Open Source Firmware in the Bare-Metal Cloud Scott Burns Senior Director of Research and Development

packet.com / @packethost Greetings, OSFC 2019! A great place to collaborate on the future of open source firmware

packet.com / @packethost What is Packet?

● Packet is a bare-metal cloud computing provider

packet.com / @packethost What is Packet?

● Packet is a bare-metal cloud computing provider ● Minimum unit is a full server

packet.com / @packethost What is Packet?

● Packet is a bare-metal cloud computing provider ● Minimum unit is a full server ● Different server “sizes” are available

packet.com / @packethost What is Packet?

● Packet is a bare-metal cloud computing provider ● Minimum unit is a full server ● Different server “sizes” are available ● Direct access to server, without virtualization

packet.com / @packethost What is Packet?

● Packet is a bare-metal cloud computing provider ● Minimum unit is a full server ● Different server “sizes” are available ● Direct access to server, without virtualization ● Bring your own virtualization if you like!

packet.com / @packethost What is Packet?

● Packet is a bare-metal cloud computing provider ● Minimum unit is a full server ● Different server “sizes” are available ● Direct access to server, without virtualization ● Bring your own virtualization if you like! ● Proud to support open source organizations such as Linux Foundation and Cloud Native Computing Foundation

packet.com / @packethost Open Source Firmware

BMC:

● OpenBMC ● u-bmc

BIOS:

● Coreboot ● TianoCore ● LinuxBoot ● SeaBIOS ● TrustedFirmware.org packet.com / @packethost Open Source BMC Firmware

● OpenBMC ● u-bmc

packet.com / @packethost OpenBMC

● Facebook OpenBMC ○ Prototyped in 2014 ○ Released in 2015 ○ https://github.com/facebook/openbmc

packet.com / @packethost OpenBMC

● Facebook OpenBMC ○ Prototyped in 2014 ○ Released in 2015 ○ https://github.com/facebook/openbmc ● IBM OpenBMC ○ Released in 2015 ○ https://github.com/openbmc/openbmc

packet.com / @packethost OpenBMC

● Facebook OpenBMC ● IBM OpenBMC ● Linux Foundation OpenBMC ○ Released in 2018 ○ Facebook, Google, IBM, Intel, Microsoft ○ https://github.com/openbmc/openbmc

packet.com / @packethost u-bmc

● Released in 2018 ● Based on the Go language ● Built on u-root ● Replaces IPMI with gRPC

packet.com / @packethost Replacing proprietary BMC firmware

How do we replace proprietary BMC firmware with an open source image?

packet.com / @packethost Physical access

packet.com / @packethost Physical access

SOIC clip + Raspberry Pi

packet.com / @packethost Physical access

SOIC clip + Raspberry Pi

Fine for prototyping, but doesn’t scale packet.com / @packethost socflash (for Aspeed BMCs)

● Runs on host system ● Bypasses BMC software stack

packet.com / @packethost socflash (for Aspeed BMCs)

● Runs on host system ● Bypasses BMC software stack ● Recent firmware disables this feature

packet.com / @packethost Vendor image format

● Server vendors provide BMC firmware in a proprietary format

packet.com / @packethost Vendor image format

● Server vendors provide BMC firmware in a proprietary format ● In most cases, the format is easy to reverse engineer

packet.com / @packethost Vendor image format

● Server vendors provide BMC firmware in a proprietary format ● In most cases, the format is easy to reverse engineer ● It’s possible to modify vendor-provided firmware

packet.com / @packethost Vendor image format

● Server vendors provide BMC firmware in a proprietary format ● In most cases, the format is easy to reverse engineer ● It’s possible to modify vendor-provided firmware ● Modified firmware can be used for raw flash access

packet.com / @packethost Porting BMC firmware

● Many servers use the same BMC SOC, but they connect it in different ways

packet.com / @packethost Porting BMC firmware

● Many servers use the same BMC SOC, but they connect it in different ways ● To port to a new model, we need to know the device tree and sensor list

packet.com / @packethost Porting BMC firmware

● Many servers use the same BMC SOC, but they connect it in different ways ● To port to a new model, we need to know the device tree and sensor list ● Many of these details can be extracted from the vendor’s firmware image

packet.com / @packethost Open Source BIOS

● Coreboot ● TianoCore ● LinuxBoot ● SeaBIOS ● TrustedFirmware.org

packet.com / @packethost Coreboot

● Basic hardware initialization only ● Load a payload for more advanced functionality

packet.com / @packethost TianoCore

● Most UEFI implementations are based on TianoCore EDK2 ● Works as Coreboot payload

packet.com / @packethost LinuxBoot

● Partial UEFI implementation on Linux kernel ● Works as Coreboot payload

packet.com / @packethost SeaBIOS

● Legacy x86 BIOS implementation ● Works as Coreboot payload

packet.com / @packethost TrustedFirmware.org

● Open Source reference implementation for Arm secure world ● Contributed by Arm ● Maintained by Linaro ● Can be integrated with Coreboot

packet.com / @packethost Flexible boot

● Initialize hardware with Coreboot ● Load appropriate payload on-demand ● Coordinate with BMC to select payload

packet.com / @packethost Benefits of open source BIOS for bare metal

● Check option ROM and UEFI driver hash before loading ● Ignore unneeded option ROMs and UEFI drivers ● Fast! Boot in seconds instead of minutes ● Ability to add custom system management interrupt handlers ● Integration with open source BMC firmware ● Anything we can think of!

packet.com / @packethost System Management Mode

● “Ring -2” on x86 ● Higher privilege than OS (ring 0) or even hypervisor (ring -1) ● OS/hypervisor can’t access SMM memory ● OS/hypervisor can’t disable System Management Interrupts ● Originally used for power management ● Can be used for security features

packet.com / @packethost Flash monitoring with System Management Mode

● Configure chipset to generate SMI on flash access ● SMI handler installed by Coreboot (or later payload) ● Combine with open source BMC to send real-time alert

packet.com / @packethost Open hardware

● Improved security is possible with additional hardware ● Security controller can protect firmware for CPU, BMC, NIC, etc. ● Hold system in reset until early firmware is verified ● Provide multiple SPI bus lines for devices ● Emulate multiple flash chips while sharing just one ● Compression: firmware images often waste a lot of space ● Could build on Microsoft Project Cerberus ● Packet prototype design based on small, non-volatile FPGA

packet.com / @packethost Bonus topics

● SmartNIC firmware ● Easier hardware access for firmware developers ● Collaboration with server vendors

packet.com / @packethost Special thanks to Packet colleagues

Manny Mendez

Carl Perry

My Truong

packet.com / @packethost Questions?

Scott Burns

Senior Director of R&D

[email protected]

packet.com / @packethost