yabits: Yet Another UEFI coreboot Payload September 13, 2018 OSFC 2018: Open Source Firmware Conference @retrage

Abstract • UEFI is the de-facto standard BIOS • There are two types of UEFI implementations, • TianoCore and closed firmware • Closed firmware has problems • The users can not fix the bugs • The code shipped without enough verifications • TianoCore is an open source UEFI • The code base is too big in the view of booting OS • It is not suitable for embedded systems or bare metal clouds • =>yabits, a new UEFI implementation. • It is small footprint and boots fast. 1

Bio • Akira Moroo • A graduate student at Tokyo University of Science. • Majors electrical engineering. • Researches in the field of software engineering. • Interested in • Firmware/coreboot/UEFI/boot process of operating systems • Has ported mruby to UEFI shell in 2015. • Started yabits project in 2017. • As one of IPA Mitou project 2

BIOSes for x86-based PCs • Legacy BIOS and UEFI • Legacy BIOS • The origin is the BIOS of IBM PC in 1981. • Runs in 16-bit real mode for backward compatibility. • Does not standardized. • There are many incompatible extensions. • It is not suitable for modern x64-based machines. • => UEFI is proposed in 2005. 3

Recap: UEFI • Unified Extensible Firmware Interface (UEFI) • Based on EFI, developed for IA-64 by Intel. • Standardized by UEFI Forum[1]. • You can find the specification online[2]. • Supporting many Architectures. • IA-32, x64, ARM, ARM64, RISC-V etc • A lot of features compared with Legacy BIOS. • => Almost all x86-based PCs are shipped with UEFI. 4

UEFI Implementations • TianoCore and other closed firmware • TianoCore • An open source UEFI reference implementation. • Developed by Intel and its community. • Closed firmware • Developed by BIOS vendors. • Based on TianoCore, special features are added. 5

UEFI Ecosystem[3] 6

Problems in Current UEFIs • Closed firmware • Remain bugs fixed in TianoCore if vendors do not update. • Shipped features without enough verifications. • Users can not fix bugs unless reverse engineering it. • As they uses same code base, they have same vulnerabilities even shipped from different vendors[4]. • Example: ThunderStrike2: Apple and ASUS • => There are problems when using closed firmware. 7

Solution: coreboot • An Open source BIOS • supports various mainboards. • Machine dependent part and Payload • Payload • “Machine independent” part • Freestanding ELF • SeaBIOS, TianoCore, FILO, GRUB2, Linux Kernel etc. • => So, TianoCore on coreboot is the answer? 8

TianoCore is the Giant • TianoCore is too big from the view of booting OSes. • Unused device drivers and protocols. • Large footprint, long boot time. • Requirements of the new UEFI implementation. • Open source • Another code base from TianoCore • Small footprint • Booting fast • => yabits, yet another UEFI implementation. 9

yabits: Design • Focus on booting OSes • A coreboot Payload. • Minimal features. • Only BootServices and RuntimeServices • Same Inferfaces as UEFI specification. (Yes, of course) • Class 3 UEFI, pure UEFI and no CSM mode. • Features • BootServices • RuntimeServices • EFI System Table support • GUID Partition Table Disk Layout support 10

yabits: Design (cont’d) 11 PEI DXE BDS TSL RT Hardware Init Driver Driver Driver Driver Services Boot Manager Boot Loader OS

yabits: Design (cont’d) 12 PEI DXE BDS TSL RT Hardware Init Driver Driver Services Boot Manager Boot Loader OS

yabits: Implementation • Minoca OS • Unix-like OS written from scratch. • Small footprint, suitable for embedded systems. • It includes bootloader and UEFI for booting Minoca OS. • uefi of Minoca OS in x86 • TianoCore DuetPkg like x86 support. • Booting from Legacy BIOS and launching UEFI • yabits is based on uefi of Minoca OS. • Porting to coreboot Payload. • Natively runs on a machine. 13

yabits: Implementation (cont’d) • Currently support IA-32 and x64(WIP). • Deeply Dependented on Libpayload. • Libpayload is a library for coreboot. • Ported Libpayload to x64 to reuse the code. • Add translation to 64-bit long mode. • Device drivers • Only IDE and AHCI. • The source code is available on: • https://github.com/yabits/uefi 14

Demo Booting OpenBSD on QEMU https://youtu.be/2jjS4zQgUxQ 15

Demo Boot Time Comparison with Default on Lenovo ThinkPad X230 https://youtu.be/1OTUr2_W5r4 16

Evaluation: Boot Time • Tested on Lenovo ThinkPad X230. • The boot time of yabits is 2x faster than that of default. 17 Default yabits Boot Time (sec) 7.15 3.15

Evaluation: Boot Time (cont’d) • Tested on QEMU. • The boot time of yabits is 9x faster than that of OVMF. 18 OVMF yabits Boot Time (sec) 7.48 0.81

Evaluation: Footprint • Binaries for QEMU. • TianoCore is TianoCore + coreboot • The footprint of yabits is 10x smaller than that of TianoCore. 19 TianoCore OVMF yabits Footprint (MiB) 4.0 2.0 0.4

Future work • ARM/ARM64 support • Setting menu • Secure boot support • Graphic Output Protocol (GOP) support • Windows boot support • This may be hard task. • There is just one developer. (only me) • Please pull requests and contribute! • https://github.com/yabits/uefi 20

Conclusion • UEFI replaced Legacy BIOS in x86-based PCs. • There are two types of UEFI. • TianoCore • Other closed firmware • TianoCore is too large in the view of booting OSes. • yabits • Fast and lightweight yet another UEFI implementation. • For embedded systems and bare metal clouds. • https://yabits.github.io/ 21

Acknowledgement • This project (yabits) was supported by IPA Mitou Project 2017. I thank project managers and colleagues from IPA Mitou Project 2017 who provided insight and expertise that greatly assisted the project. 22

References • [1] https://uefi.org/ • [2] https://uefi.org/specifications • [3] https://github.com/rrbranco/BlackHat2017/blob/m aster/BlackHat2017-BlackBIOS-v0.13-Published.pdf • [4] https://trmm.net/Thunderstrike2_details 23