From 2021 to 2022, our team of developers thrived, contributing to firmware projects. Our primary focus revolved around coreboot, a firmware framework we have worked with since 2015. We also dedicated efforts to the advancement of fwupd and flashrom, contributed to overall improvements in firmware update ecosystems. Our dedication to platform security didn’t stop there — we actively developed Trenchboot, enabling dynamic integrity measurements for platform software components. And let’s not forget involvement in the intricate world of Yocto, where we left our mark on various Yocto layers.
In addition to contributing to these open-source projects, our team is also passionate about promoting the benefits of open-source software, like greater transparency, flexibility, and security. Those characteristics are critical to keeping closed-source software accountable. By contributing to these projects and advocating for open-source software, we aim to foster a culture of collaboration and innovation in the technology industry. We are committed to positively impacting the community through our work, and we look forward to continuing our open-source contributions in the future.
Our Valued Contributors
To begin with, we want to express our appreciation for the dedicated efforts of our contributors, who persistently endeavor to improve many open-source projects:
- Michał Żygowski
- Sergii Dmytruk
- Karol Zmyslowski
- Krystian Hebel
- Yaroslav Kurlaev
- Kacper Stojek
- Michał Kopeć
- Norbert Kamiński
- Tomasz Żyjewski
- Cezary Sobczak
- Maciej Pijanowski
Significant Updates and Features
coreboot is an open-source firmware that provides a lightweight, secure, and fast boot experience for PCs, laptops, servers, and embedded devices. In that time frame, we contributed over 150 patches adding 12k SLOC and removing over 38k SLOC. It would be tough to mention every possible contribution or even list those patches, so we choose to group those and highlight the most important one:
- inteltool extension with modern architecture support - we added support for Tiger Lake, Elkhart Lake and Alder Lake P chips detection and GPIOs. Those changes should simplify further work on porting new mainboards supporting mentioned microarchitectures to coreboot.
- Support for Intel Alder Lake - we added support for Intel Alder Lake P and S SoC, as patch series concerning GPIO definitions for PCH-S, ADL-S devices, support for HSPHY firmware loading and many other features of this Intel microarchitecture.
- TPM TCG log format support - we redesigned TPM API and made CRTM log format agnostic, what required a couple of other patches ([1],[2],[3]) to clean up.
- We added support for MSI Z690, Dell Precision T1650 and QEMU POWER9 mainboard.
We described the most recent coreboot contributions in detail in the 4.20 release blog post. If you want to improve your devices' security while reducing your dependence on proprietary firmware, you could benefit from using coreboot. We can also help you reduce time-to-market by simplifying the firmware development process. As well, if you want user-friendly and well-documented firmware, then coreboot-based Dasharo firmware is a solution for you.
fwupd is an open-source daemon that manages the firmware updates of various devices. You will surely benefit from using fwupd if you are interested in automating the firmware update process on your devices and reducing the risk of security vulnerabilities by keeping your firmware up to date.
Changes to fwupd can be divided into several areas:
-
Support for Qubes OS - The biggest challenge when updating firmware in the case of Qubes OS is the hard separation of the hardware layer from the network layer. Hence, to update the firmware, it is necessary to download the update in a virtual machine that has access to the network and then verify and pass the files to the virtual machine administrating the system (DOM0), which for security reason has no network access. Initially fwupd had no support for such update model changes we developed address that problem and allow firmware updates from within reasonably secure operating systems. Norbert Kamiński was responsible for these changes.
-
Support for FreeBSD - These changes made it possible to open fwupd to the group of BSD operating systems. BSD operating systems are often used in networking applications (routers, firewalls etc.) These changes lay the groundwork for supporting fwupd in networking applications. Details were described in our earlier blog posts. These changes were worked on by Michał Kopeć, Sergii Dmytruk, and Norbert Kamiński.
-
flashrom support for TUXEDO laptops - These changes were tied to firmware and EC updates. Thanks to them, owners of TUXEDO laptops may enjoy a simple and intuitive firmware update on their hardware.
Our team can help you seamlessly integrate into the fwupd ecosystem across a variety of platforms and operating systems. Say goodbye to clunky update processes and hello to a streamlined, hassle-free experience with fwupd!
