Open Source Firmware, BMC and Bootloader

Improving the Security of Edge Computing Services

Update status of the support for AMD and Intel processors
For the last several years, hypervisors have played a key role in platform security by reducing the possible attack surface. At the same time, the hype surrounding edge computing and Internet of Things gateways has led to an increase in network appliance devices. Our target was to create a less-insecure virtual network appliance using TrenchBoot, Trusted Platform Module 2.0 and the AMD SKINIT Dynamic Root of Trust for Measurement to establish a Xen hypervisor with a meta-virtualized pfSense firewall. We are going to present it together with an update on the status of TrenchBoot support for AMD processors.

This appliance runs on apu2, a reliable low-SWaP x86 device from Swiss OEM PC Engines. It can be used as a Single Office / Home Office firewall or an industrial edge device and has mostly open-source hardware, coreboot firmware, mPCIe extensibility and an extended support lifecycle for the embedded Central Processing Unit and motherboard.

In this talk, we will show how to create a system that moves a significant portion of computation to edge devices while maintaining security. Using a simple, well-known platform, we will conduct a secure boot using the Static Root of Trust for Measurement with coreboot, move to the Dynamic Root of Trust for Measurement via SKINIT in TrenchBoot, and use all of this to provide a complete chain of trust for the Xen hypervisor and a virtual firewall appliance isolated by an input–output memory management unit (IOMMU) from the physical network interface controller (NIC) devices. We will present benchmark data on virtualization overhead, explain how this complexity can still be practical and outline the value of this stack. In the second part of the presentation we will discuss the current status of Intel TXT development in GRUB and the Linux kernel.
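To make the chain-of-trust argument concrete, here is an added example (not code from the talk, TrenchBoot, coreboot or Xen) that simulates the TPM 2.0 PCR extend operations of the SRTM stage (coreboot) and the DRTM stage (SKINIT plus TrenchBoot) and checks a boot against known-good values. The PCR indices, component names and image contents are constructed assumptions; it also shows the DRTM property that a tampered firmware stage changes the SRTM PCR but leaves the DRTM PCR untouched, which is why both must be attested.

```python
import hashlib

SHA256_LEN = 32  # one SHA-256 PCR bank


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new_pcr = SHA256(old_pcr || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def srtm_chain(stages: list[bytes]) -> bytes:
    """Static RTM: every coreboot stage and payload is measured into a
    firmware PCR before it runs. Index 2 is an assumption for this example;
    static PCRs start at all zeros after TPM2_Startup."""
    pcr = bytes(SHA256_LEN)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


def drtm_chain(slb: bytes, measured: list[bytes]) -> bytes:
    """Dynamic RTM: SKINIT resets the locality-4 PCR 17 (all ones after
    startup) to all zeros and measures the Secure Loader Block; the loader
    (TrenchBoot) then measures the hypervisor, its command line and dom0
    kernel before handing control to them."""
    pcr17 = bytes(SHA256_LEN)  # reset performed by the DRTM event itself
    pcr17 = pcr_extend(pcr17, slb)
    for component in measured:
        pcr17 = pcr_extend(pcr17, component)
    return pcr17


def attest(pcrs: dict[int, bytes], golden: dict[int, bytes]) -> list[int]:
    """Return the PCR indices whose value differs from the known-good set."""
    return sorted(i for i, v in golden.items() if pcrs.get(i) != v)


# Constructed stand-ins for the real images (not real firmware hashes).
COREBOOT = [b"bootblock", b"romstage", b"ramstage", b"payload:grub"]
SLB = b"trenchboot-slb"
XEN_STACK = [b"xen.gz", b"xen-cmdline", b"vmlinuz-dom0", b"initrd-dom0"]


def boot(coreboot=COREBOOT, slb=SLB, xen_stack=XEN_STACK) -> dict[int, bytes]:
    """Simulate one boot and return the resulting PCR values."""
    return {2: srtm_chain(coreboot), 17: drtm_chain(slb, xen_stack)}


GOLDEN = boot()  # reference values an attestation verifier would hold

if __name__ == "__main__":
    tampered = boot(xen_stack=[b"xen-modified.gz"] + XEN_STACK[1:])
    print("mismatching PCRs:", attest(tampered, GOLDEN))
```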

Additional information

Type devroom
