Recordings of OC3 2026 (Open Confidential Computing Conference) are now available:
https://www.youtube.com/playlist?list=PLEhAl3D5WVvSqGrHPmtH9aHly3n2bwkYk

| GitHub | https://github.com/katexochen |

BadAML exploits host-supplied ACPI tables to get arbitrary code execution inside confidential VMs. We reproduced the attack end-to-end against our stack and built an AML sandbox to stop it. I did a writeup on the original paper that published the attack, our reproducer, and our journey to fix it.
BadAML is an attack that exploits host-supplied ACPI tables to gain arbitrary code execution inside confidential VMs, bypassing their memory isolation guarantees. Working on Contrast, we reproduced the attack end-to-end against our stack and mitigated it with an AML sandbox that restricts bytecode execution to shared memory pages.

On untrusted ground: Protecting guests with confidential computing

Confidential Computing (CC) is a paradigm that aims to protect trusted workloads on an untrusted, remote platform. Using Trusted Execution Environments (TEEs) and their two basic primitives, memory isolation and remote attestation, it can secure a confidential workload in a hostile environment, protecting against a potentially malicious infrastructure provider or platform operator. Today, TEEs most commonly come in the form of confidential virtual machines (CVMs), which are isolated from the host and other VMs through a set of ISA extensions and chip properties provided by the CPU vendor (AMD SEV-SNP, Intel TDX, ...).
Today I published an update on the #Canonical supported #upki project, which brings browser-grade Public Key Infrastructure to Linux through the efficient #CRLite data format, with the core revocation engine now functional and available to test!
Beyond current progress, this post explores broader integration, performance, and future capabilities like Certificate Transparency enforcement and Merkle Tree.
This is all part of the effort to increase the resilience of #Ubuntu machines by default, but I hope it has a wider benefit on the Linux ecosystem going forward!
Last year, I announced that Canonical had begun supporting the development of upki, a project that will bring browser-grade Public Key Infrastructure (PKI) to Linux. Since then, development has been moving at pace thanks to the tireless work of Dirkjan and Joe. In this post, I’ll explore the progress we’ve made, how you can try an early version, and where we’re going next.

Architecture & Progress

As a reminder, upki’s primary goal is to provide a reliable, privacy-preserving, and efficient cer...
PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?
Like https://github.com/i3/i3/pull/6564 for example
Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!
This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.
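
A `commit-msg` hook for the problem described in the post above, added here as an example (it is not part of the original post, nor code from i3, Debian or git): it rejects a commit message containing lines that patch-applying tools may read as the start of a diff. The pattern list is an assumption that approximates those tools' header detection, and the sample message with its file path is constructed.

```python
import re
import sys

# Assumption: line shapes that approximate how git-am's message splitting and
# patch(1) recognise the start of a diff; not copied from either tool's source.
PATCH_START = [
    (re.compile(r"^diff -"), "diff header"),
    (re.compile(r"^Index: "), "Index: header"),
    (re.compile(r"^--- \S"), "old-file header"),
    (re.compile(r"^---\s*$"), "'---' separator"),
    (re.compile(r"^\+\+\+ \S"), "new-file header"),
    (re.compile(r"^@@ -\d+(,\d+)? \+\d+(,\d+)? @@"), "hunk header"),
]

# Constructed sample: a commit message that quotes a debugging diff.
SAMPLE_MESSAGE = """\
Fix race in restart handling

diff --git a/src/example.c b/src/example.c
--- a/src/example.c
+++ b/src/example.c
@@ -10,6 +10,7 @@
+    sleep(1);
"""

def find_patch_lines(message):
    """Return (line_number, reason, text) for lines that could start a patch."""
    findings = []
    for number, line in enumerate(message.splitlines(), start=1):
        if line.startswith("#"):
            if ">8" in line:   # scissors line of `git commit -v`: rest is dropped
                break
            continue           # comment lines are stripped by git's default cleanup
        text = line.lstrip()   # GNU patch(1) tolerates a consistently indented diff
        for pattern, reason in PATCH_START:
            if pattern.search(text):
                findings.append((number, reason, line))
                break
    return findings

def main(argv):
    with open(argv[1], encoding="utf-8", errors="replace") as handle:
        findings = find_patch_lines(handle.read())
    for number, reason, line in findings:
        print(f"commit message line {number}: {reason}: {line}", file=sys.stderr)
    return 1 if findings else 0   # non-zero exit makes git abort the commit

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as `.git/hooks/commit-msg`, git passes the message file path as the first argument. The same function can be run over `git log --format=%B` output in CI to catch messages committed without the hook.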
Just released nix-init 0.3.3! Here are all the changes:
# Changes
- Use finalAttrs pattern instead of rec
- Drop compatibility with nurl < 0.4
# Features
- Rust: fetchCargoVendor support
- Headless mode
- stdenvNoCC.mkDerivation support
- Automatically format with nixfmt if it's found
- Better license detection
- Rust: emit LIBGIT2_NO_VENDOR when needed
- Improve error messages
# Fixes
- Remove legacy darwin sdk
- Go: drop -w from default ldflags
- Prefix unstable versions with 0-
- fetchCrate now works correctly
- GitHub: sort tags
- Python: fully remove outdated behavior of adding wheel to dependencies
- Normalize homepage URLs
- More consistency with nixfmt formatting

Generate Nix packages from URLs with hash prefetching, dependency inference, license detection, and more [maintainer=@figsoda] - nix-community/nix-init
The NixOS devroom is live! If you aren't at FOSDEM, you can follow the stream online: https://matrix.to/#/#2026-nix-and-nixos:fosdem.org