Patterns hiding in DRAM initialization
Having looked at multiple implementations of DRAM initialization code for
different platforms, both in binary and source form, I have started to see
certain patterns occur. In this talk, we will focus on the binary form, since it
is how that code is often distributed these days, and thus useful to gain an
understanding of how modern DRAM controllers work and how they are integrated in
contemporary platforms. We will walk through the process of finding data and
data structures that are used in the code, and see how we can make sense of
them, so that we can extract them as pure facts, or come up with simpler
solutions for some of them when implementing our own initialization procedures.
To assist us with different aspects of analysis, we will feature helpful tools
and techniques for certain steps, and conclude with achievements made so far.
Tools for Chips
Over the years, I have created multiple tools that let you work directly
with the loader protocols offered by many SoC (system on chip) mask ROMs.
Such tools would usually come from the chip vendors themselves and be less
flexible, but when open source, tell us how the APIs work, and through
reverse engineering, we can understand even more of how the mask ROM code
works.
In this talk, I showcase a bunch of tools that I have created with the help
of others over the years that now help us with the development and testing
of firmware in a fast manner, bypassing the whole procedure of flashing
code to storage parts. We will look at the specifics per vendor and chip,
what we needed to do to get to where we are now, and finish up with a few
demos.
What's the diff?
Diffing firmware images
In this talk, we dive deep into parsing and comparing AMD firmware images
with their specific challenges: they may have different sizes, come from
different OEMs, target different mainboards, and support various ranges
and variants of processors. I have extended and built a
CLI on top of System76 / Jeremy Soller's romulan library that will
eventually also be integrated in Fiedka.
Look at ME in Rust!
A few years ago, I
looked at the Intel Management Engine.
At Labortage 2023, I showed
how Rust can be used in web browsers and Electron via WebAssembly.
This time, combining both, I present the implementation of a
Rust library for Intel ME file systems
and demo its use in Fiedka, diving deeper into
how Intel ME platform firmware is partitioned and how its file systems work.
LONGTERM
The terminal you have been longing for
Are terminals really a relic of the past? I beg to differ.
Let me introduce LONGTERM, a modern terminal for the world of the 2020ies, in
which lots of devices and gadgets float around.
What would this even _be_, how does one hook up with a terminal nowadays?
Those are the questions this talk will discuss and propose solutions to.
Digging for Documentation
A Tale of Reverse Engineering
Modern hardware platforms are based on complex SoC designs and are going
even beyond. RISC-V application processors are no different in that regard.
When working on the lowest layers of software, i.e., firmware and operating
systems, the many small details of a design need to be well understood in
order to fit into existing abstractions, derive new ones, figure out where
to split responsibilities, and potentially feed back new concepts into
designs again.
Although this might sound like a straightforward process, it is anything but.
Software engineers often run into surprises and open questions, so we need
to know how to deal with challenges and find our way through a deep sea of
missing documentation, note down our approaches and results, and finally
share them with the wider community. In this talk, we summarize previous and
current issues and experiences with contemporary RISC-V SoCs and discuss
ideas and strategies to address these challenges in the future.
centre, left and right
beyond the stereotype
We propose a refresh of what a system and its environment shall look like. The times
they have a-changed. No more terminals connect many people to a shared “mini”computer
that really is the size of three fridges, and no longer do we pile up PCs. We have very
capable phones, tablets and laptops now, plus lots of gadgets, IoT and building automation
equipment. That calls for radically controversial shifts in multiple directions to rethink
compute models and operating systems yet again.
What comes before Linux?
We look at what firmware has to do on application processor platforms such as
common laptops and single board computers, why it is needed, and what solutions
there are on the market, walking through open source projects and their roles,
concluding with a discussion of issues regarding ownership and sustainability.
Bringing the Hack Back into the Chaos
While more and more hackerspaces have been founded in the recent years, there
are many different topics that are being discussed at the same time:
AI, 3D printing, Arduino, social and political questions, and lots more.
Where are the hacks though? Things are happening, and with this talk, we want
to talk about them and call for exchange.
At Chaospott in Essen, we have developed rich tools to interact with and inspect
hardware, enabling people to bring their gadgets to new life and run their own
code, be it on TV boxes, network cameras, or appliances of various kinds.
In other words, should a cloud service go down or unmaintained software get
compromised, we revive what would otherwise be bricks.
