Jan Lübbe on eLinux security

Jan Lübbe of Pengutronix e.K. gave a talk at ELCE’16 (Embedded Linux Conference Europe 2016) called: “Long-Term Maintenance, or How to (Mis-)Manage Embedded Systems for 10+ Years”.

“Hardware vendors don’t care about security or maintenance.”



OpenIoT Summit announced

The Linux Foundation has started a new conference, the OpenIoT Summit, April 4-6 in San Diego, California. Call for Papers is open, closes in a few days, Feburary 5th.


OpenIoT Summit is a technical event created to serve the unique needs of system architects, firmware developers, software developers and application developers in this emerging IoT ecosystem.

Amongst the buzzwords in their CfP’s Suggested Topics were: “Device and Firmware Management“, so maybe something interesting at this event. 🙂

Their CfP list of IoT frameworks/OSes:
AllJoyn, IoTivity, Linux, Soletta, Weave, Yocto Project, and Small, real-time OSes (e.g. Contiki, FreeRTOS, RIoT).


Clarification of Matthew Garrett’s Linux fork

Some irresponsible bloggers have been commenting about Matthew’s fork of Linux:


ZDNet has a story with comments from Matthew explaining things:

“I wouldn’t say I’m forking. I’d say that I’m doing my own development work away from LKML. Right now it’s got the securelevel work in it because that’s the only code I have that I feel is ready for public use, but it’ll pick up other bits of code that I’m working on as they become mature.”


I guess I look at Matthew’s fork is like the GRSecurity patch for Linux kernel: Matthew’s got the patchset that enables UEFI Secure Boot to be secure on Linux. I hope Tails, Qubes, and other security-minded distros use Matthew’s kernel, at least in builds for UEFI-based systems.

[One of the causes of the above issue is Linus having to deal with Microsoft as a CA. UEFI Forum could also deal with this by putting in place a CA that is not an OSV/OEM. OEMs could be making Linux-friendly sytsems, not just Windows- or Chrome boxes, where Linux is an afterthought second install, which is a lot harder to do with UEFI/Windows Secure Boot — and even Chrome Verified Boot. Linux Foundation could also be helping, by working with OEMs.]


Linux Foundation IT Security Policies: firmware guidance

A  few days ago, the Linux Foundation released new guidance for securing Linux systems. Since the Linux Foundation has mostly remote workers, there are currently 2 documents: one on hardening Linux Workstations, and one for secure group communications, the latter something like a CryptoParty Handbook. Here’s an excerpt of the Hardware/Firmware/Pre-OS section from the Workstation document:

Choosing the right hardware

We do not mandate that our admins use a specific vendor or a specific model, so this section addresses core considerations when choosing a work system.


    System supports SecureBoot (CRITICAL)
    System has no firewire, thunderbolt or ExpressCard ports (MODERATE)
    System has a TPM chip (LOW)



Despite its controversial nature, SecureBoot offers prevention against many attacks targeting workstations (Rootkits, “Evil Maid,” etc), without introducing too much extra hassle. It will not stop a truly dedicated attacker, plus there is a pretty high degree of certainty that state security agencies have ways to defeat it (probably by design), but having SecureBoot is better than having nothing at all. Alternatively, you may set up Anti Evil Maid which offers a more wholesome protection against the type of attacks that SecureBoot is supposed to prevent, but it will require more effort to set up and maintain.

Firewire, thunderbolt, and ExpressCard ports

Firewire is a standard that, by design, allows any connecting device full direct memory access to your system (see Wikipedia). Thunderbolt and ExpressCard are guilty of the same, though some later implementations of Thunderbolt attempt to limit the scope of memory access. It is best if the system you are getting has none of these ports, but it is not critical, as they usually can be turned off via UEFI or disabled in the kernel itself.

TPM Chip

Trusted Platform Module (TPM) is a crypto chip bundled with the motherboard separately from the core processor, which can be used for additional platform security (such as to store full-disk encryption keys), but is not normally used for day-to-day workstation operation. At best, this is a nice-to-have, unless you have a specific need to use TPM for your workstation security.

Pre-boot environment

This is a set of recommendations for your workstation before you even start with OS installation.


