were previously very proprietary. Using LinuxBoot makes boot times 20 times faster. [12] Booting an open compute node to a Linux shell went from 8 minutes to 17 seconds, a speed improvement of 32 times.
What About All the Other Firmware?
Open source firmware is needed for a plethora of other devices, too. These include the following:
• EC (embedded controller)/SIO (super I/O). This is for mobile devices and desk-based platforms. It controls keyboards, temperature monitoring, etc.
• TPM (trusted platform module). This is a secure home for cryptographic
• BMC (baseboard management controller)/ME (management engine). A BMC is associated with server platforms, while an ME is typically associated with client platforms. For an open source BMC, there are two projects: OpenBMC (https://github.com/open-bmc/openbmc) and u-bmc (https://
is the project used to clean the Intel Management Engine to the smallest
• NIC (network interface controller). Work is being done in the Open Compute Project on NIC 3.0, [13] a spec for a NIC.
• GPU (graphics processing unit).
• eMMC (embedded MultiMediaCard)/UFS (universal flash storage). Storage devices for mobile
• Power supply.
• CPLDs (complex programmable logic devices), FPGAs (field-programmable gate arrays). The programmable
Open source firmware is necessary not only to provide visibility into the stack, but also to verify the state of software on a machine.
Intel’s Boot Guard
Boot Guard is supposed to verify the firmware signatures for the processor. The problem with this, in the case of Intel processors, is that only Intel has the keys for signing firmware packages. This makes it impossible to use coreboot and LinuxBoot or their equivalents as firmware on those processors. If you tried, the firmware would not be signed with Intel's key, and the failed attempt to boot would brick the board.
A post by Matthew Garrett about Boot Guard highlights the importance of user freedom when it comes to firmware. [1] The owner of the hardware has a right to own the firmware as well. Boot Guard prevents this. In the security keynote at the 2018 Open Source Firmware Conference, [5] Trammel Hudson described how he found a vulnerability to bypass Boot Guard (http://bit.ly/2S6oGrd); the bugzilla details can be found at http://bit.ly/2XVdAKU. The bug allows an attacker to use unsigned firmware and boot normally, completely negating the purpose of Boot Guard.
Root of trust. The goal of the root of trust should be to verify that the software installed in every component of the hardware is the software that was intended. This way you can know without a doubt and verify if hardware has been hacked. Since you have little to no visibility into the code running in a lot of places in your hardware, it is currently difficult to do this. How do you really know the firmware in a component is not vulnerable or that it doesn't have any backdoors? You cannot know without a firm root of trust.
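To make the root-of-trust goal concrete, here is an added example (not code from the article or from any of the projects it names) of the measured-boot check that a root of trust performs: each component's firmware image is hashed, the hashes are folded into a TPM-style PCR register in boot order, and the final register value is compared against the value computed from a known-good manifest. The firmware images, component names and manifest are constructed stand-ins; a real implementation would read the images from each device's flash and the expected values from a signed manifest.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample firmware images; stand-ins for the blobs a root of
# trust would read from each component's flash (BMC, host BIOS, NIC).
KNOWN_GOOD_IMAGES: Dict[str, bytes] = {
    "bmc": b"constructed OpenBMC image v1",
    "bios": b"constructed coreboot+LinuxBoot image v1",
    "nic": b"constructed NIC firmware image v1",
}

# Measurement order matters: a PCR-style register is order dependent,
# so the verifier must replay measurements in exactly this sequence.
MEASURE_ORDER: List[str] = ["bmc", "bios", "nic"]

PCR_INITIAL = bytes(32)  # a fresh SHA-256 PCR starts as 32 zero bytes


def measure(image: bytes) -> bytes:
    """Measurement of one firmware image: its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend operation: new = H(old || measurement)."""
    return hashlib.sha256(register + measurement).digest()


def build_manifest(images: Dict[str, bytes]) -> Dict[str, str]:
    """Expected per-component measurements, as a hex-encoded manifest.

    In production this manifest would be produced at build time and signed;
    here it is simply derived from the known-good images.
    """
    return {name: measure(img).hex() for name, img in images.items()}


def boot_and_measure(images: Dict[str, bytes]) -> Tuple[bytes, Dict[str, str]]:
    """Simulate boot: measure each component in order, extending the PCR.

    Returns the final register value and an event log of what was measured,
    which is what a remote verifier would receive alongside a quote.
    """
    register = PCR_INITIAL
    event_log: Dict[str, str] = {}
    for name in MEASURE_ORDER:
        m = measure(images[name])
        event_log[name] = m.hex()
        register = extend(register, m)
    return register, event_log


def expected_register(manifest: Dict[str, str]) -> bytes:
    """Replay the manifest's measurements to get the expected PCR value."""
    register = PCR_INITIAL
    for name in MEASURE_ORDER:
        register = extend(register, bytes.fromhex(manifest[name]))
    return register


def verify(images: Dict[str, bytes], manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Verify a machine's firmware state against the manifest.

    Returns (overall_ok, list_of_components_whose_measurement_mismatched).
    The overall decision comes from the single PCR comparison; the per
    component list is diagnostic, derived from the event log.
    """
    final, event_log = boot_and_measure(images)
    overall_ok = final == expected_register(manifest)
    mismatched = [n for n in MEASURE_ORDER if event_log[n] != manifest[n]]
    return overall_ok, mismatched


if __name__ == "__main__":
    manifest = build_manifest(KNOWN_GOOD_IMAGES)
    print("pristine machine:", verify(KNOWN_GOOD_IMAGES, manifest))
    tampered = dict(KNOWN_GOOD_IMAGES)
    tampered["nic"] = b"constructed NIC firmware image v1 + unexpected change"
    print("tampered NIC:", verify(tampered, manifest))
```

The single PCR comparison is the security decision: because every measurement is folded into the register, changing any one image (or its position in the order) changes the final value, and an attacker cannot choose an image that extends to the expected value without a second-preimage on SHA-256. The event log only explains a failure; a verifier should never accept the log on its own, since the log is not what the hardware attests to.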
Every cloud and vendor seems to have its own way of implementing a root of trust. Microsoft has Cerberus, [15] Google has Titan, [18] and Amazon has Nitro. [4] Paul McMillan and Matt King gave a presentation in 2018 on securing hardware at scale. [8] It covers in great detail how to secure bare metal, while also giving customers access to the bare metal. When customers return hardware to them, they need to ensure with consistency and reliability that nothing from the customer is hiding in any component of the hardware.
All clouds must ensure the hardware they are running has not been compromised after a customer has used compute resources.
Platform firmware resiliency. Hip vendors are investing in platform firmware resiliency (PFR) based on NIST guidelines. [17] These guidelines focus on ensuring the firmware remains in a state of integrity, detecting when it has been corrupted, and recovering the pieces of firmware back to a state
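The three PFR functions the guidelines describe (protect, detect, recover) are easiest to see as one flow. The following is an added example, not code from the article or from any vendor's PFR implementation: a constructed flash device holds an active firmware image and a write-protected golden copy; staged updates are only accepted if their digest is on an approved list (protect), the active image is checked against its expected digest before use (detect), and on mismatch the active image is restored from the golden copy and re-checked (recover). The device model, image bytes and approved-digest list are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Set


def digest(image: bytes) -> str:
    """Hex SHA-256 of a firmware image; the identity used for every check."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class FlashDevice:
    """Constructed model of a PFR-protected flash part.

    `active` is the image the component boots from; `golden` is the recovery
    copy that, in real hardware, lives in a region the host cannot write.
    `events` records what the resiliency logic observed and did.
    """
    active: bytes
    golden: bytes
    events: List[str] = field(default_factory=list)


def stage_update(dev: FlashDevice, new_image: bytes, approved: Set[str]) -> bool:
    """PROTECT: only an image whose digest is pre-approved may reach flash.

    Stands in for the PFR filter that authenticates updates before they are
    written. Returns True if the update was applied.
    """
    d = digest(new_image)
    if d not in approved:
        dev.events.append(f"protect: rejected update with digest {d[:12]}...")
        return False
    dev.active = new_image
    dev.events.append(f"protect: applied approved update {d[:12]}...")
    return True


def check_integrity(dev: FlashDevice, expected: str) -> bool:
    """DETECT: does the active image still match what was installed?"""
    return digest(dev.active) == expected


def detect_and_recover(dev: FlashDevice, expected: str) -> str:
    """DETECT then RECOVER. Returns one of 'ok', 'recovered', 'unrecoverable'.

    Recovery is only attempted if the golden copy itself verifies; restoring
    from an unverified golden image would just swap one bad image for another.
    """
    if check_integrity(dev, expected):
        dev.events.append("detect: active image verified")
        return "ok"
    dev.events.append("detect: active image corrupted")

    if digest(dev.golden) != expected:
        dev.events.append("recover: golden image also fails verification")
        return "unrecoverable"

    dev.active = dev.golden
    if not check_integrity(dev, expected):  # re-check after the copy
        dev.events.append("recover: restore did not verify")
        return "unrecoverable"
    dev.events.append("recover: active image restored from golden copy")
    return "recovered"


# Constructed sample images for a stand-alone run.
GOOD_IMAGE = b"constructed BMC firmware image v1"
GOOD_DIGEST = digest(GOOD_IMAGE)
APPROVED: Set[str] = {GOOD_DIGEST}


if __name__ == "__main__":
    dev = FlashDevice(active=GOOD_IMAGE, golden=GOOD_IMAGE)
    print(detect_and_recover(dev, GOOD_DIGEST))        # ok
    dev.active = GOOD_IMAGE + b"\x00bit flip or implant"
    print(detect_and_recover(dev, GOOD_DIGEST))        # recovered
    print(stage_update(dev, b"constructed unapproved image", APPROVED))  # False
    for e in dev.events:
        print(" ", e)
```

The value of the golden copy rests entirely on it being unwritable from the host side; if the same path that corrupted the active image could also reach the golden region, the recover step would have nothing trustworthy to fall back on, which is why the guidelines treat the protect function as a precondition for the other two.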