TrenchBoot AEM gains support for UEFI installations
Published at June 10, 2025 · Krystian Hebel · 13 min read
A feature craved by many is finally here. AEM can now be used with Qubes OS installed under UEFI. Oh, and some automated testing. But mostly UEFI....
Categories: bootloader firmware hypervisor os-dev security
TrenchBoot Anti Evil Maid - Phase 4
Published at May 17, 2024 · Krystian Hebel · 7 min read
This blog post marks the completion of the next phase of TrenchBoot Anti Evil Maid project for Qubes OS. This time the project focused on AMD platforms, which is something that wasn't possible with the original solution based on tboot....
Categories: bootloader firmware hypervisor os-dev security
TrenchBoot Anti Evil Maid - Phase 3
Published at January 12, 2024 · Krystian Hebel · 8 min read
This blog post marks completion of next phase of TrenchBoot Anti Evil Maid project for Qubes OS. Even though user experience didn't change too much, the implementation went through a major overhaul....
Categories: bootloader firmware hypervisor os-dev security
TrenchBoot Anti Evil Maid - Phase 2
Published at October 20, 2023 · Michał Żygowski · 10 min read
TrenchBoot Anti Evil Maid project for Qubes OS is progressing. With the addition of TPM 2.0 support, Anti Evil Maid gains much higher adoption and possibilities than ever before....
Categories: bootloader firmware hypervisor os-dev security
TrenchBoot Anti Evil Maid for Qubes OS
Published at January 31, 2023 · Michał Żygowski · 14 min read
Qubes OS Anti Evil Maid (AEM) software heavily depends on the availability of the DRTM technologies to prevent the Evil Maid attacks. However, the project has not evolved much since the beginning of 2018 and froze on the support of TPM 1.2 with Intel TXT in legacy boot mode (BIOS). In the post we show how existing solution can be replaced with TrenchBoot and how one can install it on the Qubes OS. Also the post will also briefly explain how TrenchBoot opens the door for future TPM 2.0 and UEFI support for AEM....
Categories: bootloader firmware hypervisor os-dev security
Infrastructure for Xen development and debugging
Published at July 4, 2022 · Piotr Król · Norbert Kamiński · 5 min read
Back in 2018 at OSFC, we've presented AMD IOMMU enabling for PC Engines apuX (GX-412TC) platforms. Our hypervisor of choice was Xen and we used it to verify the PCI pass-through feature. Unfortunately, the booting process was not exactly stable. In this article, you can check how to prepare infrastructure for Xen development and debugging...
Published at June 23, 2022 · Tomasz Żyjewski · 7 min read
The Fobnail Token is an open-source hardware USB device that helps to determine the integrity of the system. The purpose of this blog post is to present the development progress of this project. During this phase, we focused on researching OS for hosting Fobnail Attester...
Categories: security
Trenchboot: Xen hypervisor support for the TrenchBoot
Published at October 15, 2020 · Norbert Kamiński · Marek Kasiewicz · 4 min read
In this blog post, we will describe the development of the Xen hypervisor support for TrenchBoot....
TrenchBoot: Open Source DRTM. Multiboot2 support.
Published at September 7, 2020 · Krystian Hebel · 11 min read
This month we will show that not only Linux kernel can be started by TrenchBoot. We also did some drastic changes to the bootloader data format, so if you try to redo some older posts in the future and they do not seem to work, this is probably the place to look for hints....
Easy way to stay secure - XEN on the PC Engines apu2
Published at February 5, 2020 · Norbert Kamiński · 3 min read
Xen Project creates a software system that allows the execution of multiple virtual guest operating systems simultaneously on a single physical machine. In this case, it is a PC Engines apu2 platform....
Categories: manufacturing os-dev security
pfSense firewall boot process optimization under Xen hypervisor. Part 2
Published at December 13, 2019 · Piotr Kleinschmidt · 10 min read
In previous article we introduce our implementation of pfSense under Xen. Now, we want to show how you can improve boot process and reduce virtualized pfSense boot time to minimum....
pfSense firewall boot process optimization under Xen hypervisor. Part 1
Published at November 6, 2019 · Piotr Kleinschmidt · 5 min read
Running applications in Virtual Machines is not a trivial task. We made such pfSense firewall implementation. That article is an introduction about what we made and what actual goals we set to improve its performance....
RTE for automated kernel deployment and everyday use
Published at October 3, 2018 · Piotr Król · 9 min read
We continue our effort to enable IOMMU and as side effect I have to play with various technologies to exercise reliable development environment which base on RTE. In this blog post I would like to present semi-automated technique to debug firmware, Xen and Linux kernel. The goal is to have set of tools that help in enabling various features in Debian-based dom0. We would like: update Linux kernel which is exposed over HTTP server update rootfs provided through NFS I will use following components:...
Xen HVM guests on PC Engines apu2
Published at August 16, 2018 · Piotr Król · 15 min read
Continuing blog post series around Xen and IOMMU enabling in coreboot we are reaching a point in which some features seem to work correctly on top of recent patch series in firmware. What we can do at this point is PCI passthrough to guest VMs. Previously trying that on Xen caused problems: random hangs firmware cause Linux kernel booting issues (hang during boot) IOMMU disabled - unable to use PCI passthrough Now we can see something like that in dom0:...
How to boot Xen over PXE and NFS on PC Engines apu2
Published at July 18, 2018 · Piotr Król · 9 min read
From time to time we face requests to correctly enable support for various Xen features on PC Engines apu2 platform. Doing that requires firmware modification, which 3mdeb is responsible for. Xen have very interesting requirements from firmware development perspective. Modern x86 have a bunch of features that support virtualization in hardware. Those features were described in Xen FAQ. It happens that most requesting were IOMMU and SR-IOV. First, give the ability to dedicate PCI device to given VM and second enables so-called Virtual Functions, what means on a physical device (e....
.png){kind=small}
