Welcome to the FOSDEM 2026 RISC-V DevRoom
FFmpeg is the most versatile multimedia codec and format support library, and was one of the first open-source project to include some RISC-V-specific optimisations, though there is still a long way to go. The RISC-V Vector extension was also the first scalable vector extension to be supported. We will cover the background, challenges and outcomes of this effort.
https://www.ffmpeg.org/
A discussion of historical lessons that RISC-V did learn from, and mistakes that it repeated. Focused on the design constraints forced by RVC and RVV, as well as the choices around breaking out the F and D profiles out from a mandatory vector unit, and the state changes that come with it.
The broad context will be specific to OoO SS processors
Efforts to port Fedora Linux to RISC-V began in 2016, long before physical hardware was accessible to developers. Today, the vast majority of Fedora packages have already been ported to riscv64 (i.e. the RV64GC baseline) and OS images—both generic and board-specific—are available for recent releases.
RISC-V is currently an alternative architecture in Fedora, so these (non-official) images are built by a dedicated team of community contributors, the Fedora RISC-V team. However, the end goal is to make RISC-V a primary architecture on Fedora.
So, what changed since the last update at DevConf 2024? What does the path for RISC-V to become a primary architecture on Fedora look like? What are we currently working on and what are our future plans?
Beyond software, we'll also survey the current hardware reality. Today several development boards are available. If one is getting started with RISC-V today, what board to pick? We'll review the available hardware, from the "VisionFive 2" to other capable boards, and outline our experience building Fedora on it.
Finally, whether you have a board on your desk or just a desire to contribute, there are many ways to help push Fedora’s RISC-V journey across the finish line. Join us to learn more!
This talk will introduce the architecture and instruction set of the ET Minion, a RISC-V CPU with custom extensions used in the ET platform, AI Foundry's open-source manycore architecture.
The talk will describe the details of the custom vector and tensor extensions implemented in this minimal RISC-V core.
For more information about the ET-platform and AI Foundry, visit https://github.com/aifoundry-org/et-platform
In this talk I'll present the pain and joy of working on a BootROM we use for booting our RISC-V SoC prototypes in the lab, with networking capabilities. First I'll give an overview on how writing bare metal code looks like, the challenges one has to deal with, and how we solved it in a prototype-independent way. Then I'll present netboot as an example use case, give an idea of the constraints we had to deal with and where they came from, why such a thing is a requirement when working with SoC prototypes (or even in production), how I did it, and finally do a live demo if time permits.
Last year, I gave a talk about running upstream embedded Linux on RISC-V with the powerful SpacemiT K1-based Banana Pi BPI-F3 as an example. Fast forward one year, and we have many a new contender on the block. This talk first revisits the BPI-F3, looking at the upstreaming progress made and issues remaining. Secondly, it introduces the new Siflower SF21H8898-based Banana Pi BPI-RV2, the ESWIN Computing EIC7700-based EBC77 with SiFive HiFive Premier P550 cores and the Ky X1-based Orange Pi RV2 and R2S. The latter two I will leave to my subsequent speaker, Michael Opdenacker from Bootlin (;-p). Those are all interesting new boards I added to my embedded Linux testing lab. Comparing the various downstream vendor options with the upstreaming efforts will show us the overall progress embedded Linux has made on RISC-V. Last but not least, I will discuss the upcoming RVA23-compatible boards based on chips like the SpacemiT K3 SoC with its X100 cores, the Tenstorrent TT-Ascalon IP SoC, the UltraRISC UR-DP1000 and the Zhihe A600 SoC. The time is truly ripe for embedded Linux to shine on RISC-V!
RISC-V hardware momentum is everywhere: more tape-outs, more open cores, more startups, and increasingly affordable boards that everyone can try. But hardware alone doesn’t make a usable platform. From blinking LEDs to critical space exploration missions, adoption depends on the software ecosystem being mature, well-integrated, and ready for developers to rely on.
So, how ready is RISC-V software today? Toolchains, kernel support, hypervisors, RTOSes and simulators are all evolving, but progress happens at different speeds across the stack. Users still encounter rough edges, and contributors often struggle to navigate the ecosystem and find where help is needed most.
This talk shares a personal journey through RISC-V software enablement: from building Linux images and contributing to Zephyr, to enabling hypervisors and firmware. I’ll highlight what’s solid, what’s still forming, and the challenges faced along the way - and how anyone can begin contributing and using RISC-V.
Bringing Kubernetes to RISC-V isn't just about cross-compiling Go - it's a crash course in open hardware meets cloud-native reality. This talk walks through the journey of bringing a FOSS Kubernetes distribution to RISC-V: wrestling with missing cloud infra, build tooling, container images, CI pipelines, and everything else they conveniently gloss over when they say you "just" need to export GOARCH=riscv64.