Contribution details - fwupd
- Sergii Dmytruk (29):
- plugins/flashrom: manage flashrom context at plugin level
- plugins/flashrom: create separate device for ME region
- plugins/flashrom: enable for 2 Tuxedo laptops
- plugins/flashrom: add flashrom-specific GUIDs
- plugins/flashrom/fu-flashrom-device.c: create layout on open
- plugins/flashrom: make region we’re flashing a property
- plugins/intel-spi: mark ME region device locked if it’s RO
- plugins/superio: don’t leak chiplet property of device
- trivial: plugins/superio: include prj_name in IT55’s to_string
- fu-util: pull device flags after unlocking
- trivial: libfwupd,libfwupdplugin: fix typos in several comments
- trivial: plugins/superio: don’t add same flag twice
- Add support for SuperIO IT5570
- Load hwinfo on fwupdtool firmware-dump command
- Switch from sysctl to ioctl for ESRT on FreeBSD
- Depend on libefivar in uefi-capsule
- Corrections for fu-efivar-freebsd.c
- Fix formatting in fu_common_get_block_devices ()
- Fix two off-by-one errors in uefi-capsule plugin
- Correct error msg in fu_common_get_block_devices
- Handle bsdisks' UDisks2 implementation on FreeBSD
- Fix formatting in fu_common_get_block_devices ()
- Fix two off-by-one errors in uefi-capsule plugin
- Correct error msg in fu_common_get_block_devices
- Improve error message in fu-uefi-backend-freebsd
- Don’t fail if memfd_create() is not available
- Handle missing defaults in fu-uefi-devpath.c
- Branch explicitly per OS type
- Include <efivar-dp.h> explicitly
- Norbert Kamiński (24):
- qubes: Add qubes-fwupdmgr.py to src folder and…
- trivial: contrib/qubes: Delete test for unexisting method
- fwupd.spec.in: Drop fwupd_usbvm_validate.py from qubes-vm package
- trivial: contrib/qubes: Add missing import
- qubes/src/heads: Update Heads versioning
- qubes/test/fwupdmgr: Update cabinets checksums and URLs
- contrib/README.md: Fix Qubes related Docker commands
- fu-uefi-common.h: Fix efivar compatibility with FreeBSD
- freebsd/Makefile: Disable gudev based plugins
- Revert “trivial: Disable FreeBSD CI again”
- main.yml: Install protobuf-c as fwupd dependency in the FreeBSD job
- main.yml: Bump GitHub Action freebsd-vm
- Revert “trivial: Disable the FreeBSD CI action as it’s been failing f…
- build_freebsd_package.sh: Build package with generated pkg-plist
- freebsd-ci: Change FreeBSD artifact extension
- Add FreeBSD package to the CI matrix
- meson.build: Change python version check order
- fu-smbios.c: Add kenv support
- fu-tool.c: Use traditional UNIX record locks if OFD is not available
- fu-engine.c: Fix undeclared variable for *BSDs builds
- fwupd port for BSD distros
- libxmlb.wrap: Bump revision
- contrib/qubes: Add Qubes wrapper source and create packages
- contrib/README.md: Update instructions for distribution packages
- Michał Kopeć (4):
If you’re looking for a tailored Linux-based operating system that perfectly meets your unique requirements and security needs, Yocto is an open-source project for you. As a comprehensive suite of tools and templates, Yocto provides the flexibility and customization, you need to create a bespoke solution for your device. What is very important that Yocto is a framework used to build OpenBMC de facto standard for server and workstation Board Management Controller software stack.
Our engineers have added fixes to some of Yocto’s most popular layers:
-
Support for the Dunfell version of
meta-openwrt
- Those changes allow building OpenWrt, a Linux-based router distribution, using Yocto. The solution was tested and run on the PC Engines apu2. More details description you can find in Tomasz’s presentation at Yocto Project Summit 2021.05. Changes contributed by Tomasz Żyjewski. -
Support for python3-binwalk and python3-uefi-firmware in the
meta-openembedded
layer - Those are the tools needed to develop and debug firmware solutions in Python. Thanks to Tomasz Żyjewski for contributing those changes. -
Support for the Nezha Allwinner D1 in the
meta-riscv
layer - You have all the details about porting this platform in Cezary’s presentation from Yocto Project Summit 2022.05. Changes made by Cezary Sobczak. -
Minor fixes for the
meta-sunxi
layer - Changes made by Maciej Pijanowski.
By partnering with our team, we can help you leverage the power of Yocto and build a custom Linux distribution that fully aligns with your vision. From feature-rich IoT devices to mission-critical servers, we’ve got you covered. Let us create a personalized solution that meets your specifications and takes your device’s capabilities to the next level.
Contribution details - Yocto
- Maciej Pijanowski (24):
- u-boot: rebase nanopi_neo_air emmc patch
- Revert “u-boot: rebase nanopi_neo_air emmc patch”
- conf: sunxi.inc: add wks file for arm
- machine: nanopi-m1: add config
- linux-beaglev: sync dts from u-boot
- beaglev: add 1st on-hardware test results
- preliminary beaglev support
- beaglev.md: add basic readme
- opensbi-beaglev: w/a for do_deploy failure
- beaglev: rename BSP components from -beaglev to -stafive
- linux-beaglev: explain dts sync patch
- beaglev-starlight-jh7100.conf: add wic.bmap IMAGE_FSTYPE
- linux-starfive: rename LINUX_VERSION_EXTENSION to -starfive
- beaglev-starlight-jh7100.conf: remove leftovers from freedom-u540.conf
- linux-beaglev: update LIC_FILES_CHKSUM
- beaglev-starlight-jh7100.conf: remove comment about SBI_PAYLOAD
- hostapd: update 300-noscan.patch to 2.9 version
- ipset: use BPN in SRC_URI
- procd: Inherit update-alternatives
- cdrkit: split into more packages
- cdrkit: add native to BBCLASSEXTEND
- Tomasz Żyjewski (24):
- python3-uefi-firmware: add recipe for version 1.9
- python3-binwalk: add recipe for version 2.3.3
- ppp: adopt to use with OpenWRT
- collectd: adopt to use with OpenWRT
- luci: expand cmake patch to install more mods
- hostapd: apply patches from OpenWRT
- comgt: add recipe to control gsm interface
- dropbear: adopt to use with OpenWRT
- coova-chilli: add recipe to provide coova-chilli package
- daemon: add recipe as rdepends of coova-chilli
- liblucihttp: add recipe
- haserl: add recipe as rdepends of coova-chilli
- luci: set DEPENDS and INSANE_SKIP variables
- luci: add do_configure prepend to copy plural_formula files
- luci: add plural_formula files to SRC_URI
- hostapd: correctly set FILES variable
- hostapd: install ppp.sh script
- luci: build from openwrt-19.07 branch
- luci: add liblucihttp as RDEPENDS
- netifd: build from openwrt-19.07 branch
- hostpad: install missing mac80211.sh script
- hostpad: install missing hostapd.sh script
- procd: disable warning as error for array-bounds and unused-results
- busybox: remove merged patch
- Cezary Sobczak (15):
- opensbi: add patches for Nezha board
- boot0: add patch for Makefile to fit it with yocto build environment
- nezha-allwinner-d1.conf: add machine configuration for Nezha board
- u-boot-nezha: add patch which fix build with binutils 2.28
- nezha.yml: add file used with kas-docker
- linux-nezha: add patch which fix build with binutils 2.28
- boot0: add patch which fix build with binutils 2.28
- u-boot-nezha: add recipe with patches for Nezha board
- boot0: add recipe of the Nezha SPL
- linux-nezha-dev: use custom version of kernel with patches for D1 chip
- u-boot-nezha: add patch which increase the CONFIF_SYS_BOOTM_LEN
- opensbi: update mainline with patches to fit Nezha board
- nezha.wks: description of SD card image for Nezha D1 dev board
- toc.cfg: add configuration file of TOC1 U-Boot image
- uEnv-nezha.txt: U-Boot bootargs for Nezha board
TrenchBoot is a framework that allows individuals and projects to build security engines to perform launch integrity actions for their systems. The framework builds upon Boot Integrity Technologies (BITs) that establish one or more Roots of Trust (RoT) from which a degree of confidence that the adversary did not subvert integrity actions is derived.
