{"id":4207,"date":"2016-10-31T10:06:41","date_gmt":"2016-10-31T00:06:41","guid":{"rendered":"https:\/\/www.flamingspork.com\/blog\/?p=4207"},"modified":"2016-10-31T10:06:41","modified_gmt":"2016-10-31T00:06:41","slug":"fast-reset-trusted-boot-and-the-security-of-sbinreboot","status":"publish","type":"post","link":"https:\/\/www.flamingspork.com\/blog\/2016\/10\/31\/fast-reset-trusted-boot-and-the-security-of-sbinreboot\/","title":{"rendered":"Fast Reset, Trusted Boot and the security of \/sbin\/reboot"},"content":{"rendered":"

In OpenPOWER land, we’ve been doing some work on Secure and Trusted Boot<\/a> while at the same time doing some work on what we call fast-reset<\/a> (or fast-reboot, depending on exactly what mood someone was in at any particular time…. we should start being a bit more consistent).<\/p>\n

The basic idea for fast-reset is that when the OS calls OPAL<\/a> reboot, we gather all the threads in the system using a combination of patching the reset vector and soft-resetting them, then cleanup a few bits of hardware (we do re-probe PCIe for example), and reload & restart the bootloader (petitboot<\/a>).<\/p>\n

What this means is that typing “reboot” on the command line goes from a ~90-120+ second affair (through firmware to petitboot, linux distros still take ages to shut themselves down) down to about a 20 second affair (to petitboot).<\/p>\n

If you’re running a (very) recent skiboot, you can enable it with a special hidden NVRAM configuration option (although we’ll likely enable it by default pretty soon, it’s proving remarkably solid). If you want to know what that NVRAM option is… Use the source, Luke! (or git history, but I’ve yet to see a neat Star Wars reference referring to git commit logs).<\/p>\n

So, there’s nothing like a demo. Here’s a demo with Ubuntu<\/a> running off an NVMe drive on an IBM S822LC for HPC (otherwise known as Minsky or Garrison) which was running the HTX<\/a> hardware exerciser, through fast-reboot back into Petitboot<\/a> and then booting into Ubuntu<\/a> and auto-starting the exerciser (HTX<\/a>) again.<\/p>\n

https:\/\/www.flamingspork.com\/blog\/wp-content\/uploads\/2016\/10\/fast-reboot-128.webm<\/a><\/video><\/div>\n

Apart from being stupidly quick when compared to a full IPL (Initial Program Load – i.e. boot), since we’re not rebooting out of band, we have no way to reset the TPM, so if you’re measuring boot, each subsequent fast-reset will result in a different set of measurements.<\/p>\n

This may be slightly confusing, but it’s not really a problem. You see, if a machine is compromised, there’s nothing stopping me replacing \/sbin\/reboot with something that just prints things to the console that look<\/strong> like your machine rebooted but in fact left my rootkit running. Indeed, fast-reset and a full IPL should<\/em> measure different values in the TPM.<\/strong><\/p>\n

It also means that if you ever want to re-establish trust in your OS, never<\/strong> do a reboot from the host – always reboot out of band (e.g. from a BMC).<\/strong> This, of course, means you’re trusting your BMC to not be compromised, which I wouldn’t necessarily do if you suspect your host has been.<\/p>\n","protected":false},"excerpt":{"rendered":"

