UEFI presentation

Together
for the New Style of IT
HP Enterprise Technology & Solutions Summit 2015
Dublin, Ireland June 15-19
#HPETSS

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
UEFIandHPProLiantServers
Bruno CORNEC, Open Source and Linux Strategist
WW Linux Community Lead - Open Source Profession

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.4
Introducing Myself●
Software engineering and Unices since 1988
– Mostly Configuration Management Systems (CMS), Build systems, quality tools, on multiple commercial Unix
systems
– Discovered Open Source & Linux (OSL) & made first contributions in 1993
– Full time on OSL since 1995, first as HP reseller then @HP
●
Currently:
– OSL Technology Strategist, EMEA EG Innovation Solution Center aka HP/Intel Solution Center, Grenoble
– HP OSL Advocate and Converged Infrastructure Ambassador
– WW Linux Community Lead for the HP Open Source Profession
– POSS conference, OpenStack.fr and AFUL board member. Conferences at WW level at LinuxCon, Linux.conf.au
– MondoRescue, Project-Builder.org, UUWL and PUSK Project Lead
– LinuxCOE, mrepo, tellico, rinse, fossology, collectl, Ironic contributor
– FOSSBazaar/SPDX and OSL Governance enthusiast
– Mandriva, Mageia, Fedora packager

UEFI Overview and Industry Status

UEFI = Unified Extensible Firmware Interface
A fundamentally different BIOS stack from legacy BIOS with new
capabilities and features
Platform Initialization (PI)
Interfaces produced & consumed by firmware only
Promote interoperability between firmware components
Latest PI specification version is 1.4 (April 2015)
UEFI
Pre-OS (and limited runtime program interfaces) between UEFI
Applications (incl. OSes) / UEFI Drivers and system firmware
Latest UEFI specification version is 2.5 (Apr 2015)
Latest UEFI Shell specification version is 2.1 (July 2014)
Cf: http://www.uefi.org
UEFI Technology

Processor architecture agnostic
EFI System Table
EFI_ACPI_20_TABLE_GUID
RSDP
XsdtAddress
Entry
XSDT
Header
RsdtAddress
Header
MADT
contents
Header
CSRT
contents
Header
DBG2
contents
Header
BGRT
contents
Header
FPDT
contents
Header
DSDT
Differentiated Definition
Block
Header
SPCR
contents
Header
GTDT
contents
FACS
Header
FACP
a.k.a. FADT
FIRMWARE_CTRL
DSDT (0-4GB)
X_FIRMWARE_CTRL
X_DSDT
ARM_BOOT_ARCH
…
Entry
Entry
Entry
Entry
Entry
Entry
Entry
Entry
Header
SSDT
Definition Block
XXXX
Tables defined by ACPI
Tables reserved by ACPI
XXXX
Header
SSDT
Definition Block
Entry
…n
Header
SRAT
contents
Header
SPMI
contents Header
SLIT
contents
Header
PMTT
contents
Entry
ACPI = Advanced Configuration and Power Interface
Static tables and primary runtime interprested control
methods provided by system firmware to the OS for system
configuration, power management and error handling
ACPI
Interfaces consumed by the OS
Processor architecture agnostic
Latest specification version is 6.0 (April 2015)
Cf: http://www.uefi.org/acpi
ACPI Technology

HP Drove for the Creation of UEFI
UEFI & ACPI Timeline
2004 tianocore.org, open source EFI community launched
UEFI as the converged firmware infrastructure
2014
ACPI v5.1 for ARM AArch64 support
(e.g., ARM SBSA/SBBR servers)
1995
HP/Intel needed a boot architecture for Itanium servers that overcame
BIOS PC-AT limitations
1997 - 2000
Intel created EFI with HP and others in the industry, made it processor
agnostic (x86, ia64)
2012
Windows 8 and ubiquitous native UEFI adoption for client PCs (Boot
Performance, Secure Boot focused)
2013
Linux Distros extended support for UEFI Secure Boot. First Linux
Foundation hosted UEFI Plugfest. UEFI v2.4 extended to ARM AArch64.
2005
Unified EFI (UEFI)
The UEFI Forum, with 11 promoters, was formed to standardize EFI,
extended to x64
2009 UEFI extended to ARM AArch32
1996
Intel/Microsoft/Toshiba
created ACPI 1.0 for 16 and 32 bit PC client devices
2000
Compaq/Intel/Microsoft/Phoenix/Toshiba publishes ACPI 2.0 for 64-bit
support as well as support for multiprocessor workstations and servers
2013
ACPI Asset transferred to the UEFI Forum. Ready for future ACPI.next
development
2004
HP/Intel/Microsoft/Phoenix/Toshiba published ACPI 3.0 further
enhancing the spec to support both client and server systems
2009
ACPI 4.0 is published providing additional support for both client and
server systems
2011
Hardware-reduced ACPI model was introduced into the published
ACPI 5.0 spec to include the support for SoC devices. ARM specific
descriptions are also introduced
ACPI HistoryUEFI History
260+ members and growing!