Visualizing Device Trees
Device trees are used to describe a lot
of hardware, especially in the embedded world and are used in U-Boot, Linux,
Zephyr, and other boot loaders and systems. A device tree enumerates addresses
and other attributes for peripherals, hardware decoders, processing cores and
external components attached to systems on chips (SoCs) on printed circuit
boards (PCBs).
Because device trees are textual, commonly consisting of multiple files and
can grow large, roughly 1000 nodes being typical for a common single board
computer (SBC), we created a tool to visualize them. The
dtvis tool
runs in the web browser and is written partly in Rust, building on top of a
crate that we forked and keep developing and maintaining within the
Platform System Interface
project.
In this talk, we present the ideas we have implemented, how we did it, and
open ideas and challenges that remain.
Aligned on RISC-V
Looking at multiple RISC-V firmware projects and processors, this talk
compares how their approaches to providing a RISC-V platform align, such
that operating systems and applications can be easily ported across them.
We start with a summary of recent progress on RISC-V in the coreboot
project and its fork oreboot. During the development of oreboot, we noticed
that while RISC-V is already an extensible ISA with many ratifications in
place and the first application SoCs produced, they are not yet fully
defined platforms. Details such as memory access and clear protocols of what
an OS may or may not be able to control and handle are still open issues, so
that the same application may behave different from one piece of hardware to
another.
With this talk, we dive deep into a socio-technical design discussion on
strategies around unaligned memory access, how hardware may or may not
support it, how it can be handled with traps in M-mode, S-mode or simply by
what compilers emit, how hypervisors change perspectives, and what a full
stack could look like that takes hardware, firmware, OS, compilers and
application software design into account.
Hack the Gadget!
For a bunch of years, I have collected lots of gadgets from every hacker's
favourite online stores, and coined the term "root on arrival" at some point.
Leaning against the good old "Hack All The Things: 20 Devices in 45 Minutes"
talk by The Exploiteers, I present another series of devices to hack on:
IP cameras, network video records, wireless storages, car media players,
TV boxes, physical access control systems, lounge/room control panels,
portable mobile network gateways - you name it. Because all of those are
actually nice gadgets to have, besides just popping those boxes, I will go
further and walk through a handful of nice projects leveraging existing
products to put custom software on them.
Clueless OS Development
Like many other people, I love to experiment. "Every now and then, try something
new" - that is a slogan, a lifestyle, a challenge.
With this talk, I compile how I went from system to system and eventually starting
writing code myself. This will be an almost intergalatic journey through time and
space full of experiences with happenstance, humans, design ideas, fantasies and
basic questions up until contemporary projects.
Die wirre Welt der kleinen Computer
Wer sich gern mit Gadgets und Einplatinenrechnern auseinandersetzen mag oder
auch wegen Lieferengpässen des bekannten Raspberry Pi nach weiteren Optionen sucht,
verliert schnell in einer Hülle und Fülle von Angeboten den Überblick, ob als
Privatperson oder zu geschäftlichen Zwecken. Bestenfalls finden sich Empfehlungen,
idealerweise von Bekannten, und dennoch bleiben Herausforderungen auf vielen
Ebenen nicht aus: Von den Chips, Prozessorarchitekturen und Anschlüssen, von der
Firmware und Auswahl von Betriebssystemen bis zu eigenen Vorstellungen und damit
der Möglichkeit von Anpassungen, lassen sich viele Fragen vor dem Kauf nur schwer
und selbst im Nachhinein kaum beantworten. Mit diesem Vortrag biete ich einen
Überblick über verschiedene Projekte an, die zum einen die Entscheidung für
konkrete Produkte vereinfachen, zum anderen deren Flexibilität mit der Zeit
deutlich erhöhen und damit eine Nachhaltigkeit schaffen, durch die Enttäuschungen
behoben und Geräte zum Wegwerfen zu schade werden. Dazu gibt es Demos und
Anregungen zu konstruktiven Anschlussdiskussionen.
Bootloaders in Limbo
Between Platform Initialization and Operating System
While hardware platforms have evolved over the years, operating systems had to
follow along. At the same time, their portability poses an increasing challenge
in terms of complexity: A memory-intense system these days relies on DRAM that
needs to be kept stable, commonly performed by dedicated controllers. Those
feature thousands of registers for configuration. Beyond that, the diversity of
peripherals requires lots of drivers, and the OS still has to come from somewhere.
This is solved in a multi-step manner, a process refered to as "booting".