The most significant changes took place in the landing-zone component:
- support for the Xen hypervisor - This change adds support for the Xen Hypervisor separates the hardware layer from the programs running on the platform. Thanks to these changes, the landing zone can measure all hypervisor components.
- multiboot2 support for the GRUB2 bootloader - Support for multiboot in GRUB2 allows you to measure all the components used during system boot when using multiboot2.
The author of these changes is Krystian Hebel.
Trenchboot and dynamic measurements significantly reduce the possibility of compromising devices and therefore support our efforts to increase the trustworthiness of every computing device. If you’re looking for methods to enhance your devices' boot security, Trenchboot is the solution you’ve been searching for. Let us help you safeguard your computing device stack with advanced hardware security technologies.
- Krystian Hebel (14):
- Parse bootloader data in the form of tags
- main: do not do STGI for MB2, also do not clear VM_CR_R_INIT
- Add Multiboot2 support
- main: use one entry point for all protocols, implement stack overflow…
- multiboot2.h: drop unused structures, add ELF headers, clean up typedefs
- main.c: get proper MBI size, get kernel size from ELF headers
- util: add script for measuring extended PCR values for Multiboot
- extend_multiboot.sh: use section headers instead of program headers
- iommu.c: fix order of outb() arguments
- event_log: add code for initializing and filling the DRTM TPM event log
- event_log.c: make the log format compatible with TXT
- event_log: add fields for hash of LZ to the lz_header
- main: log PCR extend operations in DRTM TPM event log
- iommu: Implementation of early IOMMU
Upcoming events
Don’t forget to mark your calendars for Dasharo User Group #2, which will take place on July 6th, 2023. DUG events are an excellent opportunity to learn more about open-source projects and 3mdeb’s open-source contributions and connect with Dasharo developers.
The Dasharo User Group (DUG) is a forum for users of Dasharo to come together, share their knowledge, and stay informed about the latest developments in the Dasharo ecosystem. The DUG is a platform for users to connect and learn about new features and updates coming to Dasharo. The first DUG event will take place in early March and will include a variety of discussions on different topics related to Dasharo. We will share the agenda for the event in the next month. The event will be an excellent opportunity for Dasharo users meet other users, learn new things, and share their knowledge and experience with others.
Dasharo vPub 0x7 is a follow-up event to DUG#2 and will provide a space to engage in more informal conversations and discussions that we may not cover during DUG#2. The vPub is a less structured, more relaxed environment where the community can discuss topics that interest them. During the event, you can experience discussions about open-source firmware, open-source hardware and open instruction set architecture, technical challenges they are facing, and ideas for new features or improvements.
The Dasharo User Group (DUG#1) and vPub 0x6 event achieved great success, offering insightful presentations and engaging discussions on topics related to open-source firmware, hardware, and security. Key highlights encompassed Dasharo’s roadmap, the groundbreaking potential of NovaCustom’s hardware and open-source firmware for enhancing the laptop experience, the Dasharo Tool Suite roadmap, notable Dasharo Community Support ports like Supermciro X11SSH support and RPL-S CPU, the summary of PC Engines' post-EOL firmware survey, and much more.
We express our appreciation to the speakers who shared their expertise and perspectives during both DUG#1 and vPub vol.6. These remarkable individuals include Wessel klein Snakenborg from NovaCustom, Dennis ten Hoove from Slimmer AI, Brian Delgado from Intel Corporation, Dawid Potocki, Marcin Cieślak, Marek Marczykowski-Górecki from Invisible Things Lab/Qubes OS, and Thierry Laurion from Insurgo Technologies Libres/Heads.
For those unable to attend the event or interested in revisiting the sessions, recorded videos are available on YouTube via the following link. Furthermore, you can access event slides at: vpub.dasharo.com.
Summary
These are just a selection of our contributions to open-source. Since its inception, 3mdeb has contributed changes to more than 100,000 lines of code in open-source projects. So if you’re looking for expert guidance on open-source projects such as coreboot, fwupd, Yocto, and Trenchboot, our team is here to help. We’d love to discuss the details we can work together to bring your project to the next level.
If you are passionate about these topics, we also welcome you to join our recruitment process and become a part of our team.