chain of Trust and Root of Trust provisioning and verification, new hardware support. Then the brand new DTS E2E testing methodology, that help us maintain and further develop DTS, will be introduced and explained in details....

Categories: app-dev firmware miscellaneous os-dev

Gigabyte MZ33-AR1 Porting Update: ACPI and bugfixes

Published at November 5, 2025 · Michał Żygowski · 29 min read

In this blog post we will explain the effort of porting platform-specific ACPI code and show the extent of bugfixes required to run operating systems without issues on AMD Turin server platform, the Gigabyte MZ33-AR1....

Categories: firmware

Context-Based Auth.: Identify host by environment

Published at October 24, 2025 · Mateusz Kusiak · 13 min read

Geofencing - a mechanism that allows limiting various types of access to a specific area. To do so, often GPS or cellular information utilized. The issue is, stationary computers and laptops often lack needed hardware. …but what if we could use just the wifi-chips embedded in those devices to achieve even more secure result?...

Categories: iot miscellaneous security

Qubes OS Summit 2025 in Berlin: From R4.3 Features to Qubes Air Architecture

Published at October 20, 2025 · Piotr Król · 22 min read

Qubes OS Summit 2025 took place September 26-28 in Berlin, bringing together the community for talks on R4.3 updates, GUI improvements, infrastructure advances, and Qubes Air architecture. The event featured contributions from the Dasharo ecosystem including server firmware foundations, NovaCustom updates, UEFI Secure Boot progress, and TrenchBoot compatibility work. Day three hackathon focused on practical implementation including the Dasharo Patchqueue Initiative with XenServer expertise....

Categories: firmware os-dev security

Gigabyte MZ33-AR1 Porting Update: PCIe Init, BMC KVM Validation, and HCL Improvements

Published at October 10, 2025 · Michał Żygowski · Mateusz Kusiak · 22 min read

Another post about the Gigabyte MZ33-AR1 porting effort progress. This time, we add definitions for PCI Express initialization, and validate BMC KVM VGA and keyboard. Also, improvements to HCL reporting and data dumping on AMD systems have been made....

Categories: firmware

Deploying a Zephyr Wi-Fi DHCP client application on the CROSSCON Hypervisor

Published at October 2, 2025 · Mateusz Kusiak · Daniil Klimuk · Paweł Langowski · 18 min read

This blog post will show off CROSSCON Hypervisor virtualization on ARM MCU's by diving deep into the process of launching Zephyr application inside CROSSCON Hypervisor's virtual machine....

Categories: security virtualization

AMD PSP blob analysis on Gigabyte MZ33-AR1 Turin system

Published at September 12, 2025 · Michał Żygowski · 14 min read

The blog post describes the analysis of PSP blobs on Gigabyte. MZ33-AR1. The analysis covers various aspects of stitching AMD firmware BIOS images and how a support for stitching Turin blobs was developed in coreboot....

Categories: firmware

Mapping and initializing USB and SATA ports on Gigabyte MZ33-AR1

Published at September 12, 2025 · Michał Żygowski · 26 min read

As the Gigabyte MZ33-AR1 porting effort progresses, coreboot has to add definitions for I/O bus initialization, such as SATA, USB and PCI Express. If you are curious how it is done on an AMD Turin-based system, read till the end....

Categories: firmware

ram-wipe: Further analysis

Published at August 27, 2025 · Kamil Aronowski · 12 min read

The `init_on_free` Linux option ensures rigorous security by instantly zeroing out memory upon deallocation. In this follow-up, we build on our prior ram-wipe experiments to rigorously evaluate if `init_on_free` can serve as a robust safeguard, perhaps supplanting existing, less comprehensive memory wiping solutions....

Categories: firmware security

Porting Gigabyte MZ33-AR1 server board with AMD Turin CPU to coreboot

Published at August 7, 2025 · Michał Żygowski · 20 min read

The blog post describes effort made to port a modern AMD server board to coreboot. The target is Gigabyte MZ33-AR1 supporting newest AMD EPYC server processor family Turin and OpenSIL....

