An Enigma, unikernels booting on RISC-V, a rack encased in liquid. OH MY.

Sunday, March 17, 2019

I have written a bit about how I am spending my time while being unemployed and I thought I would continue.

There was one thing I had left out of my previous post on my visit to the Pentagon. THEY HAVE A REAL ENIGMA MACHINE THERE. Okay, moving on…

QCon and University of Cambridge

I gave a talk at QCon on SGX and ended up giving the same talk to some really awesome folks at University of Cambridge. Each time I gave the talk provoked some really interesting conversations. One of the topics that came up a couple of times was if RISC-V was going to be supported by any major cloud provider anytime soon. My honest opinion, which some might disagree with, is this is years away BUT it would certainly help adoption and integration into projects if it was backed by a company with a lot of time to develop integrations. Also I got a bit nerd sniped by some ARM folks and researchers to look more into TrustZone (which is the ARM secure enclave). I haven’t dug in yet but it’s on my list.

It was awesome spending a day in Cambridge (thanks Anil for the tour!) and learning about all the awesome things they are doing. The MirageOS team is booting unikernels on baremetal RISC-V!

They use this on boards to power light bulbs (at the University!) super securely since it removes the need for all the shitty firmware most other things ship and has a super minimal environment. I’m sure you can think of a number of different other use cases as well. Honestly, unikernels replacing all the crap firmware in the world would be a huge win.

Open Compute Summit

Just this past week I spent a day at the Open Compute Summit. What is happening there in the open firmware space is truly awesome. They had demos of hardware they are booting with LinuxBoot and Coreboot. Facebook runs this on their infrastructure as well as with OpenBMC to replace the traditional, proprietary BMC firmware. Trammel Hudson has some great posts on LinuxBoot, which include links to some really great talks by him and Ron Minnich.

Facebook’s server racks are gorgeous. They have a power bus which runs down the center and everything gets power from that, with the main power coming out of the power unit towards the middle of the rack (in the first picture below).

Boot Guard

One thing I learned that I found fascinating was about Boot Guard for Intel processors and the equivalents on ARM and AMD. Boot Guard is supposed to verify the firmware signatures for the processor. The problem with this, in Intel’s case, is only Intel has the keys for signing firmware packages. This makes it impossible for you to then use Coreboot and LinuxBoot or equivalents as firmware on those processors. If you tried, the firmware would not be signed with Intel’s key and would brick the board. Matthew Garrett wrote a great post about this as well.

If a person owns the hardware, they have a right to own the firmware as well. Boot Guard prevents this. In another great talk by Trammel, he found a vulnerability to bypass BootGuard.

This “feature” from hardware vendors is preventing the innovation of this community and preventing pushing technology to a safer place. If you are in a position to push back on these hardware vendors, please do so. They need all the help they can get.

Server rack encased in liquid

Lastly, I saw something bat shit crazy at Open Compute Summit. It was something I saw in the Expo Hall. One vendor has encased an entire server rack in liquid for liquid cooling. I’m not sure I could sleep at night using this. The funniest part about this though was the demo at their booth still had fans in the rack! I mean… why would you need fans if you had liquid cooling… they claimed it was just “left over” and you wouldn’t need that. But at a conference where everyone is showing off their custom hardware, you’d think they would have left the fans at home ;).

That’s the end of this update of my adventures. Hope you all enjoyed it. I know I enjoyed living it!