
Open-source firmware - ericdanielski
https://mullvad.net/ja/blog/2019/8/7/open-source-firmware-future/
======
bkircher
Related: vendors should also support fwupd [1].

[1] [https://www.fwupd.org/](https://www.fwupd.org/)

------
kfreds
I’m the author of the article. Currently on my phone, but feel free to ask
questions and I’ll answer as I’m able.

~~~
acd
How much work do you think it would be to support open firmware in other
Supermicro motherboards?

~~~
pgeorgi
As kfreds correctly states, there are important questions other than who the
OEM for a mainboard is. With the exception of notebooks (where OEM specific
components like the embedded controller require a fair bit of work that can be
transferred from one device to the next), I'd even say that the OEM is among
the least interesting bits about a mainboard on the technology side.

However, if the OEM supports the coreboot port (e.g. by providing schematics
and generally answering questions that come up) that's very helpful.

So, question to kfreds: how was the cooperation with Supermicro? Are they
aware of your effort, were they helpful?

(disclosure: doing coreboot development for 12 years now, some of that
professionally, now for Google's Chrome OS devices)

~~~
kfreds
Hi Patrick! I unfortunately don’t recall the details. If you’re interested
reach out to Philipp at 9eSec.

------
justinjlynn
Absolutely - nobody should accept anything less than a fully owner controlled
and fully auditable system - especially when you're providing secure
networking services to customers. Good on them for porting coreboot to this
new, modern supermicro platform - it's a gargantuan amount of hard work and
I'm glad they did it and published it.

However, I have to take issue with this statement:

> This is the first time a modern off-the-shelf server platform gains coreboot
> support, and it is an integral part of realizing our vision of transparent
> and independently auditable VPN servers.

While this is the first modern coreboot system - it is not, by the
implication, the first modern server system with fully open source firmware.
In fact, I contend that the firmware isn't even fully open source, nor is it
fully auditable - the ME taint is still present, as the article clearly
states.

(EDIT: I did not read the original article terribly clearly - it is extremely
clear in this regard - and it doesn't position the system as being "fully"
open source. My mistake and I'm sorry. See comments below for response/apology
in response to author's correction.)

In contrast, the Talos II server system, a POWER9 (powerpc64/LE) system, by
Raptor Computing Systems has been shipping for well over a year now - and it
has fully open source firmware - and by that I mean _everything_ , supported
and developed by both the community, Raptor Computing, other OpenPOWER
Foundation members and IBM.

The only remaining blob on the base Talos II system is the blob firmware for
the onboard NICs - and that's been fully documented and clean-room reverse
engineered and the replacement open source project is just about completed
(project ortega). It's already usable in beta form, but if it's an issue for
you until them - disable them and use an add-in card.

However, unlike the Xeon platform referenced as being the first modern
coreboot server platform, the Talos II, or any other OpenPOWER system, does
_not_ have an invasive management engine in every CPU you have zero access to
with zero auditability.

It's not enough for the firmware to be open source, I want my systems
documentation to look like this:
[https://wiki.raptorcs.com/wiki/Category:Documentation](https://wiki.raptorcs.com/wiki/Category:Documentation)
\- so that I can write that firmware if I have to. I seriously doubt the
supermicro board would include schematics, like the Talos II or Blackbird
does, either.

That said, if instead the existing open source firmware, you really want
coreboot - which the Talos II does not yet support - for a specific reason -
it's being actively ported to the platform, but not out of necessity, instead
it's an exercise in open source firmware diversity - as it should be.

If you want a fully auditable, owner controlled, open source platform for your
VPNs, or for any other application, x86 based systems aren't it - because, by
Intel's ME and AMD's PSP designs, they can't be.

~~~
nickik
Using Talos for a major global deployment of VPN servers is fantasy.

Having open source coreboot on those machines and what it allows you do on top
(linuxboot for example) can massively improve your operational security and
its viable for a global VPN network.

~~~
justinjlynn
Yes, it absolutely can. However, the first part of good opsec is not lying to
yourself about its shortfalls. Fantasy is thinking you can have a "fully open
source firmware" for x86 systems, it just isn't - unless it's leaving out
major parts of system initialisation and monitoring. Of course you can remove
bits and pieces from the ME, but you can't guarantee that'll always be the
case - Intel may not let you do so in the future when the next major microcode
update comes out. That said, if you're going for cost cutting and as such
you're willing to compromise on opsec, you won't beat major established VPN
services on cost. That said, cost is a balance, but costs change - as a VPN
provider, for your users - opsec is forever.

~~~
nickik
You can in theory. In practice buying hardware that is 10x more expensive is
not really viable. Mullvad is already fairly specialized mostly for privacy
nerds and there are just not enough people who car about the potential
security of Intel ME.

Improving the state-of-the-art step by step on the platform that dominates the
market will lead to more security gain overall then using what is essentially
specialized hardware.

~~~
justinjlynn
You and I could probably debate at length the merits of the trade-offs
involved and the effect such trade-offs would have on fulfilling any given
threat model. The point I was making is that it's not 10x as expensive now,
it's probably 3-4x, and that cost is likely to become lower in the future
anyhow. It's not specialised in the sense that it's single purpose - it's
niche, so, the implication of "special purpose" in the computing sense, as in
limited in functionaly for the purpose of greatly improved performance for
specific tasks, doesn't really apply.

------
raxxorrax
I really hope the author is correct. This would make many things easier. What
too much proprietary hardware can do, you can see on the phone market. I doubt
many people are happy with what they see here.

~~~
bkircher
Me too. Might also be a competitive factor in the future. Looking at you
Intel, AMD.

------
amarshall
HN post for the corresponding write-up from 9elements:
[https://news.ycombinator.com/item?id=20644165](https://news.ycombinator.com/item?id=20644165)

------
rwmj
I'm confused about the details here. Does this run Intel SMM? Does it not run
Intel SMM and still manage not to reboot after 30 minutes?

~~~
fox8091
Intel's SMM doesn't actually reset the platform after 30 minutes. Intel's ME
does if the firmware is missing on ME 11 and above. However, you can still
strip the ME heavily and have it "disabled" via the HAP bit.

------
voltagex_
[https://www.supermicro.com/en/products/motherboard/X11SSH-
TF](https://www.supermicro.com/en/products/motherboard/X11SSH-TF) 6th and 7th
gen Intel chips (current gen is 9th, with 10th on the horizon). Not a bad
board, though.

------
jchw
Wow, as a fan of both Mullvad and Coreboot I am excited to see this happening.
I hope to be able to contribute meaningfully to Coreboot in the future.

I wonder what caveats come with running Coreboot on modern Intel servers. I
thought Boot Guard was an issue?

------
u35517
The call to action targets certain kinds of professionals. What can I, as a
regular user, do to help and promote what is best for humanity here?

~~~
voltagex_
Support projects like this and the companies that undertake them.

------
vardump
Just remember in this less than perfect world, firmware bugs can cause
physical damage.

\- Signed, firmware developer.

------
rurban
dang: could the link please changed from the Japanese to the English version?

~~~
kfreds
Good point. Or even without a specific language:
[https://mullvad.net/blog/2019/8/7/open-source-firmware-
futur...](https://mullvad.net/blog/2019/8/7/open-source-firmware-future/)

Could the submitter or a moderator also change the title to "Open-source
firmware is the future"?

