openbmc-specific dynamic security scanner

Lee Fisher lee at preossec.com
Thu Mar 19 03:46:18 AEDT 2020


> [...] But the BMC itself is ARM [...]

Intel CHIPSEC team has expressed interest in accepting patches from
non-Intel systems.

I think there might be an issue for the first non-Intel ISA to try to
port CHIPSEC to their chip: CHIPSEC supports the public interfaces of
Intel systems, but may require an NDA to access equivalent info on some
systems. That might be why there's no AMD port.

ARM (Linaro) has been porting the Yocto-based LUV (Linux UEFI
Validation) distro, a test distro for UEFI vendors, which includes
CHIPSEC. They've not ported CHIPSEC yet, but they have expressed an
interest. Perhaps ARM-based OpenBMC and Linaro UEFI teams could share
resources and port CHIPSEC to ARM. A former Intel CHIPSEC team, now at
Eclypsium, did a quick port of parts of CHIPSEC to ARM, but never
upstreamed the patch; I think that may've caused Linaro to block on
attempting a CHIPSEC port.

Regardless of the complications, industry NEEDS to have a tool like
CHIPSEC on ALL processors -- CPUs or BMCs -- other non-Intel chip
vendors should have something similar. Maybe it makes sense to share
the same codebase as CHIPSEC, maybe it's simpler to have a new codebase
and duplicate some of the security tests.

FWIW, there's only 1 or 2 Intel business class laptops that pass all the
CHIPSEC security tests. All the others fail miserably, and the non-Intel
systems can't be tested. Having tests doesn't mean the vendors will do
anything about fixing their security issues. :-( Hopefully you can
incentivise your OpenBMC vendors to pass security tests.

> [...] A simple script may be okay initially[...]

There is a script that calls CHIPSEC to gather multiple things:

https://github.com/ANSSI-FR/chipsec-check