Board of Directors (11 Promoters)
Industry & Communications
WG (ICWG)
UEFI Specification WG
(USWG)
Platform Initialization
WG (PIWG)
Security Subteam
Test WG (UTWG)
Officers:
President: Mark Doran (Intel); VP (CEO): Dong Wei (HP)
Secretary: Jeff Bobzin (Insyde); Treasurer: Bill Keown (Lenovo)
11 Promoters
40 Contributors
193 Adopters
20 Individual Adopters
260+ Members260+ Members
ACPI WG (ASWG)
UEFI Forum
Security Subteam
Security
Response Team
Configuration SubteamConfiguration Subteam
Network Subteam
Shell SubteamShell Subteam
ARM Binding Subteam

UEFI Advantages
• CPU architecture agnostic
• GPT Support: >2TiB Boot Volume Support; >4 Disk Partitions; etc.
• Remove PC-AT restrictions (e.g, VGA, PIC, 1MiB)
• Secure Boot
• IPv4, IPv6 and multicat PXE boot
• iSCSI Boot using a built-in software initiator
• Embedded UEFI Shell (scriptable)
• Driver model and Runtime Services
• Bare metal UEFI Shell-based deployment framework
• TPM 2.0 support
• USB 3.0 boot support
• Boot from NVMe SSD drives
• Boot from some PCIe SSD drives
• Boot from Smart Array software RAID on embedded SATA
• Boot from HTTP to replace PXE
• Boot from FTP
• Unified Human Interface Infrastructure (HII) for System and
Option ROM

UEFI/ACPI Roadmap
• Leader on x86 clients and servers
• ARM servers with UEFI/ACPI support emerging
• Opportunities on IoT and embedded
• Persistent Memory, SD, UFS devices support
• More work related to Security & Resiliency (TLS, Trusted Recovery,
SmartCard, NoExecute, Variable Lock, Crypto I/F, RAM redundancy)
• Boot from HTTP (RamDisk device path)
• REST protocol
• Wifi, Bluetooth support

• Microsoft Windows Server 2008 (x64 only)
• Microsoft Windows Server 2008 R2 (x64 only)
• Microsoft Windows 2012
• Microsoft Windows 2012 R2
• RHEL 6.0 and later
• Oracle Linux 6.4 and later
• SLES 11 and later
• Ubuntu 10.10 and later
• VMware ESX 5.0 and later
• Solaris 11.1 and later (support started in November 2012)
All current operating systems support UEFI Boot and Legacy Boot.
Operating Systems supporting UEFI

Class
0
Class
1
Obsolete
Class
2
Class
3
Legacy BIOS CSM & UEFI Boot
UEFI switch
UEFI Only
Gen8
DL580 Gen8
& Gen9
Gen Future
(goal)
• Class 2 System: UEFI definition of a system that can boot into UEFI mode or Legacy BIOS mode
• Class 3 System: UEFI definition of a system that can only boot into Native UEFI mode
• CSM: Compatibility Support Module. Allows as Class 2 UEFI system to boot into BIOS mode
UEFI CSM
1
only
UEFI Systems Classes

