Open Source Firmware, BMC and Bootloader
Improving the Security of Edge Computing Services
Update status of the support for AMD and Intel processors
February 1, 2020
4:30 PM – 4:55 PM Add to calendar
4:30 PM – 4:55 PM Add to calendar
K.4.601
For the last several years, hypervisors have played a key role in platform
security by reducing the possible attack surface. At the same time, the hype
surrounding computing and Internet of Things Gateways has led to an increase in
network appliance devices. Our target was to create a less-insecure virtual
network appliance using TrenchBoot, Trusted Platform Module 2.0 and AMD SKINIT
Dynamic Root of Trust for Measurement to establish a Xen hypervisor with a
meta-virtualized pfSense firewall. We are going to present it with an update
of the status of support of TrenchBoot for AMD processors.
This appliance is supported by are supported by apu2, a reliable low-SWaP x86
device from Swiss OEM PC Engines. It can be used as a Single Office / Home
Office firewall or an industrial edge device and has mostly open-source
hardware, coreboot firmware, mPCIe extensibility and an extended support
lifecycle for the embedded Central Processing Unit and motherboard.
In this talk, we will show how to create a system, which enables a significant
portion of computations to the edge devices while maintaining security. Using
a simple, well-known platform, we will conduct a secure boot using the Static
Root of Trust for Measurement with coreboot, move to the Dynamic Root of Trust
for Measurement by SKINIT in TrenchBoot and use all of this to provide a
complete chain of trust for the Xen hypervisor, a virtual firewall appliance
isolated by an input–output memory management unit (IOMMU) from the physical
network interface controller (NIC) devices. We will present benchmark data
on virtualization overhead, explain how this complexity can still be practical
and outline the value of this stack. In the second part of presentation we will
discuss current status of Intel TXT development in the GRUB and Linux kernel.
Additional information
| Type | devroom |
|---|
More sessions
| 2/1/20 |
Historically, the UEFI forum has been a bit rubbish at interacting with open source development, but this is improving. This talk gives a background on why (both the rubbish and the improvement) and what is being done. Also, a brief update on news for the TianoCore/EDK2 project.
|
| 2/1/20 |
The Unified Extensible Firmware Interface (UEFI) is the default for booting most Linux and BSD distributions. But the complexity of the UEFI standard does not offer an easy entry point for new developers. The U-Boot firmware provides a lightweight UEFI implementation. Using booting from iSCSI with U-Boot and iPXE as an example let's delve into the UEFI API. The UEFI sub-system in U-Boot has developed from barely starting GRUB to supporting complex UEFI applications like iPXE and the EFI shell ...
|
| 2/1/20 |
Insurgo had engaged itself in the adventure of facilitating security accessibility and received NlNet funding to do exactly that. Now it wants to get developers involved and expand funding. The goal of this is to bridge the gap between reasonably secure OS (QubesOS) and slightly more secure hardware (Heads) to help privacy-focused users and those that are vulnerable. But we need to prepare for the future now! Insurgo has challenged the status quo that has been prevalent since 2015 and has made ...
|
| 2/1/20 |
Modern Open Source boot firmware ships with an increasing amount of BLOBs. While it's often claimed that it eases the integration, it makes life of Open Source developers harder, as it's not documented what is done inside BLOBs and what should be done outside of the same. We will show how to trace the MMIO access of BLOBs in firmware by using Open Source tools. As analysing the traces for possible branches and loops is hard and stressful work, we created our own framework for automatic reverse ...
|
| 2/1/20 |
With Intel's Firmware Support Package (FSP) and the recent release of a redistributable firmware binary for the Management Engine, it has become possible to share full firmware images for modern x86 platforms and potentially audit the binaries. Yet, reverse engineering, decompilation and disassembly are still not permitted. However, thanks to previous research, we can have a closer look at the binary data and come to a few conclusions. This talk briefly summarizes the fundamentals of developing ...
|
| 2/1/20 |
As the rich capabilities of platforms increase, so does their complexity. As hypervisors and operating systems harden their attack surfaces, malware has been moving deeper into the platform. For example, a modern laptop may have over 15 updatable firmware elements, each with low-level access to a specific hardware domain. From the early days of proprietary BIOS in the 1980’s and 1990’s, to the world of standards in the 2000’s, to the post-PC world of the last few years, the nature of ...
|
| 2/1/20 |
Have you ever heard of Board Management Controller? It has been black box firmware to manage servers since last century … now it’s open. OpenBMC is a Linux Foundation project with a goal to produce an open source implementation of BMC firmware stack. It is a vendor independent Linux distribution created using Yocto project that provides complete set of manageability features. Backbone technologies in OpenBMC include D-Bus and systemd. With embedded web server it provides user friendly WebUI ...
|
