New month, new update!
The start of this month was marked with FOSDEM! I held a talk about secure boot and the tooling stuff I have written, sbctl. It’s a tool to help you manage secure boot keys and signing files. With help from sbsigntools it also does live enrollment of keys.
The talk went great (I think) and it was fun to see how FOSDEM pulled off the conference with Matrix and Jitsi. It gave me some inspiration for Arch Conf 2021 that I should try to kick off some planning on.
The talk can be found here: https://fosdem.org/2021/schedule/event/firmware_itsblsg/
I also released version 0.1 of sbctl and packaged it up for Arch Linux. I have sorta been planning for a 1.0 release, but I work too slowly for it to happen in a reasonable time frame. Doing a beta release allows people to package it and better provide some testing releases to people.
On the other side of things there has been a Go 1.16 release. This means we do a rebuild of all the packages to get any recent improvements from the compiler. The status can be found on our todo list. You might be wondering what the changes are. And it’s a bit complicated.
Arch has been building with the pie buildmode for a while. This allowed us to use CGO_LDFLAGS and other cgo flags to pass linker commands. This lets us utilize binary hardening options like stack canaries, full relro and fortify. It turns out that the PIE build mode for the compiler always included the cgo runtime when built with the external linker. This was fixed in Go 1.16, which limits the usability of the CGO_* flags for bypassing compiler flags in random build systems upstreams have. Go doesn’t allow you to force cgo either (except for a documented bug in the compiler).
Effectively this means binary hardening is getting more complicated again.
GOFLAGS is a Go compiler flag which should let you pass compiler and linker flags during building. The problem is that GOFLAGS has a broken parser which doesn’t parse spaces that well. It also doesn’t help that multiple build systems utilize the variable name for the command line flags itself. This makes it a 50/50 whether you can use the env flag without breaking the Makefiles upstreams provide.
That’s the gist of it but it’s annoying to say the least. I have been working on a small patch to the Go compiler that would enable full relro if possible which would give us back some hardening abilities if we are able to specify -buildmode=pie. But the situation is not really ideal.
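To see which of these properties a finished build actually carries, the ELF headers can be read directly. The following is an added example, not code from the Go toolchain or the Arch packaging; the names hardening and sample_elf and the constructed test image are assumptions for illustration, and it covers PIE and RELRO only.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO, ET_DYN = 2, 0x6474E552, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening(elf: bytes) -> dict:
    """Report PIE and RELRO status of a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True  # linker asked for relocations to be remapped read-only
        elif p_type == PT_DYNAMIC:
            table = elf[p_offset:p_offset + p_filesz]
            table = table[:len(table) - len(table) % 16]  # whole entries only
            for tag, val in struct.iter_unpack("<qQ", table):
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW
                        or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True  # eager binding, so the GOT is covered too
    level = "full" if relro and bind_now else "partial" if relro else "none"
    # ET_DYN is also used by shared objects; for an executable it means PIE.
    return {"pie": e_type == ET_DYN, "relro": level}

def sample_elf(e_type: int, relro: bool, flags: int) -> bytes:
    """Constructed image: ELF64 header, two program headers, one dynamic table."""
    dyn = struct.pack("<qQqQ", DT_FLAGS, flags, DT_NULL, 0)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, 0, 0, len(dyn), len(dyn), 8)
    ph += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else 0, 4, 0, 0, 0, 0, 0, 1)
    return hdr + ph + dyn

if __name__ == "__main__":
    print(hardening(sample_elf(ET_DYN, True, DF_BIND_NOW)))
```

On a real package, pass the bytes of the built binary to hardening() instead of the constructed image.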
Other than that I have packaged up a few new packages. The most exciting has been GNU poke. It’s a binary data editor and has its own domain specific language for working with formats. It allows you to edit and patch binary files with little fuss. http://www.jemarch.net/poke
I have needed this since working with UEFI and Secure Boot stuff has been a lot of diffing hexdumps and looking at asn1parse output from openssl. This allows me to specify and programmatically check my data structures in an easier language than the manual code I have to write up for Go.
Another interesting project is ImHex, which is a complete editor. But the binary data parser language is more limited currently.
Some contributions for my UEFI and Secure Boot endeavours which I hope to upstream when more is done and I understand the language better. I’ll probably try to write up a blog post on all of this whenever I’m done playing Valheim :)
If you have questions, want to reach out or suggestions for these posts please poke me on IRC as Foxboron or email me on email@example.com.
Now the rest of the post follows as usual :)
Package Updates to [community]
Package additions to [community]
Package removals from [community]
Potential new packages for
The security team has had a steady stream of advisories. This month we have published 43 of them. There are some mailing list issues for mailman, so if you want to find published advisories you might not find them through mailman and I’d much rather advise you to check the main website.
Cheers and see you next month!