Morten Linderud

ACME device attestation, smallstep and pkcs11: attezt

Sat, 21 Mar 2026 22:00:00 +0000

For my personal home infrastructure I’ve been using step-ca to have an internal ACME server for issuing TLS certificates for my .home.arpa domain. I also intended to use this to sign ssh certificates so I could simplify my SSH key setup.

And i really like hardware bound keys.

They solve a very concrete problem where even if someone can extract a signing key from your system, they are effectively useless without access to the hardware they where bound to. This hardware could be something like a yubikey, or another FIDO device. But in 2026 most of our machines have a Trusted Platform Module (TPM) that functions as a free hardware enclave we can use to secure our keys with.

Personal infrastructure setup 2026

Mon, 19 Jan 2026 23:00:00 +0200

While starting this post I realized I have been maintaining personal infrastructure for over a decade!

Most of the things I’ve self-hosted is been for personal uses. Email server, a blog, an IRC server, image hosting, RSS reader and so on. All of these things has all been a bit all over the place and never properly streamlined. Some has been in containers, some has just been flat files with a nginx service in front and some has been a random installed Debian package from somewhere I just forgot.

Self-hosting DNS for no fun, but a little profit!

Tue, 18 Nov 2025 23:00:00 +0200

After Gandi was bought up and started taking extortion level prices for their domains I’ve been looking for an excuse to migrate registrar. Last week I decided to bite the bullet and move to Porkbun as I have another domain renewal coming up. However after setting up an account and paying for the transfer for 4 domains, I realized their DNS services are provided by Cloudflare!

I personally do not use Cloudflare, and stay far away from all of their products for various reasons. And with this weeks outage I was quite happy I stick with that decision 😅.

Easter hack: terraform-provider-openwrt

Fri, 18 Apr 2025 14:00:00 +0200

April is usualy tax season for most people in Norway, and as I got some “money back on the skætt” I wound up purchasing an OpenWrt One to replace my 13-14 year old Asus router. I’ve been meaning to learn a bit more about networking in general and getting an OpenWrt router seemed like a fun project.

Last year I bought a Beryl AX from GL-Inet as I was travelling for a few weeks. It’s a qute smol travel router that runs a fork of OpenWrt. But during a recent conference it was reset and I realized I did not have a backup of any configuration files for the device. Oops!

SSH CA with device and identity attestation: ssh-tpm-ca-authority

Sat, 31 Aug 2024 18:00:00 +0200

The past year I have been hacking around on tools utilizing TPMs, and one of the features I have been interested to learn more about is the device attestation features.

After being a bit inspired by some ideas from people at work, the hackerspace and toots on mastodon, I figure out a SSH certificate authority would be a cool small project to hack on. Last year I wrote an SSH agent with TPM bound keys so this would nicely fit into the existing tooling.

NixOS is not reproducible

Tue, 02 Apr 2024 19:21:08 +0200

Okay, sorry for the clickbait.

NixOS is not reproducible according to the Reproducible Builds definition.

I keep reading people making this claim repeatedly on orange-site, even LWN.net made a similar claim when writing about Nix and Guix earlier this week.¹ Along with their recently launched wiki.

So, what is the Reproducible Builds definition?²

When is a build reproducible?

A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.

Stream to chromecast with resolved, vlc and bash

Sat, 06 Jan 2024 20:59:20 +0200

Chromecast is one of those devices I just generally use a lot. They are small practical and enables me to stream video or music to my TV from multiple devices. But it also requires you to have a supported browser or video player. This is obviously a bit boring.

There has been multiple command line chromecast streamers through the years. But their ffmpeg usage has been shoddy at best with no hardware decoding support and usually quite bad implementations.

Store ssh keys inside the TPM: ssh-tpm-agent

Wed, 04 Oct 2023 19:00:00 +0200

After writing age-plugin-tpm a friend of mine at the hackerspace was super excited to finally have easy file encryption with TPM sealed keys, all without having to rely on gnupg. “This is great!” he said.

“I wish I could have my SSH keys sealed in a TPM just as easily”.

We should have left it at that.

I shouldn’t have replied with a random assortment of facts like “I know google/go-tpm now”, or “but Go has a ssh-agent protocol implementation” followed-up with “Filippo has already implemented yubikey-agent, it can’t be that hard”. So I wound up writing a new ssh agent.

