Krystian Hebel

Firmware Engineer interested mostly in things omitted from documentation. Jack of all trades, master of none.

Articles (19)


Fobnail Token - example use case

Published at May 19, 2023 ·  11 min read

This phase focused on using Fobnail in a real-life use case, namely using it to access LUKS2 decryption key if and only if the PCR measurements are valid...

Categories: security

Fobnail Token - Fobnail provisioning

Published at May 25, 2022 ·  9 min read

This phase is about provisioning Fobnail Token itself. The closing point of that process is creating a certificate for Token that can be used later after attestation succeeds...

Categories: security

Talos II - second CPU support and test automation

Published at April 15, 2022 ·  5 min read

Another post about our adventures with porting coreboot to Talos II. This phase focused on enabling the second CPU and its internal devices. We also expanded our test suite...

Categories: firmware

Fobnail Token - platform attestation

Published at April 6, 2022 ·  6 min read

The Fobnail Token is an open-source hardware USB device that helps to determine the integrity of the system. The purpose of this blog post is to present the development progress of this project. This phase was focused on attestation...

Categories: firmware security

Fobnail Token - platform provisioning

Published at March 21, 2022 ·  7 min read

The Fobnail Token is an open-source hardware USB device that helps to determine the integrity of the system. The purpose of this blog post is to present the development progress of this project. This phase was focused on platform provisioning...

Categories: firmware security

Current status of coreboot and Heads ports for Talos II

Published at February 16, 2022 ·  8 min read

This post summarizes our current progress on making the first coreboot port for a POWER platform, including Heads as a payload. It will also show how you can test it without having to flash firmware to PNOR...

Categories: firmware

coreboot port for OpenPOWER - why bother?

Published at December 31, 2020 ·  9 min read

You may have heard by now that we are working on a coreboot port for Talos II. OpenPOWER already has, nomen omen, open source firmware, so one may ask why bother? We will try to answer that question...

Categories: firmware

TrenchBoot: Open Source DRTM. Multiboot2 support.

Published at September 7, 2020 ·  11 min read

This month we will show that not only the Linux kernel can be started by TrenchBoot. We also made some drastic changes to the bootloader data format, so if you try to redo some older posts in the future and they do not seem to work, this is probably the place to look for hints...

Categories: firmware security

TrenchBoot: Open Source DRTM. TPM event log all the way.

Published at August 13, 2020 ·  12 min read

We extended the TPM event log support to the Linux kernel. It is now possible to print all of the PCR extend operations performed and compare the hashes with files to see if anything is wrong...

Categories: firmware security

DEV and IOMMU: a story of two DMA protection mechanisms

Published at July 3, 2020 ·  12 min read

Both DEV and IOMMU can help with protection against malicious DMA. This post roughly describes the difference between those two, as well as the impact they have on each other in the context of TrenchBoot...

Categories: firmware security