Linux Security Summit Europe 2025

Linux Virtualization based Security (LVBS) is a security feature that leverages hypervisors to a) harden the kernel and b) ensure that critical kernel resources remain untampered, even if the guest kernel gets compromised by creating an isolated environment that runs at a higher trust level than the normal operating environment. A key kernel integrity feature of LVBS is to ensure that kernel memory protections (read-only, W^X) are backed up by this trusted environment using Second Level Page Tables so that even if the guest kernel is compromised, the kernel memory cannot be tampered with.
One of the challenges in enabling hypervisor-enforced kernel memory protection is that the Linux kernel inherently supports features that either modify existing kernel code or inject code into the kernel memory space. In this talk, we aim to examine a comprehensive list of such kernel features (which are inherently easier exploit surfaces) and then discuss how these features can be hardened via LVBS to ensure that the integrity and authenticity of patched code, even if the kernel is compromised. Finally, we present the status of our work in implementing these hardenings.

Microarchitectural attacks such as Branch History Injection (BHI) can expose kernel data when instructions at a mispredicted indirect call target are executed speculatively with malicious data crafted by the attacker.

FineIBT (Fine-grain Control-flow Enforcement with Indirect Branch Tracking) is a hardening technique adopted by the Linux kernel (first merged in 6.2) that performs a check at each indirect call target to ensure that the target’s type (e.g., void (*)(int)) matches the type of the function pointer that was used to make the call. Although FineIBT can provide substantial defense-in-depth against architectural attacks such as Call-Oriented Programming (COP), its current implementation does not address microarchitectural attacks.

This talk introduces a new enhancement to FineIBT that hardens the Linux kernel against a plethora of microarchitectural attacks—including BHI—by poisoning the contents of live registers whenever the FineIBT check fails, thus preventing an attacker from using those registers to pass malicious data to a mis-predicted call target. This enhancement has been merged into Linux 6.15.

One of Landlock's main goals is to empower Linux users to sandbox their programs. We've focused on building the foundation of a new unprivileged access control system, including an interface for developers to sandbox programs. While sandboxing tools already leverage Landlock, a well-defined way to describe security policies is still needed.

To address this, we're designing a user-friendly configuration format, marking a significant step toward making Landlock more accessible. This format enables users to describe a set of restrictions enforced on their programs and helps democratize Linux sandboxing. The new configuration format and related library simplify sandbox creation by allowing users to compose modular security policies. Linux distributions can also provide predefined policies that users can customize, reducing the maintenance burden.

In this talk, we’ll explain the design of this new configuration format, available to end users via TOML and to developers via JSON. We'll also demonstrate a new tool that makes Landlock sandboxing straightforward and accessible.

This talk presents a fully open-source framework to achieve secure full disk encryption (FDE) for TPM-equipped Edge devices (IoT), balancing strong security guarantees with practical maintainability at scale. We address key features including automated disk unlocking and recovery, monitoring and remote access. The talk will cover the following:

* A fully verified boot chain, from EFI firmware through the initramfs. We'll cover which system components to verify and common pitfalls to avoid when setting up a secure boot chain.
* A newly-developed, open-source TPM PCR prediction mechanism enabling seamless reboots after kernel or initramfs updates.
* Automated disk encryption key onboarding and recovery using Tang and Clevis.
* Secure remote access and fleet observability while disks remain locked - using WireGuard, SSH, and Prometheus.
* Guidance on how to extend the initramfs (dracut) with your own tooling.
* Discussion of shortfalls and potential security risks

Our aim with this talk is to help you make FDE convenient, recoverable and monitored to make large-scale rollouts possible.