Improving measured boot and TPM support in Dasharo
Published at November 28, 2024 · Michał Żygowski · 11 min read
An overview of recent improvements to TPM and measured boot support in open-source firmware, coreboot and Dasharo....
UEFI Secure Booting FreeBSD with Dasharo firmware
Published at November 14, 2024 · Filip Lewiński · 8 min read
This blogpost is a very brief introduction to the UEFI Secure Boot. It focuses on enabling Secure Boot on FreeBSD, on the example of a device running Dasharo firmware....
New Dasharo v0.9.0 Meteor Lake releases
Published at August 7, 2024 · Filip Gołaś · 8 min read
Dasharo v0.9.0 for 14th gen Intel Meteor Lake has just been released bringing numerous new features and improvements. Check out what's new!...
TrenchBoot Anti Evil Maid - Phase 4
Published at May 17, 2024 · Krystian Hebel · 7 min read
This blog post marks the completion of the next phase of TrenchBoot Anti Evil Maid project for Qubes OS. This time the project focused on AMD platforms, which is something that wasn't possible with the original solution based on tboot....
Categories: bootloader firmware hypervisor os-dev security
Implementing UEFI Secure Boot on MPL PIP4x
Published at April 18, 2024 · Paweł Langowski · 12 min read
This post explains how we tackled the problem of implementing UEFI Secure Boot on MPL's PIP platforms. The process included testing the platform's compatibility with Secure Boot and integrating automatic image signing into an existing Yocto layer....
Dasharo Compatible with MSI PRO Z690-A Release v1.1.3
Published at February 13, 2024 · Michał Żygowski · 11 min read
Discover the latest Dasharo v1.1.3 release bringing new features, many bug fixes, and compatibility with 14th generation Intel Core processors. Dive in to find out more....
Published at January 31, 2024 · Krystian Hebel · 7 min read
This post shows how we tested simple commands on TwPM, which is our attempt at making TPM more open....
TrenchBoot Anti Evil Maid - Phase 3
Published at January 12, 2024 · Krystian Hebel · 8 min read
This blog post marks the completion of the next phase of the TrenchBoot Anti Evil Maid project for Qubes OS. Even though the user experience didn't change much, the implementation went through a major overhaul....
Categories: bootloader firmware hypervisor os-dev security
TrenchBoot Anti Evil Maid - Phase 2
Published at October 20, 2023 · Michał Żygowski · 10 min read
TrenchBoot Anti Evil Maid project for Qubes OS is progressing. With the addition of TPM 2.0 support, Anti Evil Maid gains much higher adoption and possibilities than ever before....
Categories: bootloader firmware hypervisor os-dev security
Dasharo Compatible with MSI PRO Z690-A Release v1.1.2
Published at September 8, 2023 · Piotr Król · 10 min read
Discover the latest Dasharo v1.1.2 release, designed with you in mind. Enjoy the freedom to personalize with the new logo customization feature, and flash open-source firmware safely with Flash BIOS recovery support. It's about making firmware both fun and secure. Dive in to find out more....
Optimizing SPI communication on STM32 MCUs: a comprehensive guide to high-frequency communication
Published at July 28, 2023 · Artur Kowalski · 22 min read
In this blog post, we delve into the fascinating world of Serial Peripheral Interface (SPI) on STM32 microcontrollers (MCUs). Specifically, we explore how SPI is utilized in TPM chips for communication with PC motherboards. We encounter the challenges of achieving high-frequency SPI communication, especially when operating as a slave, and the specific limitations of STM32L476 MCUs. The article further uncovers the limitations of existing approaches in platforms like Zephyr and STM32 HAL. We then embark on a journey to fix SPI issues, improve DMA performance, and optimize the firmware for high-speed SPI communication. Throughout the blog post, we provide in-depth technical insights and share valuable test results. Join us as we push the boundaries of SPI communication and unlock new possibilities in the world of microcontrollers....
Categories: firmware miscellaneous security
Fobnail Token - example use case
Published at May 19, 2023 · Krystian Hebel · 11 min read
This phase focused on using Fobnail in a real-life use case, namely using it to access LUKS2 decryption key if and only if the PCR measurements are valid...