Store age identities inside the TPM: age-plugin-tpm

Mon, 17 Jul 2023 18:00:00 +0200

The past year I have been trying to learn more about the Trusted Platform Module (TPM). This is a small device found on most modern laptops that has several cool security features like key creation, sealing and attestation, however I have been struggling to find a small project where I can learn more about it.

To my surprised I learned a couple of months ago that nobody has written a TPM plugin for age!

Golang crypto/ecdh and the TPM

Mon, 24 Apr 2023 20:00:00 +0200

I have lately been trying to learn more about the Trusted Platform Module (TPM) as they are capable of key creation and sealing secrets in a secure manner. They are common hardware these days and make for a reasonable ways to store secrets.

age is a file encryption/decryption tool from Filippo Valsorda which a lot of people have been using to replace GnuPG for things like password-store. It has a few plugins doing things like storing keys on Yubikey, Trezor hardware wallets or the Apple Secure Enclave, however it doesn’t have a TPM plugin. I saw the opportunity to write something that is capable of utilizing the TPM.

My FOSS work update

Sun, 01 Jan 2023 00:00:00 +0200

I stopped writing monthly status updates in April 2021, so I thought it was time for a summary of stuff I have been working on.

Arch Linux

debug packages
git migration

pacman

verify
debug packages
debugedit

Golang

reproducible builds
build id (maybe)
delve and debuginfod

misc changes?

oslohack:22

FOSDEM presentation

coredumpctl, delve and debug packages for Go

Sat, 19 Nov 2022 19:00:00 +0200

I have spent a fair amount of time hacking on debug packages the past two years. This work resulted in Arch Linux announcing the public debuginfod server which allows users to download symbols and source code to debug software running on their system.

With this service users don’t need to figure out what the debug packages are called, installing them and maybe removing it afterwards. It also saves a fair amount of data you need to download. Generally just a great service with a good list of supported clients.

Monitoring the kernel.org Transparency Log for a year

Sat, 16 Apr 2022 00:00:00 +0200

Lets prefix this with: I really love Transparency Logs!

It’s a fairly simple concept: If you hash elements together in a binary tree, you can validate and verify if elements are present on a tree by hashing a couple of elements. This is what is commonly known as a Merkle tree.

I forget the math, but if you have a tree with a million items, you would only really need less than 10 hashes (I think) to figure out what the hash of the top node would be. This allows you to easily audit and verify the tree is internally consistent. If you compare this to something like git, which people often mistake for a Merkle tree, you would need to effectively replay a million commits to figure out if the last commit hash is actually correct or not.

Streaming the Steam Deck to OBS

Sat, 26 Mar 2022 14:07:41 +0100

Valve was kind enough to send Steam Deck devkits to Arch Linux maintainers and developers which gave us an opportunity to mess around with the device.

Personally I find it a bit fun to mess around with video streaming, thus one of the first things I wanted to try figure out was how I could stream the gamemode on the Steam Deck. Installing the OBS flatpak and adding it to the menu doesn’t actually work so we sadly have to be a bit more clever.

mkinitcpio v31 and UEFI stubs

Sun, 22 Aug 2021 00:00:00 +0200

A few months ago I wrote up some code for mkinitcpio which teaches it how to create UEFI executables utilizing the systemd stub.

The change can be found here: https://github.com/archlinux/mkinitcpio/pull/53

This is a short introduction to why the feature is great, how it makes it easier to boot your system, and how it can be used to better secure your system with something like secure boot.

The Boot Process

For the past decade most computers have two ways to boot. The legacy BIOS mode and UEFI which is suppose to replace it. It frankly does a lot of things, but one of the more interesting aspects is that the Linux kernel is a valid MS DOS binary. If you read out the two first bytes you will see MZ.

FOSS Activities in April 2021

Wed, 05 May 2021 21:00:00 +0200

Yo!

Hope people have had a lovely spring. This month has passed quickly! I have put off writing the monthly post because I was busy with a weekend project.

My master thesis was about how to apply transparency logs and reproducible builds to give package rebuilders the ability to produce tamper evident logs. This is handy since any one package build can easily be proven to be part of the log, and you can very easily fill inn the history from one point in time to another by hashing files in the correct order.

FOSS Activities in March 2021

Fri, 02 Apr 2021 14:00:00 +0200

Yoooo!

Another month has passed which means another status update.

