Denver coreboot Conference 2017

Denver coreboot conference
Monday June 5 – Tuesday June 6, 2017
Optional Hacking Day
Wednesday June 7, 2017

https://www.coreboot.org/events/denver2017

https://www.coreboot.org/Denver2017

See also:

https://firmwaresecurity.com/2017/01/28/european-coreboot-conference-2017/

European coreboot conference 2017

OEMs: please note!

Carl-Daniel Hailfinger posted an announcement of the upcoming European coreboot conference 2017 to the coreboot-announce list:

We are currently planning to host a coreboot conference in Germany with 2 days of talks and an additional 2 days of hacking. The date will probably either be October 19-22 or October 26-29, i.e. directly before or after Embedded Linux Conference Europe and LinuxCon Europe. Ticket prices haven’t been decided yet and depend on the location and venue availability. The location will be either in Bonn or Bochum. Both Bochum and Bonn offer a variety of interesting activities for conference participants. Bochum is reachable by public transport from Frankfurt Airport within 120 minutes, from Dusseldorf Airport within 40 minutes and from Cologne Airport within 80 minutes. Bonn is reachable by public transport from Frankfurt Airport within 70 minutes, from Dusseldorf Airport within 70 minutes and from Cologne Airport within 30 minutes.
YOUR ACTION NEEDED!
Please fill out the application and subscribe to the newsletter if you are planning to join us!
https://www.coreboot.org/events/ecc2017

Full announcement:
https://www.coreboot.org/pipermail/coreboot-announce/2017-January/000024.html

librecore

Phoronix has a new article about librecore, a free-as-in-freedom firmware project:

librecore is a distribution of Free/Libre firmware recipes for compiling and generating firmware for devices. The intended targets for the firmware include only those which can be run in total freedom by the user. This means that librecore firmware is distributed as source code, and does not include any binary blobs. The purpose of this project is to push the limits of software freedom in boot firmware. librecore is free firmware not unlike coreboot however with a different focus. While we collaborate with coreboot and share mature code to further these goals, our focus is more around maintainability and feature completeness of more libre hardware platforms such as POWER, SPARC, RISC-V and other non-x86 ISA’s.

https://github.com/librecore-org/librecore-org.github.io

http://librecore.info/

http://www.phoronix.com/scan.php?page=news_item&px=Librecore-Formation

https://www.phoronix.com/forums/forum/hardware/motherboards-chipsets/925901-librecore-aiming-to-be-a-better-libre-spin-of-coreboot

Read the Reddit thread and the Phoronix Forums for more background beyond the main article:

“[…]I am one of the core developers of librecore and I can confidently say everything you wrote in your article about our project is complete speculative garbage. The librecore and libreboot projects are completely independent projects that have no relationship what-so-ever. The librecore project is a fork from coreboot by some original coreboot developers such as myself with different technical objectives.[…]”

Not to be confused with librecores (plural):

https://www.librecores.org/

Yuriy and Oleksandr at REcon

Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems
By: Yuriy Bulygin, Oleksandr Bazhaniuk

Previously, we discovered a number of vulnerabilities in UEFI based firmware including software vulnerabilities in SMI handlers that could lead to SMM code execution, attacks on hypervisors like Xen, Hyper-V and bypassing modern security protections in Windows 10 such as Virtual Secure Mode with Credential and Device Guard. These issues led to changes in the way OS communicates with SMM on UEFI based systems and new Windows SMM Security Mitigations ACPI Table (WSMT). This research describes an entirely new class of vulnerabilities affecting SMI handlers on systems with Coreboot and UEFI based firmware. These issues are caused by incorrect trust assumptions between the firmware and underlying hardware which makes them applicable to any type of system firmware. We will describe impact and various mitigation techniques. We will also release a module for open source CHIPSEC framework to automatically detect this type of issues on a running system.

https://recon.cx/2017/brussels/talks/baring_the_system.html

https://firmwaresecurity.com/2017/01/05/yuriy-to-speak-at-recon-brussels/

Coreboot Conference 2017 announced!