The last decade of CPU vulnerabilities has shown how microarchitectural performance optimizations can undermine isolation. Transient execution attacks like Meltdown and Spectre exposed deep flaws in x86 CPUs. RISC-V, by contrast, enters with the promise of simplicity and transparency—a clean slate. Yet the question remains: will we repeat the same mistakes, or can we design a secure architecture from the start?
This talk takes a critical look at how RISC-V implementations handle microarchitectural security today. We show that even "simple" in-order designs already suffer from architectural flaws and powerful side channels. In our earlier work, we demonstrated novel attacks, such as Cache+Time and CycleDrift, on the first commercial RISC-V CPUs, exploiting unprivileged access to instruction-retirement counters and cache-timing leakage.
But manual analysis does not scale. RISCover, our open-source differential fuzzing framework, automatically discovers architectural vulnerabilities across closed-source RISC-V CPUs. By comparing instruction behavior across 8 commercial CPUs from 3 vendors, RISCover found what manual analysis missed: GhostWrite, a bug in T-Head's XuanTie C910 that lets unprivileged code write directly to physical memory, completely bypassing virtual memory isolation. We also discovered multiple "halt-and-catch-fire" sequences that crash CPUs from userspace, leading to denial-of-service.
These findings reveal a pattern: while the RISC-V specification provides strong security primitives (e.g., PMP and cleaner privilege separation), implementations consistently choose insecure defaults—leaving unprivileged timing sources enabled, shipping undocumented vendor extensions like XTheadVec without proper validation, and omitting features to limit speculation. RISC-V is at an inflection point: the architecture is still young enough to fix, but adoption is accelerating fast. The decisions vendors make today—insecure defaults, unvalidated extensions, missing mitigations—will be baked into billions of chips we cannot patch.
Why buy a bottle when you can have your own keg? Open source hardware might not shout “free beer” but the new Unified RISC-V IP Access Platform, maintained by OpenHW Foundation, is just that – free recipes for your own free-flowing beer. From CVA6 superscalers to UVM support on Verilator, Chips JU project TRISTAN has united Europe’s biggest industry players with academia to move open source semiconductors from the lab to the real world. Now with the UAP, you can benefit from all of this hard work. In this talk, you’ll get uncensored access to recent advancements in European RISC-V, and a demonstration of how you can immediately leverage industry-ready open source designs from projects across Europe, all explained with glorious beer.
In the course of the past months, Michael has contributed to support for OrangePi RV2 and R2S in the mainline Linux kernel (6.19+), in Yocto's meta-riscv BSP layer and hopefully before FOSDEM 2026, in the U-Boot bootloader. Hoping to attract more users and contributors, and to inspire owners of other RISC-V boards, this presentation will review what has been done so far and the necessary steps to achieve this. It will also cover what's left to do on each board.
As security threats become more sophisticated, the need for efficient, real-time communication between identity providers and relying parties is essential. The Shared Signals Framework (SSF) and related specifications such as CAEP and RISC address this challenge by providing a standardised way for systems to exchange security related signals, such as session revocations, credential breaches, and other identity-related incidents, in a secure and scalable manner. This talk introduces the Shared Signals Framework and explains how it enhances security and operational efficiency in modern identity ecosystems. We'll explore how SSF can be supported in Keycloak to enable real-time event-driven communication between providers and relying parties. Attendees will learn how Keycloak can help to detect and mitigate threats, and improve overall system security with SSF.
We introduce the SCIM client app for Nextcloud that allows Nextcloud users and groups to be automatically synced to external services that support the SCIM standard. This enables Nextcloud to act as an authoritative store of user identity information, simplifying user management across multiple connected services.
This talk will discuss the motivations behind the app as well as its practical use cases.
OAuth 2.0 and OpenID Connect have been around for years to secure web and mobile applications alike with growing popularity.
To keep your applications and their data secure, these standards are evolving to align with security best practices.
Join this talk to see how the FAPI 2.0 Security Profile and the upcoming OAuth 2.1 standard promotes and enforces best practices, how to adapt your applications, and how Keycloak as an Open Source IAM can help you. Expect a demo and examples for some of the enhancements.
ProConnect is an open-source Federated Identity Provider written mainly in TypeScript and designed to connect professionals with government services. Developed by the French Interministerial Digital Directorate (DINUM), it builds on the experience of FranceConnect while introducing a lightweight, modern architecture.
This talk will present the story behind ProConnect—from its origins as an open-source fork of FranceConnect to the motivations that guided its redesign. We will provide a high-level overview of its main components (identity management, federation, moderation workflows, administrative tools) and demonstrate how the platform operates in practice.
A particular focus will be placed on the identity broker layer and its technical foundations, including the use of panva/node-oidc-provider, panva/openid-client, and related tooling. We will look under the hood at how ProConnect implements current practices in identity federation and how its evolving architecture continues to take shape through ongoing development.
