and more can be expected. This space is turning out many awesome projects, and I am lucky to be able to shine a light on the amazing work being done. Open sourcing the software at the lowest levels of the stack provides visibility into the code running with the most privileges on systems. We can only hope this will lead to more eyes vetting the code, encourage more minimal architectures, and lessen the risk of systems being caught with their “Pantsdown” in the future.

Thanks to the individuals in the open source ecosystem for helping me learn about their projects: Rick Altherr, Chris Koch, Christian Svensson, Ron Minnich, Trammell Hudson, Eric Shobe, and Jared Mednick. If you are interested in helping with any of the projects mentioned here, check
1. Common Vulnerabilities and Exposures. CVE-
2. Common Vulnerabilities and Exposures. Intelligent Platform Management Interface; https://cve.mitre.
3. Eclypsium. Virtual media vulnerability in BMC opens servers to remote attack; http://bit.ly/2NSdX2b
4. Fang, T. Introducing ‘OpenBMC:’ An open software framework for next-generation system management. Facebook Engineering, 2015; http://bit.ly/2PHS73T
5. Frazelle, J. Open-source firmware. acmqueue 17, 3
6. Heiliger, J. Building efficient data centers with the Open Compute Project. Facebook, 2011; http://bit.
7. Hudson, T. 2019. Modchips of the State; https://trmm.
8. Shobe, E., Mednick, J. RunBMC: OCP hardware spec solves data center BMC pain points; https://blogs.
9. Sullivan, A. OpenPOWER & Open Compute: Full speed ahead with Barreleye, 2015; https://blog.rackspace.
Jessie Frazelle is an independent consultant. She previously worked on the Docker Core Team, Google, and Microsoft.
Copyright held by author/owner.
after DRAM initialization, thus removing the need for a bootloader such as u-boot. As of the publication of this article, u-bmc supports BMCs based on the ASPEED AST2400 and AST2500, but plans to support more in the future and always welcomes contributions. If you have a Supermicro X11SSH board that supports coreboot, it is possible to use u-bmc as your

RunBMC. Not only has software around the BMC been open sourced, but the hardware has as well. Eric Shobe and Jared Mednick of Dropbox analyzed all the BMC system topologies and their differences on a platform-by-platform basis. The result was RunBMC, a standard hardware interface for BMCs. Dropbox donated version 1 of the RunBMC hardware specs, along with two reference boards for the Nuvoton NPCM750R and ASPEED 2500 RunBMC modules, to the Open Compute Project in August 2019.8

The RunBMC design allows for swapping out BMCs separate from the rest of the board, isolating and locking down the BMC subsystem. Previous to this, the BMC was soldered onto the board. This is compelling from a security perspective since focus is shifted to a single, swappable BMC card, which can easily be replaced if broken, updated with a different version, or integrated with other security features. For example, a root of trust, the trusted source that verifies system software before execution, can secure I/O between the BMC card and the rest of the board. This also allows users to switch easily between the common BMC manufacturers, ASPEED and Nuvoton. Interesting fact: Sun also had a BMC interconnect with its Integrated Lights Out Manager (ILOM), as did Dell with Dell Remote Access Controller (DRAC), HP with Integrated Lights-out (iLO), and IBM and Lenovo with integrated management module (IMM)—however, most do not ship this way today.
Open Source Moving the Ecosystem Further
OpenBMC set the stage for BMC firmware and hardware to be open sourced. This spawned a series of other innovations being open sourced,