European Coreboot Conference 2017
Location: Germany

We are currently planning to host a coreboot conference with 2 days of talks and an additional 2 days of hacking. Sometime in October 2017 in Bonn or Bochum, Germany.
The dates will probably either be October 19-22 or October 26-29, i.e. directly before or after Embedded Linux Conference Europe and LinuxCon Europe.
Ticket prices haven’t been decided yet and depend on the location and venue availability. Add your email address to be sent an invite to the conference when it is announced.

https://www.coreboot.org/events/ecc2017

FOSDEM

The other day I mentioned that coreboot was going to be at FOSDEM’17.

https://firmwaresecurity.com/2017/01/05/coreboot-at-fossdem/

(I mistakenly called it FOSSDEM instead of FOSDEM. And I mistakenly pointed to the FOSDEM’16 expo layout, ignore that.) 😦

In addition to the coreboot presence, there are also multiple interesting presentations, including (but not limited to):

https://fosdem.org/2017/schedule/event/libreboot/
https://fosdem.org/2017/schedule/event/abusing_chromium_ec/
https://fosdem.org/2017/schedule/event/sniffing_usb/
https://fosdem.org/2017/schedule/event/secure_safe_embedded_updates/
https://fosdem.org/2017/schedule/event/terrible_bsp/
https://fosdem.org/2017/schedule/event/lava_laboratory/
https://fosdem.org/2017/schedule/event/testing_with_volcanoes/
https://fosdem.org/2017/schedule/track/internet_of_things/
https://fosdem.org/2017/schedule/event/panopticon/
https://fosdem.org/2017/schedule/event/securing_qemu_guest/
https://fosdem.org/2017/

OEMs: request from coreboot community

I agree. I’d like to see more OEMs shipping Linux-centric models, not just Windows or Chrome or Android PCs, leaving Linux users to deal with installing their preferred OS, which is getting harder and harder with pre-OS security (Secure Boot, etc.) preventing customization. Windows PCs have ACPI tied to Windows OS, a Linux PC does not need those ACPI tables, and perhaps may even want some Linux-centric ACPI tables.

Last time I looked, most “Linux OEMs” — scoped to laptops, not servers — still shipped BIOS-based systems. I asked one large Linux vendor why they were still doing this, and they said that Secure Boot was great for sales for them, Linux users avoid it and prefer BIOS. This may be good for ease-of-configurability, but it is bad for security. If you’re going to keep using BIOS, at least consider using SeaBIOS.

OEMs, please take one decent laptop and desktop of your Windows line, and make a Linux-friendly model. Dell used to do this. These years, with Secure Boot, it is much more needed.

Talos FlexVer technology -vs- Evil Maids

Talos has a new post on their use of FPGAs on their OpenPower-based workstation.

https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation/updates/talos-fpga-functions-and-responsibilities-part-2

https://firmwaresecurity.com/2016/09/02/talos-secure-workstation-coreboot-power8/

SeaBIOS 1.10.0 released!

Kevin O’Connor announced the 1.10.0 release of SeaBIOS.

New in this release:
* Initial support for Trusted Platform Module (TPM) version 2.0
* Several USB XHCI timing fixes on real hardware
* Support for “LSI MPT Fusion” scsi controllers on QEMU
* Support for virtio devices mapped above 4GB
* Several bug fixes and code cleanups

Multiple contributors: Kevin O’Connor, Stefan Berger, Gerd Hoffmann, Igor Mammedov, Dana Rubin, Marcel Apfelbaum, Alex Williamson, Cao jin, Cole Robinson, Don Slutz, Haozhong Zhang, Matt DeVillier, Paolo Bonzini, Piotr Król, Roger Pau Monne, and Zheng Bao.

More info:
https://www.coreboot.org/pipermail/seabios/2016-October/010996.html
https://www.seabios.org/Releases#SeaBIOS_1.10.0

coreboot 4.5 released

Martin Roth posted a new coreboot blog post, announcing version 4.5 of coreboot! Look at the blog post for lots of details.
Two highlights for me are: “Add support for TPM 2.0” and “SPI & refactored I2C TPM driver”.

