BEGIN:VCALENDAR VERSION:2.0 PRODID:-//Pentabarf//Schedule 0.3//EN CALSCALE:GREGORIAN METHOD:PUBLISH X-WR-CALDESC;VALUE=TEXT:Open Source Firmware, BMC and Bootloader devroom X-WR-CALNAME;VALUE=TEXT:Open Source Firmware, BMC and Bootloader devroom X-WR-TIMEZONE;VALUE=TEXT:Europe/Brussels BEGIN:VEVENT METHOD:PUBLISH UID:10411@FOSDEM20@fosdem.org TZID:Europe-Brussels DTSTART:20200201T150000 DTEND:20200201T152500 SUMMARY:Open source UEFI and TianoCore DESCRIPTION:
Historically, the UEFI forum has been a bit rubbish at interacting with open source development, but this is improving.
This talk gives a background on why (both the rubbish and the improvement) and what is being done.
Also, a brief update on news for the TianoCore/EDK2 project.
CLASS:PUBLIC STATUS:CONFIRMED CATEGORIES:Open Source Firmware, BMC and Bootloader URL:https:/fosdem.org/2020/schedule/2020/schedule/event/firmware_osuat/ LOCATION:K.4.601 ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Leif Lindholm":invalid:nomail END:VEVENT BEGIN:VEVENT METHOD:PUBLISH UID:10192@FOSDEM20@fosdem.org TZID:Europe-Brussels DTSTART:20200201T153000 DTEND:20200201T155500 SUMMARY:Discover UEFI with U-Boot DESCRIPTION:The Unified Extensible Firmware Interface (UEFI) is the default for booting most Linux and BSD distributions. But the complexity of the UEFI standard does not offer an easy entry point for new developers. The U-Boot firmware provides a lightweight UEFI implementation. Using booting from iSCSI with U-Boot and iPXE as an example let's delve into the UEFI API.
The UEFI sub-system in U-Boot has developed from barely starting GRUB to supporting complex UEFI applications like iPXE and the EFI shell and passing most of the UEFI compliance tests for the implemented protocols and services.
The session gives an overview of the boottime and runtime services of UEFI with a focus on driver binding. The challenges of integrating the UEFI subsystem with U-Boot's infrastructure are described and an outlook is provided.
Questions this talk should answer:
- How does the UEFI driver model work?
- How does this integrate with U-Boot?
- What to expect next in U-Boot's UEFI implementation?
CLASS:PUBLIC STATUS:CONFIRMED CATEGORIES:Open Source Firmware, BMC and Bootloader URL:https:/fosdem.org/2020/schedule/2020/schedule/event/firmware_duwu/ LOCATION:K.4.601 ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Heinrich Schuchardt":invalid:nomail END:VEVENT BEGIN:VEVENT METHOD:PUBLISH UID:10524@FOSDEM20@fosdem.org TZID:Europe-Brussels DTSTART:20200201T160000 DTEND:20200201T162500 SUMMARY:Heads OEM device ownership/reownership : A tamper evident approach to remote integrity attestation DESCRIPTION:Insurgo had engaged itself in the adventure of facilitating security accessibility and received NlNet funding to do exactly that. Now it wants to get developers involved and expand funding.
The goal of this is to bridge the gap between reasonably secure OS (QubesOS) and slightly more secure hardware (Heads) to help privacy-focused users and those that are vulnerable. But we need to prepare for the future now!
Insurgo has challenged the status quo that has been prevalent since 2015 and has made it possible for OEMs to preinstall QubesOS, thanks to the Heads Open Source Firmware (OSF) and his own PrivacyBeast QubesOS certified branch, not yet merged upstream, due to the lack of time and resources of a single man effort needing additional collaboration.
The integrity of the firmware and boot files is already remotely sealed and can be attested over smartphone (TPMTOTP) and from the bundled Librem Keys/Nitrokey Pro 2 (HOTP), prior to shipping. Thanks to HOTP-enabled USB security dongles bound to shipped products, the user can visually validate that the hardware they've received is in OEM attested state, prior to complete reownership, which regenerates all required secrets from a trustable recovery environment (Heads OSF) through a re-ownership wizard that guides the user until completion.
This is just the beginning of the adventure and the road ahead requires your help. Insurgo wants to propel this movement forward.
Today's secure hardware (REAL open source initialized hardware, e.g. the RYF KGPE-D16, Replicant supported phones, Sandy Bridge/Ivy Bridge based boards, e.g. x230) struggles to stay current with upstream code and compliance requirements. LineageOS dropped support of the i9300. Coreboot dropped support of the KGPE-D16 platform. And the list will expand if no measures are taken to support maintainership of privacy focused projects that are taken for granted until support is finally dropped. This is a real problem requiring real solutions.
