What about the TPU chip. What-in the heck is that anyway? Never heard of it. If that Realtek chip is the LAN then we can go clay-pigeon shooting with it.
How similar or how different are these? Are there any plans to merge the two efforts?
Facebook released their project and it gained some interest within a few members of the OpenPower community. A little over a year ago, Rackspace committed to an open-source BMC project and collaborated with us to create it. When we started, there were some design decisions Facebook had made that we did not feel were scalable for the scope of what we wanted an open source BMC to do, since their main focus was as an internal project rather than a potential commercial offering, so we decided to create our own proof-of-concept of an open-source BMC.
Hence, this project is the result of our collaboration with Rackspace and others to create that. Right now, we are focused heavily on development for a Power9-based commercial offering that will utilize this code base.
We are also working closely with developers at Google for another Power9-based system that they and Rackspace will utilize. But, our intention is not to have design aspects that are Power-unique; we fully intend that this code base will be used some day on "other architectures".
We have been working with Facebook off and on to attempt to arrive at some amount of commonality. We hope that as we both get a more mature implementation of our visions we will be able to converge on the best of both implementations, but converging on the userspace applications is a little farther off.
We are both working on the same concept, but with entirely different code right now other than that we are both utilizing Yocto Linux as the basis.
Not a bug, and we now also have pieces for each of the features in comment.
CVE-2019-6260: Gaining control of BMC from the host processor
A severe security vulnerability was discovered recently that impacts multiple Baseboard Management Controller (BMC) firmware stacks and hardware. A baseboard management controller, or BMC, is essentially a small computer that is a part of almost all server motherboards. Smith explained that the vulnerability gets into action based on BMC setups and hardware configuration such as bare-metal cloud hosting arrangements. OpenBMC versions up to version 2. He further said that it is possible that other BMC hardware and architectures have been affected; however, they have not been tested.
Smith said that resolving the vulnerability is platform-dependent as it requires a patch to be issued to both BMC firmware and host firmware. Smith goes on to describe the various features of BMC systems that are impacted by this vulnerability and suggests disabling those features to avoid the security risk.
In addition to that, he mentions that it is not clear whether to define this vulnerability as local or remote. This would depend on whether one considers the connection between the BMC and the host as a network or not.
OpenBMC provides a u-boot patch which disables the affected features to avoid the security risk. OpenBMC platform maintainers can opt-in for this patch at this link.
Consequences of unauthenticated access
Smith explained that if exploited, unauthorized access might lead to the following:
- Malware execution
- Overwriting of existing firmware
- Performing arbitrary reads or writes to BMC RAM
- Configuration of an inband BMC console from the host
- BMC bricking by disabling the CPU clock until a future power cycle
Besides the fact that the BMC has overwhelming ability to affect virtually all system components, including while the system is running, the BMC also directly influences how quickly the system can be brought up. You can download and audit these critical pieces, including Raptor's Talos OpenBMC, and you are encouraged and actively supported to build and install your own.
The problem, however, is that OpenBMC is relatively slow to get the system going when power is applied and the machine can't be started until it does.
On a server which is normally up this is generally unimportant; my POWER6 gets rebooted pretty much only when the backup power fails. Similarly, this T2 is usually running all the time. My Blackbird, on the other hand, boots when the projector is turned on and gets shut down when I'm not in the home theatre room. With over two minutes to get from turning on the power strip to a Fedora login and almost a full minute of that just to get the ability to start main power, this is a major drag and harms the ability to dogfood POWER9 in smaller applications.
There is also the small but non-zero risk that a power failure during access to the flash could brick the system. The longer the bring-up time, the longer that potential window of vulnerability. Fortunately, it looks like further advancements are now finally making a dent in the BMC bring-up delay. Another big winner was apparently moving to dbus-broker, which is D-Bus compatible but higher performance. With all of these the OpenBMC bring-up on their Witherspoon box has reduced substantially and the upcoming AST is reportedly three to four times faster.
This is a nice improvement even if it's probably most of the low-hanging fruit, and the OpenBMC team should get a solid thumbs up for the work here. I look forward to this appearing in a future firmware update for the T2 family. However, OpenBMC start time is only just one albeit significant piece of the startup puzzle: once main power is on, from the time the Blackbird boot screen appears i. Much of the time spent seems to be in Hostboot before Skiboot even gets initialized, but even Skiboot adds some overhead.
Again, if you're like me and this is your primary computer, you won't deal with this often. But there's lots of Blackbirds and T2 Lites out there which are sidecars and while this is an obvious first world problem it's still a usability penalty to be paid. None of this is a crippling fault with the platform, but particularly for the workstation market many of us are in, it's suboptimal.
Therefore, continued improvement in basics like these makes the liveability of OpenPOWER on the desktop even better than it already is. And these improvements in OpenBMC hopefully should be just the beginning. No dbus, systemd, etc. Might even be worth a short article? That does sound like an interesting alternative, and would definitely be a thought to put on the Bird I'd probably keep the Talos stock.
I'll contact Shawn and see what's up.
At Facebook, reliability and rapid iteration are two important tenets of our work. This makes feature velocity and the ability to troubleshoot our own systems significant items as we build out our infrastructure.
For context, a BMC is a specialized controller embedded in servers. A BMC connects to sensors to read environmental conditions and to fans to control temperature. It also provides other system management functions, including remote power control, serial over LAN, and monitoring and error logging of the server host CPU and memory. Until now, on the software side, the complete BMC software stack was closed.
