Security

Infrastructure for Xen development and debugging

Published at July 4, 2022 · Piotr Król · Norbert Kamiński ·  5 min read

Back in 2018 at OSFC, we've presented AMD IOMMU enabling for PC Engines apuX (GX-412TC) platforms. Our hypervisor of choice was Xen and we used it to verify the PCI pass-through feature. Unfortunately, the booting process was not exactly stable. In this article, you can check how to prepare infrastructure for Xen development and debugging...

Categories: firmware os-dev security


Minimal OS for Fobnail

Published at June 23, 2022 · Tomasz Żyjewski ·  7 min read

The Fobnail Token is an open-source hardware USB device that helps to determine the integrity of the system. The purpose of this blog post is to present the development progress of this project. During this phase, we focused on researching OS for hosting Fobnail Attester...

Categories: security


Fobnail Token - Fobnail provisioning

Published at May 25, 2022 · Krystian Hebel ·  9 min read

This phase is about provisioning Fobnail Token itself. The closing point of that process is creating a certificate for Token that can be used later after attestation succeeds...

Categories: security



Fobnail Token - platform provisioning

Published at March 21, 2022 · Krystian Hebel ·  7 min read

The Fobnail Token is an open-source hardware USB device that helps to determine the integrity of the system. The purpose of this blog post is to present the development progress of this project. This phase was focused on platform provisioning....

Categories: firmware security


A new source of trust for your platform - Dasharo with Intel TXT support

Published at March 17, 2022 · Michał Żygowski ·  9 min read

Do you trust the firmware on your system? No? Then this post is a must-read for you. Get to know what Intel Trusted Execution Technology (TXT) is and how it may help you securely measure and attest your operating system and software running on your machine. You will also hear about open-source implementation of Intel TXT for Ivy Bridge/Sandy Bridge platforms including Dell OptiPlex 7010 / 9010....

Categories: firmware security


KGPE-D16 open-source firmware status

Published at February 3, 2022 · Michał Żygowski ·  6 min read

This post covers the struggles and efforts behind the revival of KGPE-D16. Something that community was waiting for a long time. With Dasharo firmware the platform obtained a new life and sees a new daylight with more security features and improvements....

Categories: firmware security




Enabling Secure Boot on RockChip SoCs

Published at December 3, 2021 · Artur Kowalski ·  9 min read

RockChip Secure Boot is an essential security feature that helps tablet, PC, streaming media TV box, and IoT solution vendors secure their devices against malware infecting the firmware. In the following post, we will tell a story about enabling Secure Boot on the RK32xx family, but the lesson learned can be used on other models...

Categories: firmware security


Fobnail vs other boot security projects

Published at October 28, 2021 · Michał Żygowski ·  11 min read

Have you ever thought about securing the boot process of your computer? No? This post will compare the available open source boot process hardening projects and explain the importance of signing and protection the software/operating system you launch. You will also get to know how the boot process may be secured even further and with the incoming Fobnail security token....

Categories: firmware security


fTPM vs dTPM

Published at October 8, 2021 · Michał Kopeć ·  5 min read

An introduction to TPMs. Let's explore the differences between common implementations of TPMs and how they might matter to you....

Categories: security










GRUB mini–summit 2020

Published at November 2, 2020 · Kamila Banecka ·  5 min read

GRUB mini–summit 2020. This year we cannot miss this opportunity to meet again and face the new challenges of GRUB/GRUB2. So,dear reader, feel invited to look at GRUB with a magnifying glass....

Categories: firmware os-dev security




TrenchBoot: Open Source DRTM. Multiboot2 support.

Published at September 7, 2020 · Krystian Hebel ·  11 min read

This month we will show that not only Linux kernel can be started by TrenchBoot. We also did some drastic changes to the bootloader data format, so if you try to redo some older posts in the future and they do not seem to work, this is probably the place to look for hints....

Categories: firmware security


Booting coreboot on Intel Comet Lake S RVP8

Published at August 31, 2020 · Michał Żygowski ·  10 min read

This blog post shows the procedure of building coreboot for a Comet Lake S platform. Also it describes problems occurred when building and booting the image. As a bonus, few tips and tricks will be shown how to fix/workaround these kind of problems....

Categories: firmware security


















Boot Guard - pre-execution firmware verification on Protectli FW6

Published at February 21, 2020 · Michał Żygowski ·  9 min read

This post will not describe how to guard your shoes. However, will definitely introduce you to Boot Guard feature present on Intel processors which allows firmware verification before the first instruction executes. One may call it pre-execution firmware verification. The post will also show you how Boot Guard can work well with coreboot based firmware on an example of Protectli FW6....

Categories: firmware security


GRUB2 and 3mdeb minisummit 2019

Published at February 19, 2020 · Piotr Król ·  7 min read

In December 2019 we had pleasure to meet Daniel Kiper #GRUB2 maintanaer in 3mdeb office in Gdańsk. We dicussed various #GRUB2, #Xen, #firmware, #coreboot, #security and #TPM related topics. Results of that "minisummit" was presented in following blog post in form of presentations and videos....

Categories: firmware os-dev security




Qubes OS and 3mdeb 'minisummit' 2019

Published at August 7, 2019 · Piotr Król ·  8 min read

In May we had pleasure to meet Marek Marczykowski-Górecki #QubesOS Project Lead in 3mdeb office in Gdańsk. We dicussed various #QubesOS, #Xen, #firmware, #coreboot, #security and #TPM related topics. Results of that "minisummit" was presented in following blog post....

Categories: firmware os-dev security



Meltdown and Spectre on PC Engines apu2

Published at May 29, 2019 · Michał Żygowski ·  9 min read

As a continuation the Meltdown and Spectre blog post, this post present the vulnerability status and mitigation with microcode update on PC Engines apu2. Read the post and get to know the open source tools for vulnerability and mitigation checks, as well as exploiting proof of concepts....

Categories: firmware security


USB Sniffing With OpenVizsla

Published at April 24, 2019 · Łukasz Wcisło ·  11 min read

OpenVizsla allows to passively monitor the communication between a USB host and USB peripheral. It is a tool for developers working with USB and especially those who are using USB in embedded designs. We have tested its possible use cases and see it is really valuable, and has a lot of potential for further development....

Categories: miscellaneous security


How to mitigate ROCA TPM vulnerability?

Published at April 17, 2019 · Krystian Hebel ·  10 min read

ROCA vulnerability was discovered (October 2017) in a software library, RSALib, provided by Infineon Technologies. That library is also used in TPM modules. When this vulnerability is present, a pair of prime numbers used for generating RSA keys is chosen from a small subset of all available prime numbers. This results in a great loss of entropy. Details and exact numbers can be found here. UPDATE 2021-10-20: provided new link for TPM firmware updates (old one was no longer working), added info about patch for openssl-1....

Categories: firmware security


Meltdown and spectre. What are they and what they are not?

Published at March 20, 2019 · Michał Żygowski ·  6 min read

Meltdown and Spectre At the turn of the year 2017 and 2018, the world of security and computing has shaken. It was the time when we first heard about vulnerabilities that affect almost every modern processor (mainly x86 architecture) manufactured during the last 20 years. They have been named as Meltdown and Spectre and belong to one family of flaws caused by speculative execution. In this post, I will describe what they are and how they are threatening the users of modern machines....

Categories: security