DebConf, Debian’s annual conference, is happening in Cape Town, South Africa. Even if you aren’t in Cape Town this week, the DebConf event team is very good at providing post-conference video archives; look for them to be available shortly.
Amongst the many interesting presentations, here are a few firmware-related presentations to look forward to:
Secure Boot BOF
Secure Boot is a UEFI feature that prevents unsigned boot code from being loaded. Assuming the bootloader checks the signature on the kernel, and the kernel checks the signature on code it itself loads, this chain of trust can be extended quite far into the running system. Unfortunately, the only signing key that is trusted by most implementations is held by Microsoft.
There are 2 major reasons for supporting Secure Boot in Debian:
* some computers now ship with Secure Boot enabled by default, making it harder to install Debian;
* while not perfect, it is a technology that can be used to make Debian users safer.
The plan that Ben (bwh) has been hatching is as follows:
* a minimalistic shim bootloader is signed by Microsoft;
* the shim loads a bootloader that was properly signed by Debian (in the long run, ftpmaster@; right now, it’s bwh’s signing key);
* the bootloader loads a kernel signed by Debian;
* the kernel only loads code signed by Debian (securelevel = 1).
The signing process itself uses signature packages, so as not to keep signing keys on the buildds or break reproducibility.
Pros:
* no dependency on Microsoft, once the shim is signed (and it should need fixes very seldom);
* robust process that can take advantage of reproducible builds;
* gives reasonable guarantees that the running kernel is a legitimate one;
* trusting only Debian (as opposed to anything Microsoft signs) can easily be achieved by shipping a Debian-signed shim and having the user put the Debian key as the only trusted one.
Cons:
* doesn’t protect the userspace (yet!);
* still vulnerable to somebody with a kernel exploit (but this doesn’t grant persistence) or who can get a bootloader signed by Microsoft.
Help us, fellow Debian hackers! You are our only hope.
Secure Boot for Debian Linux
Three years after a “Plan of action” for Secure Boot support, we’ve had another release without it and there are still many changes required. What is left to do and how will we finish it in time for “stretch”?
Using LAVA for Debian
How to use LAVA to provide test support on real hardware which can be remote or local to the user.
* publish local tests from your desk to support testing packages like u-boot.
* install lava-dispatcher on a machine on your LAN and publish local tests for everyone to view and analyse
* run CI on the Linux kernel packages on hardware – ramdisk, NFS and SATA media
* test DI on real hardware (typically ARM).
* publish local tests of VM images, including live images, and potentially run tests on VM images where appropriate hardware is available.
* run server-client tests on relevant hardware which cannot be easily performed in sbuild or single VM instances.
* support for VLAN testing is available although unlikely to be via lava.debian.net itself.
* support for Debian SSO for account creation.
* XMLRPC and REST API interfaces.
Debugging the IoT
Bdale Garbee, Bernelle Verster, Andy Simpkins
Panel discussion, aimed at the general public and more technical participants alike. The panel will discuss the open hardware movement, and how it fits in with Smart Homes. It will highlight and discuss the futurology, trends, and challenges. Challenges include security, the role of big vendors, the requirement for a more powerful platform, competing interests and the role of industrial providers. The panel will be hosted by Bernelle Verster, and panelists include Andy Simpkins and others. (Please get in touch if you want to be on the panel too).
Debian on ARM devices
This talk will cover Debian on ARM devices, including NAS devices, development boards and other devices. The talk will briefly explain how the installer works on ARM from the point of view of a user. It will then cover in detail how Debian on ARM is different to Debian on x86 devices and what infrastructure we created in Debian to support a wide range of ARM devices, such as flash-kernel. Some supported platforms and devices will be covered as well.