Categories: security
TrenchBoot Anti Evil Maid for Qubes OS
Published at January 31, 2023 · Michał Żygowski · 14 min read
Qubes OS Anti Evil Maid (AEM) software heavily depends on the availability of DRTM technologies to prevent Evil Maid attacks. However, the project has not evolved much since the beginning of 2018 and froze on the support of TPM 1.2 with Intel TXT in legacy boot mode (BIOS). In this post we show how the existing solution can be replaced with TrenchBoot and how one can install it on Qubes OS. The post will also briefly explain how TrenchBoot opens the door for future TPM 2.0 and UEFI support in AEM....
Categories: bootloader firmware hypervisor os-dev security
Infrastructure for Xen development and debugging
Published at July 4, 2022 · Piotr Król · Norbert Kamiński · 5 min read
Back in 2018 at OSFC, we presented AMD IOMMU enabling for PC Engines apuX (GX-412TC) platforms. Our hypervisor of choice was Xen and we used it to verify the PCI pass-through feature. Unfortunately, the booting process was not exactly stable. In this article, you can see how to prepare infrastructure for Xen development and debugging...
Published at June 23, 2022 · Tomasz Żyjewski · 7 min read
The Fobnail Token is an open-source hardware USB device that helps to determine the integrity of the system. The purpose of this blog post is to present the development progress of this project. During this phase, we focused on researching OS for hosting Fobnail Attester...
Categories: security
Fobnail Token - Fobnail provisioning
Published at May 25, 2022 · Krystian Hebel · 9 min read
This phase is about provisioning Fobnail Token itself. The closing point of that process is creating a certificate for Token that can be used later after attestation succeeds...
Categories: security
Fobnail Token - platform attestation
Published at April 6, 2022 · Artur Kowalski · Krystian Hebel · 6 min read
The Fobnail Token is an open-source hardware USB device that helps to determine the integrity of the system. The purpose of this blog post is to present the development progress of this project. This phase was focused on attestation....
Fobnail Token - platform provisioning
Published at March 21, 2022 · Krystian Hebel · 7 min read
The Fobnail Token is an open-source hardware USB device that helps to determine the integrity of the system. The purpose of this blog post is to present the development progress of this project. This phase was focused on platform provisioning....
A new source of trust for your platform - Dasharo with Intel TXT support
Published at March 17, 2022 · Michał Żygowski · 9 min read
Do you trust the firmware on your system? No? Then this post is a must-read for you. Get to know what Intel Trusted Execution Technology (TXT) is and how it may help you securely measure and attest your operating system and the software running on your machine. You will also hear about an open-source implementation of Intel TXT for Ivy Bridge/Sandy Bridge platforms, including Dell OptiPlex 7010 / 9010....
KGPE-D16 open-source firmware status
Published at February 3, 2022 · Michał Żygowski · 6 min read
This post covers the struggles and efforts behind the revival of the KGPE-D16, something the community had been waiting for a long time. With Dasharo firmware the platform has obtained a new life and sees daylight again with more security features and improvements....
Fobnail Token - developing communication method that meets the CHARRA requirements
Published at December 15, 2021 · Tomasz Żyjewski · 4 min read
The Fobnail Token is an open-source hardware USB device that helps to determine the integrity of the system. The purpose of this blog post is to present the development progress of this project. During the last phase, we managed to implement the communication method that will be used between verifier and attester....
Increasing the security of iMX platforms - JTAG fusing
Published at December 14, 2021 · Michał Kotyla · 9 min read
JTAG helps a lot of engineers during product development. It also may be helpful for adversaries. We tell you why and how to increase JTAG security in your product...
Categories: manufacturing security
Enabling Secure Boot on RockChip SoCs
Published at December 3, 2021 · Artur Kowalski · 9 min read
RockChip Secure Boot is an essential security feature that helps tablet, PC, streaming media TV box, and IoT solution vendors secure their devices against malware infecting the firmware. In the following post, we will tell a story about enabling Secure Boot on the RK32xx family, but the lesson learned can be used on other models...
Fobnail vs other boot security projects
Published at October 28, 2021 · Michał Żygowski · 11 min read
Have you ever thought about securing the boot process of your computer? No? This post will compare the available open source boot process hardening projects and explain the importance of signing and protecting the software/operating system you launch. You will also get to know how the boot process may be secured even further with the upcoming Fobnail security token....
