
UEFI presentation

Presentation around the UEFI technology covering SecureBoot and the new HP RESTful interface


  1. Together for the New Style of IT. HP Enterprise Technology & Solutions Summit 2015, Dublin, Ireland, June 15-19, #HPETSS
  2. Please give us your feedback!
  3. UEFI and HP ProLiant Servers. Bruno CORNEC, Open Source and Linux Strategist, WW Linux Community Lead - Open Source Profession. © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  4. Introducing Myself
     ● Software engineering and Unices since 1988
       – Mostly Configuration Management Systems (CMS), build systems, quality tools, on multiple commercial Unix systems
       – Discovered Open Source & Linux (OSL) & made first contributions in 1993
       – Full time on OSL since 1995, first as HP reseller then @HP
     ● Currently:
       – OSL Technology Strategist, EMEA EG Innovation Solution Center aka HP/Intel Solution Center, Grenoble
       – HP OSL Advocate and Converged Infrastructure Ambassador
       – WW Linux Community Lead for the HP Open Source Profession
       – POSS conference, OpenStack.fr and AFUL board member. Conferences at WW level at LinuxCon, Linux.conf.au
       – MondoRescue, Project-Builder.org, UUWL and PUSK Project Lead
       – LinuxCOE, mrepo, tellico, rinse, fossology, collectl, Ironic contributor
       – FOSSBazaar/SPDX and OSL Governance enthusiast
       – Mandriva, Mageia, Fedora packager
  5. UEFI Overview and Industry Status
  6. UEFI Technology
     UEFI = Unified Extensible Firmware Interface: a fundamentally different BIOS stack from legacy BIOS with new capabilities and features
     Platform Initialization (PI)
     • Interfaces produced & consumed by firmware only
     • Promote interoperability between firmware components
     • Latest PI specification version is 1.4 (April 2015)
     UEFI
     • Pre-OS (and limited runtime) program interfaces between UEFI applications (incl. OSes) / UEFI drivers and system firmware
     • Latest UEFI specification version is 2.5 (April 2015)
     • Latest UEFI Shell specification version is 2.1 (July 2014)
     Cf: http://www.uefi.org
  7. ACPI Technology
     [Diagram: ACPI table hierarchy, from the EFI System Table (EFI_ACPI_20_TABLE_GUID) to the RSDP, its XSDT/RSDT pointers, and the FADT (FACP), FACS, DSDT, SSDT, MADT and the other tables defined or reserved by ACPI]
     ACPI = Advanced Configuration and Power Interface: static tables and primary runtime interpreted control methods provided by system firmware to the OS for system configuration, power management and error handling
     • ACPI interfaces are consumed by the OS
     • Processor architecture agnostic
     • Latest specification version is 6.0 (April 2015)
     Cf: http://www.uefi.org/acpi
  8. HP Drove for the Creation of UEFI: UEFI & ACPI Timeline
     UEFI History
     • 1995: HP/Intel needed a boot architecture for Itanium servers that overcame BIOS PC-AT limitations
     • 1997-2000: Intel created EFI with HP and others in the industry, made it processor agnostic (x86, ia64)
     • 2004: tianocore.org, open source EFI community launched
     • 2005: Unified EFI (UEFI). The UEFI Forum, with 11 promoters, was formed to standardize EFI, extended to x64
     • 2009: UEFI extended to ARM AArch32
     • 2012: Windows 8 and ubiquitous native UEFI adoption for client PCs (Boot Performance, Secure Boot focused)
     • 2013: Linux distros extended support for UEFI Secure Boot. First Linux Foundation hosted UEFI Plugfest. UEFI v2.4 extended to ARM AArch64.
     UEFI as the converged firmware infrastructure
     ACPI History
     • 1996: Intel/Microsoft/Toshiba created ACPI 1.0 for 16 and 32 bit PC client devices
     • 2000: Compaq/Intel/Microsoft/Phoenix/Toshiba published ACPI 2.0 for 64-bit support as well as support for multiprocessor workstations and servers
     • 2004: HP/Intel/Microsoft/Phoenix/Toshiba published ACPI 3.0 further enhancing the spec to support both client and server systems
     • 2009: ACPI 4.0 is published providing additional support for both client and server systems
     • 2011: Hardware-reduced ACPI model was introduced into the published ACPI 5.0 spec to include the support for SoC devices. ARM specific descriptions are also introduced
     • 2013: ACPI asset transferred to the UEFI Forum. Ready for future ACPI.next development
     • 2014: ACPI v5.1 for ARM AArch64 support (e.g., ARM SBSA/SBBR servers)
     260+ members and growing!
  9. UEFI Forum
     Board of Directors (11 Promoters). Officers: President: Mark Doran (Intel); VP (CEO): Dong Wei (HP); Secretary: Jeff Bobzin (Insyde); Treasurer: Bill Keown (Lenovo)
     Working groups: Industry & Communications WG (ICWG), UEFI Specification WG (USWG), Platform Initialization WG (PIWG), Test WG (UTWG), ACPI WG (ASWG)
     Subteams: Security Subteam, Security Response Team, Configuration Subteam, Network Subteam, Shell Subteam, ARM Binding Subteam
     Membership: 11 Promoters, 40 Contributors, 193 Adopters, 20 Individual Adopters (260+ members)
  10. UEFI Advantages
     • CPU architecture agnostic
     • GPT support: >2TiB boot volume support; >4 disk partitions; etc.
     • Removes PC-AT restrictions (e.g., VGA, PIC, 1MiB)
     • Secure Boot
     • IPv4, IPv6 and multicast PXE boot
     • iSCSI boot using a built-in software initiator
     • Embedded UEFI Shell (scriptable)
     • Driver model and Runtime Services
     • Bare metal UEFI Shell-based deployment framework
     • TPM 2.0 support
     • USB 3.0 boot support
     • Boot from NVMe SSD drives
     • Boot from some PCIe SSD drives
     • Boot from Smart Array software RAID on embedded SATA
     • Boot from HTTP to replace PXE
     • Boot from FTP
     • Unified Human Interface Infrastructure (HII) for System and Option ROM
  11. UEFI/ACPI Roadmap
     • Leader on x86 clients and servers
     • ARM servers with UEFI/ACPI support emerging
     • Opportunities on IoT and embedded
     • Persistent Memory, SD, UFS devices support
     • More work related to Security & Resiliency (TLS, Trusted Recovery, SmartCard, NoExecute, Variable Lock, Crypto I/F, RAM redundancy)
     • Boot from HTTP (RamDisk device path)
     • REST protocol
     • Wifi, Bluetooth support
  12. Operating Systems supporting UEFI
     • Microsoft Windows Server 2008 (x64 only)
     • Microsoft Windows Server 2008 R2 (x64 only)
     • Microsoft Windows 2012
     • Microsoft Windows 2012 R2
     • RHEL 6.0 and later
     • Oracle Linux 6.4 and later
     • SLES 11 and later
     • Ubuntu 10.10 and later
     • VMware ESX 5.0 and later
     • Solaris 11.1 and later (support started in November 2012)
     All current operating systems support UEFI Boot and Legacy Boot.
  13. UEFI System Classes
     Class 0: Legacy BIOS (ProLiant Gen8)
     Class 1: UEFI with CSM only (obsolete)
     Class 2: CSM & UEFI Boot, selected by a UEFI switch (DL580 Gen8 & Gen9)
     Class 3: UEFI only (future generations, goal)
     • Class 2 System: UEFI definition of a system that can boot into UEFI mode or Legacy BIOS mode
     • Class 3 System: UEFI definition of a system that can only boot into native UEFI mode
     • CSM: Compatibility Support Module. Allows a Class 2 UEFI system to boot into BIOS mode
  14. HP ProLiant Gen9 UEFI support
  15. HP ProLiant UEFI Transition
     ProLiant Gen8: Legacy BIOS (Class 0), then ProLiant Gen9: UEFI Class 2, then the goal: Next Gen ProLiant, UEFI Class 3
     • DL580 Gen8 defaults to Legacy Boot Mode.
     • ProLiant Gen9 defaults to UEFI Boot Mode.
     • Future Moonshot cartridges and ProLiant servers are targeted to be Class 3
     • CTO option to set default Boot Mode supported.
     ProLiant Gen9 specification compliance: UEFI Specification 2.4, Platform Initialization Specification 1.3, UEFI Shell Specification 2.1, EDK2
     Why UEFI now for HP ProLiant:
     • Mature standards
     • UEFI server ecosystem ready (option card drivers, OS, deployment, management)
     • Important functionalities for customers (IPv6 & multicast PXE, 2.2 TB boot drives, Secure Boot)
  16. HP ProLiant UEFI functionality
     • Unified pre-boot configuration environment
       − Platform configuration, NIC configuration, iLO configuration
     • Improved option card error handling
     • NVMe and USB 3.0 boot support (*)
     • UEFI Shell scripting environment
       − Platform configuration, save and deploy settings, firmware update
     • Pre-boot tools
       − AHS download, System Information, Integrated Management Log (IML) viewer
     • Robust Secure Boot implementation (*)
     • HP RESTful API for platform configuration settings
     • HP RESTful Interface tool
     (*) Only in UEFI Boot Mode
     Future functionalities:
     • UEFI Shell scripting environment
       − Platform configuration for BIOS, iLO and NIC, storage
       − Network boot support (deployment via Shell over network)
     • Additional pre-boot tools
       − AHS download, System Information enhancements
     • HTTP Boot (*)
     • iSCSI Boot (using SW initiator) (*)
  17. Secure Boot on HP ProLiant
  18. Secure Boot
     Industry Support
     • UEFI standard. Certification requirement for clients. Supported in Windows 2012.
     • Now fully supported by both community and enterprise Linux distributions.
     Functionality
     • All UEFI Option ROMs, OS boot loaders, and UEFI applications must be signed.
     • BIOS uses trusted public keys (embedded in the BIOS) to verify the above and will not execute them if the signature verification fails.
     • Creates a chain of trust. Improved solution over TCG Trusted Boot.
     • Some operating systems (SLES 11 SP3+ & RHEL7+) will also require kernel modules to be signed.
     • Once enabled, can only be disabled securely (RBSU or remote console to RBSU).
  19. Secure Boot: Enforcing Boot Policy (UEFI)
     [Diagram: chain from hardware (stores policy) to firmware, OS, middleware and application software; each stage validates the next one before transferring control]
     ● Each component in the chain is validated and authorized by the preceding one against a given policy before allowing its execution
     ● Secure Boot policy implementation can range from digital signatures (UEFI 2.3.1C) to preloaded hash values
     ● Secure Boot doesn't rely on TPM but on local DB
  20. Secure Boot Mechanisms
     Signing, by the creator:
     1. Run the driver or program through the hash function (SHA256) to obtain its hash
     2. Encrypt the hash using the signer's private key: the result is the signature
     3. Attach the signature and the signer's certificate to the program = digitally signed driver or program
     Verification, in the system:
     1. Run the program through the same hash function (SHA256)
     2. Decrypt the attached signature with the signer's public key and compare the result with the computed hash (hash =? hash)
     3. Check the local databases for the certificate. If the certificate is found and not revoked, run the UEFI executable
  21. Secure Boot Databases
     PK: Platform Key. Root key set to enable Secure Boot
     KEK: Key Exchange Key. List of certificates of owners with db, dbx update privilege
     db: List of allowed driver or application signers
     dbx: List of revoked signers
     SetupMode: 1 = in Setup Mode, 0 = PK is set (User Mode)
     SecureBoot: 1 = Secure Boot in force
     Notes:
     • Owner of certificates in KEK can update db, dbx (Microsoft and HP on ProLiant)
     • Owner of certificates in PK can update KEK (HP on ProLiant)
  22. Secure Boot on Linux: Ubuntu approach
     NOTE: Secure Boot supported after Ubuntu 12.10. Debian 7 does not support Secure Boot.
  23. Secure Boot on Linux: Fedora/Red Hat approach
     NOTE: Secure Boot supported after Fedora 18, RHEL 7, and after openSUSE 12.3 and SLES 11 SP3.
  24. Secure Boot on Linux: kernel module signing
     ● Generate a certificate/key pair (the subject must be given in openssl's "/CN=..." form):
       # openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout key.asc -out cert.der -outform der -nodes -days 4745 -subj "/CN=yourname"
     ● Sign the kernel module with the private key:
       # /usr/src/linux/scripts/sign-file sha256 key.asc cert.der e1000e.ko
     ● Load the public certificate into MOK or DB:
       # mokutil --import cert.der
     NOTE: Physical console access is required to enroll keys in DB or MOK.
  25. Secure Boot on Linux: boot sequence (courtesy of SUSE)
     • BIOS POST
     • Load signed option ROMs
     • Load signed shim.efi
     • Load signed grub.efi
     • Load signed vmlinuz kernel
     • Load signed kernel modules
  26. UEFI Shell Scripting Environment
  27. UEFI Shell overview
     HP ProLiant servers feature an embedded UEFI Shell
     • Pre-boot CLI environment for scripting
     • Embedded in the System BIOS
     • Can be used in both UEFI and Legacy BIOS boot modes
     Uses: configuration, FW updates, deployment, scripting, embedded (bare metal), troubleshooting
  28. UEFI embedded Shell enhancements
     • WebClient and FTP: for scriptable network transfers
     • SysConfig: platform configuration
     • SysInfo: collect system inventory
     • FWUpdate: for updating firmware components, including BIOS, NICs, and storage cards
     • RAMDisk: for provisioning temporary staging locations
     • Compress: to reduce data transferred over the network
     • Boot: seamless transition to other boot targets (such as a downloaded OS image) without the need for a reboot
     • IMLView: export the Integrated Management Log (IML)
     • AHS CLI: to download the Active Health Subsystem (AHS) data for service troubleshooting
  29. HP ProLiant UEFI Shell
     Scripting
     − echo, if / else / endif, shift, for / endfor
     − startup.nsh auto-start file similar to Autoexec.bat. Other scripts use the .nsh extension
     − Comma separated output (-sfo) that can be parsed using the parse command
     Files manipulation
     − Can read any FAT16 and FAT32 file system
     − Standard commands: md, rd, cd, cp/copy, del, dir/ls, attrib, alias, touch, setsize, comp, ver, vol
     − File editing (edit) and viewing (type)
     − And more: eficompress/efidecompress, date/time, timezone, set, etc.
     − Input/output redirection from/to consoles/files
     Troubleshooting
     − Dump hardware information: memmap, dmem, smbiosview, pci, drivers, devices, dh
  30. HP ProLiant UEFI Shell enhancements: sysconfig
     Configure any System BIOS / platform setting
     BIOS Configuration CLI
     • Get / set setting(s)
     • Get information: possible values, help text, default value, limits, etc.
     • Reset to defaults
     • Export / import settings to/from files (scriptable): both name/value text files and JSON
     Scriptable
     • Same name/value pairs used by other HP in-band and out-of-band services
     • JSON output compatible with other tools
     Extensible
     • Possible to extend in the future to device configuration
  31. HP ProLiant UEFI System Configuration UI
  32. HP ProLiant UEFI Firmware management UI
     • New pre-boot environment "look and feel"
     • Pre-boot configuration UI for platform settings and option cards
     • No longer prompted for configuration by option ROMs (storage, NIC, iLO, ...)
     • FwUpdate command to update firmware components such as BIOS ROM, NIC, ...
  33. HP UEFI Deployment Solution
  34. UEFI deployment
     • Possibility to use PXE (pxelinux has UEFI support)
       ● PXE problems: TFTP timeout, UDP packet loss, download and deployment times, security
       ● Alternative with iPXE not fully available under UEFI, forcing a switch to CSM
     • Possibility to use iLO virtual media, scripted URLs
       ● Slower than NIC
     • UEFI will provide HTTP Boot with the 2.5 specification
     • HP provides the HP UEFI Extended Network Stack
       ● HTTP DHCP boot of EFI file or ISO image from an EFI Network Bootstrap Program (NBP)
       ● Pre-configured boot of EFI file or ISO image from HTTP/FTP URL
       ● Embedded UEFI Shell script auto-execution from network without relying on local media or iLO virtual media
  35. HP UEFI extended Network Stack
  36. HP RESTful API
  37. HP ProLiant UEFI RESTful API
     • Programmatic interface with a public facing API
       ● Used by OneView,
       ● user-choice scripting tools,
       ● HP RESTful Interface tool (hprest).
     • Available in-band (iLO driver in the OS) and out-of-band (HTTPS to iLO, even if the server is down, thanks to auxiliary power)
     • Published schema/registry (all available values and configuration settings, dependencies, UI metadata, ...)
     • Supports UEFI and iLO as of now, NIC and storage in the future
     • Human readable data (JSON) with name/value pairs for all configuration settings
     • Enables customer scripting as well as a building block for HP tools
  38. HP ProLiant UEFI RESTful API
     [Diagram: the client talks over the HP RESTful Interface to the iLO HP RESTful Service, whose persistent store holds the default, staged and current settings; the UEFI BIOS is the provider of the available settings]
     1. RESTful client GETs BIOS settings
     2. RESTful client writes modified pending (staged) settings
     3. ...on next reboot...
     4. UEFI BIOS fetches pending settings
     5. UEFI BIOS adopts and publishes new settings
     • Ability to GET configuration information: current configuration, manufacturing defaults, user defined defaults.
     • Ability to PUT/PATCH desired settings.
     • UEFI pending settings take effect on reboot.
     • Status available.
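The staged-settings flow above, modelled as an added example that is neither HP's RESTful service nor the hprest tool; the registry entries, setting names and default values are constructed, and the point shown is that a PATCH only stages values validated against the published registry while the current settings change only when the BIOS adopts them at reboot.

```python
from copy import deepcopy

# Constructed attribute registry (the real one is published by the service):
# setting name -> permitted values.
REGISTRY = {
    "BootMode": {"Uefi", "LegacyBios"},
    "UefiShellStartup": {"Enabled", "Disabled"},
    "PowerProfile": {"BalancedPowerPerf", "MaxPerf", "MinPower"},
}
# Constructed manufacturing defaults.
MANUFACTURING_DEFAULTS = {"BootMode": "Uefi", "UefiShellStartup": "Disabled",
                          "PowerProfile": "BalancedPowerPerf"}

class BiosSettingsService:
    """iLO-side persistent store plus the UEFI BIOS provider that consumes it."""

    def __init__(self):
        self.current = deepcopy(MANUFACTURING_DEFAULTS)  # published by the BIOS
        self.user_defaults = {}                           # optional user-defined defaults
        self.pending = {}                                 # staged, applied at reboot
        self.status = {"last_reboot": None, "applied": {}}

    def get(self, resource="current"):
        """GET: current configuration, manufacturing/user defaults or pending."""
        views = {"current": self.current, "defaults": MANUFACTURING_DEFAULTS,
                 "userdefaults": self.user_defaults, "pending": self.pending}
        return deepcopy(views[resource])

    def patch(self, changes):
        """PATCH: validate each name/value pair against the registry and stage
        the valid ones; nothing changes in the running BIOS until reboot."""
        errors = {}
        for name, value in changes.items():
            if name not in REGISTRY:
                errors[name] = "unknown setting"
            elif value not in REGISTRY[name]:
                errors[name] = "invalid value, expected one of %s" % sorted(REGISTRY[name])
            else:
                self.pending[name] = value
        return {"staged": sorted(self.pending), "errors": errors}

    def reboot(self):
        """BIOS fetches the pending settings, adopts them and publishes the
        new current set; the staged store is cleared and status recorded."""
        applied = dict(self.pending)
        self.current.update(applied)
        self.pending.clear()
        self.status = {"last_reboot": "ok", "applied": applied}
        return applied
```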
  39. UEFI impact for customers
  40. Customer Impacts for UEFI Mode
     • Must configure PXE environment for UEFI
     • Must modify deployment scripts and OS images: maintain 2 environments
     • Legacy boot media will NOT boot
     • Option card support
     • Windows 2008 won't work "out of the box"
     • Boot order is more flexible (but more complex)
  41. Points to remember about HP ProLiant UEFI
     • Server will support Legacy Boot Mode and UEFI Boot Mode.
     • Boot configuration is far more flexible and complex in UEFI Boot Mode.
     • If Secure Boot is enabled, UEFI Option ROMs and OS boot loaders must be signed.
       − Disabled by default but can be enabled in Setup.
     • More options for restoring defaults
       − Restoring defaults does NOT erase UEFI variables.
       − Separate option for erasing UEFI variables.
     • The date and time are NOT modified when defaults are restored (default time zone is UTC)
  42. EMEA Solution Innovation Center, Grenoble: Workshop, PoC, Live demo, CoE
     Making the new style of IT a reality
     » 14+ years of success, world wide programs, including Cloud Center of Excellence, Big Data Center of Excellence, Open Source Solutions Initiative, RISC to HP Intel Architecture Migrations, NVF Center of Excellence, EMEA Networking Customer Visit Center and more
     » Complete IT (400+ systems, 3000+ network ports, 500+ TB storage)
     » Portfolio of 40+ ready to demo solutions with access to our ecosystem of partners
     » Complete test & validation environment
     » Strategic partnership with Intel, 14-year long standing collaboration
     » Strategic partnership with Red Hat, 7-year collaboration (OSSI)
     » A unique proof point in the industry with a proven service offering
     Mission: Accelerate the adoption of new and innovative solutions by creating simple and rewarding end-to-end customer experiences that benefit our customers and partners, in a compelling and engaging collaborative environment.
     ...more information available at http://www.hpintelco.net
  43. Contact - Thanks
     "Changes are never easy to make. There is comfort and safety in tradition, but change must come, no matter how painful or expensive it may be." Bill Hewlett
     Bruno.Cornec@hp.com (Open Source and Linux Technology Strategist at the HP Solution Innovation Center, EMEA)
     http://www.hp.com/linux
     http://opensource.hp.com
     Thanks go to: Linus Torvalds, Richard Stallman, Eric Raymond, Nat Makarevitch, René Cougnenc, Eric Dumas, Rémy Card, Bdale Garbee, Bryan Gartner, Craig Lamparter, Lee Mayes, Gallig Renaud, Andree Leidenfrost, Phil Robb, Bob Gobeille, Martin Michlmayr, Dong Wei, Samer El-Haj Mahmoud among others, for their work and devotion to the Open Source Software cause... and my family for their patience :-)