Each month it seems we are made aware of a break in security. Some report of a data base of identity information that is reported as captured by an entity of some type. Lists of passwords, ID numbers, bank account information, credit card information. And these are only the ones we hear about, since many of these break-ins are not reported, or kept quiet.
Often we hope that the data is encrypted, but as we all know quantum computers are coming quickly and quantum computers can take present-day encrypted data even with the highest key lengths and break them in minutes which would have taken conventional high performance computers centuries to break.
Another threat comes from the sovereignty of your system and data. While many cloud companies have put additional servers in various countries (even yours) the companies that generate that software (often closed source) are headquartered in the United States and therefore under US laws like the Patriot Act.
You want a system that is made with Open Source, which allows you to run it on standard equipment that you can inspect, in the country that you want to run it.
A system that puts security first. This talk will detail such a system.
SUSE’s IAM evolution mirrors its corporate journey, beginning with deep dependency on Novell (later MicroFocus) Access Manager, following its transition to independence. As the organization grew, individual departments adopted several tools to solve immediate authentication needs.
This led to a proliferation of unmanageable authentication silos across customer portals, partner networks, and internal employee systems. Recognizing the inefficiencies and risks of this fragmented landscape, SUSE IT has set the goal to consolidate these scattered silos by unifying identities into a single, modern governance solution.
Passkeys are now first-class citizens on Windows, macOS, Android and iOS - but the Linux desktop still has no standard FIDO2 platform APIs for browsers and native apps.
This talk presents Credentials for Linux (github.com/linux-credentials), a cross-desktop effort to bring Passkeys and other credentials to Linux in a way that works for sandboxed apps and browsers alike.
We’ll cover:
libwebauthn: a Rust FIDO2/U2F platform library with support for USB, BLE and Hybrid authenticators (ie. Android & iOS smartphones), designed with pluggable transports and passkey features such as resident keys and user verification. credentialsd: a D-Bus service and proposed XDG portal for credential management, including a reference UI, Firefox integration (web extension + patched Flatpak build) and distro packages via OBS (Fedora/openSUSE). credentialsd to talk to hardware security keys and phones, and how native applications can use the same D-Bus API. The talk is aimed at people interested in identity and access management on the desktop: browser and desktop maintainers, distribution engineers, security practitioners and anyone who wants to help make passkeys a first-class citizen of the Linux platform.
If you've ever used Cockpit you might know of the different authentication methods it currently supports. It can be pretty much anything, such as username and password, Kerberos, public keys, Single Sign-On (SSO), or smart cards. But given the nature of Cockpit being a web-based interface we can only support public key authentication through our Flatpak package called Cockpit Client as browsers themselves are sandboxed and can't access your system keys.
If we don't want to setup SSO or smart cards for a system, we're pretty much left with username and password authentication in the browser using PAM modules. Password authentication is less than ideal, let's see if passkeys can save the day! We'll look over what it takes to support WebAuthn with PAM modules, what limitations there are, and what tools currently exist to help us with this - such as Yubico's pam-u2f, sssd, and FreeIPA.
Cockpit is a web-based graphical interface for server management of a variety of Linux distributions. Our modifications of the system are made using system APIs and commands with our authentication functioning in the same way with the help of PAM modules.
The world is moving toward more modern and secure authentication methods. This transition is driven by a global push for Zero Trust Architecture (ZTA), which many organizations are adopting as a security mandate.
In this context, the FreeIPA, SSSD, and GNOME Display Manager (GDM) ecosystems have been working to meet these evolving demands.
As a result, GDM has received several improvements to enhance the authentication experience. Two new mechanisms have been added: passkeys and external IdP (web login). Users can now choose among the supported authentication mechanisms, and the PAM conversation has been extended to support this new scenario with multiple authentication options.
In this talk, we’ll cover what the GDM authentication architecture looks like and how it handles PAM conversations. We will discuss the new PAM extension that uses JSON messages to support these mechanisms, the changes made in GDM to allow selecting different authentication methods, upcoming enhancements, and provide a demonstration of the current implementation.
An ongoing effort to reduce potential attack surface on privileged components of system administration by rewriting them in modern programming languages or introducing new components creates additional problems as well. The system management at scale requires centralization of the access controls, yet most of the new tools do not have such capabilities or don't really concern with such use cases.
In this talk we'd reflect on our experience of supporting large organizations relying on the infrastructure provided by FreeIPA and SSSD.
Linux-PAM (Pluggable Authentication Modules) is a crucial but often misunderstood component of modern Linux systems. This talk provides a comprehensive introduction to PAM, explaining how it enables system administrators to configure authentication, account management, session setup, and password policies without recompiling applications.
