Leonard Cohnen

@[email protected]
20 Followers
97 Following
36 Posts
Golang | eBPF | Networking | Cloud | Confidential Computing
InfoSec M.Sc. from Ruhr Uni Bochum
GitHubhttps://github.com/3u13r
Show threadLeonard CohnenJan 14

@chandlerc I've also learned to distrust it. I only use it if I know that it exists. If it still cannot find it, then I press "." to start the in-browser VSCode thing and use the search there.

But this is quite resource heavy, especially if you don't close your tabs. So one might as well clone it directly.

Not sure if https://sourcegraph.com/search is better at this.

Search Public Code

Search across 2 million+ open source repositories for free. Powered by Sourcegraph Code Search.

Show threadLeonard CohnenSep 24
@G33KatWork I cannot test this/research this right now, but if the bridge driver supports native XDP then you should be able to redirect it in XDP, I think.
Show threadLeonard CohnenDec 12, 2024
@maldr0id I cannot find nossl.com, do you mean neverssl.com? That's created by Colm MacCárthaigh https://twitter.com/colmmacc/status/790598606000533504 But yeah such a website is a life saver sometimes.
Colm MacCárthaigh (@colmmacc) on X

After using wifi in 3 airports and 4 planes this weekend, I've created https://t.co/D2lIJuCQvr to make logging on a little bit easier.

X (formerly Twitter)
Leonard CohnenOct 6, 2024
@h4sh @HeNeArXn I mean TEEs on desktop end devices is kinda hard, because SGX is only available on Xeons and even Intel TDX and AMD SEV are only available on server hardware. So there is no tech on desktops to even use client side TEEs. ARM has TrustZone and CCA though.
Leonard CohnenAug 31, 2024
Paul MeyerAug 31, 2024

#ReproducibleBuilds bug of the week:

We noticed our rootfs wouldn't reproduce between systems with different file systems. Diffing two rootfs tarballs led us to a diff in packed certificate bundle files.

All packages installed by the rpm-based package manager were pinned by hash, so how could these files differ? We noticed that the total file length was the same, so we assumed an ordering problem. Looking into the SPEC file of the ca-certificates package, we saw that these files were generated in a post install hook with p11-kit.

Checking the code, we noticed that p11-kit would get the certs files using readdir(). But the order in which readdir() returns files is undefined! (and likely depends on the inode numbers of the fs)

So here is our fix, sorting the input files by paths to extract a reproducible bundle output: https://github.com/p11-glue/p11-kit/pull/656

#Linux #RPM

token: sort paths for reproducible extract by katexochen · Pull Request #656 · p11-glue/p11-kit

There is no defined order in which readdir will return the entries of a directory. In practice, order can depend on inode number or similar. If we run p11-kit on different files systems with simila...

GitHub
Leonard CohnenAug 18, 2024
jellyAug 18, 2024
Looked into creating reproducible images with mkosi https://vdwaa.nl/mkosi-reproducible-images.html#mkosi-reproducible-images
#mkosi #systemd #archlinux
Investigating creating reproducible images with mkosi

I've blogged before about creating vagrant images using mkosi as part of an investigation to move image creation to mkosi but also as I will be giving a talk at All Systems Go about Arch Linux images mkosi and reproducibility. With reproducible images in this article I mean that anyone …

Jelly's blog
Leonard CohnenAug 7, 2024
Paul MeyerAug 7, 2024

Can you pull a container image with a known good digest from an untrusted registry?

It depends. Following the OCI distribution spec, a client is not required to validate the digest. Instead, the registry can send a header with another hash algorithm, and the client must validate using algo and hash from the header. A malicious registry can deliver both malicious manifests and blobs to a spec conform client.

Docker & containerd seem to check the digest as one might expect, many other clients don't.

My colleague @burger is proposing to tighten the spec and require clients to verify the digest if present: https://github.com/opencontainers/distribution-spec/issues/549

#container #security #OCI #containerd #Docker #Kubernetes #infosec

proposal: tighten digest verification requirements for clients · Issue #549 · opencontainers/distribution-spec

The use case Suppose I have a release workflow that builds reproducible container images, for example using Bazel or Nix image builders. Reproducibility guarantees that I can rebuild the image from...

GitHub
Leonard CohnenJun 22, 2024
I don't need AI to be sentient. I need AI to create good looking TikZ drawings.
Leonard CohnenMay 22, 2024
Paul MeyerMay 22, 2024

We just released what I've been working on for the past months: Contrast, a tool for managing Confidential Containers at scale.

https://github.com/edgelesssys/contrast by @edgelesssystems

Seamlessly integrating with managed #Kubernetes, it offers a fully verifiable software stack. Using Confidential Computing, it allows running sensitive workloads in the public cloud with robust security, safeguarding against the cloud provider. Contrast also features a drop-in, attestation-based service mesh solution to secure inter-deployment communication.

#Cloud #Security #ConfidentialComputing #Azure

GitHub - edgelesssys/contrast: Deploy and manage confidential containers on Kubernetes

Deploy and manage confidential containers on Kubernetes - edgelesssys/contrast

GitHub
Leonard CohnenMay 7, 2024
Paul MeyerMay 7, 2024

Next Nix(OS) Learning Group Bochum meetup is around the corner, and we have an exiting new location!

2024/05/14, 18:00
at @daslabor

Learn how to use Nix as build system or discover the power of declarative system configuration!

Full annoncement (de): https://wiki.das-labor.org/w/Veranstaltung/6._Nix(OS)_Learning_Group_Meetup

#Nix #NixOS

6. Nix(OS) Learning Group Meetup – LaborWiki