
Build a Trusted Network with Klinge

Klinge is an FPGA-based blade server suitable for building trusted networks. Klinge is especially suitable for this because its SOC/CPU is completely auditable and can be built and updated using 100% open-source software.

This post is a quick guide for setting up a private trusted network using two Klinge servers and a 5-port switch. This guide assumes you’re using Kakao Linux. Check out our Half10 repo for a 3D-printable rack system.

The network will look like this:

[ Internet ]
  |
[ Router / LAN (untrusted) ]
  |
[ Klinge #1 - DMZ (semi-trusted) ]
  |
[ Klinge #2 - Perimeter (trusted) ]
  |
[ 5-port switch - Trusted LAN ]

In this setup the perimeter can act as a firewall limiting or completely excluding traffic from the DMZ to the trusted network.

Here are the benefits of this setup according to ChatGPT:

Feature                | One Server   | Two Servers
Security Zones         | Single, flat | Clearly separated (DMZ vs LAN)
Defense-in-Depth       | No           | Yes
Exposure Management    | High         | Minimized
Compromise Containment | Poor         | Better (breach isolation)
Policy Granularity     | Limited      | Fine-grained control
Service Isolation      | Minimal      | Strong

Configuration

Connecting the Ethernet cables is straightforward. The eth0 port on Klinge #1 connects to your existing LAN and the eth1 port connects to the eth0 port of Klinge #2. The eth1 port of Klinge #2 connects to the 5-port switch, which is the trusted network.

Configuring Klinge #1 (DMZ):

# enable ip forwarding (as root; the DMZ box routes between eth0 and eth1)
$ echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
$ sysctl -p

# edit /etc/network/interfaces:
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 10.10.10.1
netmask 255.255.255.0

Configuring Klinge #2 (Perimeter):

# enable ip forwarding (as root; the perimeter routes between the trusted LAN and the DMZ)
$ echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
$ sysctl -p

# edit /etc/network/interfaces (the gateway line points at Klinge #1, otherwise nothing beyond 10.10.10.0/24 is reachable):
auto eth0
iface eth0 inet static
address 10.10.10.2
netmask 255.255.255.0
gateway 10.10.10.1

auto eth1
iface eth1 inet static
address 10.20.0.1
netmask 255.255.0.0

# to configure DHCP on the trusted LAN, edit /etc/dnsmasq.conf:
interface=eth1
dhcp-range=10.20.0.100,10.20.0.199,12h
dhcp-option=6,10.20.0.1

# to use this server as the nameserver, edit /etc/resolv.conf:
nameserver ::1
nameserver 127.0.0.1

# to set hostnames for static IPs, edit /etc/hosts:
127.0.0.1 localhost
10.20.0.1 perimeter
10.20.0.80 my-laptop
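The post gives the two interface files and the dnsmasq snippet but no way to check that they agree with each other, and no firewall rules for the perimeter. Below is an added consistency check plus a minimal nftables policy; it is example code written for this guide, not part of the post or of Kakao Linux. The embedded config strings are copies of the ones above (with a gateway line on the perimeter's eth0, which the static stanza needs in order to reach Klinge #1 and the Internet). The nftables ruleset, the chain and table names, and the masquerade on eth0 are assumptions: masquerading lets Klinge #1 forward return traffic without a static route to 10.20.0.0/16.

```python
"""Consistency check for the two-Klinge topology, plus a perimeter ruleset."""
import ipaddress

# Constructed copies of the post's configs (perimeter eth0 gains a gateway line).
DMZ_INTERFACES = """\
auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 10.10.10.1
netmask 255.255.255.0
"""

PERIMETER_INTERFACES = """\
auto eth0
iface eth0 inet static
address 10.10.10.2
netmask 255.255.255.0
gateway 10.10.10.1

auto eth1
iface eth1 inet static
address 10.20.0.1
netmask 255.255.0.0
"""

PERIMETER_DNSMASQ = """\
interface=eth1
dhcp-range=10.20.0.100,10.20.0.199,12h
dhcp-option=6,10.20.0.1
"""


def parse_interfaces(text):
    """Parse ifupdown stanzas into {iface: {"method": ..., "address": ..., ...}}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface":
            current = ifaces.setdefault(parts[1], {"method": parts[3]})
        elif current is not None and parts[0] in ("address", "netmask", "gateway"):
            current[parts[0]] = parts[1]
    return ifaces


def iface_network(stanza):
    """Address plus dotted netmask of a static stanza as an ip_interface."""
    return ipaddress.ip_interface(f"{stanza['address']}/{stanza['netmask']}")


def parse_dnsmasq(text):
    """Pull the interface, DHCP range and DNS option (code 6) out of dnsmasq.conf."""
    conf = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    lo, hi, _lease = conf["dhcp-range"].split(",")
    code, value = conf["dhcp-option"].split(",", 1)
    return {"interface": conf["interface"],
            "range": (ipaddress.ip_address(lo), ipaddress.ip_address(hi)),
            "dns": ipaddress.ip_address(value) if code == "6" else None}


def check_topology(dmz_text, perim_text, dnsmasq_text):
    """Return a list of problems; an empty list means the three configs agree."""
    problems = []
    dmz, perim = parse_interfaces(dmz_text), parse_interfaces(perim_text)
    dns = parse_dnsmasq(dnsmasq_text)
    link_dmz = iface_network(dmz["eth1"])       # DMZ end of the inter-Klinge link
    link_perim = iface_network(perim["eth0"])   # perimeter end of the same link
    trusted = iface_network(perim["eth1"])      # trusted LAN side

    if link_dmz.network != link_perim.network:
        problems.append("inter-Klinge link: DMZ eth1 and perimeter eth0 are in different subnets")
    if perim["eth0"].get("gateway") != str(link_dmz.ip):
        problems.append("perimeter eth0 has no default gateway pointing at the DMZ box")
    if trusted.network.overlaps(link_dmz.network):
        problems.append("trusted LAN overlaps the DMZ link subnet")
    if dns["interface"] != "eth1":
        problems.append("dnsmasq is not bound to the trusted interface")
    if not all(a in trusted.network for a in dns["range"]):
        problems.append("DHCP range falls outside the trusted subnet")
    if dns["dns"] != trusted.ip:
        problems.append("DHCP clients are not pointed at the perimeter for DNS")
    return problems


def perimeter_ruleset(perim_text):
    """Render an nftables ruleset (assumed names) that drops DMZ -> trusted traffic."""
    trusted = iface_network(parse_interfaces(perim_text)["eth1"]).network
    return f"""\
table inet perimeter {{
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "eth1" ip saddr {trusted} oifname "eth0" accept
    iifname "eth0" oifname "eth1" drop
  }}
}}
table ip perimeter_nat {{
  chain postrouting {{
    type nat hook postrouting priority 100;
    oifname "eth0" ip saddr {trusted} masquerade
  }}
}}
"""


if __name__ == "__main__":
    for p in check_topology(DMZ_INTERFACES, PERIMETER_INTERFACES, PERIMETER_DNSMASQ) or ["ok"]:
        print(p)
    print(perimeter_ruleset(PERIMETER_INTERFACES))
```

Drop the gateway line from the perimeter config and the check reports it, which is the mistake the post's original stanza would have hidden. The rendered ruleset can be loaded on the perimeter with `nft -f`; Klinge #1 needs the same kind of masquerade on its own eth0 (or a route on the LAN router back to 10.10.10.0/24) for traffic to leave the DMZ.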

Here’s an example of a similar setup in a 10″ rack used by Grai for a long-term storage solution based on Ebenstahl:

Thanks for reading.


Zwölf Microcontroller Platform

Zwölf is an open microcontroller platform for simple embedded applications that require long-term data retention and/or long-term functionality.

Zwölf modules come in a versatile package that can be soldered as a surface-mount or through-hole (DIP-12) part, or used as a removable module in a DIP socket or on spring contacts. The modules are also compatible with 6-pin PMOD sockets.

While the modules are built with a variety of MCUs, FPGAs and memories from various vendors, each module is partially pin-compatible and implements the same code-compatible stack-based CPU and a common interface for control and programming.

Zwölf is still under development; for more information please contact us or join the discussion on our BBS.

Tools

  • Spielplatz is an evaluation/development board.
  • Wolfsjunge is a minimal controller/programmer.
  • Wolfshöhle is a minimal breakout/host board with 16 digital GPIOs.
  • Tunken is an adapter for breadboard prototyping.
  • Wolfsfeld is a stand-alone FPGA-based handheld computer that can emulate and program Zwölf modules.

Resources

Zwölf Family Roadmap

Device | Controller     | Memory       | Potential Lifespan¹ | Data Retention | Cost
LS0x   | MCU            | OTP + EEPROM | 5+ years            | 100-200 years  | Low
LS1x   | MCU            | Flash + FRAM | 5-20 years          | 200 years      | Higher
LS2x   | FPGA           | Flash + FRAM | 20-100 years        | 200 years      | Highest
LS3x   | MCU            | FRAM         | 100 years           | 200 years      | Higher
LS5x   | Custom silicon | FRAM/EEPROM  | 100 years           | 100-200 years  | Low

¹ Potential lifespan is an estimate of how long the device could potentially operate under ideal conditions.


Freedom of Thought

Deep thinking often requires writing. The writing down of thoughts can be affected by perceived privacy. Thus, the erosion of perceived privacy may reduce the capacity for deep thought.

I’ve always been interested in writing. I believe that in order to write interesting things, you can’t censor yourself, you have to write the first thought that pops into your mind. For me at least, this process requires privacy, because you’re putting down drafts of personal, unpolished thoughts, some of which you disagree with, and some you might find embarrassing, offensive or ridiculous and wouldn’t want others reading.

Over the years my perception of privacy while writing has diminished as computers have become more complex. I had essentially given up on the belief that any privacy existed when using a computer. Today, even the most advanced and security conscious users can’t be completely certain that they have total privacy.

This is a big part of what set me on the mission of creating computers that I could understand and trust at all levels. The computers that we’re making are simple enough to understand and even their CPUs can be audited. My hope is that these computers can help to restore, at least, perceived privacy, and potentially unleash more freedom of thought.

The computer itself isn’t the only threat vector; the input and output devices are too. These are also difficult challenges, but we hope to eventually offer solutions for them as well.

You can follow us on X and GitHub for the latest updates.