HPProLiantGen9UEFIsupport

HP ProLiant UEFI Transition
ProLiant Gen8
Legacy BIOS (Class 0)
ProLiant Gen8
Legacy BIOS (Class 0)
ProLiant Gen9
UEFI Class 2
ProLiant Gen9
UEFI Class 2
GoalGoal Next Gen ProLiant
UEFI Class 3
Next Gen ProLiant
UEFI Class 3
• DL580 Gen8 defaults to Legacy Boot Mode.
• ProLiant Gen9 defaults to UEFI Boot Mode.
• Future Moonshot Cartridges and ProLiant servers are targeted to be Class 3
• CTO option to set default Boot Mode supported.
UEFI Specification Version 2.4
Platform Initialization Spec. 1.3
UEFI Shell Specification 2.1
EDK2EDK2
ProLiant Gen9 Specification Compliance
Why UEFI now for HP ProLIant:
• Mature standards
• UEFI Server Ecosystem ready (Option cards drivers, OS, deployment, management)
• Important functionalities for customers (IPv6 & multicast PXE, 2.2 TB boot drivers, Secure Boot)

• Unified Pre-boot Configuration Environment
− Platform Configuration, NIC Configuration, iLO Configuration
• Improved Option Card Error Handling
• NVMe and USB 3.0 Boot support (*)
• UEFI Shell Scripting Environment
− Platform Configuration, Save and Deploy Settings, Firmware Update
• Pre-boot tools
− AHS Download, System Information, Integrated Management Log (IML) Viewer
• Improved Option Card Error Handling
• Robust SecureBoot Implementation (*)
• HP RESTful API for Platform Configuration Settings
• HP RESTful Interface tool
HP ProLiant UEFI functionality
(*) Only in UEFI Boot Mode
Future functionalities:
• UEFI Shell Scripting Environment
−Platform Configuration for BIOS, iLO AND NIC, Storage
− Network Boot support (deployment via Shell over
Network)
• Additional Pre-boot tools
−AHS Download, System Information Enhancements
• HTTP Boot (*)
• ISCSI Boot (using SW initiator) (*)

SecureBootonHPProLiant

Industry Support
• UEFI Standard. Certification requirement for clients. Supported in Windows 2012.
• Now fully supported with both Community and Enterprise Linux Distributions.
Functionality
• All UEFI Option ROMs, OS boot loaders, and UEFI applications must be signed.
• BIOS uses trusted public keys (embedded in the BIOS) to verify the above and will not execute if the signature verification fails.
• Creates a chain of trust. Improved solution over TCG Trusted Boot.
• Some operating systems (SLES 11 SP3+ & RHEL7+) will also require kernel modules to be signed.
• Once Enabled, can only be disabled securely (RBSU or remote console to RBSU).
Secure Boot

Hardware
(stores policy)
Hardware
(stores policy)
firmwarefirmware
OSOS
middlewaremiddleware
application softwareapplication software
validate
transfer control
Secure Boot
Enforcing Boot Policy (UEFI)
●
Each component in the chain is validated and authorized by the
preceding one against a given policy before allowing its execution
●
Secure Boot policy implementation can range from digital signatures (UEFI
2.3.1C) to preloaded hash values
●
Secure Boot doesn't rely on TPM but on local DB

Program
10101
10110
10101
10110
Signature
Driver or
Program
Hash
Function
(SHA256)
10101
10110
10101
10110
Hash Encrypt Hash
Using Signer’s
Private Key
10101
10110
10101
10110
Signature
Certificate
Attach to
Program
=
Digitally
Signed
Program
Digitally
Signed
Driver or
Program
Signing – by the creator:
Verification – In the system:
Hash
Function
(SHA256)
Decrypt Hash
with Signer’s
Public Key
Check local databases for certificate. If certificate
found and not revoked, run UEFI Executable.
10101
10110
10101
10110
Hash
10101
10110
10101
10110
Hash
=?
Secure Boot
Mechanisms

PK Platform Key – Root key set to enable Secure Boot
KEK Key Exchange Key
List of Certificates Owners with db, dbx update privilege
db List of Allowed Driver or App. Signers
dbx List of Revoked Signers
SetupMode 1= in Setup Mode, 0 = PK is Set (User Mode)
SecureBoot 1 = Secure Boot in force
Notes:
• Owner of certificates in KEK can update db, dbx (Microsoft and HP on ProLiant)
• Owner of certificates in PK can update KEK (HP on ProLiant)
Secure Boot Databases

Secure Boot on Linux: Ubuntu approach
NOTE: Secure Boot supported after Ubuntu 12.10
Debian 7 does not support Secure Boot

