Mastodawn

BadAML exploits host-supplied ACPI tables to get arbitrary code execution inside confidential VMs. We reproduced the attack end-to-end against our stack and built an AML sandbox to stop it. I did a writeup on the original paper that published the attack, our reproducer, and our journey to fix it.

https://katexochen.aro.bz/posts/badaml/

#ConfidentialComputing #Security #Linux

Reproducing and mitigating BadAML

BadAML is an attack that exploits host-supplied ACPI tables to gain arbitrary code execution inside confidential VMs, bypassing their memory isolation guarantees. Working on Contrast, we reproduced the attack end-to-end against our stack and mitigated it with an AML sandbox that restricts bytecode execution to shared memory pages. On untrusted ground: Protecting guests with confidential computing Confidential Computing (CC) is a paradigm that aims to protect trusted workloads on an untrusted, remote platform. Using Trusted Execution Environments (TEEs) and their two basic primitives, memory isolation and remote attestation, it can secure a confidential workload in a hostile environment, protecting against a potentially malicious infrastructure provider1 or platform operator. Today, TEEs most commonly come in the form of confidential virtual machines (CVMs), which are isolated from the host and other VMs through a set of ISA extensions and chip properties provided by the CPU vendor (AMD SEV-SNP, Intel TDX, ..).

blog katexochen

Paul Meyer Mar 10

#Nix

Paul Meyer Feb 19

All Systems Go!Feb 19

📣 All Systems Go! is back in 2026! Same location, same dates.
We hope to see you 🫵 in 📍Berlin 📆 Sept 30-Oct 1 for 2 days of presentations, conversations and collaboration around foundational user-space Linux technologies.
More info here 👉 https://all-systems-go.io/
Follow to get notified when the CFP opens and 🎟️ tix go on sale.

All Systems Go!

Paul Meyer Feb 17

Jon Seager Feb 16

Today I published an update on the #Canonical supported #upki project, which brings browser-grade Public Key Infrastructure to Linux through the efficient #CRLite data format, with the core revocation engine now functional and available to test!

Beyond current progress, this post explores broader integration, performance, and future capabilities like Certificate Transparency enforcement and Merkle Tree.

This is all part of the effort to increase the resilience of #Ubuntu machines by default, but I hope it has a wider benefit on the Linux ecosystem going forward!

https://discourse.ubuntu.com/t/77063

#CertificateTransparency #PKI #Cryptography

An update on upki

Last year, I announced that Canonical had begun supporting the development of upki, a project that will bring browser-grade Public Key Infrastructure (PKI) to Linux. Since then, development has been moving at pace thanks to the tireless work of Dirkjan and Joe. In this post, I’ll explore the progress we’ve made, how you can try an early version, and where we’re going next. Architecture & Progress As a reminder, upki’s primary goal is to provide a reliable, privacy-preserving, and efficient cer...

Ubuntu Community Hub

Paul Meyer Feb 13

NixCon 2026 will take place in Kraków, Poland!
The SC approved the venue proposal: https://github.com/nixcon/nixcon-proposals/issues/6
#NixCon #NixCon2026 #Nix #NixOS

Paul Meyer Feb 9

Michael Stapelberg 🐧🐹😺Feb 6

PSA: Did you know that it’s **unsafe** to put code diffs into your commit messages?

Like https://github.com/i3/i3/pull/6564 for example

Such diffs will be applied by patch(1) (also git-am(1)) as part of the code change!

This is how a sleep(1) made it into i3 4.25-2 in Debian unstable.

Paul Meyer Feb 6

figsoda Feb 6

Just released nix-init 0.3.3! Here are all the changes:

# Changes

- Use finalAttrs pattern instead of rec
- Drop compatibility with nurl < 0.4

# Features

- Rust: fetchCargoVendor support
- Headless mode
- stdenvNoCC.mkDerivation support
- Automatically format with nixfmt if it's found
- Better license detection
- Rust: emit LIBGIT2_NO_VENDOR when needed
- Improve error messages

# Fixes

- Remove legacy darwin sdk
- Go: drop -w from default ldflags
- Prefix unstable versions with 0-
- fetchCrate now works correctly
- GitHub: sort tags
- Python: fully remove outdated behavior of adding wheel to dependencies
- Normalize homepage URLs
- More consistency with nixfmt formatting

https://github.com/nix-community/nix-init

GitHub - nix-community/nix-init: Generate Nix packages from URLs with hash prefetching, dependency inference, license detection, and more [maintainer=@figsoda]

Generate Nix packages from URLs with hash prefetching, dependency inference, license detection, and more [maintainer=@figsoda] - nix-community/nix-init

GitHub

Paul Meyer Jan 31

Our devroom this year is much larger than the years before, it's still full! Cool to see so many people are interested in NixOS.
#fosdem #nixos #nix