Also posted on Medium.
When running services on a Linux system, there is the issue of how to securely pass in the secrets that the service needs. Usually this is done by creating a config file with credentials and then protecting it with file system permissions and possibly also a Linux security module such as AppArmor or SELinux. This still leaves the issue that the credentials are stored in a plain text file, which can be compromised.
Although secure boot support has been in place in most distros for a while, most, if not all, still have a missing link in the chain: the initrd image is not signed. This allows an attacker to tamper with the initrd image without detection.
Using cec-client with a Raspberry Pi on Debian or Ubuntu does not work out of the box, as the cec-client in the Debian and Ubuntu repositories has not been compiled with support for the proprietary Raspberry Pi libraries. In addition, these libraries are 32-bit only. This is a guide on how to get this working.
First you need to set up a 32-bit chroot environment. Install debootstrap and then run:
debootstrap --variant=buildd --arch=armhf bullseye /opt/cec-client/
You will then need to download the Raspberry Pi libraries.
Introduction
This short post describes how I configured my own IPv6 home router using Debian GNU/Linux. I used a Dreamplug, but any device with at least 2 NICs should be usable. Although this guide describes the setup using Debian, it should be no problem to use another distribution or one of the BSD variants.
I will not go into too many details about the configurations; for more information you should read the man pages and/or documentation.
Introduction
At work we use a Checkpoint Endpoint VPN and although SNX works, it is not ideal and I would much rather have native IPsec. Thus the quest began.
I found this page which helped me get on the right track. I also found Andrew de Quincey’s patch. I then had all the components required to set this up.
Setting it up
Patching ipsec-tools
You need to patch ipsec-tools with the patch from Andrew de Quincey, which adds support for Checkpoint's xauth to ipsec-tools.