Debian 10 released, with Secure Boot

[…]The UEFI (“Unified Extensible Firmware Interface”) support first introduced in Debian 7 (code name “wheezy”) continues to be greatly improved in Debian 10 “buster”. Secure Boot support is included in this release for amd64, i386 and arm64 architectures and should work out of the box on most Secure Boot-enabled machines. This means users should no longer need to disable Secure Boot support in the firmware configuration.[…]

Hmm, above URL generates an error on the resulting page, but the MARC and Mail-Archive links work, the latter rendered better. The Debian page also wrongly points to the now-dead GMane site, two Debian bugs that need to get fixed…

GRUB2 security changes in Fedora

[…]Include Grub’s “verify,” “cryptodisk,” “luks” and <others here> modules in grubx64.efi of the ‘grub2-efi-x64’ package.  Users utilising secure boot functionality on the UEFI platform cannot insert modules that aren’t in grubx64.efi. Paradoxically, this means that security-conscious users cannot use grub’s verify module, or employ (near) full disk encryption using cryptodisk and luks. The security benefits of signature verification would reach more users if Fedora automated it by incorporating the process into grub2-mkconfig. For the long-term, to grant flexibility with grub2 modules on secure boot instances, it may be advisable to sign the .mod files in the ‘grub2-efi-x64-modules’ package, modify grub2-mkconfig (or -install) to copy the necessary modules into the EFI partition when required by the user’s configuration and then allow inserting of signed modules in secure boot instances.[…]


Open Source Firmware track at LinuxFestNorthWest 2019 is the annual Linux conference for Washington state and the Pacific NorthWest area. This year, there’s an “Open Source Firmware” track, for the first time.

UEFI Boot for Mere Mortals
Why Open Source is Critical For Platform Firmware
Defending Out-of-Band Management Attacks
Network Boot in a Zero-Trust Environment
Open-Source Host Firmware Directions
The Fight for a Secure Linux BIOS… Past, Present and Future

LFNW logo

mXtract: Linux-based tool that analyses and dumps memory

mXtract is an opensource linux based tool that analyses and dumps memory. Its developed as an offensive pentration testing tool which can be used to scan memory for private keys, ips, and passwords using regexes. Remember your results are only as good as your regexes.[…]


Comparing Linux distribution’s hardening schemes

In this post, we explore the adoption of Linux hardening schemes across five popular distributions by examining their out-of-the-box properties. For each distribution, we analyzed its default kernel configuration, downloaded all its packages, and analyzed the hardening schemes of their enclosed binaries. Our dataset includes the OpenSUSE 12.4, Debian 9, CentOS and RHEL 6.10 & 7 distributions, as well as the Ubuntu 14.04, 12.04, and 18.04 LTS distributions. Our findings confirm that even basic hardening schemes, such as stack canaries and position independent code, are not fully adopted. The situation is even worse when it comes to other compiler protections like stack clash hardening, which recently came into the spotlight due to last month’s systemd vulnerabilities. However, not all is hopeless.[…]

Fedora: Flicker Free Boot

Fedora 30 now contains all changes changes for a fully Flicker Free Boot. Last week a new version of plymouth landed which implements the new theme for this and also includes a much improved offline-updates experience, following this design. At boot the display will seamlessly transit from the firmware boot-splash into the new plymouth theme, which uses the firmware boot-splash as background[…]

How to Debug the Linux Kernel with QEMU and Libvirt

[…In this article, we explain how you can debug your Linux kernel and its modules during runtime. This article will be useful for Linux kernel developers who want to speed up the time to market of their software.[…]

Evolution of the x86 context switch in Linux

While researching archaic facts about the 80386 hardware context switch last weekend, I remembered that early versions of the Linux kernel relied on it. I was promptly sidetracked for hours reading code I hadn’t seen in years. This weekend, I’ve decided to write down the journey to consolidate all the nuggets of fun stuff I discovered along the way.

Linux x86 context switch Troubleshooting hardware problems in Linux

[…]The following tips should make it quicker and easier to troubleshoot hardware in Linux. Many different things can cause problems with Linux hardware; before you start trying to diagnose them, it’s smart to learn about the most common issues and where you’re most likely to find them.[…]

build-anywhere: Create highly portable ELF binaries using the build-anywhere toolchain

This post describes the basic requirements for compiling highly portable ELF binaries. Essentially using a newer Linux distro like Ubuntu 18.10 to build complex projects that run on older distros like CentOS 6. The details are limited to C/C++ projects and to x86_64 architectures. The low-level solution is to use a C++ runtime that requires only glibc 2.13+ runtime linkage and link all third-party libraries as well as the compiler runtime and C++ implementation statically. Do not make a “fully static” binary. You will most likely find a glibc newer than 2.13 on every Linux distribution released since 2011. The high-level solution is to use the build-anywhere scripts to build a easy-to-use toolchain and set compiler flags.[…]

GPU-pass-through-compatibility-check: Automatically set up a Linux system for PCI pass-through and check if it is compatible

This project consists of 3 parts.
1) A script ( that automatically checks to what extend a computer is compatible with GPU pass-through in its given configuration.
2) A script ( that automatically installs and configures your system for GPU pass-through (Only tested on fresh installs of Fedora 28 x64 with Gnome, booted in UEFI mode!)
3) Instructions on how to create a bootable Linux USB stick that automatically runs the script when you boot from it without any user interaction required.

example output

ALT Linux adds packages for UEFI keys and certs

This package contains ALT Linux UEFI SB CA certificate corresponding to the private key that is now used to sign ALT Linux UEFI bootloaders to cope with UEFI SecureBoot regime (aka “Restricted Boot”). This can be enrolled by the user so that ALT shim and subsequent bootloaders are accepted by firmware without Microsoft’s certificates.

PS: ALT Linux Rescue includes an EFI System Partition (ESP) with a few tools, and a boot option to go into UEFI or Linux.

LinuxFlaw: collection of hundreds of Linux vulnerabilities

As the above Twitter thread shows, see-also:

CVE-2017-1000112: Linux Kernel Runtime Guard (LKRG) bypass

This is a proof-of-concept local root exploit for the vulnerability in the UFO Linux kernel implementation CVE-2017-1000112.


Defensive Security: Playing with Linux Kernel Runtime Guard (LKRG)