-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from 3mdeb/nlnet_application
Add KGPE-D16 NLNet application
- Loading branch information
Showing
3 changed files
with
423 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,107 @@ | ||
| ## Attachment no. 1 | ||
|
|
||
| ## Projects or organisations relevant to the project before | ||
|
|
||
| - [coreboot](https://github.com/coreboot/coreboot) | ||
|
|
||
| Open source firmware framework supporting the hardware of the aforenamed project | ||
| relates to. In general coreboot allows to build the firmware (also called BIOS) | ||
| from source code. By firmware (or BIOS) one should understand the lowest level | ||
| software executed on the processor right after machine launch. It is | ||
| responsible for hardware initialization and preparation for operating system | ||
| launch. The BIOS implementation for KGPE-D16 is fully open and auditable in | ||
| contrast to closed source proprietary solutions of current hardware vendors. | ||
|
|
||
| - [libreboot](https://notabug.org/libreboot/libreboot) | ||
|
|
||
| This project is based on coreboot, but operates with different rules and | ||
| restrictions. First and foremost the libreboot project does not allow any | ||
| source code for platform firmware which requires closed source components to | ||
| operate. coreboot on the other hand supports platforms that require closed | ||
| source and proprietary components used for hardware initialization (Intel FSP, | ||
| AMD AGESA, Intel ME, AMD PSP). | ||
|
|
||
| - [Heads](https://github.com/osresearch/heads/) | ||
|
|
||
| A coreboot's Linux based payload focusing on security of the firmware and | ||
| operating systems booting. Uses sophisticated methods for privacy preserving, | ||
| security measures, hardware ownership and Root of Trust attestation. The | ||
| ultimate goal is to ensure that the computer is in a trusted state and that the | ||
| operating system may be launched securely without fear of leaking sensitive and | ||
| private data or the presence of malware. Has initial support for the board: | ||
| https://github.com/osresearch/heads/pull/335 | ||
|
|
||
| - [OpenBMC](https://github.com/openbmc/openbmc) | ||
|
|
||
| Open implementation of the Baseboard Management Controller (BMC) present on | ||
| server/desktop platforms, based on Linux. The BMC is responsible for | ||
| out-of-band management of the server/desktop platform, it has privileged access | ||
| to the resources of the machine thus is very important piece of hardware and | ||
| software that should be protected. Open implementation assures auditability and | ||
| security of the BMC solution typically delivered by hardware vendors as a | ||
| closed source component. Has support for the board (unmaintained) done by | ||
| Raptor Engineering: | ||
| https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-status.php | ||
|
|
||
| - [u-bmc](https://github.com/u-root/u-bmc) | ||
|
|
||
| The BMC Linux distribution similar to OpenBMC but written in Go language. | ||
| Currently does not support KGPE-D16's AST2050 chipset: | ||
| https://github.com/u-root/u-bmc/issues/133 | ||
| The main advantages of u-bmc are minimalism and compactness comparing to | ||
| OpenBMC. | ||
|
|
||
| - [U-boot](https://github.com/u-boot/u-boot) | ||
|
|
||
| U-Boot is a boot loader for Embedded boards based on PowerPC, ARM, MIPS and | ||
| several other processors, which can be installed in a boot ROM and used to | ||
| initialize and test the hardware. It is one of subcomponents of the OpenBMC | ||
| implementation. Initial implementation: | ||
| https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-files/ast2050-uboot-tree.tar.bz2 | ||
|
|
||
| - [Linux kernel](https://github.com/torvalds/linux) | ||
|
|
||
| Linux is an open source implementation of the GNU operating system's kernel. It | ||
| is a subcomponent of the OpenBMC implementation and subcomponents of operating | ||
| systems launched by the KGPE-D16. Initial implementation: | ||
| https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-files/ast2050-linux-kernel-tree.tar.bz2 | ||
|
|
||
| - [Poky Yocto](https://git.yoctoproject.org/cgit/cgit.cgi/poky/) | ||
|
|
||
| Poky is a reference distribution of the Yocto Project. It contains the | ||
| OpenEmbedded Build System (BitBake and OpenEmbedded Core) used to build a Linux | ||
| distribution. A subcomponent of the OpenBMC implementation. Initial | ||
| implementation for the KGPE-D16: | ||
| https://git.raptorengineering.com/git/ast2050-yocto-poky | ||
|
|
||
| All the source code lack maintainership since the platform has been orphaned by | ||
| the initial maintainer. The number of bugs is growing and soon the code will be | ||
| deprecated and dropped from the projects like coreboot and others. | ||
|
|
||
| - [Trenchboot](https://github.com/TrenchBoot/documentation) | ||
|
|
||
| Trenchboot is a framework that allows individuals and projects to build | ||
| security engines to perform launch integrity actions for their systems. The | ||
| framework builds upon Boot Integrity Technologies (BITs) that establish one or | ||
| more Roots of Trust (RoT) from which a degree of confidence that integrity | ||
| actions were not subverted. 3mdeb already contributed to this project by | ||
| enabling the Secure Launch feature offered by the hardware security engines | ||
| on the PC Engines apu2 board. | ||
|
|
||