Published at October 8, 2021 · Michał Kopeć · 5 min read
An introduction to TPMs. Let's explore the differences between common implementations of TPMs and how they might matter to you....
Yocto Project and its components as the Reference OS for Dasharo
Published at April 22, 2021 · Maciej Pijanowski · 4 min read
Let's dive into the most frequently asked questions regarding Dasharo products based on the Yocto Project. This blog post will answer what Yocto is and what the reasons are for choosing such a solution...
The backdoor to your firmware 2
Published at March 25, 2021 · Anastazja Lapanova · 6 min read
Firmware vulnerabilities in the light of recent attacks as a backdoor of the firmware - part 2...
Published at March 12, 2021 · Anastazja Lapanova · 5 min read
Firmware vulnerabilities in the light of recent attacks as a backdoor of the firmware...
Published at February 18, 2021 · Piotr Konkol · Kamila Banecka · 5 min read
Pros and cons of automated testing and the process of performing transparent validation....
FOSDEM 2021 – Open Source Firmware BMC and Bootloader devroom
Published at February 2, 2021 · Kamila Banecka · 4 min read
Thoughts around FOSDEM 2021 and 2020...
What is IOMMU and how it can be used?
Published at January 13, 2021 · Marek Kasiewicz · 6 min read
Welcome to a new blogpost series dedicated to IOMMU. In this article, you can read what IOMMU is and find out if its use may be beneficial for you....
Thoughts around OSFC 2020 – day 1
Published at December 21, 2020 · Kamila Banecka · Piotr Król · 6 min read
Let's share some thoughts that evolved during the OSFC 2020 talks and send kudos to the many people who made this conference happen....
Proof of concept implementation of RATS attestation for the TrenchBoot
Published at December 14, 2020 · Norbert Kamiński · 9 min read
This blog post will describe the concept of the IETF Remote Attestation Procedures (RATS) and implementation of CHAllenge-Response based Remote Attestation (CHARRA) with TPM 2.0 for TrenchBoot....
Application Security as an Every Developer's Responsibility
Published at November 13, 2020 · Piotr Nowosławski · 7 min read
The issue of web application security is becoming more and more popular. Currently, not only large organizations and corporations but also smaller businesses are forced by progress to transfer some of their activities to the Internet....
Categories: app-dev development security
Published at November 2, 2020 · Kamila Banecka · 5 min read
GRUB mini-summit 2020. This year we cannot miss this opportunity to meet again and face the new challenges of GRUB/GRUB2. So, dear reader, feel invited to look at GRUB with a magnifying glass....
Trenchboot: Xen hypervisor support for the TrenchBoot
Published at October 15, 2020 · Norbert Kamiński · Marek Kasiewicz · 4 min read
In this blog post, we will describe the development of the Xen hypervisor support for TrenchBoot....
Reasonably secure way to update your system firmware
Published at September 18, 2020 · Norbert Kamiński · 3 min read
As you may know from the previous blog post, the qubes-fwupd is the wrapper that allows you to update the firmware of your devices in the Qubes OS. This time I will briefly describe the new features, whereby you will securely update your system firmware....
TrenchBoot: Open Source DRTM. Multiboot2 support.
Published at September 7, 2020 · Krystian Hebel · 11 min read
This month we will show that not only the Linux kernel can be started by TrenchBoot. We also made some drastic changes to the bootloader data format, so if you try to redo some older posts in the future and they do not seem to work, this is probably the place to look for hints....
Booting coreboot on Intel Comet Lake S RVP8
Published at August 31, 2020 · Michał Żygowski · 10 min read
This blog post shows the procedure for building coreboot for a Comet Lake S platform. It also describes problems that occurred when building and booting the image. As a bonus, a few tips and tricks will be shown for fixing or working around these kinds of problems....
TrenchBoot: Open Source DRTM. TPM event log all the way.
Published at August 13, 2020 · Krystian Hebel · 12 min read
We extended the TPM event log support to the Linux kernel. It is now possible to print all of the PCR extend operations performed and compare the hashes with files to see if anything is wrong....
Secure Application – Best coding practices
Published at July 23, 2020 · Malwina Mika · 7 min read
When building an application, we must assume that it will be exposed to attackers at all times and may be misused by ordinary recipients. The danger of the first group seems obvious, but what kind of risk does a standard user bring?...