    UEFI boot mode is used (not legacy BIOS) (CRITICAL)
    Password is required to enter UEFI configuration (CRITICAL)
    SecureBoot is enabled (CRITICAL)
    UEFI-level password is required to boot the system (LOW)


UEFI and SecureBoot

UEFI, with all its warts, offers a lot of goodies that legacy BIOS doesn’t, such as SecureBoot. Most modern systems come with UEFI mode on by default.

Make sure a strong password is required to enter UEFI configuration mode. Pay attention, as many manufacturers quietly limit the length of the password you are allowed to use, so you may need to choose high-entropy short passwords vs. long passphrases (see below for more on passphrases).

Depending on the Linux distribution you decide to use, you may or may not have to jump through additional hoops in order to import your distribution’s SecureBoot key that would allow you to boot the distro. Many distributions have partnered with Microsoft to sign their released kernels with a key that is already recognized by most system manufacturers, therefore saving you the trouble of having to deal with key importing.

As an extra measure, before someone is allowed to even get to the boot partition and try some badness there, let’s make them enter a password. This password should be different from your UEFI management password, in order to prevent shoulder-surfing. If you shut down and start a lot, you may choose to not bother with this, as you will already have to enter a LUKS passphrase and this will save you a few extra keystrokes.

Full information:




PS: The Linux Foundation also just started a Core Infrastructure Initiative, which has security implications, which I’ve got to find out more on, and will blog on later.


Linux Security Summit 2015 proceedings available

As part of LinuxCon North America, the Linux Security Summit recently finished, and presentations are now available (I omitted the few talks which had no presentations from below list):

* Keynote: Giant Bags of Mostly Water – Securing your IT Infrastructure by Securing your Team, Konstantin Ryabitsev, Linux Foundation
* CC3: An Identity Attested Linux Security Supervisor Architecture, Greg Wettstein, IDfusion
* SELinux in Android Lollipop and Android M, Stephen Smalley, NSA
* Discussion: Rethinking Audit, Paul Moore, Red Hat
* Assembling Secure OS Images, Elena Reshetova, Intel
* Linux and Mobile Device Encryption, Paul Lawrence, Mike Halcrow, Google
* Discussion: Core Infrastructure Initiative, Emily Ratliff, Linux Foundation
* Security Framework for Constraining Application Privileges, Lukasz Wojciechowski, Samsung
* IMA/EVM: Real Applications for Embedded Networking Systems, Petko Manolov, Konsulko Group, Mark Baushke, Juniper Networks
* Ioctl Command Whitelisting in SELinux, Jeffrey Vander Stoep, Google
* IMA/EVM on Android Device, Dmitry Kasatkin, Huawei Technologies
* Subsystem Update: Smack, Casey Schaufler, Intel
* Subsystem Update: AppArmor, John Johansen, Canonical
* Subsystem Update: Integrity, Mimi Zohar, IBM
* Subsystem Update: SELinux, Paul Moore, Red Hat
* Subsystem Update: Capabilities, Serge Hallyn, Canonical
* Subsystem Update: Seccomp, Kees Cook, Google
* Discussion: LSM Stacking Next Steps, Casey Schaufler, Intel




The Embedded Linux Conference Europe (ELCE) is happening in October. There’s a set of UEFI talks happening at the event:

UEFI Forum Update and Open Source Community Benefits, Mark Doran

Learn about the recent UEFI Forum activities and the continued adoption of UEFI technology. To ensure greater transparency and participation from the open source community, the Forum has decided to allow for public review of all specification drafts. Find out more about this new offering and other benefits to being involved in firmware standards development by attending this session.   

What Linux Developers Need to Know About Recent UEFI Spec Advances, Jeff Bobzin

Users of modern client and server systems are demanding strong security and enhanced reliability. Many large distros have asked for automated installation of a local secure boot profile. The UEFI Forum has responded with the new Audit Mode specified in the UEFI specification, v2.5, offering new capabilities, enhanced system integrity, OS recovery and firmware update processes. Attend this session to find out more about the current plans and testing schedules of the new sample code and features.

