I just learned about redfish-finder, a Redfish discovery tool for Linux. It maps your BMC NIC to the name redfish-localhost. When the Spring 2019 UEFI Forum Plugfest slides and videos are uploaded, there’s a presentation that talks about this tool. It is in the latest version of Fedora. Hopefully coming soon to other distros….
OpenBMC 2.6 released
This is the first release with Redfish support!
CVE-2019-6260: PantsDown: Gaining control of BMC from the host processor
CVE-2019-6260: Gaining control of BMC from the host processor
Posted on 23/01/2019 by Stewart Smith
This is details for CVE-2019-6260 – which has been nicknamed “pantsdown” due to the nature of feeling that we feel that we’ve “caught chunks of the industry with their…” and combined with the fact that naming things is hard, so if you pick a bad name somebody would have to come up with a better one before we publish.
I expect OpenBMC to have a statement shortly.[…]
Eclypsium: Remotely Bricking a Server
ZeroNights: Turning your BMC into a revolving door
Eclypsium research on SuperMicro BMC/Redfish vulnerability
The Unbearable Lightness of BMC’s
The Register has a bit of background on BMC attacks, based on the recent presentation at Blackhat:
The Unbearable Lightness of BMC’s
AMI on their MegaRAC SP-X Service Processor BMC product
In a new blog post, AMI gives an introduction to their MegaRAC SPX-Service Processor, useful background if you’ve no idea about what it is.
[…]In our next post on MegaRAC SP-X, we will look more closely at some of the other specific features and benefits of MegaRAC SP-X mentioned earlier, including hardware and software inventory, power, BIOS and user management, along with more of the different interface protocols that SP-X supports.
upcoming queue of BMC/iLO research…
3 different submissions to upcoming conferences. One abstract (for SSTIC’18) is below:
Subverting your server through its BMC: the HPE iLO4 case
Alexandre Gazet, Fabien Perigaud, Joffrey Czarny
Date : 13 juin 2018 à 11:30 — 30 min.
iLO is the server management solution embedded in almost every HP servers for more than 10 years. It provides the features required by a system administrator to remotely manage a server without having to physically reach it. iLO4 (known to be used on the family of servers HP ProLiant Gen8 and ProLiant Gen9) runs on a dedicated ARM micro-processor embedded in the server, totally independent from the main processor. We performed an initial deep dive security study of HP iLO4 and covered the following topics: firmware unpacking and memory layout, embedded OS internals, vulnerability discovery and exploitation as well as full compromise of the host server operating system through DMA. One of the main outcome of our study was the discovery of a critical vulnerability in the web server component allowing an authentication bypass but also a remote code execution. Still, one question remains open, namely; are the iLO systems resilient against a long term compromise at firmware level. For this reason, this paper is focused on the update mechanism and how a motivated attacker can achieve long term persistence on the system; how a new/backdoored firmware can be crafted then installed, to offer an attacker a stealth and resilient backdoor in an environment which has been compromised.
Amazon seeks Firmware Developers
Senior Software Development Engineer – BIOS Firmware
The AWS Hardware Engineering team creates server designs for Amazon’s innovative web services. Our designs are industry-leading in frugality and operational excellence, and are critical to the success of the AWS business and the more than one million customers who use AWS today. Our Firmware Engineers solve challenging technology problems, and build architecturally sound, high-quality components to enable AWS to realize critical business strategies. The ideal candidate for this role will be an innovative self-starter. You will be a BIOS firmware expert, gain a strong understanding of our firmware stack, and analyze it in its current and future context. You will use comprehensive knowledge of the system in your projects to find the best solutions to multi-factor problems. You will work with engineers across the company as well as external companies and lead firmware development efforts. You will collaborate with internal and external development engineers (architecture, hardware, validation, software services). AWS Engineers are shaping the way people use computers and designing the future of cloud computing technology – come help us make history! What you will do: You will be a member of a team designing AWS-specific hardware, firmware and software. You will be a part of the firmware effort from conception, through validation and into production. You will explore emerging technologies and their impact on AWS. You will work closely with AWS software engineers to tailor devices for the AWS environment.[…]
Software Development Engineer – Server Manageability Firmware
The AWS Hardware Engineering team creates server designs for Amazon’s innovative web services. Our designs are industry-leading in frugality and operational excellence, and are critical to the success of the AWS business and the more than one million customers who use AWS today. Our Firmware Engineers solve challenging technology problems, and build architecturally sound, high-quality components to enable AWS to realize critical business strategies. The ideal candidate for this role will be an innovative self-starter. You will be a Baseboard Management Controller (BMC) firmware expert, gain a strong understanding of our firmware stack, and analyze it in its current and future context. You will use comprehensive knowledge of the system in your projects to find the best solutions to multi-factor problems. You will work with engineers across the company as well as external companies and lead firmware development efforts. You will collaborate with internal and external development engineers (architecture, hardware, validation, software services). AWS Engineers are shaping the way people use computers and designing the future of cloud computing technology – come help us make history! What you will do: You will be a member of a team designing AWS-specific hardware, firmware and software. You will be a part of the firmware effort from conception, through validation and into production. You will explore emerging technologies and their impact on AWS. You will work closely with AWS software engineers to tailor devices for the AWS environment.[…]
AMI providing Redfish-enabled firmware for Intel and Aspeed models
AMI is now offering firmware for both BIOS and BMC on Intel customer reference boards (CRB) for the Intel Xeon® processor D-1500 product family and the 4th generation baseboard management controller (BMC) from Aspeed, the Aspeed AST2300 BMC. AMI has developed generic Redfish BIOS and BMC firmware support and has tested on the next generation AMD silicon. AMI’s BIOS and BMC firmware are highly integrated, allowing data center administrators to simultaneously, remotely and securely manage a number of server platforms out-of-box. Other features include BIOS-level firmware configuration and firmware updating. BMC functionality is based on the open industry standard specification and schema from DMTF’s Redfish™ API with the goal of creating seamless integration into existing tool chains.