Categories: firmware

ZarhusBMC: The second encounter - Porting OpenBMC to X11SSH part II

Published at July 31, 2025 · Mateusz Kusiak · 14 min read

In this blog post we share current progress of ZarhusBMC and porting OpenBMC to the x11ssh platform. We also give some insides on the caveats that come with preparing configuration for proprietary platform....

Categories: firmware miscellaneous os-dev

Securing embedded Linux: Secure Boot, encryption and A/B updates with Yocto

Published at July 25, 2025 · Michał Iwanicki · 28 min read

Generating UKI files, encrypting and decrypting rootfs in initramfs, A/B OTA updates with meta-otab and swupdate....

Categories: os-dev security

Booting EDK2 on Odroid M2

Published at July 17, 2025 · Michał Kopeć · 8 min read

EDK II is quickly becoming a big player in the ARM firmware space. In this blog post I will be exploring the process of porting EDK II to a new platform and the current state of this UEFI implementation on ARM based platforms....

Categories: firmware

TrenchBoot AEM gains support for UEFI installations

Published at June 10, 2025 · Krystian Hebel · 13 min read

A feature craved by many is finally here. AEM can now be used with Qubes OS installed under UEFI. Oh, and some automated testing. But mostly UEFI....

Categories: bootloader firmware hypervisor os-dev security

Automating Firmware Security: CI for DBX and Microcode Updates in Dasharo

Published at May 29, 2025 · Michał Kopeć · 10 min read

Microcode and DBX are critical components in establishing the security of your platform. This blog post will discuss how Dasharo automates their updates, making our firmware more transparent and your platform more secure....

Categories: firmware security

ram-wipe against RAM attacks

Published at May 20, 2025 · Daniil Klimuk · 30 min read

This post will introduce some of the very popular attacks that target electronic devices - the RAM attacks, but the main topic will be the verification of ram-wipe software solution protection from the attacks....

Categories: security

ZarhusBMC: The Beginning - Porting OpenBMC to the X11SSH Platform

Published at April 28, 2025 · Mateusz Kusiak · 12 min read

Reclaim your server! Can you trust a machine that runs unauditable code on a BMC? OpenBMC can solve this. This blog post is a summary of what it takes to build OpenBMC for an unsupported platform...

Categories: firmware os-dev

Enabling Secure Boot on ODROID M1 (RK3568B)

Published at April 22, 2025 · Michał Iwanicki · 14 min read

This blog post describes how to enable Secure Boot on ODROID-M1(RK3568B). Read how to write hash of public key to OTP memory, how to sign loader and how to build signed U-Boot with enabled signature verification....

Categories: firmware security

Cache timing attacks: testing whether your system is susceptible

Published at April 18, 2025 · Michał Iwanicki · 13 min read

Post will explain basic workings of cache and cache timing attacks. We will also explore possible ways how to test whether system we are using is susceptible to more common cache timing attacks....

Categories: security

CROSSCON, its Hypervisor, and Zarhus

Published at April 10, 2025 · Wiktor Grzywacz · 19 min read

Learn about CROSSCON, how it's hypervisor works, and why running Zarhus on top of it streamlines development and testing on the RPi4....

Categories: firmware security virtualization

Conclusions from RAM data remanence tests

Published at February 20, 2025 · Maciej Pijanowski · Krystian Hebel · 3 min read

A practical summary from the two previous blog posts presenting results of RAM data remanence tests....

Categories: firmware miscellaneous

Research of RAM data remanence times, part 2

Published at January 24, 2025 · Krystian Hebel · 16 min read

Continuing from where we left off, we've run the same tests on different hardware, both platforms and memory modules. This blog post skips all the theory and description of how the measurements were obtained, please read the previous one if you're interested in these details....

Categories: miscellaneous

Archive 2025

Donate

Search

Recent posts

Porting Dasharo to ASRock Rack SPC741D8/2L2T

Stop dreading NIS2: Unlock your firmware digital sovereignty with Zarhus.

The Dasharo Path to HSI-3

Dasharo Tools Suite: the story about scalability and stability, roadmap

Gigabyte MZ33-AR1 Porting Update: ACPI and bugfixes

Top authors

Archives

Popular tags