LUV Shack: An automated Linux kernel and UEFI firmware testing infrastructure, Matt Fleming

The Linux UEFI Validation (LUV) Project was created out of necessity. Prior to it, there was no way to validate the interaction of the Linux kernel and UEFI firmware at all stages of the boot process and all levels of the software stack. At Intel, the LUV project is used to check for regressions and bugs in both eh Linux kernel and EDK2-based firmware. They affectionately refer to this testing farm as the LUV shack. This talk will cover the LUV shack architecture and validation processes.

The Move from iPXE to Boot from HTTP, Dong Wei

iPXE relies on Legacy BIOS which is currently is deployed by most of the world’s ISPs. As a result, the majority of x86 servers are unable to update and move to a more secure firmware platform using UEFI. Fortunately, there is a solution. Replacing iPXE with the new BOOT from HTTP mechanism will help us get there. Attend this session to learn more.

UEFI Development in an Open Source Ecosystem, Michael Krau, Vincent Zimmer

Open source development around UEFI technology continues to progress with improved community hosting, communications and source control methodologies. These community efforts create valuable opportunities to integrate firmware functions into distros. Most prevalent UEFI tools available today center on chain of trust security via Secure Boot and Intel® Platform Trust Technology (PTT) tools. This session will address the status of these and other tools. Attendees will have the opportunity to share feedback as well as recommendations for future open UEFI development resources and processes.

UEFI aside, there’s many other presentations that look interesting, for example:

Isn’t it Ironic? The Bare Metal Cloud – Devananda van der Veen, HP
Developing Electronics Using OSS Tools – Attila Kinali
How to Boot Linux in One Second – Jan Altenberg, linutronix GmbH
Reprogrammable Hardware Support for Linux – Alan Tull, Altera
Measuring and Reducing Crosstalk Between Virtual Machines – Alexander Komarov, Intel
Introducing the Industrial IO Subsystem: The Home of Sensor Drivers – Daniel Baluta, Intel
Order at Last: The New U-Boot Driver Model Architecture – Simon Glass, Google
Suspend/Resume at the Speed of Light – Len Brown, Intel
The Shiny New l2C Slave Framework – Wolfram Sang
Using seccomp to Limit the Kernel Attack Surface – Michael Kerrisk
Tracing Virtual Machines From the Host with trace-cmd virt-server – Steven Rostedt, Red Hat
Are today’s FOSS Security Practices Robust Enough in the Cloud Era – Lars Kurth, Citrix
Security within Iotivity – Sachin Agrawal, Intel
Creating Open Hardware Tools – David Anders, Intel
The Devil Wears RPM: Continuous Security Integration – Ikey Doherty, Intel
Building the J-Core CPU as Open Hardware: Disruptive Open Source Principles Applied to Hardware and Software – Jeff Dionne, Smart Energy Instruments
How Do Debuggers (Really) Work – Pawel Moll, ARM
Make your Own USB device and Driver with Ease! – Krzysztof Opasiak, Samsung
Debugging the Linux Kernel with GDB – Peter Griffin, Linaro



Linux Foundation: combining Yocto with Debian

The CE Workgroup of the Linux Foundation occasionally does bids for research or work for related projects. One of the projects they’re interested in is supporting meta-Debian, a Yocto project that integrates with Debian. Earlier this week Tim Bird, Architecture Group Chair, CE Workgroup of the Linux Foundation, announced their proposals, exerpted here to focus on the Debian/Yocto project:

The CE Workgroup of the Linux Foundation occasionally solicits contractors for projects they are considering.  The following projects is currently under consideration for funding this year, and the CE Workgroup would be interested in hearing from you if you would like to work on them (and be paid for it!) For a while now, CEWG has been studying the feasibility of combining the Yocto Project with Debian, to create a system for using the Debian distribution for embedded projects.  The first proposal above, intends to solicit (paid) contributions to extending CEWGs project to more hardware and to include more libraries in the target distribution. If you are interested and are willing to get paid to work on this (producing or enhancing open source software to benefit the entire embedded industry), then please contact Tim Bird.


For the full announcement, see posting by Tim Bird. I’ve excerpting Tim’s announcement to only mention the meta-Debian project: he also mentioned two other projects, see the full announcement for details on those.


IMO, it would be nice to have Intel contributing to Debian in this way, providing Yocto-based vendors with more opportunities to use Debian, and helping Debian with embedded BSP (and hopefully some QA).

A bit of background on meta-debian, and some related projects: