samedi 2 février 2013

Secure Boot on openSUSE talk at FOSDEM cancelled

Hi folks,

for those of you who are attending FOSDEM this year and were planning to attend my talk about Secure Boot on openSUSE on Sunday, I'm sorry to announce I had to cancel my travel to Brussels (and my talk) for family reasons.

Since my slides were already written, I thought I could still share them with you Feel free to ask questions / comments on this blog post.

vendredi 23 novembre 2012

Secure Boot on openSUSE, a battleplan

At openSUSE Conference in Prague last month, we had a BoF about Secure Boot, where I describe the various tasks which are needed to ensure openSUSE can support Secure Boot. They are listed on my slides, but I thought it would be more useful to describe them here.

Before we begin, if you need some refresh about Secure Boot, I suggest the blog posts from Olaf Kirch and Vojtěch Pavlík on SUSE Blog (overview, details and approach to it) and of course, all the war stories of Matthew Garrett on this topic ;)

To have openSUSE installable (and runnable) on a Secure Boot enabled system, without any additional user intervention (like adding your own key in UEFI firmware or disabling Secure Boot), we need to do the following to the distribution :

  • to the kernel (many of those features are in 3.7 or in upcoming 3.8):
    • convert the kernel as a EFI executable (it will be used to store kernel signature)
    • UEFI variable access
    • UEFI clock support (nice to have)
    • UEFI getvideomode (if we want flicker-free boot)
    • UEFI reboot (we already have 4 other way to reboot a system, why not add yet another one ;)
    • KMS drivers (for old chipsets like Matrox, AST).
    • sign main kernel
    • sign all in-tree kernel modules
    • generate a private/public key pair to be used out of tree modules
    • add Secure Boot support in KExec / KDump and Xen (optional)
    • disable hibernation in Secure Boot mode (or have a secure way to save / restore suspended system)
    • add signature check in kernel
  • to bootloader:
    • package shim loader
    • modify grub2 so it uses shim loader to check kernel signature at boot
  • to Build Service:
    • to be able to build external kernel modules (think KMP) using the private/public key generated at kernel build
    • but do not allow this key to be used for any random KMP build (otherwise, you defeat the purpose of signing the module)
  • to userspace tools:
    • package xf86-video-modesettings, for graphics chipset with non-accelerated KMS drivers
    • add support for signature check in modutils / kmod
    • package tools to sign kernel / modules
    • package tools to manage UEFI variables and keys
  • to the installer / DVD image
    • maybe display some warnings about installing a system in Secure Boot mode (not 100% sure we should do this)
    • maybe signing the initial installer (and make sure it can't load non-signed modules)
    • ensure the DVD image has shim + grub2 as bootloader when booting on UEFI system
  • and we also need to do the signing part:
    • if we want Secure Boot to be transparent to users, we need our shim loader to be signed by the authority handling UEFI key, ie Microsoft
    • this requires some legal paperwork (getting MS developer account, getting a Authenticode certificate, etc..), some obligation (making sure you can't circumvent Secure Boot once Linux is booted) and once it is done, sending shim loader to be signed by MS and package the result.
As you can see, this is a lot of work but I think we will be able to have everything in order for next openSUSE release !

mardi 20 novembre 2012

systemd (and dracut) in next openSUSE

Some weeks ago, I had the pleasure to do a talk at the openSUSE conference in Prague, about systemd (its current state in openSUSE and what we plan for the future) and dracut (mkinitrd replacement).

For those of you who didn't attend the conference, you can watch my talk on YouTube or (thanks to openSUSE awesome video team for the recording):

And you can even get my slides ;)

lundi 30 juillet 2012

My hackweek8 project: dracut

Now that SUSE Hackweek 8 is over, here is recap of my own project and how it went:

I've worked on dracut (a mkinitrd replacement), to see if it works nicely on openSUSE (with the hope to replace the three different initrd we have in openSUSE, main one created by mkinitrd, the one used by YaST installer and a third one in kiwi).

Fortunately, I was not alone working on dracut for openSUSE. Thomas Renniger had started packaging dracut for openSUSE and I was able to reuse his work and improve it. Moreover, Mike Gorse uses his hackweek to also improve dracut (adding support for CIFS for instance).

  • Day 1:
    • modified my own grub2 configuration to add a additional dracut menu entry (hard coded atm)
    • succesfully booted a 12.2 VM with dracut image !
  • Day 2:
    • discussed with upstream if they would accept "compatibility" patches to team dracut about openSUSE / SLE own initrd command line and got no as an answer, because they don't want to maintain compability cruft on their own side.
    • worked on a separate module which is able to convert at boot time SUSE initrd commands into dracut one (when they are available). Works fine for "shell=1" "linuxrc=trace" and "sysrq". Upstream proposed to review the module for mistake when we are done with it
    • asked upstream if they were interested in "sysrq" feature for dracut. No response yet
    • worked on separate journal (reiserfs / XFS). Need to create VM to test it and ask upstream if they want to integrate it
  • Day 3:
    • got trenn cflags patch merged upstream
    • continue digging into dracut internals
    • journaldev is working on boot command line (tested with XFS)
    • need improvement to configure initrd with system fstab value, when available and try to use a more generic term (root.journaldev)
  • Day 4:
    • subscribed to initramfs mailing list
    • got my first patch merged upstream (journaldev support)
    • added cmdline support for mduuid and isci (TargetAddress / TargetPort / TargetName), untested (don't have the right setup)
    • ran test suite, found some issues: some in dracut upstream (fixed immediatly by upstream), some in our package (fixed mdadm and device-mapper to not call blkid binary but use udev builtin-blkid, will be faster and we save some fork ;)
  • Day 5:
    • sr mdadm and device-mapper fixes
    • tried to get all test suite to pass
      • some fixes were made to dracut, with more test passing
      • still getting issue with network based test (NFS, iSCSI, etc..). Partially working (DHCP server is working now in test suite), partially not (impossible to mount stuff in server test image, getting "EUID=1000" for root, even when booting the image with init=/bin/sh .. No clue to fix that and upstream never got this issue either, if you have an idea, I'm all ears..)

In short, this hackweek worked well for me, even if I didn't finished all I wanted to do. I'll make sure everything is pushed in Factory soon, so we could try (maybe) to switch openSUSE 12.3 to dracut.

mardi 23 août 2011

GNOME 3.0 Live image release 1.5.0 available

Hi all,
Geeko from the inside
I just push a new GNOME 3.0 live image labelled as 1.5.0 (yes, I forgot to push 1.4.0 after I built it, so we are at 1.5.0 now ;)

No big changes, it is based on GNOME 3.0.2 + some additional fixes.

As always, it can be downloaded from

For people interested, here are some download hits (it doesn't include SUSE Studio appliance nor promo dvd which is also available from GNOME ftp) :

on GNOME 3.0 release day : 4526 hits
April :  145904 hits
May : 46551 hits
June : 24747 hits
July : 23611 hits
August (from 1 to 15) : 13063 hits

Enjoy !

jeudi 4 août 2011

Map for Desktop Summit 2011

I've cooked with other people from #gnomefr channel a Google Map with the various useful addresses for Desktop Summit 2011.

It is available here, you can also get KML file or import this map in your favorite software (for Android users, I suggest using Locus Free which can download offline OpenStreetMap data and merge our map on it, no roaming data needed !).

mercredi 3 août 2011

Berlin, Berlin

I've just finish slides for my talk From GIT to your custom OS image which will be on Sunday 7 August 15:10 - 15:40 at Rm3038. I'll explain how GNOME 3 Live images were built and how you can easily do the same for your project.

I'll also be on openSUSE booth and helping for Football event which is sponsored by

See you in Berlin !