back

Bringing Linux back to server boot ROMs with NERF and Heads

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:29:52
Language
English
Abstract
The NERF and Heads projects bring Linux back to the cloud servers' boot ROMs by replacing nearly all of the vendor firmware with a reproducible built Linux runtime that acts as a fast, flexible, and measured boot loader. It has been years since any modern servers have supported Free Firmware options like LinuxBIOS or coreboot, and as a result server and cloud security has been dependent on unreviewable, closed source, proprietary vendor firmware of questionable quality. With Heads on NERF, we are making it possible to take back control of our systems with Open Source Software from very early in the boot process, helping build a more trustworthy and secure cloud.

The NERF project was started by Ron Minnich (author of LinuxBIOS and lead of coreboot at Google) in January 2017 with the goal to bring Linux back to the BIOS by retaining a minimal set of PEI modules for memory controller initialization and replacing the entirety of the server vendor's UEFI DXE firmware with a reproducibly built Linux runtime. It has been ported to a few different manufacturer's servers, demonstrating the general portability of the concept.

NERF is fast - less than twenty second boot times, versus multiple minutes. It's flexible - it can make use of any devices, filesystems and protocols that Linux supports. And it's open - users can easily customize the boot scripts, fix issues, build their own runtimes and reflash their firmware with their own keys.

The Heads runtime was started by Trammell Hudson (author of Thunderstrike and Magic Lantern) and was presented last year at 33c3. It is a slightly more secure bootloader that uses Linux, the TPM, GPG and kexec to be able to load, measure, verify and execute the real kernel. As part of porting Heads to work with NERF on server platforms, it now includes tools like Keylime to allow severs to remotely attest to user controlled systems that the NERF/Heads firmware matches what they expect, as well as network and iSCSI drivers for diskless compute node servers.

In this talk we'll provide an overview of the NERF project, the currently supported server mainboards, and the continued development on the Heads runtime that allows more trust in the servers that make up the cloud.

Talk ID
9056
Event:
34c3
Day
3
Room
Saal Clarke
Start
12:15 p.m.
Duration
00:30:00
Track
Resilience
Type of
lecture
Speaker
monoxyd
Talk Slug & media link
34c3-9056-bringing_linux_back_to_server_boot_roms_with_nerf_and_heads

Talk & Speaker speed statistics

Very rough underestimation:
138.2 wpm
760.9 spm
141.8 wpm
792.5 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
138.2 wpm
760.9 spm
linuxbootfirmwaresystemuefiopensystemsdevicekernelphasesourceserversecuritydriverquestionrunningthingsprojectsecuregrubcallednetworkpeitimeshellplacesupportvendorusbsecondstpmcodememoryguardworkingfilemanagementcpuheadsdevicesapplausevendorscomputequestionshardwareserversstuffsmallcoreboot
monoxyd:
141.8 wpm
792.5 spm
linuxbootfirmwaresystemdevicesystemsuefiphasekernelopendriverrunningnetworksecuresecurityusbcodegrubcalledserverpeiplaceattacksvulnerabilitiesoperatingvendorcorebootsupportintelrealmemorycpudevicesdriversthingsmanagementtpmworkinghardwarereasonprojectbuiltheadscryptographiccontrollerruntimefilecompromisecontrol