Categories: app-dev development security
Project status of the fwupd/LVFS support for Qubes OS
Published at July 14, 2020 · Norbert Kamiński · 5 min read
During the QubesOS minisummit, I presented the initial status of the fwupd/LVFS support for Qubes OS. Now it is time to share some more information about the progress....
DEV and IOMMU: a story of two DMA protection mechanisms
Published at July 3, 2020 · Krystian Hebel · 12 min read
Both DEV and IOMMU can help with protection against malicious DMA. This post roughly describes the difference between those two, as well as the impact they have on each other in the context of TrenchBoot...
TrenchBoot: Open Source DRTM. GRUB's new features and TPM event log.
Published at July 3, 2020 · Piotr Kleinschmidt · 16 min read
This blog post will show you what features we have added to GRUB and why they are useful from the user's point of view. It will also show how to utilize TPM event logs and hence debug DRTM....
Qubes OS & 3mdeb 'minisummit' 2020 summation
Published at June 17, 2020 · Kamila Banecka · 8 min read
The second Qubes OS & 3mdeb minisummit is behind us. We went through four evenings of topics devoted to Qubes OS, so it is time for a broad summation of the event....
Categories: firmware miscellaneous security
Starting TrenchBoot's Landing Zone from iPXE
Published at June 1, 2020 · Krystian Hebel · 10 min read
In this article we present support for starting Landing Zone from another bootloader: iPXE. It may not be as featureful as GRUB2, but it has enough juice to start DRTM using images obtained from a remote server...
Qubes OS and 3mdeb 'minisummit' 2020
Published at May 15, 2020 · Kamila Banecka · 5 min read
Once again, we will meet at the QubesOS & 3mdeb minisummit 2020, discussing #QubesOS, #firmware, #coreboot, #security and #TPM related topics. All the event details are presented in the following blog post....
Categories: firmware miscellaneous security
Installing TrenchBoot in UEFI environments
Published at May 6, 2020 · Michał Żygowski · 17 min read
This blog post will show you how to install NixOS on UEFI platforms and how to install TrenchBoot on them....
User friendly tutorial for enabling HTTPS support in iPXE
Published at May 6, 2020 · Michał Żygowski · 5 min read
This article will show you how to replace old HTTP with much safer HTTPS when booting platforms/computers over network. You will read how to quickly incorporate open-source network booting solution based on coreboot and iPXE projects to your daily life....
TrenchBoot: Open Source DRTM. CI/CD system.
Published at May 5, 2020 · Piotr Kleinschmidt · 6 min read
How to improve the development and validation process in our project? Automation? Of course! Let us introduce our CI/CD system. Find out how it actually works and what advantages it has....
TrenchBoot: Open Source DRTM. DRTM update and meta-trenchboot implementation
Published at April 30, 2020 · Piotr Kleinschmidt · 11 min read
Another release brings new updates to our Open Source DRTM project. Besides code changes, we have prepared our custom Linux image with DRTM. We also set up a CI/CD system for automated builds and tests. Read this article if you want to find out more details....
TrenchBoot: Open Source DRTM. Landing Zone validation.
Published at April 3, 2020 · Piotr Kleinschmidt · 25 min read
Now that you know what TrenchBoot is, what DRTM is and how we enable it on AMD processors, we can move on to practice. I will show you how to configure all components and verify the first of the project's requirements....
TrenchBoot - Open Source DRTM for AMD processors. Project's basics.
Published at March 31, 2020 · Piotr Kleinschmidt · 11 min read
This is the first blog post of the TrenchBoot series. It will introduce you to the project, its structure and environment. Additionally, the reader will find out more about each component, how to set up the environment and how to configure the build....
Open Source DRTM with TrenchBoot for AMD processors. Introduction.
Published at March 28, 2020 · Piotr Kleinschmidt · 4 min read
This article starts an entire series of articles related to the title project. By reading this blog post, you will find out why we started such a project and who is supporting us. We also bring you closer to the main concept and goals....
Boot Guard - pre-execution firmware verification on Protectli FW6
Published at February 21, 2020 · Michał Żygowski · 9 min read
This post will not describe how to guard your shoes. However, it will definitely introduce you to the Boot Guard feature present on Intel processors, which allows firmware verification before the first instruction executes. One may call it pre-execution firmware verification. The post will also show you how Boot Guard can work well with coreboot-based firmware on the example of the Protectli FW6....
