Comment by gnufx

7 years ago

Actually, at least a bit of it does exist. There are two different "OpenBMC"s. The IBM/Rackspace one is used for POWER9, as in the Summit and Sierra supercomputers.

Another effort in the free space -- a different part from Talos -- is EOMA68 https://www.crowdsupply.com/eoma68 with a parallel effort for RISC-V.

It's a nice exception to the rule. IBM has enough patents to crush anyone that messes with them. So, they're not as worried. Don't forget older PPC and SPARC boxes with Open Firmware, too. I have one at the house from 2003 that can run YouTube vids.

https://en.m.wikipedia.org/wiki/Open_Firmware

Gaisler had a GPL'd SPARC core to go with it, too. Oracle's T1 and T2 were open, too.

  • I haven't forgotten OpenBoot, but as far as I know, ALOM wasn't part of it, and I doubt anything current comes with a free version. The two OpenBMCs aren't purely IBM, and that's more than one example apart from RISC-V possibilities. BMC is particularly important, because remote access is critical for large-scale management, typically implemented with a lot of problems, and often exposed highly insecurely. There's obviously a very real problem, but POWER9 seems to be an encouraging example that deserves support, and even Talos has some non-free firmware, as far as I remember (apart from add-on graphics).

    • "two OpenBMCs aren't purely IBM, and that's more than one example apart from RISC-V possibilities. BMC is particularly important, because remote access is critical for large-scale management, typically implemented with a lot of problems, and often exposed highly insecurely."

      Very well said. I've definitely thought about this. I was just turning ideas around instead of digging super deep. Still, one problem I had was how to sell the security-enhanced solution to businesses that were already leveraging backdoored, low-quality products. I'm concerned there would be a lot of "who gives a shit" reaction to the product.

      The trick I advocated long ago was to embed and/or disguise security products as stuff with (non-security benefit worth buying here). The trick would be to figure out whatever chip, PCI card, etc. had useful functionality to add to their servers. And, btw, it also has an ultra-secure interface to the buggy management systems. Back in the day, people like the folks behind Diamondtek LAN got secure tunnels and management systems certified by NSA for this stuff. There might still be a tiny market. Nonetheless, I'd rather have a non-security benefit, esp. performance or monitoring, to sell them on with the security features subsidized by its sales. This concept is partly inspired by Bell's "selfless acts of security."

      http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-B...