However, those steps may overcomplicate the issue, bringing duplication and hard
to understand interwoven components into the concept. In this talk, we will look
at a range of projects involved, classify them, discuss and compare the various
approaches, and come to a modern solution taming a good portion of the problem space.
oreboot on RISC-V
Comparing Implementations on Two Platforms
After the Allwinner D1 SoC, we got back to porting the StarFive JH7100. In this
short presentation, we compare the boot flows on both, analyze the effort it
took and how comprehensible each of the platforms is. In the end, we evaluate
how both implementation approaches differ, one being based on a
Rust Peripheral Access Crate generated from an SVD file] vs manual definitions
of registers, blocks, and helper functions.
Platform System Interface
Design and Evaluation of Computing as a Whole
Could we ever, and can we still, understand computers and how they really work?
Based on many years of research, education, curiosity and experience, this talk
presents and discusses the many aspects of what makes computing what it is:
Hardware, software, operating systems, apps, services, human and machine
interfaces, and the many ideas all around them.
Looking from a high level perspective, we walk through the host of interwoven
facets that make up electronics from gadgets to mobile devices and large
computers, eventually tying everything back to where it came from: The people
who made it, the ones who work and play with it, how they are all but different,
and what drives them.
This is a primer to starting the overarching
Platform System Interface
project, which seeks to document
hardware and software co-design as a whole in prose with
psi-spec,
and offer guides, tools, and a framework.
oreboot 2022 status report
on to RISC-V
This year we pivoted the oreboot project, a downstream fork of coreboot
written entirely in Rust, to focus on RISC-V platforms, including the first
version of Beagle-V. We have focused our energies on platforms we can
control from power-on reset, with no binary blobs.
Over the last year, the Allwinner D1 SoC, which offers a Linux-capable 64bit
XuanTie C906 RISC-V core and is found on many boards, has been fully ported,
including DRAM init. In addition, we picked up the work on the JH7100 SoC again
that was found on the BeagleV Starlight SBC, because it is also on the StarFive
VisionFive board, which has been provided to us by RISC-V International for the
developer support program.
In this talk, we present challenges we faced during
the development, including writing DRAM code from C code, not chipset documentation;
how we are taking advantage of the rapid growth of "bare metal" support in
the Rust ecosystem and how it has impacted our code, in ways large and small;
and how the project is growing as new members join.
Finally, we summarize the current status of the oreboot project.
SBoM Annotations and Audits
When firmware is only available in binary form, i.e., the end user or corporate
entity has no access to its source code, quality and security assessment is
limited by legal constraints, and fixing bugs and flaws harder to achieve. While
possible escape hatches have been developed, such as replacing large parts of
the stock firmware with auditable environments like LinuxBoot, some uncertainty
still remains regarding drivers and other components that cannot be removed.
However, there are still options to help oneself where the OEM or other vendor
does not offer the flexibility or assurance one needs: We can build up a
knowledge database of drivers, and offer guidance towards patching or replacing
them, and offer the tooling to automate the process. With Fiedka the firmware
editor, components can be annotated and those annotations
exported for reuse. In this short talk, we will evaluate the necessary workflows
and discuss user experience design considerations around the process.
Firmware Settings and Menus
Among many challenges around initializing hardware, security, and booting into
operating systems, firmware also needs to provide an interface for the user to
change settings, set up a trust anchor, or simply enjoy colorful graphics. This
talk summarizes approaches from (U)EFI dating back to 2003, looking at modern
OEM UIs in comparison to open implementations such as the menu in webboot, those
from System76, EDK2, and Dasharo, and showcasing prototyping environments for
further development, finishing with a short discussion of reusable and portable
abstractions for designing APIs.
Speedy Distro Porting via the cpu Command
Last year, I ported oreboot to the Allwinner D1 SoC that is found on
the Nezha SBC and many other boards now. For a boot loader environment,
I chose to embed LinuxBoot, and then partitioned an SD card with two
root filesystems for testing: OpenWrt, which is small and just ran
right away, and openSUSE, which required some extra effort. I was
happy to see a new D1 board advertised with openSUSE support, though
the process of getting there was tedious enough that I wanted to find
an improvement to the workflow.
In this talk, I recap how I modified the openSUSE RISC-V root
filesystem, moving an SD card back and forth, and showcase a faster
approach instead by leveraging the cpu command that lets us do that
iteration over the network. Eventually, we will see how that can be
leveraged to continuously test Tumbleweed on real hardware through
OpenQA and a corresponding setup, which can also be applied to other
hardware, such as ARM.
