Let’s say, you need to monitor a website for changes and you really don’t have a lot of time to set things up. Also solving the problem with money using services, such as changedetection.io or visualping.io, have failed you, because their accesses are probably filtered out.| x86.lol
It’s FOSDEM time! I have fond memories of the Microkernel and Component-based OS devroom in particular. It’s a fun meetup of extremely skilled low-level software engineers. This year I cannot attend, so it’s a good time to ramble reflect on it.| x86.lol
This post shows you how to use CETuser shadow stacks on Linux. CET is a hardening technology that mitigates typical memory unsafety issues on x86. This post will not explain this security feature. If you don’t know what CET is, this post is probably not for you. For general advice on hardening C/C++, check out these guidelines. Back to CET shadow stacks. Recent distros, such as NixOS 24.05 and Fedora 40, satisfy all the software requirements. If you’re not on one of these distros, you nee...| x86.lol
In my last post, we built whole disk images for embedded systems using Nix. This approach is well suited for RISC-V or ARM systems, but you probably don’t have a powerful build box for this architecture. You wouldn’t want to build a Linux kernel for hours on a RISC-V single-board computer praying that you don’t run out of RAM… In this blog post, we will use the same NixOS configuration to cross-compile system images for x86, RISC-V and ARM from our powerful x86 build server. Let’s g...| x86.lol
This blog post is a continuation of my previous posts about Confidential Computing.| x86.lol
In the RISC-V architecture, you have excellent support for embedding information into code by choosing compressed or uncompressed instructions. While being a typical RISC with fixed 32-bit instruction length, RISC-V allows certain common instructions to be encoded as compressed 16-bit instructions to improve code density. Each compressed instruction has a functionally identical 32-bit cousin. If you are interested in how that is used to embed information into a binary, you can check out my x8...| x86.lol
Recently, I’ve noticed strange hangs of KVM VMs on a custom VMM. As it fits the topic of this blog, I thought I make the issue more googleable. Until we dive into the issue, we have to set the scene a bit. The Scene Consider that we want to run a KVM vCPU on Linux, but we want it to unconditionally exit after 1ms regardless of what the guest does. To achieve this, we can create a CLOCK_MONOTONIC timer with timer_create that sends a signal to the thread that runs the vCPU (via SIGEV_THREAD_I...| x86.lol
This post is a continuation of my previous post about Intel TDX. It’s worth a read before reading this post. As before, I’m not going to introduce TDX itself. If you need a refresher, Intel has good overview material available.| x86.lol
This post discusses my personal opinion of Intel’s Trust Domain Extensions (TDX). This instruction set extension is Intel’s latest attempt at implementing a Trusted Execution Environment (TEE).| x86.lol
Secure Boot protects a system from an attacker that compromises the boot flow. For example, without Secure Boot it is easy to replace the code that reads your disk encryption password and store it somewhere where the attacker can pick it up later. So ideally you want Secure Boot to be enabled to limit the code that runs on your system to what is supposed to run there.| x86.lol
If you are confused about the different security technologies in modern Intel CPUs, you have come to the right place. I’m going to attempt to give a really brief overview. This is not an in-detail hardcore technical discussion. The goal is just to give a brief informal overview what problem each technology solves.| x86.lol
When you build software for embedded devices (your Wi-Fi router or home automation setup on your Raspberry Pi), there is always the question how to build these images and how to update them. What I want is:| x86.lol