.png){kind=small}
TrenchBoot: Open Source DRTM. TPM event log all the way.
Published at August 13, 2020 · 12 min read
We extended the TPM event log support to the Linux kernel. It is now possible to print all of the PCR extend operations performed and compare the hashes with files to see if anything is wrong....
DEV and IOMMU: a story of two DMA protection mechanisms
Published at July 3, 2020 · 12 min read
Both DEV and IOMMU can help with protection against malicious DMA. This post roughly describes the difference between those two, as well as the impact they have on each other in the context of TrenchBoot...
Starting TrenchBoot's Landing Zone from iPXE
Published at June 1, 2020 · 10 min read
In this article we present support for starting Landing Zone from another bootloader: iPXE. It may not be as featureful as GRUB2, but it has enough juice to start DRTM using images obtained from a remote server...
Trying to fix ESXi 6.7.0 boot issue, part one
Published at March 4, 2020 · 14 min read
First mentions that updated versions of VMware's ESXi 6.7.0 installer doesn't start on PC Engines platforms come from the beginning of 2019. Older versions of ESXi worked fine. 'Shutting down firmware services...' is the last line printed before hang or reboot....
Published at January 23, 2020 · 14 min read
After long break, this is the third post in the hypervisor series. We will see how VMX helps with virtualization of restricted instructions and how Bareflank allows for implementation of handlers for them. At the end we will show how to write and add our own handler....
Categories: firmware
How L4 Genode hypervisor stands against proprietary RTOS solution
Published at January 10, 2020 · 5 min read
A microkernel is a minimal computer operating system kernel which provides no operating system services at all, only the mechanisms needed to implement such services. A concept is tolerated inside the μ-kernel only if moving it outside the kernel would prevent the implementation of the system’s required functionality. In this article we will show our considerations on using L4 microkernels on VM....
Categories: os-dev
Published at May 22, 2019 · 3 min read
Recently we made sure that every build of PC Engines' firmware is built in a reproducible manner. This short post shows what exactly does it mean and why this should be important to firmware developers....
Categories: firmware
Building and running Bareflank
Published at May 15, 2019 · 13 min read
In this second post of a series, we will build and start our first hypervisor. It won't do much just yet, but it is good to get known with its build system....
Categories: firmware
5 terms every hypervisor developer should know
Published at April 30, 2019 · 11 min read
This is the first post of a series about developing bare-metal hypervisors. It introduces to Intel's VMX technology, describes interactions between a virtual machine and a hypervisor as well as gives some insight on the control structures required. This post should give some theoretical knowledge base required for the next ones, in which we will implement a basic hypervisor....
Categories: firmware
How to mitigate ROCA TPM vulnerability?
Published at April 17, 2019 · 10 min read
ROCA vulnerability was discovered (October 2017) in a software library, RSALib, provided by Infineon Technologies. That library is also used in TPM modules. When this vulnerability is present, a pair of prime numbers used for generating RSA keys is chosen from a small subset of all available prime numbers. This results in a great loss of entropy. Details and exact numbers can be found here. UPDATE 2021-10-20: provided new link for TPM firmware updates (old one was no longer working), added info about patch for openssl-1....