MC's journal

Lund Linux Conference & Security Fest 2026

LLC

I recently attended the Lund Linux Conference (LLC). LLC is a small invite-only Linux conference in Lund, Sweden, about 20 km from Malmö, where I live. Despite its local name it's still an international conference with about 200 attendees, mostly Linux kernel developers. There's a surprising number of kernel-developing companies around here (Axis, Arm, Ericsson, Intel, Western Digital, …), but some people travel quite far for this little con.

I've been to LLC many times by now, but this was the first time I held a presentation, and funnily enough on World Goth Day (May 22)! I was incredibly nervous to speak in front of so many kernel developers, but I think my Linux laptop was even more nervous.

My box froze up almost immediately when I started talking. I could still move the mouse pointer, but nothing reacted, not even trying to change to another VC. Dammit. I had to reboot. I said something lame inspired by The UNIX-HATERS Handbook (PDF): "As they used to say about Sun workstations: At least they boot fast." and got a few laughs. No, this generally never happens. I think my box didn't like the projector very much. Both mirroring and fullscreen were involved.

The talks were recorded this year. I'm sorry about the YouTube link, but here's my talk, "Creating secrets with measured & verified boot":

https://www.youtube.com/watch?v=FDrfVoTVVac

The talk is about the next generation Tillitis TKey and the way we have tried to solve the obvious problem with DICE-like measured boot: that even a benign app update will change all your cryptographic keys. Our solution is to mix the measured boot of an app verifying the next app with something it left to be measured, typically the publisher's public key. This combination creates the base secret, ensuring both the integrity of the boot stage, that the verification of the next app went through, and that a certain publisher stands for it.
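A simplified model of the idea in the paragraph above, added here as an illustration; it is not Tillitis code and not taken from the talk. The HMAC-SHA256 mixing step, the toy textbook-RSA signature (a stand-in so the example runs on the standard library alone, not secure) and all names and sample values are assumptions.

```python
import hashlib
import hmac

def keypair(p, q, e=65537):
    """Toy textbook-RSA key from two known primes (constructed, NOT secure)."""
    n = p * q
    return (n, e), pow(e, -1, (p - 1) * (q - 1))

def _digest(app, n):
    return int.from_bytes(hashlib.sha256(app).digest(), "big") % n

def sign(app, pub, priv):
    return pow(_digest(app, pub[0]), priv, pub[0])

def verify(pub, app, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(app, n)

def mix(secret, measured):
    """One measurement step: fold the hash of what was measured into the secret."""
    return hmac.new(secret, hashlib.sha256(measured).digest(), hashlib.sha256).digest()

def measured_only(uds, app):
    # DICE-like measured boot: the secret depends on the exact app binary.
    return mix(uds, app)

def measured_and_verified(uds, verifier, pub, app, sig):
    stage = mix(uds, verifier)        # the verifying stage is itself measured
    if not verify(pub, app, sig):
        return None                   # verification failed: no base secret
    # The verifier leaves the publisher's public key to be measured, not the app.
    return mix(stage, f"{pub[0]}:{pub[1]}".encode())

# Constructed sample inputs (hypothetical device secret, binaries and publishers).
UDS = b"constructed-unique-device-secret"
VERIFIER = b"verifier stage binary"
APP_V1, APP_V2 = b"app release 1.0", b"app release 1.1 (benign update)"
PUB_A, PRIV_A = keypair(2**127 - 1, 2**89 - 1)   # publisher A
PUB_B, PRIV_B = keypair(2**107 - 1, 2**61 - 1)   # a different publisher

if __name__ == "__main__":
    for app in (APP_V1, APP_V2):
        sig = sign(app, PUB_A, PRIV_A)
        print(measured_only(UDS, app).hex()[:16],
              measured_and_verified(UDS, VERIFIER, PUB_A, app, sig).hex()[:16])
```

Each printed row shows the measured-only secret next to the measured-and-verified one: the first column differs between the two releases, the second does not.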

I'm slightly embarrassed I forgot that we had managed to increase the frequency to 24 MHz. Sorry! I sort of handwaved the possible use of the Sigsum transparency log, but I think that could easily have been a talk in itself. Focus here was on the combination of measured and verified boot.

The rest of the programme is available here:

https://lundlinuxcon.org/?page=past

with links to the recorded presentations. I especially liked Krister Walfridsson's "Detecting GCC miscompilations" and Gerhard de Clercq's "Litterbox: Somewhat Isolated Development Environments".

You should probably read Krister's blog and follow his interesting projects:

Read about Gerhard's Litterbox here:

https://litterbox.work/

Code here:

https://github.com/Gerharddc/litterbox

Security Fest 2026

I was also recently at Security Fest 2026 in Gothenburg. It's also an international conference, but much, much larger than LLC. I didn't present anything and didn't even manage to attend any talks! I had booth duty for Tillitis the entire conference. At least the talk about hacking z/OS sounded a little interesting, but otherwise the talks at SecFest aren't really my thing, so I don't think I missed anything terribly important.

We had a small competition going where you could get a free TKey if you correctly decoded some Morse code blinking on a LED on a TKey. The winning move was usually to record the blinking and then play it back slower. I guess some people used Morse decoding apps or even synthetic assistants, but at least some people did it for real.

Most of the messages were quotes from infosec people, hackers or hacker-adjacent fiction, so if you got part of it you could usually guess the rest. Some of the messages were quite long and challenging, but all ten of the TKeys were claimed.

I felt very much like a booth babe when Jesper, one of the conference organizers, described me and some of the people I was talking to as "the elders of the Internet". Haha. I liked the "The IT Crowd" reference.

When a gaggle of young women stood around me, smiling and laughing, I also felt very much like a booth babe, or perhaps slightly embarrassed that I had done something stupid I only half-remembered the night before.

Yes, as usual the order at Security Fest is: conference dinner, then the Bishops Arms pub, then the Tullen pub, which closes at 3am. Memories are a little fuzzy about the end of the evening. Also, again, I don't have to pay for my beers these days?

About that… Even during the day I suddenly got beers brought to me. Even when the bar wasn't even open yet! I still suddenly got a cold glass of beer in front of me. WTF? My friend Nemo, always doing the impossible.

Food during SecFest was a bit strange (vegan with allergies, remember?), but the people in charge helped me a lot.

I stuck around after the last day and managed to go to a concert with Abu Nein. Apparently the goth/wave/punk/industrial club Klubb Död, usually in Stockholm, started doing events in Gothenburg, too! Happy, happy! Now, let's do something about Malmö, too!

I got back to the hotel very, very late on Friday night… uh… Saturday morning. We unwisely ended up doing a bar crawl after the concert. Probably should have skipped that, considering the after party at SecFest started already at 2pm.

Got a ride back with friends the day after. Very nice, although I was somewhat… tired.


Written by MC on Setting Orange, the 24 day of Confusion in the YOLD 3192.