The python2 removal has been steady and several packages has been removed this month. Currently a query for python2 on archweb returns 139 matches. At the start of the month it was around 160-170. Progress!

I have suggested we remove checkdepends on python2 packages to ease the cleanup of dependency cycles. The response has been lukewarm at best so we’ll see how that progresses. Hopefully more is being removed in the upcoming months.

Simplifying and securing the boot process

Thu, 01 Apr 2021 00:00:00 +0200

One of the few things I have been excited about the past year is usable cryptography. We have a lot of neat things these days with hardware tokens, the Trusted Platform Module (TPM) and Secure Boot. But the tooling around these things are bad and hard to use for a while now which is why I got super excited when I saw Lennart Poettering wrote about the upcoming systemd-cryptenroll. It allows one to easily utilize the TPM or FIDO key for unlocking your encrypted partition.

FOSS Activities in February 2021

Mon, 01 Mar 2021 18:00:00 +0200

Yo!

New month, new update!

The start of this month was marked with FOSDEM! I held a talk about secure boot and the tooling stuff I have written, sbctl. It’s a tool to help you manage secure boot keys and signing files. With help from sbsigntools it also does live enrollment of keys.

The talk went great (I think) and it was fun to see how FOSDEM pulled off the conference with matrix and jitsi. I gave me some inspiration for Arch Conf 2021 that I should try kick off some planning on.

FOSS Activities in January 2021

Mon, 01 Feb 2021 00:21:00 +0200

And January is over! Time has frankly been moving fast the past days.

Packaging wise, things has been fine. Added tailscale and some other minor packages, but had a real purge of old packages from resigned maintainers. Also dropped ntop to the AUR which hasn’t been actively developed for years at this point. I’m curious when people are going to bug me about that one :)

On the security side of things there has been quite a lot happening just the past week. sudo had CVE-2021-3156 and libgcrypt had CVE-2021-3345 which are both are quite severe. My personal take is that the sudo one bad, but not that bad. While libgcrypt is a bit more terrible considering the data is parsed before it’s authenticated. However both was patched fairly quickly in Arch.

FOSS Activities in December 2020

Sat, 02 Jan 2021 11:20:00 +0200

End of the year and third blog post! Hope everyone has had a nice new years eve :)

The first news of the month is that Remi Gacogne was accepted as Trusted User. Congratulations to him and super exciting.

Other then that I have had a meeting with the devops team discussing how we should implement the debuginfod system on our infrastructure. I have written up the ansible role for debuginfod and it was more or less decided that we want to host it on a small VPS for the service itself, and sync debug packages to the host to serve them. This avoid the problem of hosting more services on our server which distributes packages with services it does not really need.

Kubernetes in Arch Linux

Wed, 23 Dec 2020 20:00:00 +0200

Arch Linux got kubernetes packaged into the [community] repository the past week with the hard work of David Runge. I contribute to testing the packages so I thought it would be interesting to write up quickly the testing that was done. Originally I did the testing with docker but with the dockershim deprecation I rewrote the blog to utilize containerd instead.

David has reworked the kubernetes archwiki article as well. It currently doesn’t cover all use cases and contributions welcome. I will try cover the containerd parts of this page to the wiki.

FOSS Activities in November 2020

Tue, 01 Dec 2020 00:00:00 +0200

Second month of doing these posts. In short not much has been happening the past weeks, but that would be a slight lie.

I have sponsored rgacognes Trusted User application. The application was posted to the mailing list, and it’s currently being voted and decided by a weeks time.

There has also been some discussion for years about bringing debug packages into Arch. This has largely been stalled but I brought it back to life again. Essentially the problem might be solved by utilizing the new debuginfod project, and we can later distribute the packages itself when we understand the new mirror requirements. There is currently a discussion on [arch-dev-public] about it.

PAM Bypass: when null(is not)ok

Tue, 24 Nov 2020 20:00:00 +0200

The Problem

Someone enters an IRC support channel and proclaims their dovecot server has been hacked and a non existing user sends spam email from their server. The initial reaction might be something along the lines of

Wat ಠ_ಠ

With the following assumption that the user clearly did something wrong. Hosting email is difficult after all. I don’t quite recall how rest of the support went, but it was solved and the root cause was not found. However, we keep on rolling! Then someone posts about a similar incident on r/archlinux.