BMC software is usually developed by the hardware manufacturer during the hardware-development phase. Because the BMC software was closed, whatever was developed for the existing hardware could not be reused for the next generation.
The long BMC software schedule directly affected new hardware development. When hardware development ended, the BMC software development stopped as well. Further bug fixes or new features had to wait for the hardware manufacturer. However, in the first months of the project, many requirements for the BMC software emerged, introducing extra complexity, coordination, and delays into the BMC software-development process. By itself, BMC hardware is a computer system.
Compared with modern computer systems, the hardware resources in a BMC are very limited. The OpenBMC image includes a bootloader (u-boot), a Linux kernel, open source packages, and board-specific packages. In Yocto, software packages are grouped together into recipes, and different recipes are then grouped together into layers. OpenBMC is in an early phase, but we believe in building a strong OpenBMC ecosystem, and so we have gone ahead and shared this early working code.
We recently restructured the code to better support different SoCs and boards. There are some applications developed for Wedge that can be reused for other boards. In order to do so, we will need to add a hardware abstraction between the applications and the hardware. With Wedge being proposed as a contribution to the Open Compute Project, application developers can use open hardware as the development platform for OpenBMC.
We can envision contributions at all the different layers of OpenBMC. Wedge is the first hardware powered by OpenBMC, and 6-pack will be the second. We are excited to share OpenBMC with the community and work toward next-generation system management.
By Tian Fang.
The board-specific packages include initialization scripts and tools for a particular board. For example, it includes a tool to dump asset info from the EEPROM and a fan-controller daemon to control the fan speed based on environment readings.
Both the bootloader and the kernel are defined in the SoC layer. The board layer includes packages for different boards. Specifically, we are releasing the hardware configuration, initialization scripts, and tools specific to Wedge. We can envision contributions at all the different layers of OpenBMC: Innovation in system management application can be contributed to the common layer.
This document is intended to provide a set of recipes for common OpenBMC customisation tasks, without having to know the full Yocto build process. For example:
You can build the SDK to receive a fakeroot environment. Follow the prompts.
After it has been installed, the default to set up your env will be similar to this command. Great tool to issue D-Bus commands via CLI. That way you don't have to wait for the code to hit the path on the system. Great for running commands with QEMU too!
'Pantsdown': Critical vulnerability found in multiple BMC firmware stacks
QEMU has a palmetto-bmc machine as of v2. OpenBMC also maintains a tree with patches on their way upstream or temporary work-arounds that add to QEMU's capabilities where appropriate. If you get an error you likely need to build QEMU (see the section in this document).
Using a bridge device requires a bit of root access to set it up. The benefit is your qemu session runs in the bridge's subnet so no port forwarding is needed. There are packages needed to yourself a virbr0 such as There are some other useful parms like that can redirect the console to another window. This results in having an easily accessible qemu command session. You may want to investigate which file(s) are persisting through the overlay rwfs.
To do this, you can list this path and then remove those files which you'd prefer the originals or remove the deletion overlay to restore files. It takes a long time for the first build of OpenBMC.
It downloads various repos from the internet. Bitbake will extract the code to the working directory during build, so the downloads directory could be shared by different builds on a system:
If you experience extremely slow download speed during code fetch e.
See section 1. The typical consequence of external, unauthenticated, arbitrary AHB access is that the BMC fails to ensure all three of confidentiality, integrity and availability for its data and services.
For instance it is possible to:
Using 1 we can obviously implant any malicious code we like, with the impact of BMC downtime while the flashing and reboot take place.
This may take the form of minor, malicious modifications to the officially provisioned BMC image, as we can extract, modify, then repackage the image to be re-flashed on the BMC. As the BMC potentially has no secure boot facility it is likely difficult to detect such actions.
Abusing 3 may require valid login credentials, but combining 1 and 2 we can simply change the locks on the BMC by replacing all instances of the root shadow password hash in RAM with a chosen password hash — one instance of the hash is in the page cache, and from that point forward any login process will authenticate with the chosen password. IBM has internally developed a proof-of-concept application that we intend to open-source, likely as part of the OpenBMC project, that demonstrates how to use the interfaces and probes for their availability.
The intent is that it be added to platform firmware test suites as a platform security test case. Access from userspace demonstrates the vulnerability of systems in bare-metal cloud hosting lease arrangements where the BMC is likely in a separate security domain to the host.
There has not been any investigation into other hardware.
State: Enabled at cold start
Description: The VGA graphics device provides a host-controllable window mapping onto the BMC address-space
Impact: Arbitrary reads and writes to the BMC address-space
Risk: Medium — the capability is known to some platform integrators and may be disabled in some firmware stacks
Mitigation: Can be disabled or filter writes to coarse-grained regions of the AHB by configuring bits in the System Control Unit.
There is some debate on if this is a local or remote vulnerability, and it depends on if you consider the connection between the BMC and the host processor as a network or not.
The fix is platform dependent as it can involve patching both the BMC firmware and the host firmware. OpenBMC has a u-boot patch that disables the features:
The process is opt-in for OpenBMC platforms because platform maintainers have the knowledge of if their platform uses affected hardware features.
Again, this is not by default for all platforms as there is BMC work required as well as per-platform changes. There have been many more people who have helped with this issue, and they too deserve thanks.
I expect OpenBMC to have a statement shortly.
The specific issues are listed below, along with some judgement calls on their risk.