New efforts to support future, REAL Open Source Hardware (newly Respect Your Freedom [RYF] certified hardware, eg. Talos II from RaptorEngineering, future Power10 based hardware) are neither currently under active development nor currently supported by QubesOS. This needs to change. Now.
There is an opportunity for transition. This requires leadership, developers and funding. This is why we've created the Insurgo Initiative on the OpenCollective platform.
This is where transparent funding will be available to the public for open source R&D. Please consider participating through code contributions!
CLASS:PUBLIC STATUS:CONFIRMED CATEGORIES:Open Source Firmware, BMC and Bootloader URL:https:/fosdem.org/2020/schedule/2020/schedule/event/firmware_hodorateatria/ LOCATION:K.4.601 ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Thierry Laurion":invalid:nomail END:VEVENT BEGIN:VEVENT METHOD:PUBLISH UID:10450@FOSDEM20@fosdem.org TZID:Europe-Brussels DTSTART:20200201T163000 DTEND:20200201T165500 SUMMARY:Improving the Security of Edge Computing Services DESCRIPTION:For the last several years, hypervisors have played a key role in platform security by reducing the possible attack surface. At the same time, the hype surrounding computing and Internet of Things Gateways has led to an increase in network appliance devices. Our target was to create a less-insecure virtual network appliance using TrenchBoot, Trusted Platform Module 2.0 and AMD SKINIT Dynamic Root of Trust for Measurement to establish a Xen hypervisor with a meta-virtualized pfSense firewall. We are going to present it with an update of the status of support of TrenchBoot for AMD processors. This appliance is supported by apu2, a reliable low-SWaP x86 device from Swiss OEM PC Engines. It can be used as a Single Office / Home Office firewall or an industrial edge device and has mostly open-source hardware, coreboot firmware, mPCIe extensibility and an extended support lifecycle for the embedded Central Processing Unit and motherboard. In this talk, we will show how to create a system which moves a significant portion of computations to the edge devices while maintaining security. Using a simple, well-known platform, we will conduct a secure boot using the Static Root of Trust for Measurement with coreboot, move to the Dynamic Root of Trust for Measurement by SKINIT in TrenchBoot and use all of this to provide a complete chain of trust for the Xen hypervisor, a virtual firewall appliance isolated by an input–output memory management unit (IOMMU) from the physical network interface controller (NIC) devices.
We will present benchmark data on virtualization overhead, explain how this complexity can still be practical and outline the value of this stack. In the second part of the presentation we will discuss the current status of Intel TXT development in GRUB and the Linux kernel.
CLASS:PUBLIC STATUS:CONFIRMED CATEGORIES:Open Source Firmware, BMC and Bootloader URL:https:/fosdem.org/2020/schedule/2020/schedule/event/firmware_itsoecs/ LOCATION:K.4.601 ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Daniel Kiper":invalid:nomail ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Piotr Król":invalid:nomail END:VEVENT BEGIN:VEVENT METHOD:PUBLISH UID:10327@FOSDEM20@fosdem.org TZID:Europe-Brussels DTSTART:20200201T170000 DTEND:20200201T172500 SUMMARY:Introducing AUTOREV DESCRIPTION:Modern Open Source boot firmware ships with an increasing amount of BLOBs. While it's often claimed that this eases integration, it makes the life of Open Source developers harder, as it's not documented what is done inside BLOBs and what should be done outside of them.
We will show how to trace the MMIO access of BLOBs in firmware by using Open Source tools. As analysing the traces for possible branches and loops is hard and stressful work, we created our own framework for automatic reverse engineering. Our framework can capture and analyse MMIO traces, fuzz the BLOB under test and finally generate readable code in a high level language, like C, for easy analysis.
During this talk, we will discuss the legal side, the motivation behind reverse engineering, and the benefit for the Open Source community. We will explain the problems we faced, and explain the basic concept used, with examples from the real world.