GRUB2 and 3mdeb minisummit 2019
Published at February 19, 2020 · Piotr Król · 7 min read
In December 2019 we had the pleasure of meeting Daniel Kiper, #GRUB2 maintainer, in the 3mdeb office in Gdańsk. We discussed various #GRUB2, #Xen, #firmware, #coreboot, #security and #TPM related topics. The results of that "minisummit" are presented in the following blog post in the form of presentations and videos....
Easy way to stay secure - XEN on the PC Engines apu2
Published at February 5, 2020 · Norbert Kamiński · 3 min read
Xen Project creates a software system that allows the execution of multiple virtual guest operating systems simultaneously on a single physical machine. In this case, it is a PC Engines apu2 platform....
Categories: manufacturing os-dev security
Platform Security Summit 2019 impressions. Part 1
Published at October 22, 2019 · Piotr Król · Łukasz Wcisło · 5 min read
We are happy to announce that a 3mdeb delegation took part in Platform Security Summit 2019. In the coming weeks we are going to briefly report what caught our attention and cover the course of this conference....
Categories: miscellaneous security
Qubes OS and 3mdeb 'minisummit' 2019
Published at August 7, 2019 · Piotr Król · 8 min read
In May we had the pleasure of meeting Marek Marczykowski-Górecki, #QubesOS Project Lead, in the 3mdeb office in Gdańsk. We discussed various #QubesOS, #Xen, #firmware, #coreboot, #security and #TPM related topics. The results of that "minisummit" are presented in the following blog post....
How to safely update your firmware - fwupd and LVFS to the rescue!
Published at July 11, 2019 · Artur Raglis · 7 min read
Many people hold the mistaken belief that changing the firmware is a very complicated task and fear that they can "brick" their platform or personal computer. Others do not know where to find matching updates. There is a simple answer: meet fwupd with LVFS....
Meltdown and Spectre on PC Engines apu2
Published at May 29, 2019 · Michał Żygowski · 9 min read
As a continuation of the Meltdown and Spectre blog post, this post presents the vulnerability status and mitigation with a microcode update on PC Engines apu2. Read the post and get to know the open source tools for vulnerability and mitigation checks, as well as the proof-of-concept exploits....
Published at April 24, 2019 · Łukasz Wcisło · 11 min read
OpenVizsla allows you to passively monitor the communication between a USB host and a USB peripheral. It is a tool for developers working with USB, and especially those who are using USB in embedded designs. We have tested its possible use cases and found it really valuable, with a lot of potential for further development....
Categories: miscellaneous security
How to mitigate ROCA TPM vulnerability?
Published at April 17, 2019 · Krystian Hebel · 10 min read
The ROCA vulnerability was discovered (October 2017) in a software library, RSALib, provided by Infineon Technologies. That library is also used in TPM modules. When this vulnerability is present, the pair of prime numbers used for generating RSA keys is chosen from a small subset of all available prime numbers. This results in a great loss of entropy. Details and exact numbers can be found here. UPDATE 2021-10-20: provided a new link for TPM firmware updates (the old one was no longer working), added info about the patch for openssl-1....
Meltdown and spectre. What are they and what they are not?
Published at March 20, 2019 · Michał Żygowski · 6 min read
Meltdown and Spectre. At the turn of 2017 and 2018, the world of security and computing was shaken. It was the time when we first heard about vulnerabilities that affect almost every modern processor (mainly x86 architecture) manufactured during the last 20 years. They were named Meltdown and Spectre and belong to one family of flaws caused by speculative execution. In this post, I will describe what they are and how they threaten the users of modern machines....
Categories: security
Failure of ECC508A crypto coprocessor initial triage with SAM G55 Xplained Pro Evaluation Kit
Published at November 24, 2016 · Piotr Król · 7 min read
Some time ago (around August 2016) embedded community media were hit with hype around a simplified flow for AWS IoT provisioning (1, 2, 3). I'm personally very interested in all categories related to that news: IoT is 3mdeb's business core and, even though the term has been largely abused these days, we just love to build connected embedded devices. Building these kinds of devices is inherently tied to firmware deployment, provisioning and update problems....