openbmc-specific dynamic security scanner

Joseph Reynolds jrey at
Wed Mar 18 06:57:06 AEDT 2020

On 3/17/20 1:20 PM, Lee Fisher wrote:
> On 3/17/20 8:01 AM, Joseph Reynolds wrote:
>> [...] And I am looking for your feedback.
> Perhaps, instead of creating a new OpenBMC-centric security tool, add
> OpenBMC-centric tests to an existing firmware security testing tool.
> IMO, there are basically two existing firmware security tools, FWTS and
> FirmWare Test Suite (FWTS) is from Canonical to run diagnostics (not
> necessarily security-centric) to see if a system (HW/FW) is capable of
> running an OS. Runs on multiple ISAs. Has security tests, but not
> security-centric. Probably has the best set of ACPI tests available,
> recommended by UEFI Forum for PC vendors doing ACPI testing. GPL C codebase.


Thanks for responding.

The tests I am proposing are specifically for OpenBMC firmware features, 
not for its hardware or platform features.  So I don't the fwts suite is 

> CHIPSEC is a firmware security-centric tool from Intel. It has existing
> security checks that OpenBMC could use. Main downside -- IMO -- is that
> it only works on Intel hardware, no support for
> AMD/ARM/RISC-V/POWER/etc. GPL Python codebase with a bit of asm.

I've been advised before to use CHIPSEC, but my use case is OpenPOWER, 
and I want this work to be accessible to everyone.
I would be okay if someone else to incorporate the checks I want check 
into CHIPSEC, but I don't think I could use the results.

- Joseph
> HTH,
> Lee
> blog:

More information about the openbmc mailing list