Senior Platform Security Engineer
CurrentAt the start of this period, I moved from security engineering to a security focused role on the Ubuntu Foundations team, as part of Ubuntu engineering, although the scope of my role did not change.Before the move, I began to architect, design and began the integration of TPM protected FDE as part of Ubuntu Core desktop and the Ubuntu hybrid desktop offering. This included extra features such as the ability to add + remote TPM + PIN and TPM + passphrase keys, adding + removing recovery keys, improvements to the boot experience in this space, improvements to the install experience, improvements to repair / reprovision options and the integration of online re-encryption, integration of Landscape for recovery key backup.I also began the architecture of a method to perform firmware updates on Ubuntu Core without the use of recovery keys in the absence of metadata from OEMs where it isn't possible to predict PCR values.I began my long term vision for Ubuntu Core, which I would be expecting to be responsible for architecting. This includes moving to a fully verified and fully attestable runtime (including all code and security relevant configuration), providing appliance developers a way to restrict what apps a device can execute (even if they have valid signatures) or locking a device to a specific model in a way that is protected from the root user, integrity and rollback protection of locally protected data (eg, config, system data, user data), integration of virtualization based security, dynamic launch on CPUs that support DRTM, redesign of the boot stack, no MOKs etc.