Secure Boot when dual-booting Arch Linux and Windows

I recently got a new laptop and wanted to set up a dual-boot installation. Most guides simply tell you to disable Secure Boot and then leave it that way. I wanted to keep Secure Boot enabled.

Secure Boot basics

I will construct a PKI according to the image below. There are three types of keys in a Secure Boot PKI.

  • Platform Key (PK): A single root key that authorizes changes to the KEK database (and to the PK itself).
  • Key Exchange Key (KEK): One or more keys that authorize changes to the DB and DBX databases.
  • DB Signature Key (DB key): One or more keys whose certificates are stored in DB; an EFI binary signed by one of them is allowed to boot. DBX is the corresponding forbidden list (certificates and hashes that must not boot).

A simplified, but almost correct, description is that DB keys sign the EFI binaries (bootloader, kernels, etc.) that should be allowed to boot. To show which DB keys are allowed to do so, the DB entries must be signed by a KEK, and in the same way the KEK entries must be signed by the Platform Key. The precise version is that the firmware does not verify an X.509 chain from PK to KEK to DB key: each level signs the update that enrolls the level below it, as an authenticated write to the corresponding UEFI variable (PK.auth, KEK.auth, db.auth). Enrolling the PK is what moves the firmware from setup mode into user mode; until then the variables can be written without any signature at all.
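The steps above, as an added example that is not the post's own script: generate the three key pairs with openssl, and, where efitools is installed, wrap each certificate in an EFI signature list and sign the variable updates the way the firmware checks them (PK signs the PK and KEK updates, the KEK signs the db update). The directory, common names and signature-owner GUID are illustrative.

```shell
#!/bin/sh
# Added example: build a personal Secure Boot PKI (PK, KEK, db) with openssl,
# then produce the authenticated variable updates with efitools if present.
set -eu

# Generate one self-signed RSA certificate named $1 with common name $2 into
# directory $3. Produces NAME.key, NAME.crt (PEM) and NAME.cer (DER, the form
# most firmware setup menus accept for manual enrolment).
gen_sb_key() {
    name=$1; cn=$2; dir=$3
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -new -x509 -sha256 -days 3650 -subj "/CN=$cn/" \
        -out "$dir/$name.crt" 2>/dev/null
    openssl x509 -in "$dir/$name.crt" -outform DER -out "$dir/$name.cer"
}

# Print the CN of a PEM certificate (works with both old and new subject formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Create PK, KEK and db plus a GUID that tags the signature owner.
make_sb_pki() {
    dir=$1
    mkdir -p "$dir"
    gen_sb_key PK  "My Platform Key"           "$dir"
    gen_sb_key KEK "My Key Exchange Key"       "$dir"
    gen_sb_key db  "My Signature Database Key" "$dir"
    if [ ! -s "$dir/GUID" ]; then
        cat /proc/sys/kernel/random/uuid > "$dir/GUID" 2>/dev/null \
            || uuidgen > "$dir/GUID" 2>/dev/null \
            || echo "11111111-2222-3333-4444-555555555555" > "$dir/GUID"
    fi
}

# Authenticated variable payloads (.auth). The variable name is part of what
# is signed, so it must match the variable the file will be written to.
sign_esls() {
    dir=$1
    if ! command -v cert-to-efi-sig-list >/dev/null 2>&1; then
        echo "efitools not installed; skipping .esl/.auth generation" >&2
        return 0
    fi
    guid=$(cat "$dir/GUID")
    for n in PK KEK db; do
        cert-to-efi-sig-list -g "$guid" "$dir/$n.crt" "$dir/$n.esl"
    done
    sign-efi-sig-list -g "$guid" -k "$dir/PK.key"  -c "$dir/PK.crt"  PK  "$dir/PK.esl"  "$dir/PK.auth"
    sign-efi-sig-list -g "$guid" -k "$dir/PK.key"  -c "$dir/PK.crt"  KEK "$dir/KEK.esl" "$dir/KEK.auth"
    sign-efi-sig-list -g "$guid" -k "$dir/KEK.key" -c "$dir/KEK.crt" db  "$dir/db.esl"  "$dir/db.auth"
}

# Self-check: all three key pairs exist and the certificates are not expired.
sb_pki_ok() {
    dir=$1
    for n in PK KEK db; do
        [ -s "$dir/$n.key" ] && [ -s "$dir/$n.crt" ] && [ -s "$dir/$n.cer" ] || return 1
        openssl x509 -in "$dir/$n.crt" -noout -checkend 0 >/dev/null || return 1
    done
    [ "$(cert_cn "$dir/PK.crt")" = "My Platform Key" ]
}

# Usage: ./make-sb-keys.sh /path/to/keydir
if [ $# -gt 0 ]; then
    make_sb_pki "$1"
    sign_esls "$1"
    sb_pki_ok "$1" && echo "keys ready in $1"
fi
```

Keep PK.key offline once PK.auth exists; only the KEK is needed for later db updates. For the dual-boot case in this post, do not enroll db.esl containing only your own certificate: concatenate Microsoft's Windows Production PCA 2011 (which signs bootmgfw.efi) and Microsoft UEFI CA 2011 (which signs most option ROMs, including discrete GPU firmware) into db.esl before signing, or Windows will fail to boot and the firmware may refuse to initialise the GPU.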

RADIUS authentication with SQLite user management

This is a continuation of my previous article regarding FreeRADIUS with SQLite as storage backend.

I recently came to think that it would sometimes be nice to be able to temporarily disable (or enable) accounts. For example, consider a scenario where you have some friends who do not come and visit you very often. Why keep their accounts activated all the time? Wouldn't it be more convenient (and more secure) to enable their accounts only while they are visiting, and then disable the accounts again?

RADIUS authentication and dynamic VLAN assignment for WPA2 Enterprise using SQLite in FreeRADIUS

I recently bought a UniFi AP AC Pro [1] access point to replace my old useless AP. For obvious geeky reasons I wanted to use WPA2 Enterprise instead of WPA2 Personal. That way I can have a separate account for each person accessing my wireless network, which means I can revoke one person's access without handing out a new passphrase to everyone else.

Using WPA2 Enterprise requires a RADIUS server, so I have written down the steps I used to configure one together with RADIUS-assigned VLANs, so that different accounts get different VLANs. I have stored this configuration inside an SQLite database for simplicity. An interesting possible future tweak would be to move to an LDAP server instead.
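The two previous posts share one database, so here is one added example covering both the per-account VLAN assignment and the temporary disable/enable described above. It is not the posts' own schema dump; it assumes the stock FreeRADIUS radcheck/radreply tables, an account named alice and VLAN 20, all of which are illustrative.

```sql
-- radcheck holds items FreeRADIUS compares against the request (password,
-- enable/disable); radreply holds attributes sent back on Access-Accept.
-- PEAP/MSCHAPv2 needs the password in a form the server can run MS-CHAP
-- over, so Cleartext-Password (or NT-Password) is required, not a crypt hash.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('alice', 'Cleartext-Password', ':=', 'correct horse battery staple');

-- Dynamic VLAN (RFC 3580): the AP only honours the VLAN when all three
-- attributes are present. Tunnel-Private-Group-Id is the VLAN number.
INSERT INTO radreply (username, attribute, op, value) VALUES
  ('alice', 'Tunnel-Type',             ':=', 'VLAN'),
  ('alice', 'Tunnel-Medium-Type',      ':=', 'IEEE-802'),
  ('alice', 'Tunnel-Private-Group-Id', ':=', '20');

-- Disable: a check item that forces Auth-Type to Reject makes FreeRADIUS
-- reject the request before any password handling. Takes effect on the
-- next request; the sql module reads these tables per request, no restart.
INSERT INTO radcheck (username, attribute, op, value)
VALUES ('alice', 'Auth-Type', ':=', 'Reject');

-- Enable again: remove that one row, leaving the password and VLAN intact.
DELETE FROM radcheck
 WHERE username = 'alice' AND attribute = 'Auth-Type' AND value = 'Reject';

-- Audit: which accounts are currently disabled?
SELECT username FROM radcheck
 WHERE attribute = 'Auth-Type' AND value = 'Reject';
```

Disabling by deleting the password row would also work, but it throws the credential away; the Reject row keeps the account intact and is trivially reversible, which is what "temporarily" calls for.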

HTTPS Kerberos authentication with Apache 2.4

So I wanted to put my shiny Kerberos server to some use on my network, and decided that I want some web services protected by Kerberos authentication. By doing so, I automatically get access to those services from my local machine, because I receive a Kerberos ticket upon local login (see my previous post). My web server runs Apache 2.4 on FreeBSD.
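An added configuration example for this setup, not the post's own config: it assumes mod_auth_kerb on FreeBSD's Apache 2.4 (config directory /usr/local/etc/apache24), the realm EXAMPLE.COM, and a keytab holding the HTTP/www.example.com principal; all names and paths are illustrative.

```apache
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/ssl/www.example.com.crt
    SSLCertificateKeyFile /usr/local/etc/ssl/www.example.com.key

    <Location "/secure">
        AuthType Kerberos
        AuthName "Kerberos login"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        # Must contain HTTP/www.example.com@EXAMPLE.COM and be readable
        # only by the user Apache runs as (www on FreeBSD).
        Krb5KeyTab /usr/local/etc/apache24/http.keytab
        KrbMethodNegotiate On
        # Do not fall back to a password prompt: that would send the
        # Kerberos password itself to the web server as HTTP Basic auth.
        KrbMethodK5Passwd Off
        Require valid-user
    </Location>
</VirtualHost>
```

The SPNEGO token the browser sends is bound to the hostname it connected to, so ServerName, the certificate and the keytab principal must all use the same name. Keep the Location inside the HTTPS virtual host only; an http:// copy would let the ticket exchange happen in the clear.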

Network boot (PXE) of HTPC

I recently bought an Intel NUC (NUC5i3RYK to be precise). I have equipped it with 8 GB of RAM, but with no storage. My goal is to make the HTPC boot completely over the network using PXE. This should load Kodi (XBMC) and be able to access all shared files located on my file server.

Since I want the network boot and HTPC root filesystem separated from the rest of the network, so that they won't interfere with my regular DHCP server, I have put them on a separate VLAN. It is also possible to put everything on the same VLAN if you like, but then you need to configure the DHCP server you usually use to point clients at the TFTP server used for PXE boot (the next-server address and boot filename).
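An added dnsmasq configuration for the separate-VLAN variant, not the post's own config: it assumes the HTPC VLAN is the interface vlan30 on 10.30.0.0/24, that this host is 10.30.0.1, and that pxelinux.0 with the kernel and initrd live under /srv/tftp; all of these are illustrative.

```ini
# Only answer on the HTPC VLAN, so the regular DHCP server elsewhere
# never sees these offers.
interface=vlan30
bind-interfaces
dhcp-range=10.30.0.100,10.30.0.200,12h
dhcp-option=option:router,10.30.0.1

# Serve the PXE files from the same host.
enable-tftp
tftp-root=/srv/tftp
# filename, server name, server address (what the client puts in next-server)
dhcp-boot=pxelinux.0,,10.30.0.1
```

For the same-VLAN alternative mentioned above, an ISC dhcpd host entry would carry next-server 10.30.0.1; and filename "pxelinux.0"; instead, and dnsmasq would run with only the TFTP lines (no dhcp-range).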

Validating server certificates signed by own CA in Swift

In one of my recent apps I wanted to download data from an internal server whose certificate is signed by an in-house certificate authority. Rather than hard-coding fingerprints in the application, I want to validate the certificate chain against the set of trusted CAs, with my own CA added to that set.

To download files I use NSURLConnection asynchronously, so my class needs to implement the protocol NSURLConnectionDataDelegate. The method that handles server certificate validation (together with, for example, HTTP Basic authentication) is connection:willSendRequestForAuthenticationChallenge:.

Acquiring Kerberos ticket upon local login

So I recently set up a Kerberos server on my local network to use with a file server running NFSv4. The share is mounted at boot using systemd and /etc/fstab. So far so good. However, because the NFS share is exported with sec=krb5, a Kerberos ticket is required to actually access anything on the share.

However, it would be nice to actually acquire this ticket automatically upon logging in on my desktop computer, rather than having to run kinit manually.

ACR122U, mfcuk, and mfoc: Cracking MIFARE Classic on Arch Linux

Background

I recently bought an ACR122U reader [1] to play around with RFID, and especially MIFARE Classic cards because of their low security [2] [3] [4] [5] and widespread adoption.

The different sectors of the MIFARE Classic card are protected by different keys (an A key and a B key per sector). To read the content of the card, those keys must be found. There are two well-known applications for this: mfcuk [6] and mfoc [7]. mfoc first tries a list of well-known default keys and then runs the nested attack, which recovers every remaining key within minutes once any single key is known. A typical attack scenario is therefore to run mfoc first; only if no default key matches does mfcuk come in, using the dark-side attack to recover a first key with no prior knowledge (which may take quite some time), after which mfoc finds the rest.

XenServer 6.2: Booting and installing from USB

Preparing the USB stick

The first step was to prepare a USB stick with the XenServer 6.2 ISO downloaded from http://www.xenserver.org. Since my workstation runs Linux, I initially tried using dd, but my server refused to boot from the USB stick.

After trying virtually every guide on the Internet, I could finally put something together that worked.

On my home computer I run Arch Linux; some paths in the commands below might have to be adapted for your system (most probably the /usr/lib/syslinux/bios paths). Throughout the commands /dev/sdX is the USB stick. Make sure you choose the correct device, as the commands overwrite it!

TP-Link TL-WN725N in Arch Linux ARM

EDIT 2013-11-24: As of kernel 3.12, the driver has been included in the staging area of the Linux kernel [1]. Upgrading your kernel to get the included driver may be easier than compiling your own kernel module.

[1] http://kernelnewbies.org/Linux_3.12-DriversArch#head-535f1b62f845d5e0d9d20c2980ab6b35525f67c5

So I recently bought a TP-Link TL-WN725N wireless adapter to use together with my Raspberry Pi. The main reason to buy this particular model was that it should work out of the box together with the Linux kernel in Raspberry Pi.