Welcome to the dark corner of BIOS reverse engineering, code injection and various modification techniques only deemed by those immensely curious about BIOS

Monday, January 30, 2017

IBM OpenPower Firmware Source Code Brief Analysis

First post this year ;-)

I'm taking a detour to other hardware architecture here, despite this blog is focused on x86/x86-64. As for why, it's because I was working with IBM Power 5 machine for more than a year and I found it interesting. I'm not going to talk about Power 5 here though because it's a closed system, in terms of firmware. I'm here to talk about Power 8 and its successor.

The Power 8 architecture is the first incarnation of OpenPower hardware architecture. Luckily, the firmware source code for this platform is freely available in Github: https://github.com/open-power.

Now, let's look at how we might read the code:

  • The most interesting part is the Initial Program Loader (IPL) firmware: https://github.com/open-power/hostboot. This is basically the equivalent of UEFI Platform Init (PI) code, or the bulk of the BIOS code in the old days--excluding the runtime code, such as power management and SMI handlers.
  • The next interesting part is skiboot: https://github.com/open-power/skiboot. This looks like the equivalent of the non-PI part of UEFI because it provides the interface that the OS can call at runtime to communicate with the platform firmware. I might be wrong tough, but all code I skimmed over indicates that.
  • Last but not least is petitboot: https://github.com/open-power/petitboot. This is basically an analog of GRUB or Systemd bootloader in x86/x86-64 Linux.
The important thing that's missing from the OpenPower Github is the Baseboard Management Controller (BMC) source code. I'm not sure why IBM doesn't standardize that part as well or at least provide a reference implementation. Perhaps, it's because IBM wants to provide a point for differentiation among its partners. Also, if we think about it, the BMC code is probably the most vulnerable point should some one wants to attack an OpenPower environment because it usually provides a remote access to manage the server even before it finished booting.

I'll update this post once I've read the IPL code in more detailed manner. Hint: if you want to read it as well, try starting with the linker script (*.ld) file.
Post a Comment

No comments: