### Server platforms: experiment with your expensive hardware too!

Jeremy Kerr

jk@codeconstruct.com.au / @CodeConstruct



### Server platforms: experiment with break your expensive hardware too!

Jeremy Kerr

jk@codeconstruct.com.au / @CodeConstruct



### Servers?

| Compatible Product Series    | Intel® Xeon® Scalable Processors |
|------------------------------|----------------------------------|
| Board Form Factor            | SSI EEB (12 x 13 in)             |
| Chassis Form Factor          | Rack or Pedestal                 |
| Socket                       | Socket P                         |
| Integrated Systems Available | No                               |
| Integrated BMC with IPMI ?   | IPMI 2.0 & Redfish               |
| Rack-Friendly Board          | Yes                              |
| TDP ?                        | 205 W                            |

| n-Board Devices        |                                                                                                                                                                                                 |
|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SATA                   | SATA3 (6 Gbps)                                                                                                                                                                                  |
| IPMI                   | <ul> <li>Support for Intelligent Platform<br/>Management Interface v. 2.0</li> <li>IPMI 2.0 with virtual media over<br/>LAN and KVM-over-LAN<br/>support</li> <li>ASPEED AST2500 BMC</li> </ul> |
| Network<br>Controllers | <ul> <li>Provided via Ultra Riser Card</li> <li>1 Realtek RTL8211F PHY<br/>(dedicated IPMI)</li> </ul>                                                                                          |
| VGA                    | ■ ASPEED AST2500 BMC                                                                                                                                                                            |

|                                        | Onboard<br>Chipset      | Onboard Aspeed AST2500                                                                                           |
|----------------------------------------|-------------------------|------------------------------------------------------------------------------------------------------------------|
| Server<br>Management                   | AST2500 iKVM<br>Feature | 24-bit high quality video compression / Supports storage over IP and remote platform-flash / USB 2.0 virtual hub |
| ······································ | AST2500 IPMI<br>Feature | IPMI 2.0 compliant baseboard management controller (BMC)<br>/ 10/100/1000 Mb/s MAC interface                     |

# 

### "Server-style" functionality

Server

I/O (storage, network, console, ...)





Simpler interactions

More complex interactions

Simpler interactions

More complex interactions

Host manages platform HW
BMC remote power & console only

Simpler interactions

More complex interactions



Host manages most core functions BMC performs some HW management (eg cooling)

Simpler interactions

More complex interactions

BMC is required for core functions; heavy interactions with host

# AST2500?

- ARM system-on-chip
- ... plus hardware features for BMC functions

Embedded CPU 800MHz ARM11 800Mbps DDR3/1600Mbps DDR4 SDRAM SDRAM Memory 16-bit data bus width Up to 1G Byte ECC option Flash Memory SPI flash memory

aspeedtech.com/server\_ast2500/

BMC

## OS? Linux!

- with upstream kernel support!







### ok, but now what?











### BMC firmware?

#### kernel

aspeed\_g5\_defconfig

#### buildroot

```
BR2_arm=y
BR2_arm1176jz_s=y
BR2_TARGET_ROOTFS_CPI0=y
BR2_TARGET_ROOTFS_CPI0_XZ=y
```

### (optional) u-boot

github.com/openbmc/u-boot

BMC



### host firmware access



### host serial



#### host serial



Serial-over-LAN (SoL)

### host video



#### host video - remote



#### **Host** ↔ BMC interfaces

LPC/eSPI basic IO

PCIe video, DMA engine

**USB** BMC-endpoint devices

I<sup>2</sup>C On-chip peripherals

**GPIO** Arbitrary signalling

**PECI** Processor control (x86)

**FSI** Processor control (OpenPOWER)

#### LPC devices

0x3f8 Serial #1

0x2f8 Serial #2

0x80 POST codes

0xe4 BT: in-band IPMI

configurable LPC2AHB bridge

# wait, what?

```
LPC host ↔ BMC bus
```

**2** to

AHB internal BMC bus

#### LPC2AHB



#### CVE-2019-6260

"Gaining control of BMC from the host processor"



Single trust domain



Split trust domain



# be careful with hardware boundaries





## Example: x86 power control





1. BMC receives a request to power-on the host over IPMI/REST/etc



- 1. BMC receives a request to power-on the host over IPMI/REST/etc
- 2. BMC-internal state verification



- 1. BMC receives a request to power-on the host over IPMI/REST/etc
- 2. BMC-internal state verification
- 3. BMC deasserts power button GPIO



- 1. BMC receives a request to power-on the host over IPMI/REST/etc
- 2. BMC-internal state verification
- 3. BMC deasserts power button GPIO
- 4. BMC checks power-OK signal



- 1. BMC receives a request to power-on the host over IPMI/REST/etc
- 2. BMC-internal state verification
- 3. BMC deasserts power button GPIO
- 4. BMC checks power-OK signal
- 5. BMC checks for S3/S5 exit



- 1. BMC receives a request to power-on the host over IPMI/REST/etc
- 2. BMC-internal state verification
- 3. BMC deasserts power button GPIO
- 4. BMC checks power-OK signal
- 5. BMC checks for S3/S5 exit

# no magic required

(almost)

# OpenBMC

github/openbmc

## get experimentin'!

Simpler interactions

More complex interactions



#### Resources

- github/openbmc: OpenBMC platform
- buildroot: embedded system userspace
- Bus Pirate: i2c/SPI/UART/anything interface