In OpenPOWER land, we’ve been doing some work on Secure and Trusted Boot while at the same time doing some work on what we call fast-reset (or fast-reboot, depending on exactly what mood someone was in at any particular time…. … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[1,570,588,615],"tags":[708,709,636,569,568,710,426,711,55],"class_list":["post-4207","post","type-post","status-publish","format-standard","hentry","category-general","category-ibm-work-et-al","category-opal","category-powerpc","tag-fast-reset","tag-htx","tag-opal","tag-petitboot","tag-power8","tag-reboot","tag-security","tag-trusted-boot","tag-ubuntu"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p5a6n8-15R","jetpack-related-posts":[{"id":3940,"url":"https:\/\/www.flamingspork.com\/blog\/2015\/02\/03\/building-openpower-firmware-for-use-in-power8-simulator\/","url_meta":{"origin":4207,"position":0},"title":"Building OpenPower firmware for use in POWER8 Simulator","author":"Stewart Smith","date":"2015-02-03","format":false,"excerpt":"Previously, I blogged on how to Run skiboot (OPAL) on the POWER8 Simulator. If you want to build the full Open Power firmware environment, including the Petitboot bootloader and kernel, you can now do so! My pull request for an op-build target for the simulator has been merged, so you\u2026","rel":"","context":"In "code"","block_context":{"text":"code","link":"https:\/\/www.flamingspork.com\/blog\/category\/code\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":4072,"url":"https:\/\/www.flamingspork.com\/blog\/2016\/06\/20\/building-opal-firmware-for-power9\/","url_meta":{"origin":4207,"position":1},"title":"Building OPAL firmware for POWER9","author":"Stewart Smith","date":"2016-06-20","format":false,"excerpt":"Recently, we merged into the op-build project (the build scripts for OpenPOWER Firmware) a defconfig for building OPAL for (certain) POWER9 simulators. I won't bother linking over to articles on the POWER9 chip or schedule (there's search engines for that), but with this commit - if you happen to be\u2026","rel":"","context":"In "IBM"","block_context":{"text":"IBM","link":"https:\/\/www.flamingspork.com\/blog\/category\/work-et-al\/ibm-work-et-al\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3912,"url":"https:\/\/www.flamingspork.com\/blog\/2014\/12\/03\/running-skiboot-opal-on-the-power8-simulator\/","url_meta":{"origin":4207,"position":2},"title":"Running skiboot (OPAL) on the POWER8 Simulator","author":"Stewart Smith","date":"2014-12-03","format":false,"excerpt":"skiboot is open source boot and runtime firmware for OpenPOWER. On real POWER8 hardware, you will also need HostBoot to do this (basically, to make the chip work) but in a functional simulator (such as this one released by IBM) you don't need a bunch of hardware procedures to make\u2026","rel":"","context":"In "code"","block_context":{"text":"code","link":"https:\/\/www.flamingspork.com\/blog\/category\/code\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3991,"url":"https:\/\/www.flamingspork.com\/blog\/2015\/08\/28\/running-opal-in-qemu-the-powernv-platform\/","url_meta":{"origin":4207,"position":3},"title":"Running OPAL in qemu – the powernv platform","author":"Stewart Smith","date":"2015-08-28","format":false,"excerpt":"Ben has a qemu tree up with some work-in-progress patches to qemu to support the PowerNV platform. This is the \"bare metal\" platform like you'd get on real POWER8 hardware running OPAL, and it allows us to use qemu like my previous post used the POWER8 Functional Simulator - to\u2026","rel":"","context":"In "IBM"","block_context":{"text":"IBM","link":"https:\/\/www.flamingspork.com\/blog\/category\/work-et-al\/ibm-work-et-al\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":4522,"url":"https:\/\/www.flamingspork.com\/blog\/2019\/12\/14\/booting-temporary-firmware-on-the-raptor-blackbird\/","url_meta":{"origin":4207,"position":4},"title":"Booting temporary firmware on the Raptor Blackbird","author":"Stewart Smith","date":"2019-12-14","format":false,"excerpt":"In a future post, I'll detail how to build my ported-to-upstream Blackbird firmware. Here though, we'll explore booting some firmware temporarily to experiment. Step 1: Copy your new PNOR image over to the BMC.Step 2: ...Step 3: Profit! Okay, not really, once you've copied over your image, ensure the computer\u2026","rel":"","context":"In "cool gadgets"","block_context":{"text":"cool gadgets","link":"https:\/\/www.flamingspork.com\/blog\/category\/cool-gadgets\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.flamingspork.com\/blog\/wp-content\/uploads\/2019\/12\/Screenshot-from-2019-12-14-09-59-38.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.flamingspork.com\/blog\/wp-content\/uploads\/2019\/12\/Screenshot-from-2019-12-14-09-59-38.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.flamingspork.com\/blog\/wp-content\/uploads\/2019\/12\/Screenshot-from-2019-12-14-09-59-38.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":4544,"url":"https:\/\/www.flamingspork.com\/blog\/2020\/02\/01\/another-close-to-upstream-blackbird-firmware-build\/","url_meta":{"origin":4207,"position":5},"title":"Another close-to-upstream Blackbird Firmware Build","author":"Stewart Smith","date":"2020-02-01","format":false,"excerpt":"A few weeks ago (okay, close to six), I put up a firmware build for the Raptor Blackbird with close-to-upstream firmware (see here). Well, I've done another build! It's current op-build (as of this morning), but my branch with patches for the Raptor Blackbird. The skiboot patch is there, as\u2026","rel":"","context":"In "OPAL"","block_context":{"text":"OPAL","link":"https:\/\/www.flamingspork.com\/blog\/category\/opal\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.flamingspork.com\/blog\/wp-json\/wp\/v2\/posts\/4207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.flamingspork.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.flamingspork.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.flamingspork.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.flamingspork.com\/blog\/wp-json\/wp\/v2\/comments?post=4207"}],"version-history":[{"count":2,"href":"https:\/\/www.flamingspork.com\/blog\/wp-json\/wp\/v2\/posts\/4207\/revisions"}],"predecessor-version":[{"id":4245,"href":"https:\/\/www.flamingspork.com\/blog\/wp-json\/wp\/v2\/posts\/4207\/revisions\/4245"}],"wp:attachment":[{"href":"https:\/\/www.flamingspork.com\/blog\/wp-json\/wp\/v2\/media?parent=4207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.flamingspork.com\/blog\/wp-json\/wp\/v2\/categories?post=4207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.flamingspork.com\/blog\/wp-json\/wp\/v2\/tags?post=4207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}