Uncategorized

Hagfish: UEFI Bootloader for Barrelfish

Barrelfish is a new research operating system being built from scratch and released by ETH Zurich in Switzerland, originally in collaboration with Microsoft Research and now partly supported by HP Enterprise Labs, Huawei, Cisco, Oracle, and VMware. […]

Hagfish is the Barrelfish/ARMv8 UEFI loader prototype: Hagfish (it’s a basal chordate i.e. something like the ancestor of all fishes). Hagfish is a second-stage bootloader for Barrelfish on UEFI platforms, most importantly the ARMv8 server platform. […]

http://www.barrelfish.org/

https://github.com/BarrelfishOS/hagfish

https://github.com/BarrelfishOS/uefi-sdk

Standard
Uncategorized

HPE increases ProLiant firmware security

HPE’s Gen10 Servers Will Have Security Drilled into Silicon

by Christine Hall on June 12, 2017

Hewlett Packard Enterprise unveiled Gen10 at Discover in Las Vegas last week, the first major upgrade to its ProLiant line of servers since Gen9 was released in 2014. While the release of a new server is generally not very interesting in this age of commodity hardware, this one is a bit more notable as it has some interesting security features built into the hardware. The announcement was made by Alain Andreoli, head of HPE’s infrastructure group, with no shortage of hyperbole: “We have definitively created the world’s most secure industry standard server.” The security feature works at the firmware level, utilizing custom HPE silicon. “In each Gen10 server we have created a unique individual fingerprint for the silicon,” Andreoli explained. “Your server will not boot unless the firmware matches this print — it is just locked end to end.”[…]

http://www.datacenterknowledge.com/archives/2017/06/12/hpes-gen10-servers-will-have-security-drilled-into-silicon/

 

Standard
Uncategorized

Brian Richardson on Redfish and x-UEFI Config Lang

Brian Richardson of Intel UEFI team has a new blog post, showing HP vendor data using DMTF Redfish as well as viewing UEFI x-UEFI Configuration Language data.

Redfish, RESTful and x-UEFI: Modern Data Center Firmware

For more on the x-UEFI Configuration language, see Vincent’s post:

https://firmwaresecurity.com/2016/02/18/vincent-zimmer-on-the-x-uefi-configuration-language/

Standard
Uncategorized

UEFI ported to RISC-V!

There’ve been a few presentations on porting UEFI to the RISC-V, but now there is public code! Abner Chang of HPE has submitted multiple patches with RISC-V support for various components of EDK-II.

[PATCH 0/3] *** EDK2 base tools support RISC-V processor***

EDK2 base tools support RISC-V arch. EDK2 build tool changes to generate RISC-V PE/Coff image from RISC-V ELF file, handle RISC-V relocations and generate EDK2 FW with RISC-V image machine type.

BaseTools: Support build RISC-V PE/Coff image.
 
The changes on BaseTools is for building RISC-V ELF image and PE/Coff Image. Also to generate FW and FV for RISC-V arch.     

[PATCH 0/2] *** EDK2 MDE for RISC-V processor ***

MdePkg: MDE implementations for RISC-V arch. The implementations of RISC-V MDE base libraries.

    Add RISC-V architecture image file machine code.
    Add RISC-V architecture relocation type.    
    Add RISC-V architecture context buffer.
    Add RISC-V architecture exception types.
    Add RISC-V architecture PXE tag definition.    
    Add RISC-V architecture EFI image machine type.
    Add RISC-V architecture removable media boot path.
    Add RISC-V architecture processor binding.
    
[PATCH] OvmfPkg/PciHostBridgeDxe: [RISC-V] Add back OVMF PciHostBridge module.

Use OVMF PCI host bridge driver as the RISC-V platform BUS.
This driver is used by RISC-V Virtualization package (RiscVVirtPkg).
Currently the platfrom spec for RISC-V is not yet ready, thus we use PCI host bridge in temporarily.

[PATCH] RiscVVirtPkg: RISC-V QEMU package.

This is RISC-V QEMU package. The image which built from this package can be launched on QEMU RISC-V port (not official QEMU). RiscVVirtPkg utilizes below modules from EDK2 OVMF package,
 – PciHostBridge DXE driver.
   Use PCI host bridge driver as RISC-V platform bus spec for adopting PC/AT components.
 – QemuFwCfgLib
   QEMU firmware configuration.
 – OVMF ACPI timer lib.
 – QemuFlashFvbServicesRuntimeDxe
 – QemuVideoDxe
 – XenIoPciDxe

[PATCH] RiscVPkg: RISC-V processor package.

 New processor package added to EDK2 open source for RISC-V.
 
[PATCH] MdeModulePkg/DxeIplPeim: RISC-V arch DxeIpl.

The implementation of RISC-V DxeIpl.

This is only the first round of these multiple patches, given initial discussion it is likely there will be another round. In the discussion for this patch, it appears there is more support upcoming, not yet public. In the thread, Abner mentioned:

“The UEFI/PI ECR for RISC-V is ready but not yet send to UEFI for review. I have been told to upstream RISC-V code first and then submit the spec. I will confirm this again.”

I am looking forward to seeing what happens with the RISC-V UEFI port, and seeing some consumer devices based on RISC-V!

For more info, see the various threads on the EDK2-devel list:
https://lists.01.org/mailman/listinfo/edk2-devel

Standard
Uncategorized

List of UEFI vendors who care about security

Which UEFI vendors care — or at least may care — about security? The list (alphabetically) is shorter than you might expect:

AMD
AMI
Apple
Dell
Hewlett Packard Enterprises
HP Inc.
Insyde Software
Intel Corp.
Lenovo
Microsoft
Phoenix Technologies

Nobody else. If your vendor is not listed above, ask them why you should purchase a UEFI-based system from them.

The above list is from the list of vendors who have feedback mechanisms listed on the UEFI Forum’s security contact page.

http://uefi.org/security

Standard
Uncategorized

HPE Synergy’s Unified API for UEFI and Redfish

HP, now called HPE, has enhanced firmware/pre-OS support in their new servers, with their Synergy product having a “Unified API” that addresses Pre-OS technologies like Redfish and UEFI. They have a new RESTful API, and a tool for using that API. I am unclear, I think they are related. (I don’t have access to the latest HP hardware to clarify.

More information:
http://www.computerworld.com/article/3010261/servers/hpes-synergy-is-a-new-type-of-composable-infrastructure.html
http://www.theregister.co.uk/2015/12/01/hpe_synergy/
http://www.pcworld.com/article/3010526/hpes-synergy-is-a-new-type-of-composable-infrastructure.html

http://www8.hp.com/us/en/products/servers/proliant/restful-interface-tool.html
https://github.com/HewlettPackard/PowerShell-ProLiant-SDK
https://github.com/HewlettPackard/python-proliant-sdk
http://www8.hp.com/us/en/products/server-software/product-detail.html?oid=7630408
http://www8.hp.com/us/en/products/server-software/product-detail.html?oid=6935826

Standard