yabits: Yet Another UEFI coreboot Payload September 13, 2018 OSFC 2018: Open Source Firmware Coference Tokyo University of Science Akira Moroo Abstract

• UEFI is a de-facto standard BIOS • There are two types of UEFI implementations, • TianoCore and closed firmware • Closed firmware has problems • The users can not fix the bugs • The code shipped without enough verifications • TianoCore is an open source UEFI • The code base is too big in the view of booting OS • It is not suitable for embedded systems or bare metal clouds • =>yabits, a new UEFI implementation. • It is small footprint and boots fast.

1 Bio

• Akira Moroo • A graduate student at Tokyo University of Science. • Majors electrical engineering. • Researches in the field of software engineering.

• Interested in • Firmware/coreboot/UEFI/boot process of operating systems • Has ported mruby to UEFI shell in 2015. • Started yabits project in 2017. • As one of IPA Mitou project

2 BIOSes for x86-based PCs

• Legacy BIOS and UEFI

• Legacy BIOS • The origin is the BIOS of IBM PC in 1981. • Runs in 16-bit real mode for backward compatibility. • Does not standardized. • There are many incompatible extensions. • It is not suitable for modern x64-based machines.

• => UEFI is proposed in 2005.

3 Recap: UEFI

• Unified Extensible Firmware Interface (UEFI) • Based on EFI, developed for IA-64 by Intel. • Standardized by UEFI Forum[1]. • You can find the specification online[2]. • Supporting many Architectures. • IA-32, x64, ARM, ARM64, RISC-V etc • A lot of features compared with Legacy BIOS.

• => Almost all x86-based PCs are shipped with UEFI.

4 UEFI Implementations

• TianoCore and other closed firmware

• TianoCore • An open source UEFI reference implementation. • Developed by Intel and its community.

• Closed firmware • Developed by BIOS vendors. • Based on TianoCore, special features are added.

5 UEFI Ecosystem[3]

6 Problems in Current UEFIs

• Closed firmware • Remain bugs fixed in TianoCore if vendors do not update. • Shipped features without enough verifications. • Users can not fix bugs unless reverse engineering it. • As they uses same code base, they have same vulnerabilities even shipped from different vendors[4]. • Example: ThunderStrike2: Apple and ASUS

• => There are problems when using closed firmware.

7 Solution: coreboot

• An Open source BIOS • supports various mainboards. • Machine dependent part and Payload • Payload • “Machine independent” part • Freestanding ELF • SeaBIOS, TianoCore, FILO, GRUB2, Linux Kernel etc.

• => So, TianoCore on coreboot is the answer?

8 TianoCore is the Giant

• TianoCore is too big from the view of booting OSes. • Unused device drivers and protocols. • Large footprint, long boot time.

• Requirements of the new UEFI implementation. • Open source • Another code base from TianoCore • Small footprint • Booting fast • => yabits, yet another UEFI implementation.

9 yabits: Design

• Focus on booting OSes • A coreboot Payload. • Minimal features. • Only BootServices and RuntimeServices • Same Inferfaces as UEFI specification. (Yes, of course) • Class 3 UEFI, pure UEFI and no CSM mode. • Features • BootServices • RuntimeServices • EFI System Table support • GUID Partition Table Disk Layout support

10 yabits: Design (cont’d)

DriverDriver Hardware Driver Boot Driver Init Loader

Boot Services OS Manager

PEI DXE BDS TSL RT

11 yabits: Design (cont’d)

Driver Hardware Driver Boot Init Loader

Boot Services OS Manager

PEI DXE BDS TSL RT

12 yabits: Implementation

• Minoca OS • Unix-like OS written from scratch. • Small footprint, suitable for embedded systems. • It includes bootloader and UEFI for booting Minoca OS. • uefi of Minoca OS in x86 • TianoCore DuetPkg like x86 support. • Booting from Legacy BIOS and launching UEFI • yabits is based on uefi of Minoca OS. • Porting to coreboot Payload. • Natively runs on a machine.

13 yabits: Implementation (cont’d)

• Currently support IA-32 and x64(WIP). • Deeply Dependented on Libpayload. • Libpayload is a library for coreboot. • Ported Libpayload to x64 to reuse the code. • Add translation to 64-bit long mode. • Device drivers • Only IDE and AHCI. • The source code is available on: • https://github.com/yabits/uefi

14 Demo

Booting OpenBSD on QEMU https://youtu.be/2jjS4zQgUxQ

15 Demo

Boot Time Comparison with TianoCore https://youtu.be/1OTUr2_W5r4

16 Evaluation: Boot Time

Default yabits Boot Time (sec) 7.15 3.15

• Tested on Lenovo ThinkPad X230. • The boot time of yabits is 2x faster than that of default.

17 Evaluation: Boot Time (cont’d)

OVMF yabits Boot Time (sec) 7.48 0.81

• Tested on QEMU. • The boot time of yabits is 9x faster than that of OVMF. • Note that I failed to boot TianoCore on coreboot.

18 Evaluation: Footprint

TianoCore OVMF yabits Footprint 4.0 2.0 0.4 (MiB)

• Binaries for QEMU. • TianoCore is TianoCore + coreboot • The footprint of yabits is 10x smaller than that of TianoCore.

19 Future work

• ARM/ARM64 support • Setting menu • Secure boot support • Graphic Output Protocol (GOP) support • Windows boot support • This may be hard task. • There is just one developer. (only me) • Please pull requests and contribute! • https://github.com/yabits/uefi

20 Summary

• UEFI replaced Legacy BIOS in x86-based PCs. • There are two types of UEFI. • TianoCore • Other closed firmware • TianoCore is too large in the view of booting OSes. • yabits • Fast and lightweight yet another UEFI implementation. • For embedded systems and bare metal clouds. • https://yabits.github.io/

21 Acknowledgement

• This project (yabits) was supported by IPA Mitou Project 2017. I thank project managers and colleagues from IPA Mitou Project 2017 who provided insight and expertise that greatly assisted the project.

22 References

• [1] https://uefi.org/ • [2] https://uefi.org/specifications • [3] https://github.com/rrbranco/BlackHat2017/blob/m aster/BlackHat2017-BlackBIOS-v0.13-Published.pdf • [4] https://trmm.net/Thunderstrike2_details

23