FOSS Activities in October 2020

Sun, 01 Nov 2020 00:00:00 +0100

I wanted to start writing these for myself as I have been reading quite a few monthly resports from Chris Lamb and other Debian contributors. They make for interesting content for readers curious about what distribution maintainers do during a month, and motivation for myself as not everything one does is visible work.

I’ll try have some sort of structure with them, by starting off with the menial tasks, and add the meeting notes and misc contributions at the bottom.

Improving the Secure Boot user experience

Mon, 18 May 2020 00:00:00 +0200

Secure boot tooling is terrible, can we do better?

Currently the most widely used tooling for secure boot is the Ubuntu sbsigntools and efitools. If you are currently using secure boot both of these packages are probably installed on your system. Both of them support the basics of generating signature lists and signing the EFI variables with certificates, but they still have differences which is a source of confusion.

efitools has 3 different ways of generating signature lists: cert-to-efi-hash-list, cert-to-sig-list and hash-to-efi-sig-list. “Luckily” there are man pages you can read which assumes you have some familiarity with UEFI itself.

Packaging LXD for Arch Linux

Mon, 27 Apr 2020 23:30:00 +0100

With the release of 3.20, LXD was included into the community repository of Arch Linux in January, and has currently been sitting there happily for the past months. LXD is a container manager from Canonical that manages containers as if they where independent machines in a cluster. I have somehow taken to calling them “containers-as-machines”. This is in contrast to podman and docker which would be “containers-as-applications”. Think of lxd as ganeti, but for containers.

Reproducible Arch Linux Packages

Mon, 11 Nov 2019 12:00:00 +0100

Arch Linux has been involved with the reproducible builds efforts since 2016. The goal is to achieve deterministic building of software packages to enhance the security of the distribution.

After almost 3 years of continued effort, along with the release of pacman 5.2 and contributions from a lot of people, we are finally able to reproduce packages distributed by Arch Linux!

This enables users to build packages and compare them with the ones distributed by the Arch Linux team. Users can independently verify the work done by our packagers, and figure out if malicious code has been included in the pristine source during the build, which in turns enhances the overall supply chain security. We are one of the first binary distributions that has achieved this, and can provide tooling down to users.

Mailpile, sendmail and procmail

Wed, 09 Jul 2014 00:00:00 +0100

What is Mailpile?

[Mailpile] (https://www.mailpile.is) is mail client with a rather unusual goal in todays world. It wants to be free, open-source, privacy oriented and easy to use with encryption. This all comes with the goal of being self-hosted.

This is a contrast to Protonmail who still keeps all your information on their servers, making people with a slight trust issue look at you in a rather funny way. However, Protonmail and Mailpile is among several email providers in the wake of the NSA scandal to try and give you secure options to gmail, outlook and yahoo. Which is in my opinion, Awesome!

The State of Hy

Fri, 17 Jan 2014 00:00:00 +0100

So, with the recent hipster attitude of posting a “State of *” every year, I thought i’d try and do it for something I have been contributing to for the past 6 months, Hy.

Short introduction

Hy is a Lisp leeching living off the Python world. It compiles down to Python’s AST and is completely bidirectional, you can import Hy into Python and vica versa seamlessly! It just works. Hy is also more portable then normal Python code. Any code you write with Hy can be run on Python 2.6, 2.7, 3.2, 3.3, even 3.4 and pypy! It’s a rather young language but have hit a one year mark, but it does not mean Hy dosn’t got neato features.

Mon, 01 Jan 0001 00:00:00 +0000

Blog

Topics

Debug packages
Debuginfod
Supply Chain basics

Monthly

blog/foss-work-october.md blog/foss-work-november-2020.md blog/foss-work-december-2020.md blog foss work january 2021 blog foss work februrary foss_work_march_2021 blog foss_work_april_2021 blog foss_work_may_2021

In Progress

blog/streaming-a-foss-conference.md blog/reproducing packages blog reproducible tailscale blog practical_example_for_go_work blog debug_packages blog work update

Done

blog personal_infra.md blog/self-hosting-dns.md blog/terraform-provider-openwrt.md blog nix is not reproducible blog chromecast resolved bash vlc blog ssh tpm agent blog age plugin tpm blog ecdh tpm blog go_delve_debug_packages blog pam auth bypass blog/kubernetes in arch linux blog mkinitcpio uefi stubs blog monitoring_the_kernel org_transparency_log blog streaming gamemode from steamdeck

Misc

About