CLASS:PUBLIC STATUS:CONFIRMED CATEGORIES:Open Source Firmware, BMC and Bootloader URL:https:/fosdem.org/2020/schedule/2020/schedule/event/firmware_ia/ LOCATION:K.4.601 ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Patrick Rudolph":invalid:nomail END:VEVENT BEGIN:VEVENT METHOD:PUBLISH UID:10416@FOSDEM20@fosdem.org TZID:Europe-Brussels DTSTART:20200201T173000 DTEND:20200201T175500 SUMMARY:Look at ME! DESCRIPTION:With Intel's Firmware Support Package (FSP) and the recent release of a redistributable firmware binary for the Management Engine, it has become possible to share full firmware images for modern x86 platforms and potentially audit the binaries. Yet, reverse engineering, decompilation and disassembly are still not permitted. However, thanks to previous research, we can have a closer look at the binary data and come to a few conclusions. This talk briefly summarizes the fundamentals of developing custom and open source firmware, followed by a quick guide through the process of analyzing the binaries without actually violating the terms to understand a few bits, and finally poses a statement on the political issues that researchers, repair technicians and software developers are facing nowadays, taking into account how consumers are affected and how they perceive the situation eventually.
CLASS:PUBLIC STATUS:CONFIRMED CATEGORIES:Open Source Firmware, BMC and Bootloader URL:https:/fosdem.org/2020/schedule/2020/schedule/event/firmware_lam/ LOCATION:K.4.601 ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Daniel Maslowski (CyReVolt)":invalid:nomail END:VEVENT BEGIN:VEVENT METHOD:PUBLISH UID:10467@FOSDEM20@fosdem.org TZID:Europe-Brussels DTSTART:20200201T180000 DTEND:20200201T182500 SUMMARY:Capsule Update & LVFS: Improving system firmware updates DESCRIPTION:As the rich capabilities of platforms increase, so does their complexity. As hypervisors and operating systems harden their attack surfaces, malware has been moving deeper into the platform. For example, a modern laptop may have over 15 updatable firmware elements, each with low-level access to a specific hardware domain. From the early days of proprietary BIOS in the 1980’s and 1990’s, to the world of standards in the 2000’s, to the post-PC world of the last few years, the nature of firmware has changed. In order to provide security guarantees for platform firmware, the servicing model of the platform takes center stage.
This session discusses the evolution of platform servicing using examples based on device firmware, non-host/system on a chip (SOC) firmware, and implementation of the Unified Extensible Firmware Interface (UEFI). A modern servicing model features elements for component-based update, resiliency in case of unexpected conditions, a more seamless user experience, lowering the friction of update integration, and telemetry for a view into platform health and firmware inventory.
This talk will discuss current trends in standards such as UEFI and associated EDK II firmware, and how the Linux Vendor Firmware System (LVFS) used these components as part of a holistic, open source approach to seamless firmware updates.
CLASS:PUBLIC STATUS:CONFIRMED CATEGORIES:Open Source Firmware, BMC and Bootloader URL:https:/fosdem.org/2020/schedule/2020/schedule/event/firmware_culisfu/ LOCATION:K.4.601 ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Brian Richardson":invalid:nomail END:VEVENT BEGIN:VEVENT METHOD:PUBLISH UID:10394@FOSDEM20@fosdem.org TZID:Europe-Brussels DTSTART:20200201T183000 DTEND:20200201T185500 SUMMARY:Opening Intel Server firmware based on OpenBMC example DESCRIPTION:Have you ever heard of Board Management Controller? It has been black box firmware to manage servers since last century … now it’s open. OpenBMC is a Linux Foundation project with a goal to produce an open source implementation of BMC firmware stack. It is a vendor independent Linux distribution created using Yocto project that provides complete set of manageability features. Backbone technologies in OpenBMC include D-Bus and systemd. With embedded web server it provides user friendly WebUI and Redfish interface for easy server management using modern RESTful APIs. Intel as one of the founding companies offers additional functionalities on top of OpenBMC implementation which will be presented as a part of this presentation.
In this talk we will:
- tell you a short history and overview of OpenBMC
- have a quick view on OpenBMC architecture (Yocto, D-Bus, systemd)
- show what’s new in latest 2.7 releases and what is planned for 2.8 (Feb 2020)
- talk about Intel specific features available in OpenBMC
- tell you how to contribute to OpenBMC project
- give you a guide on how to modify, build and run the project on target BMC on Intel server
Audience: software engineers, validation engineers, embedded software architects, data center administrators
CLASS:PUBLIC STATUS:CONFIRMED CATEGORIES:Open Source Firmware, BMC and Bootloader URL:https:/fosdem.org/2020/schedule/2020/schedule/event/firmware_oisfbooe/ LOCATION:K.4.601 ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Maciej Lawniczak":invalid:nomail ATTENDEE;ROLE=REQ-PARTICIPANT;CUTYPE=INDIVIDUAL;CN="Przemyslaw Czarnowski":invalid:nomail END:VEVENT END:VCALENDAR