| - [vboot](https://chromium.googlesource.com/chromiumos/platform/vboot_reference/) | ||
|
|
||
| Google's Verified Boot reference implementation, an alternative to UEFI's | ||
| SecureBoot. Provides mechanisms for cryptographical signing and verification of | ||
| boot firmware components. | ||
|
|
||
| - [Vikings GmbH](https://www.vikings.net/) | ||
|
|
||
| Company that sells the ASUS KGPE-D16 with libre firmware based on an old | ||
| version of coreboot. Big kudos to Vikings for sending 2 boards for testing and | ||
| development of the project. | ||
|
|
||
| - [Raptor Engineering LLC](https://www.raptorengineering.com/) | ||
|
|
||
| The company that did the initial implementation of the coreboot firmware and | ||
| OpenBMC for the ASUS KGPE-D16. The board has been neglected by this company and is | ||
| no longer maintained in those projects. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| # Attachment no. 2 | ||
|
|
||
| ## Task description | ||
|
|
||
| 1. Setting up the hardware validation [1500 Euro] | ||
|
|
||
| Validation standards in firmware related projects are not yet well established. | ||
| Testing is very a crucial part when software directly touches hardware. Even the | ||
| slightest change may cause huge negative impacts on the machine's operation. | ||
| That is why we need to have automated tests that will constantly check for | ||
| issues and regression due to the code change. | ||
|
|
||
| --- | ||
|
|
||
| 2. The specific tasks to be performed for coreboot project: | ||
|
|
||
| 2.1 The processor and chipsets code should be separated from board specific | ||
| code. [2000 Euro] | ||
|
|
||
| Separating the code allows for better maintenance and development of code by | ||
| the whole community. Reduces the board specific code significantly and allows | ||
| easier integration of existing and new boards. | ||
|
|
||
| 2.2 KGPE-D16 firmware should support RELOCATABLE_RAMSTAGE and cache the | ||
| ramstage in TSEG. [2000 Euro] | ||
|
|
||
| One of the coreboot requirements to keep the platform supported in the | ||
| project. Implementing those mechanisms will allow us to use suspend to RAM | ||
| (sleep mode). | ||
|
|
||
| 2.3. KGPE-D16 firmware support for POSTCAR_STAGE and NO_CAR_GLOBAL_MIGRATION [1500 Euro] | ||
|
|
||
| One of the coreboot requirements to keep the platform supported in the | ||
| project. Allows clean separation of the boot firmware stages and makes | ||
| the code far simpler. | ||
|
|
||
| 2.4 KGPE-D16 firmware shall support C_ENVIRONMENT_BOOTBLOCK [1500 Euro] | ||
|
|
||
| One of the coreboot requirements to keep the platform supported in the | ||
| project. Allows to enable temporary memory early and setup a Root of | ||
| Trust in the very early stage of machine startup. | ||
|
|
||
| 2.5 KGPE-D16 firmware save memory training parameters [1500 Euro] | ||
|
|
||
| This feature will decrease the startup time by avoiding time-consuming memory | ||
| training in subsequent machine launches. | ||
|
|
||
| 2.6 KGPE-D16 should initialize CPUs in parallel [1500 Euro] | ||
|
|
||
| As KGPE-D16 is a server/desktop platform with up to 2 processing units with | ||
| multiple cores, their initialization may take a while. This feature will | ||
| reduce the startup time further. | ||
|
|
||
| 2.7 Improve the coreboot documentation and resolve existing and newly found | ||
| issues. [2000 Euro] | ||
|
|
||
| There were reports from the community that the board is no longer able to launch | ||
| modern Linux distribution without custom modifications. There are also lots of | ||
| unfixed items in the code base. | ||
|
|
||
| --- | ||
|
|
||
| 3. Contribution to other projects: | ||
|
|
||
| 3.1 Test and develop support in Heads project [1500 Euro] | ||
|
|
||
| The Heads project focuses on security and privacy of the hardware it runs on. | ||
| It is one of the very important use-cases of the KGPE-D16. The initial | ||
| support has been done by Thierry Laurion on top the older version of | ||
| coreboot. Required fixes and adjustments have not been propagated back. | ||
|
|
||
| 3.2 Develop, test and contribute support to OpenBMC and u-bmc projects. [4000 Euro] | ||
|
|
||
| There is a huge amount of code developed by Raptor Engineering, but it's not | ||
| contributed back to the upstream repositories. The support was developed over | ||
| 2 years ago and nothing has been done since that time. There is also a serial | ||
| over IPMI feature to be developed in order to provide better remote | ||
| accessibility to the board from network. This task requires contribution to | ||
| projects like OpenBMC, Linux kernel, U-Boot, Poky and coreboot. | ||
|
|
||
| 3.3 Develop and test Secure Launch implementation in Trenchboot. [1500 Euro] | ||
|
|
||
| Performing Secure Launch allows to establish the Root of Trust at any time of | ||
| machine startup. It is a very important security feature offered by hardware. | ||
| Moreover it was never done in an open source way for AMD processors (except | ||
| Trenchboot for apu2 co-developed by 3mdeb) which are present on the KGPE-D16. | ||
|
|
||
| 3.4 Contribution to libreboot [1500 Euro] | ||
|
|
||
| libreboot is based on the coreboot, however it implements the build system in | ||
| its own way and modifies the coreboot source to its needs. The task will | ||
| focus on adjusting the libreboot project in order to build the firmware image | ||
| successfully and contribute the changes back. |
Oops, something went wrong.