Pinczakko on BMCs
The post is on BMC security in general, and looks at the OpenBMC project, among others:
FWTS 15.11.00 released
Alex Hung of Canonlical has announced the release of FWTS (FirmWare Test Suite) version 15.11.00, the November 2015 quarterly release, with multiple changes to the UEFI and ACPI tools.
= Significant Updates =
* Update ACPICA to version 20150930
= New Features =
* Add in the notion of ACPI compliance tests.
* MADT subtables: Local SAPIC structure has 3 reserved bytes, not 1
* ACPI: MADT: update GICC flag checks for ACPI 6.0
* ACPI: MADT: further update to GICC flag checks for 6.0
* acpi: method: skip scope names in method_evaluate_method
* acpi: method: add _GPE test
* acpi: method: add _TSN test
* acpi: method: add _TFP test
* acpi: method: add _EC test
* acpi: method: add _CWS test
* acpi: method: add _BTH test
* auto-packager: mkpackage.sh: add xenial
* acpi: tpm2: add check for zero control area address (LP: #1506442)
* securebootcert: change fail to warning when MS UEFI CA not found in DB
* lib: fwts_uefi: add BMC device path define
* uefidump: add dumping the BMC device path
* uefibootpath: add test for the BMC device path
* lib: fwts_uefi: add the URI device path define
* uefibootpath: add test for the URI device path
* uefidump: add dumping for the URI device path
* lib: fwts_uefi: add the UFS device path define
* uefidump: add dumping for the UFS device path
* uefibootpath: add test for the UFS device path
= Fixed Bugs =
* dmi: dmicheck: fix SMBIOS issues on aarch64 systems
* acpidump: add missing reserved fields to MADT structures
* cpufreq: the calibration is taking a long time, make it faster
* acpi: tcpa: replace tab with spaces to fix formatting alignment
Facebook’s OpenBMC project
I just learned about Facebook’s OpenBMC, thanks to Sai Dasari of Facebook, who just posted a message to the Open Compute Project’s hardware management list, talking about DMTF Redfish and Facebook’s OpenBMC.
OpenBMC is an open software framework to build a complete Linux image for a Board Management Controller (BMC).
When we were developing Facebook’s top-of-rack “Wedge” switch, we followed our usual process in the beginning; our partner was responsible for developing the BMC software. However, in the first months of the project, many requirements for the BMC software emerged, introducing extra complexity, coordination, and delays into the BMC software-development process. To address these challenges, at one of Facebook’s hackathon events, four engineers worked to create our own BMC software. Within 24 hours, we were able to build a minimum BMC software image, including an SSH server and the ability to change fan speed, power-on the host CPU, and blink some LEDs. It was far from a production image, but it gave us a strong confidence that we could eventually develop our own BMC software for “Wedge.” Fast-forward eight months, and we’ve deployed our solution — code-named “OpenBMC” — into production along with Wedge. And today we’re sharing OpenBMC with the open source community in the hope that we can collaborate based on this open software framework for next-generation system management.
Arium, ASSET InterTech, and Intel IE
Though I’ve discussed some Intel UEFI debugging so far:
I’ve not mentioned Arium’s debugger yet. The Intel Tunnel Mountain UEFI dev board can be used with the Intel UDK Debugger Tool, a 2-system debugging solution that uses Windbg on Windows, GDB on Linux. If you want to trace into silicon, you need to buy some debugging hardware, and a debugger that works with that hardware. One solution is to use Arium’s ITP widget and their debugger. It is EXPENSIVE, so you have to be well-funded to have one of these units, but I’ve heard it is powerful. They have products for ARM and Intel.
ASSET InterTech acquired Arium a while ago, though I still think of them as Arium. 😦
The other week at Intel IDF, Intel announced the Innovation Engine (Intel IE), but no details yet, except for this blog post:
ASSET just blogged about updating their product to support Intel IE, excerpt here:
At this past Intel Developers Forum (IDF) in San Francisco, Intel unveiled some preliminary information on the new Innovation Engine (IE). In a nutshell, the IE is an embedded processor which allows system builders and their partners to build unique, differentiating firmware for server, storage, and networking markets. Differentiation has always been, and always will be, a key challenge for OEMs in the Intel space. Hardware, in and of itself, is very common across platforms designed with Intel silicon. There can be some differentiation based upon using some custom Intel SKUs (if you are a large enough customer), or designing circuit boards which deviate from the platform design guideline recommendations, but these come at a high cost – either in terms of Bill of Materials (BOM) cost, or risk of having a product with lower overall operating margins. Competitive advantage on Intel designs often comes from the embedded firmware, either the BIOS or the Baseboard Management Controller (BMC) code. And in the server world, OEMs are often beholden to the UEFI vendors for customization. So OEMs often invest in customization of system management to create differentiation – which is where the IE comes in. The IE can supplement or replace much of the functionality that may exist on today’s BMCs. In addition, for lower-end systems that may not require BMCs, the IE can provide a platform which delivers system management capabilities at no extra BOM cost. In Intel’s words, “some possible uses include hosting lightweight manageability features in order to reduce overall system cost, improving server performance by offloading BIOS and BMC routines, or augmenting the Intel® Management Engine for such things as telemetry and trusted boot.”
I’m waiting for Intel to release real information on their Innovation Engine.
Read the full ASSET blog post here, to see how they are using Intel IE with their diagnostic products: