
Bringing Linux back to server boot ROMs with NERF and Heads


Automated media analysis

Speech transcript
it and and and 1 of the the and the so what do you think and because it wants to replace this closed source firmware it openly Linux both person and our next speaker Trammell Hudson and he's an integral part of the project and he's here to provide an overview of this LinuxBoot project. Thank very much and please give a warm round of applause examined to future time. Securing the boot process is really fundamental to having no task assistance because of the is it that the vulnerabilities in firmware can affect any of the security that the operating system tries to provide, and for that reason I think it's really important that we replace the proprietary vendor firmware with open source like Linux. This is not a new idea: my collaborator Ron Minnich
started a project called LinuxBIOS back in the nineties when he was at Los Alamos National Labs. They built the world's 3rd fastest supercomputer out of a Linux cluster that used LinuxBIOS in the ROM to make it more reliable. LinuxBIOS turned
into coreboot in 2005, and the Linux part was removed and it became a generic bootloader. It now powers the Chromebooks as well as projects like the Heads slightly more secure laptop firmware that I presented last year at CCC. Unfortunately it doesn't support any server mainboards anymore. Most servers are
running a variant of Intel's UEFI firmware, which is about a given that Intel started to replace the so aging 16 bit real mode BIOS of the eighties and nineties, and
like a lot of second systems it's pretty complicated. If you've been to any talks on security you've probably seen this slide before. It goes through multiple phases as the system boots. The 1st phase does a cryptographic verification of the pre-EFI initialization phase. The PEI phase is responsible for bringing up the memory controller, the CPU interconnect and a few other critical devices. It also enables paging and long mode and then jumps into the device execution environment, the DXE phase. This is where UEFI option ROMs are executed as well as all of the remaining devices are initialized. Once the PCI bus and USB busses have been enumerated it transfers to the boot device selection phase, which figures out which disk or stick USB stick or network to boot from the that would say from that device, which eventually loads the real operating system, which is the operating system running on the machine. What we're proposing here is that we replace all of this
with the LinuxBoot kernel and runtime. We can do all of the device enumeration in Linux, it already has support for doing this, and we can use more sophisticated protocols and tools to locate the real kernel that we want to run, and use the kexec system call to be able to start that new kernel. And the reason that
we want to use Linux here because it gives us the ability to have a more secure system, it gives us a lot more flexibility, and hopefully it lets us create a more resilient system out of it. On the security front 1 of the big areas that
we get some benefit is we reduce the attack surface. In the DXE
phase these drivers are an enormous amount of code. On the Intel
S2600 there are over 400 modules that get loaded. They do things like the option ROMs I mentioned, and if you want 1 example of how dangerous option ROMs can be you can look at my Thunderstrike talks from a few years ago. They also do things like displaying the boot splash, the vendor logo, and this has been a place where quite a few buffer overflows have been found in the different firmwares in the past. They have a complete network stack of IPv4 and v6 as well as HTTP and HTTPS. They have legacy device drivers for things like floppy drives, and again these dusty corners are where vulnerabilities in Xen have been found to be the rise a break. There are also modules like the Microsoft OEM activation that we just don't know what they do, or things like a Y2K rollover module that probably hasn't been tested in 2 decades. The to
the final OS bootloader phase section a part of UEFI but it's typically in Linux systems GRUB, the grand unified bootloader, and no
many of you are probably familiar with its interface, but did you know that it has its
own file system, video and network drivers? That's almost 250 thousand lines of code that make up GRUB. I don't bring up the size of this to complain about the space it takes but because of how much it increases our attack surface. You might
think that having 3 different operating systems involved in this process gives us defense in depth, but I would argue that we're subject to the weakest link in this chain: if you can compromise UEFI you can compromise GRUB, if you can compromise GRUB you can compromise the Linux kernel that you want to run on the machine. So then there are lots of
ways these attacks could be launched. As I mentioned, UEFI has a network device driver, GRUB has a network device driver, of course Linux has a network device driver. This means that a remote attacker could potentially get code execution during the boot process.
UEFI has a flat file system driver city has a USB driver, GRUB has a USB driver, of course Linux has a USB driver. There have been bugs found in USB stacks, which where signatures are very complex, and a buffer overflow in a USB descriptor handler could allow a local attacker to plug in a device and take control of the firmware during the boot.
Of course UEFI has a FAT driver, GRUB has a FAT driver, Linux has a FAT driver. This gives an attacker a place to gain persistence and perhaps leverage code execution during the initial file-system or partition walk. So what we argue is that
we should have the operating system that has the most contributors and the most code review and the most frequent updates petrol for these roles. Linux has a lot more eyes on it, it undergoes a much more rapid than did special thing but it prevention even the firmware.
You might ask why do we keep the PEI and the SEC phase from the UEFI firmware, could we use and in in this place. The problem is that vendors are not documenting the memory controller or the CPU interconnect. Instead they're providing
opaque binary blobs called the firmware support package, or FSP, that does the memory controller and the CPU initialization. On most
coreboot systems, on most modern coreboot systems, coreboot actually calls into the FSP to do this initialization, and on a lot of the devices the FSP has grown in scope so it now includes video device drivers and power management, and it's larger than the PEI phase on some of the servers that we're dealing with. The other wrinkle is that most modern CPUs don't come out of reset into the legacy reset vector anymore. Instead they execute an authenticated code module called Boot Guard that's signed by Intel, and the CPU will not start up if that's not present. The good news is that this Boot Guard ACM measures the PEI phase into the TPM, which allows us to detect attempts to modify it from malicious attacks. The bad news is that we are not able to change it on many systems. But even with that in place we
still have a much, much more flexible system. If you've ever worked with the UEFI
shell or with GRUB's menu config, it's really not as flexible, the tooling is not anywhere near as mature
as you would writing things with shell scripts or with Go or 3 languages.
yeah it is showing we can configure the kernel with standard Linux config tools. UEFI supports booting from FAT file systems, but what makes that we can boot from any of the hundreds of file systems that Linux supports. We can boot from encrypted file systems since we have LUKS and cryptsetup. Most UEFI firmwares can only boot from the network device that is installed on the server motherboard; we can boot from any network device that Linux supports, and we can use proper protocols, we're not limited to PXE and TFTP, we can use SSL, we can do cryptographic measurements of the kernels that we receive. The
runtime that makes up LinuxBoot is also very flexible. Last year I presented the Heads runtime for laptops. This is a very focused initial RAM disk that attempts to provide a slightly more secure, measured and attested firmware, and this works really well with LinuxBoot. My collaborator Ron
Minnich is working on based framework called and this is written entirely in
just-in-time compiled Go, which is really nice because it gives you memory safety and is very popular inside Google. Being able to tailor the device drivers that are included also allows the system to boot much faster. UEFI on the Open Compute Winterfell takes 8 minutes to start up. With the NERF is a with that little excluded NERF it starts in 20 seconds. I found similar results on the Intel mainboard that I'm working on, and I hope they will get a video the
this in action. This is from power on; it executes the PEI phase out of the ROM and jumps into a small wrapper around the Linux kernel, which then prints to the serial port, and we now have felt that would explain case the we in interactive shell in about 20 seconds, which is quite a bit better than the 4 minutes that the system used to take. It scrolled by pretty fast
but you might have noticed that the case this list of thinks it's under UEFI. Suppose we have a small wrapper around the kernel, but for the most part the kernel is able to do all of the PCI and device enumeration it needs to do, it already does it since it doesn't trust the vendor BIOSes in a lot of cases.
So I'm really glad that Congress has added a track on technical resiliency, and I would
encourage Congress to add a track on resiliency of our social systems. It's truly vital that we can deal with online and offline harassment, and I think that that will help us make a safer and more secure Congress as well.
And so last year when I presented Heads I
proposed 3 criteria for any resilient technical system: that they need to be built with open source software, they need to be reproducibly built, and they need to be measured in the central cryptographic hardware. The open is, yeah, I think that this guy is is not controversial, but
the reason that we need it is because a lot of the server vendors don't actually control their own firmware; they license it from independent BIOS vendors who then tailor it for whatever current model of machine the manufacturer is making. This means that they typically don't support older hardware, and if there are vulnerabilities it's necessary that we are able to make these patches on our own schedule, and we need to be able to self-help when it comes to our own security. The other problem is that
closed source systems can hide vulnerabilities for decades. This is especially true for very privileged devices like the management engine. There have been several talks here at Congress about the concerns that we have with the management engine.
Some vendors are even violating our trust entirely and using their place in the firmware to install malware and adware onto the systems. So for this reason we really need to have our own control over this firmware. The reproducibility
is becoming much more of an issue
and the goal here is to be able to ensure that everyone who builds the LinuxBoot firmware gets exactly the same result that everyone else does. This is a requirement to be able to ensure that we're not introducing accidental vulnerabilities through picking up the wrong library, or intentional ones through compiler supply chain attacks such as Ken Thompson's Trusting Trust article. With
the LinuxBoot firmware our kernel and initial RAM disk are reproducibly built to be exactly the same hashes. On the firmware a partially we control the UEFI portions of reason that the PEI and SEC phase so there's got included in our reproducibility right now. The measured it is
another place where we need to take into account the runtime security of the system. So reproducible builds handle the compile-time, but measuring
what's running into cryptographic coprocessors like the TPM gives us the ability to make attestations as to what is actually running on the system. On the Heads firmware we
do this to the user: the firmware can produce a one-time secret that you can compare against your phone to know that it has not been tampered with. In the server case it uses remote attestation to be able to prove to the user that the code that is running is what they
expect. This is a collaboration with the Mass Open Cloud project out of Boston University in 1980 that is attempting to provide a hardware root of trust for the servers so that you can know that a cloud provider has not tampered with your system. The TPM is not
invulnerable, as Chris Tarnovsky defined at the level of effort that it takes to break into a TPM, to decap it and to read out the bits with a microscope, raises the bar really significantly. But part of resiliency is making honest trade-offs about security threats versus the difficulty in launching attacks, and if the TPM prevents remote attacks or prevents software-only attacks, that is a sufficiently high bar for a lot of these applications. We have quite a bit
of ongoing research with this
but as I mentioned, the management engine is an area of great concern and we are working on figuring out how to remove most of its capabilities so that it's not able to interfere with the running system. There's another device in
most server motherboards called the board management controller, the BMC, that has a similar level of access to memory and devices so will internal which went on there and this
project out of Facebook called OpenBMC that is an open-source Linux distribution to run on that coprocessor, and what Facebook has done through the Open Compute initiative is to have their OEMs installing that on the new Open Compute nodes, switches and storage systems, and this is really where we need to get with LinuxBoot as well. Right now it
requires physical access to the SPI flash and a hardware programmer to be able to install. That's not a hurdle for everyone, but this is not something that we want people to be doing in the server, and we want OEMs to be providing these systems secure by default so that it's not necessary to break out your euro jet clip to make this happen. But if you do want to
contribute, right now we support 3 different mainboards: the Intel S2600, which is a modern it will pass city of; the Mass Open Cloud is working with the Dell R630, which is a it has well I believe; in long an edge in a summary of work in on the Open Compute hardware. This is again, in conjunction with OpenBMC, a real potential for having free software in our firmware again. So if you'd like more
info, we have a website to solid structions time and we'd love to help you build more secure, more flexible and more resilient systems would what data when the commute led overlooked as request and so you might have a few. Thank you very much for this talk. We have 10 minutes for Q&A so please line up at the microphones if you have any questions. There are no questions from the signal angel and the internet, so please, microphone number 1. Of sort work with questions to sigma using this for you the internal systems and the how much of and the outer reaches of embedded to try and make this beyond just the Open Compute but also a lot of foreigners stood out. Currently we don't have any deployed systems that take advantage of it and it's still very much at the research stage. What I've been spending quite a bit of time as you know we understand when Michaels between 18 is to have the mainstream million ship in at, and the Heads project is shipping firmware on some laptops from Lieberman, and I'm hoping that we can get LinuxBoot on servers as well. Microphone number 2 please. The question I have is about the size of the next. So you mentioned that there's problems with UEFI and it's not open source and stuff like that, but the issue of you mentioned that is that the main part of UEFI is the EDK, which is open source, and then some, I mean I just have to guess that the pieces clients and stuff that they have in in the upper would I assume was is for downloading the firmware, but how is replacing something that's huge with something that's even bigger going to make this more secure? Because I think the whole point of having secured the crown was to have a really small to be verifiable and I don't see that happening with Linux, because at the same time people are coming up with other things, I don't remember the other hypervisor which is supposed to be better than KVM
because KVM is not really verifiable. So that the degree western that the concern is that Linux is a huge TCB, a trusted computing base, and that is the concern of 1. Since we're already running Linux on the server it essentially is inside our TCB already, so it is large, it is difficult to verify. However the lessons that we learned in porting Linux to run in this environment, they can also vary that conceivable that we could build other systems. If you want to use a certified to me and have verified microkernel, there would be a great place to bring that into the firmware, and I'd love to figure out some way to make that happen. And the 2nd question, just as I I that even though EDK2, which is the open source components of UEFI, are open source, there's a huge amount of closed source that goes into building a firmware that we can verify the closed-source part, and even the open source parts don't have the level of inspection and correctness that the Linux kernel has gone through, and Linux systems that are exposed on the Internet. Most of the UEFI development is not focused on that level of defense that Linux has to deal with every day. Microphone number 2 please. That people would be possible also to support the apart from servers as to support model especially the 1 level down by go. So the issue with that require a lot is that the CPU fuses are typically set in what's called a verified boot mode, and that will not at the Boot Guard ACM if the firmware does not match the manufacturer's hash, so this doesn't give us any way to circumvent that. Most server chipsets are set in what's called measured boot mode, so the Boot Guard ACM just measures the next stage into the TPM and jumps into it, so if an attacker has modified the firmware you'll be able to detect it during the attestation phase.
Microphone number 1 please. Just some question, thank you. On ARM, in theory it's much faster to boot something from which in basal so much simpler, you have an address you would've been fired and boots our on heating the much more complex and the amount of code a youth always program relates to that. My question: I've seen or in the Board's Cortex 8 booting in 4 seconds just to get the shell and 6 seconds together to to be sold in childhood acute he to do with the support for car full 5 to 6 seconds. So I'm wondering why is there such a big difference in the force over a true to take 20 or 22 seconds, is it the profiles that need to be initialized, or what's the reason for it? So there's several things that contribute to the 20 seconds, and 1 of the things that we're looking into is trying to profile that, and we were able to swap out the PEI for internal of debugging, and what I've seen on the Dell system, a lot of the time is spent waiting for the management engine to come online, and then there's also, it appears to be, a 1 second timeout for every CPU in the system, that they bring CPUs on 1 at a time and it takes precisely, you know, 1 million microseconds for each 1. So there are things in the vendor firmware that we currently don't have the ability to change that appear to be the long pole in the tent on the process. Microphone 4 in the back please. You will address the lot about security. My question is rather than the model settings, for example by others there's so do you for settings, and there's stuff like remote doing, which is hold on for of protocols, proprietary stuff, and stuff that's really hard to handle if you have a large installation, for example you can't say OK, deploy all of my and all of us all the BIOS settings. But I going to address that in some unified nice way where can say OK, you have this 1 protocol that run for my the firmware
that does that nicely? This that say exactly how it's done, the sites will deploy it, that they will write their own bootstraps that use it to traditional which we use normal protocols. So in the Mass Open Cloud they're doing a wget over SSL that can then measure the received kernel into the TPM and kexec that image, without requiring changes to find even variables. All the sort of setup that you have to put into a UEFI system can be replaced with a very small shell script. We have time for 1 last question, and this is from the signal angel because the Internet has a question. Just inference because those 2 worries simple technical questions: do you know if there's any progress will be no funny lady days on the Talos II project, and are there any size concerns when writing firmware in Go? The Talos II project is a POWER based system and right now we're mostly focused on the x86 servers, that's very mainstream available sort of boards. And the Go firmware is actually quite small. I've done most of the work on the Heads side, which is this 1 shell scripts; my understanding is that the just-in-time compiled Go does not add more than a few hundred kilobytes to the ROM image and only a few hundred milliseconds to the boot time. The advantage of Go is it is memory safe and it's an actual programming language, so it allows the initialization scripts to be verified in a way that shell scripts can be very difficult to deal. So thank you very much single these questions, please give a warm round of applause to determine what to do life

Metadata

Formal metadata

Title Bringing Linux back to server boot ROMs with NERF and Heads
Series title 34th Chaos Communication Congress
Author Hudson, Trammell
License CC Attribution 4.0 International:
You may use and modify the work or its content for any legal purpose, and reproduce, distribute and make it publicly available in unchanged or modified form, provided that you credit the author/rights holder in the manner they specify.
DOI 10.5446/34852
Publisher Chaos Computer Club e.V.
Release year 2017
Language English

Content metadata

Subject area Computer science
Abstract The NERF and Heads projects bring Linux back to the cloud servers' boot ROMs by replacing nearly all of the vendor firmware with a reproducible built Linux runtime that acts as a fast, flexible, and measured boot loader. It has been years since any modern servers have supported Free Firmware options like LinuxBIOS or coreboot, and as a result server and cloud security has been dependent on unreviewable, closed source, proprietary vendor firmware of questionable quality. With Heads on NERF, we are making it possible to take back control of our systems with Open Source Software from very early in the boot process, helping build a more trustworthy and secure cloud.
Keywords Resilience