We are happy to announce the release of coreboot 4.5. The 4.5 release covers commit 80a3df260767 to commit 0bc12abc2b26. This release is the first since the project switched from doing quarterly releases to doing biannual releases. The next release will be in April of 2017. Since the last release in April, the coreboot project has had 1889 commits by 119 authors. The release tarballs and gpg signatures are available in the usual place at https://www.coreboot.org/releases/ There is a 4.5 tag in the git repository, and a branch will be created as needed.

coreboot statistics:
Total Commits: 1889
Average Commits per day: 10.92
Total authors: 119
New authors: 47
Total Reviewers: 67
Total Submitters: 19
Total lines added: 164950
Total lines removed: -182737
Total difference: -17787

http://blogs.coreboot.org/blog/2016/10/21/announcing-coreboot-4-5/

October 7-9, Berlin: coreboot.berlin event!

On the coreboot-announce list, Peter Stuge just announced the coreboot.berlin event happening NEXT WEEKEND, October 7-9:

SHORT NOTICE: coreboot.berlin next weekend, Oct. 7-9
Hello all, I’m happy to *finally* have the information and registration page online:
https://coreboot.berlin/
Yes, it’s very late, but I hope that we will still be a good number of people meeting up next weekend. Quick feedback helps me make sure that everyone will get food. If you are interested in attending, but unable to register at the Community Registration Fee cost then please get in touch with me, so that we can try to work something out. Thank you very much, and hope to see you in Berlin on the 7th!

https://www.coreboot.org/pipermail/coreboot-announce/2016-September/000023.html

https://coreboot.berlin/

coreboot now supports Ada

http://spark-2014.org/

https://review.coreboot.org/#/c/11836/

https://review.coreboot.org/#/c/11869/

“Add minimal GNAT run time system (RTS)
Add a stripped-down version of libgnat. This is somehow comparable to libgcc but for Ada programs. It’s licensed under GPLv3 but with the runtime library exception. So it’s totally fine to link it with our GPLv2 code and keep it under GPLv2.”

WIP: SPARK: Add driver for Intel GMA initialization
This is derived from an experimental branch, which was started to support Haswell. It supports many processors in the Core architecture line starting with the Ironlake graphics (found first in Nehalem). But I had to strip off the FDI (connection between processor and chipset) configuration during refactoring, so not everything is working again yet. Also, after the refactoring, I started to work with SPARK 2014. While the code is SPARK 2014 compliant, it’s pretty much unannotated. Absence of runtime errors is automatically provable (with one exception), though. What currently should work: Virtually everything but VGA on Haswell and Broadwell. eDP on Ivy Bridge (maybe Sandy Bridge and Nehalem, too, but untested). Other connectors would need FDI configuration on these older processors. Integration is most WIP: Configuration is static and hardcoded currently (see HW.GFX.GMA.Config). There is one package with an interface to C (HW.GFX.GMA.Coreboot) that’s hardcoded to bring up an eDP on Ivy Bridge. There’s another interface in HW.GFX.GMA: Update_Outputs() which supports two different, runtime selectable outputs[…]

ORWL funded!

ORWL, “The First Open Source, Physically Secure Computer”, just got funded on CrowdSupply!

https://www.crowdsupply.com/design-shift/orwl/updates/funded-and-coreboot-bios

Joanna Rutkowska wrote a recent post that gives some great background on ORWL’s physical security:

http://blog.invisiblethings.org/2016/09/03/thoughts-about-orwl.html

Talos Secure Workstation: coreboot + POWER8

New potential product on CrowdSupply with a NICE set of features (…and I wonder how secure it will be):

* Blob-free operation
* Fully libre (open-source) IBM OPAL primary firmware w/ PetitBoot interface
* Fully libre (open-source) OpenBMC secondary (IPMI / OoBM) firmware
* NO signing keys preventing firmware modification

https://www.crowdsupply.com/raptorcs/talos

coreboot adds Intel BootGuard support to Intel ME Tool

“util/intelmetool: Add bootguard information dump support:
With this implementation it’s possible to detect the state of bootguard in intel based systems.
Currently it’s WIP and in a testphase. Handle it with care!”

https://review.coreboot.org/#/c/16328/

https://coreboot.org/