Hardening Debian from UEFI to Userland, an example with LF Energy SEAPATH
Mathieu and Eloi are the main contributors to LF Energy SEAPATH, which uses Debian as a VM hypervisor to host critical applications within digital substations.
SEAPATH is used in production by RTE, the French electricity Transmission Service Operator (TSO). Because SEAPATH is used in a critical environment, cybersecurity hardening needs to be deployed on top of Debian.
This talk walks through the full system hardening process on Debian, starting with UEFI secure boot configuration and ending at service-level protections. We’ll cover secure bootloader (GRUB) configurations, encrypted and integrity-verified storage (dm-crypt, dm-verity), kernel hardening via command-line parameters, systemd service sandboxing, and general Debian-level hardening strategies.
Attendees will gain actionable steps to improve the security posture of their Debian deployments, whether on laptops, servers, or embedded systems.