In this talk I will speak about what the Future Technology Team did in the last year. Some of the bigger topics are: * Update on Full Disk Encryption with TPM and Fido2 * Adding grub2-BLS support: - YaST2 - Images (including with full disk encryption) - Making it the default * Adding FDE+TPM support to YaST2 * New features for transactional-update and rework of /etc handling * systemd-sysext on MicroOS * systemd-pull and OBS * New tools (e.g. sndiff) * And much more

As confidential computing continues to evolve, AMD SEV-SNP has gained traction in the open-source community and is now supported by cloud providers such as AWS, Google Cloud, and Azure. By encrypting memory, SEV-SNP ensures that a virtual machine’s memory remains accessible only to itself, thereby protecting sensitive data in virtualized environments. This session will provide an analysis of SEV-SNP’s security, examining its role in confidential computing, its protection mechanisms, and their limitations. Attendees will gain valuable insights into SEV-SNP’s strengths and overall security implications.

The packaging of Linux kernel firmware has evolved from a simple copy of embedded blobs in the kernel source to a complex process. Initially, the linux-firmware Git tree was created due to licensing and other issues, and kernel-firmware package was a flat copy of its all contents. Meanwhile, the tree's growth, driven by third-party contributions, led to a problem of too large package size and installation footprint. Also, the recent fast development of the tree required the need for faster updates. This talk will follow the long history of kernel firmware packaging on (open)SUSE distributions and see how those problems have been addressed.

Have you ever wondered how exactly your RAM is being used in Linux and how you can find out? How much memory will be freed when killing a particular process? What exactly does the “top”s RES column even mean, and why is the sum of it over all processes much larger than what “free” reports as used? Or much smaller? Why in /proc/meminfo is the value of AnonPages different from Active(anon) plus Inactive(anon)? Which of the fields there should actually sum up to MemTotal? How can I find out where the missing memory went when the proper sum is much smaller than MemTotal? What even is MemAvailable? Why is sometimes swap used even when there seems to be enough free memory? This talk will provide ways to answer questions like these, and explain why the answers are often not trivial.

While we do support NVMe-over-TCP and TLS encryption for quite some time now, recently a partner has complained about performance and scalability issues when running TLS encryption on NVMe-over-TCP. So I decided to do some performance measurements, which turned out to be surprisingly tricky; normal statistical analysis fell through the floor as the standard deviation _far_ exceeds the mean value. This presentation is giving an overview of the tests performed and the analysis done. I will also present fixes and methods for better analyse performance, but I hope to have a discussion which other methods can be employed to do a more reliable performance measurement.

Goal of the project is to look more into practical usability of PSI (pressure stall information), a Linux kernel scheduler feature that provides insights into resource contention. I will explain the concept and variants of the metrics. I will show some examples of PSI values, I will consider its applicability to some user scenarios and compare it with some more traditional metrics. Ideally, I'll peek into overhead of PSI tracking.

The Kernel Key Retention Service is a Linux Kernel feature that allows cryptographic keys, authentication tokens, cross-domain user mappings, and similar to be cached in the kernel for use in filesystems, kernel services, and by user-space [1]. Each key is stored in a keyring, which is a special type of key that is used to hold other keys. A key can be linked to one or more keyrings. Keyrings can have different lifetimes, and be associated with a program, thread, or session. Key types can be extended through modules, and the kernel supports a number of asymmetric, symmetric, trusted and encrypted keys. Interaction with the service is done via three syscalls: keyclt(2), add_key(2), and request_key(2). The focus of this work is on trusted keys [2] backed by a TPM trust source. I show that using only the 3 syscalls listed above, one can use the kernel as secure storage for sensitive cryptography material without using external dependencies; and can even replace external, hardware-based, solutions like smartcards and YubiKeys. As a proof-of-concept, I've implemented a SSH-agent [3][4] that stores all of it's sensitive cryptographic material in the kernel using a trusted key to bind each of it's keys to the host machine. I've also explore the problems and approaches used to persist keys, given the volatile nature of the service. A comparison is made with other operating systems, like the Keychain on macOS; and also, with other key management/interoperability protocols like PKCS #11 (commonly used in tokens/smartcards). I also present future work that can be done in the kernel to improve the usability of the service by user-space applications. [1] - https://docs.kernel.org/security/keys/core.html [2] - https://www.kernel.org/doc/html/latest/security/keys/trusted-encrypted.html [3] - https://github.com/say-fish/zssh [4] - https://github.com/say-fish/krs-agent (Will be available in a few weeks)