Linux Plumbers Conference 2020

Session

System Boot and Security MC

27 Aug 2020, 07:00

263. Introduction

27/08/2020, 07:00

129. Secure boot without UEFI: booting VMs on Power(PC)

Daniel Axtens (IBM)

27/08/2020, 07:10

Much of the Secure and Trusted Boot ecosystem is built around UEFI. However, not all platforms implement UEFI, including IBM's Power machines.

In this talk, I present a proposal for secure boot of virtual machines on Power. This is an important use case, as many Power machines ship with a firmware hypervisor, and all user workloads run as virtual machines or "Logical Partitions" (LPARs).
...

62. System Firmware and Device Firmware Updates using Unified Extensible Firmware Interface (UEFI) Capsules

Harry Hsiung (Intel)

27/08/2020, 07:35

Firmware is responsible for low-level platform initialization, establishing root-of-trust, and loading the operating system (OS). Signed UEFI Capsules define an OS-agnostic process for verified firmware updates, utilizing the root-of-trust established by firmware. The open source FmpDevicePkg in TianoCore provides a simple method to update system firmware images and device firmware images...

84. ASI: Efficiently Mitigating Speculative Execution Attacks with Address Space Isolation

Dr Ofir Weisse (Google)

27/08/2020, 08:10

Speculative execution attacks, such as L1TF, MDS, LVI pose significant security risk to hypervisors and VMs. A complete mitigation for these attacks requires very frequent flushing of buffers (e.g., L1D cache) and halting of sibling cores. The performance cost of such mitigations is unacceptable in realistic scenarios. We are developing a high-performance security-enhancing mechanism to...

125. LinuxBoot Ready is not ready: making linuxboot systems work

ronald minnich (Google)

27/08/2020, 08:35

A broad collection of companies are now using LinuxBoot for their firmware. They are still running into kexec issues involving drivers that don't correctly shut down, start up, or still need the BIOS to set magic, undocumented bits.

We have to be able to mark drivers and associated code as "LinuxBoot Ready." This might be done in Kconfig with an option that would only present those drivers...

128. Native Booting using NVMe over Ethernet Fabrics

Doug Farley (Dell EMC), Lenny Szubowicz (Red Hat)

27/08/2020, 09:00

NVMe over Fabrics™ (NVMe-oF™) lacks a native capability for boot from Ethernet. We will Introduce a joint model to address boot from NVMe-oF/TCP, its impact to the kernel and the entire ecosystem, and collect feedback from the Linux community. This architectural model is being designed for standardization by the appropriate committees (e.g., NVM Express™ or UEFI™ Forum).

143. A Ridiculously Short Intro into Device Attestation

Mr Dimitar Tomov (DesignFirst), Mr Ian Oliver (Nokia Bell Labs)

27/08/2020, 09:35

A Ridiculously Short Intro into Device Attestation

Dimitar Tomov, Design First, ES
Ian Oliver, Nokia Bell Labs, FI

Very practical look at how to use a TPM and perform device attestation. A system can have trusted qualities instead of being 100% trusted. Cross-referencing different types of attestation data can provide evidence for trusted qualities. The decision of whether a device is...

130. Advanced Applications of DRTM with TrenchBoot SecureLaunch for Linux

Daniel Smith (Apertus Solutions, LLC)

27/08/2020, 10:00

The TrenchBoot Project has put forth an RFC for adding direct support to Linux for x86 DRTM. Many people are familiar with the early launch capability implemented by Intel's tboot, but there has also been academic work on live relaunch, e.g. Jon McCune's Flicker. SecureLaunch was designed to support a range of launch integrity capabilities. This discussion will review a subset of solutions...

124. Passing and retrieving information from bootloader and firmware

Mr Daniel Kiper (Oracle), Mr Michał Żygowski (3mdeb Embedded Systems Consulting)

27/08/2020, 10:25

Each operating system relies on the information exposed to it by the firmware. It consists of various data like memory map, device structure (either ACPI or devicetree), firmware version, vendor, etc. But passing information from operating system bootloader has been neglected for many years. In this presentation, we will mainly focus on retrieving information from firmware and bootloader by...