Drivers From Outer Space
Fast, Simple Driver Development
During the last two years, I have collected ARM and RISC-V gadgets and
development boards. What I realized is that many of them run systems far off
mainline Linux, and quite often do the vendors not publish the sources. However,
when able to get serial output, I can fix that. And that is where many engineers
start with regular development, so we are in the same boat.
Now how do the original drivers work? Applications in existing products often
have userspace or hybrid drivers, which opens up a door. We can emulate the app,
e.g., in QEMU, and monitor I/O accesses. Then we can write our own driver. But
that is a tedious and time consuming process, the most inconvenient step being
testing. Given storage media, we need to physically move things. Over network,
we could `scp` and `ssh` over to the target machine, then run our code. What if
that could be done in one single step?
The solution is cpu, a concept
originating from the Plan 9 research operating system that came out of Bell Labs:
Transparently run a program on another machine in the network as if it was
local. In this talk, I show `cpu` in practice and what I have done myself with
it.
Fiedka the Firmware Editor
Advancing from CLIs to GUIs
This talk presents the birth of Fiedka out of utk-web, a proof of concept
firmware exploration tool that runs on web platforms using WebAsseambly.
Leveraging Fiano's utk, Fiedka supports firmware developers and
analysts through quick navigation and ideas from the web development world,
organizing the many different views on the same image in a concise manner.
For example, when looking at a typical AMD platform OEM image, there are UEFI
and PSP parts. Walking through the challenges of building a suitable
graphical interface with a great experience and dealing with specifics, the
talk concludes with where Fiedka is at right now and what the next milestone
will be, what users can do and try out already, and how to contribute on the
various layers of back-end and front-end work as well conceptual ideas and
feature requests.
webboot
The LinuxBoot way of multi distro ISO booting
With the growing demand and support for LinuxBoot in firmware, new approaches
to booting operating systems have become possible, based on the Linux kexec
mechanism. This talk walks through the process of creating an environment for
booting a large set of different ISOs from various distributions, covering
different methods tried and ideas that came up, concluding with how webboot
eventually offers a decent and easy to use interface that can be deployed on
a USB stick, tried out in a VM, or even run straight from a mainboard's
firmware.
Repurposing Gadgets
In this talk, I will show you how you can approach gadgets running Linux
based embedded systems, such as IP cameras, network video recorders
(NVRs), wireless USB storages, and more. We will look at what typical
boot flows are, ways to repurpose the devices, and go beyond what the
vendors got you stuck with.
Harvey OS
Glenda and the Gopher Rejoin
Harvey OS ist ein Betriebssystem aus der Familie der Plan 9 Systeme und
wird stets weiterentwickelt von verschiedenen Menschen weltweit. Mit den
in Go geschriebenen Werkzeugen aus u-root verfügt Harvey seit September
2020 über ein umfangreiches Userland. Dieser Vortrag gibt eine Einführung
in das System und vermittelt den verfolgten Ansatz von Einfachheit, der
es neben seinen Features ausmacht.
Look at ME!
Intel ME Investigation
With Intel's Firmware Support Package (FSP) and the recent release of a
redistributable firmware binary for the Management Engine, it has become
possible to share full firmware images for modern x86 platforms and
potentially audit the binaries. Yet, reverse engineering, decompilation
and disassembly are still not permitted. However, thanks to previous
research, we can have a closer look at the binary data and come to a few
conclusions.
This talk briefly summarizes the fundamentals of developing custom and
open source firmware, followed by a quick guide through the process of
analyzing the binaries without actually violating the terms to
understand a few bits, and finally poses a statement on the political
issues that researchers, repair technicians and software developers
are facing.
LinuxBoot
Let Linux do it
Instead of proprietary UEFI firmware or other projects maintained
outside a user's control, we can apply the Linux kernel to develop
modern firmware based on well-tested drivers. That is the idea behind
LinuxBoot.
This talk explains what this means and demonstrates application examples.
Open-Source Firmware
Firmware is found in all computing devices, including PCs, laptops, networking
equipment, printers, embedded devices such as IoT and industrial controllers,
mobile phones, tablets, and more. The community around open source firmware has
grown over the last years, allowing for more exchange in the development and
granting freedom to end users. Prominent projects like U-Boot, Tianocore,
coreboot and others teach how firmware works and welcome contributions.
This talk provides an overview of the current state, an end user report, and a
summary of the first Open Source Firmware Conference.