We begin by exploring the problems PAM was designed to solve—hardcoded authentication logic, inflexibility, and inconsistent security policies across applications. The talk then covers PAM's four management groups: authentication (verifying identity), account management (checking access restrictions), session management (setting up user sessions), and password management (enforcing password policies and token changes).
Attendees will learn how to read and write PAM configuration files, understand the behavior of different control values (required, requisite, sufficient, optional), and leverage advanced control syntax for complex authentication flows. Special attention is given to the "frozen stack" concept—a frequently misunderstood behavior where PAM fixes the module sequence during the first API call.
Through real-world examples and practical configuration insights, attendees will learn how to troubleshoot PAM issues and understand the impact of PAM configuration changes.
Beyond understanding current PAM functionality, the talk explores the future of PAM: potential enhancements to address modern authentication needs, architectural improvements and the challenges that stand in the way of evolution. We'll discuss compatibility constraints, the need for backward compatibility with existing deployments, and the tensions between maintaining a stable API and introducing new features.
This talk is suitable for system administrators, security engineers, and developers who want to understand and effectively configure PAM-based authentication on Linux systems.
SSH is the default access method for Linux servers, typically configured with passwords or public/private key authentication. However, in large multi-user deployments, these methods have significant drawbacks: security of private keys on unmanaged clients, key management on the server side, and the difficulty of integrating multi-factor authentication.
Alternative methods exist but are not always easy to implement. In this talk, I compare two of the most promising approaches—OpenSSH certificates and OpenPubKey (OPKSSH)—based on a recent evaluation for a multi-user compute cluster with dozens of machines and hundreds of unmanaged clients. I discuss the advantages and limitations of each approach, including client configuration, required additional software, and operational complexity.
The presentation includes live demos illustrating how each method works from both the client and server perspective, and a closer look at the inner workings of SSH certificates and OPKSSH.
Links: https://www.openssh.org https://github.com/openpubkey/openpubkey https://github.com/openpubkey/opkssh
bind-dyndb-ldap is a dynamic database plugin that allows the BIND DNS server to store and retrieve all DNS zone and record data directly from an LDAP directory server. This deep integration is essential for centralized identity management solutions, particularly in FreeIPA setups.
To achieve its function, bind-dyndb-ldap must utilize BIND's internal, lower-level APIs. When a recent major BIND release introduced significant breaking changes, what began as a simple compilation bug because of a missing header quickly escalated into a massive technical challenge. The core problem: adapting years of legacy code to the new BIND server architecture.
This talk will cover the challenges of planning the redesign, how we faced the technical challenges when adapting old code to modern APIs and the lessons learned through the journey.
https://pagure.io/bind-dyndb-ldap https://github.com/freeipa/freeipa https://www.isc.org/bind/
In modern identity-centric infrastructures, DNS is a critical—but often overlooked—component of a Zero-Trust Architecture. This talk, positioned within the IAM devroom's core infrastructure and security track, explores how environments that rely on FreeIPA as their authoritative DNS can adopt encrypted DNS end-to-end without sacrificing performance or operational clarity.
We present the results of our work integrating encrypted DNS across Fedora systems and Kubernetes clusters while seamlessly interacting with FreeIPA's BIND-based DNS service. Throughout this process, we identified key integration challenges, their practical resolutions, and the tangible security benefits gained from encrypting internal DNS traffic.
To validate the feasibility of this approach at scale, we performed extensive workload and performance tests—covering multiple orders of 1,000+ DNS requests per second—comparing encrypted vs. non-encrypted scenarios. These tests demonstrate how to achieve stronger security guarantees without imposing unacceptable latency or throughput penalties.
As part of this effort, we extended FreeIPA's DNS service with Prometheus-ready metrics, enabling real-time visibility into encrypted DNS performance, request patterns, and system-level statistics. These observability enhancements provide operators with the data required to meet and maintain Zero-Trust mandates.
By the end of the talk, attendees will understand not only how to deploy encrypted DNS in hybrid Fedora and Kubernetes environments, but also how to measure, validate, and operationalize it in a way that fully aligns with Zero-Trust principles.
Building FreeIPA’s modern WebUI meant leaving Dojo behind for React, but we couldn't leave our robust authentication capabilities behind. We needed to bring password, OTP, Kerberos, and certificate support into the new era. This raised a fundamental question: how do we translate these complex legacy flows into clean, modern code?
We invite you to explore this adaptation journey with us. We’ll discuss shifting from scattered widget logic to unified Redux state management and declarative components, while reimagining our API layer. This process didn't just replicate old features—it evolved them, delivering a more secure and optimized codebase through the power of strict type safety.
-- At first it was a funny idea to give AI a try --
With the help of Claude a new light weight CA backend for FreeIPA has been created. It is written in Python and uses python-cryptography. The the goal is full dogtag compatibility for use with FreeIPA.
The talk will show the journey: The experience with AI, the good and also not so good steps and results. In the end the actual state will be shown.