Secure Boot on Linux: Fedora/Red Hat approach
NOTE: Secure Boot supported after Fedora 18, RHEL 7
And after openSUSE 12.3 and SLES 11 SP3

●
Generate a certificate/key pair
# openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout key.asc
-out cert.der -outform der -nodes -days 4745 -subj "yourname"
●
Sign kernel module with private key
# /usr/src/linux/scripts/sign-file sha256 key.asc cert.der e1000e.ko
●
Load public certificate into MOK or DB
# mokutil --import cert.der
NOTE: Physical console access is required to enroll keys in DB or MOK.
Secure Boot on Linux: kernel module signing

•
BIOS POST
•
Load signed option roms
•
Load signed shim.efi
•
Load signed grub.efi
•
Load signed vmlinuz kernel
•
Load signed kernel modules
•
courtesy from SUSE
Ney
Yay!
Secure Boot on Linux: Boot sequence

UEFIShellScriptingEnvironment

HP ProLiant servers feature an embedded UEFI Shell
Pre-boot CLI environment for scripting
Embedded in the System BIOS
Can be used in both UEFI and Legacy BIOS boot modes
UEFI ShellUEFI Shell
Configuration
FW Updates
Deployment
Scripting
Embedded (Bare Metal) Troubleshooting
UEFI Shell overview

UEFI embedded Shell enhancements
• WebClient and FTP : for scriptable network transfers
• SysConfig platform configuration
• SysInfo Collect system inventory
• FWUpdate for updating firmware components, including BIOS, NICs, and storage
cards.
• RAMDisk : for provisioning temporary staging locations
• Compress : to reduce data transferred over the network.
• Boot : seamless transition to other boot targets (such as a downloaded OS image)
without the need for a reboot.
• IMLView : Export the Integrated Management Log (IML)
• AHS CLI to download the Active Health Subsystem (AHS) data for service
troubleshooting

Scripting
− echo, if / else / endIf, shift, for / endfor
− startup.nsh auto start file similar to Autoexec.bat. Other scripts with .nsh
− Comma separated output (-sfo) that can be parsed using a parse command
Files manipulation
− Can read any FAT16 and FAT32
− Standard commands:
md, rd, cd, cp/copy, del, dir/ls, atrib, alias, touch, setsize, comp, ver, vol
− File editing (edit) and viewing (type)
− And more : eficompress/efidecompress, date/time, timezone, set, etc…
− Input/output redirection from/to consoles/files
Troubleshooting
− Dump hardware information: memmap, dmem, smbiosview, pci, drivers, devices, dh
HP ProLiant UEFI Shell

BIOS Configuration CLI
• Get / Set setting(s)
• Get Information
• Possible values, help text, default value, limits, etc…
• Reset to defaults
• Export / import settings to/from files (scriptable)
• Both name/value text files and JSON
Scriptable
• Same name/value pairs used by other HP in-band and out-of-band service
• JSON output compatible with other tools
Extensible
• Possible to extend in the future to device configuration
HP ProLiant UEFI Shell enhancements: sysconfig
Configure any System BIOS / Platform setting

HP ProLiant UEFI System Configuration UI

• New Pre-boot environment “Look and Feel”
• Pre-boot Configuration UI for Platform Settings
and Option Cards
• No longer prompted for configuration by option
ROMs (storage, NIC, iLO, ...)
• FwUpdate command to update firmware components
such as BIOS ROM, NIC, …
HP ProLiant UEFI Firmware management UI

HPUEFIDeploymentSolution

UEFI deployment
• Possibility to use PXE (pxelinux has UEFI support)
●
PXE problems: TFTP timeout, UDP packet loss, download and deployment times, security
●
Alternative with iPXE not fully available under UEFI so forcing to switch to CSM
• Possibility to use iLO virtual media, scripted URLs
• Slower than NIC
• UEFI will provide HTTP Boot with the 2.5 specification
• HP provides HP UEFI Extended Network Stack
• HTTP DHCP boot of EFI file or ISO image from EFI Network Bootstrap Program (NBP)
• Pre-configured boot of EFI file or ISO image from HTTP/FTP URL
• Embedded UEFI Shell script auto-execution from network without relying on local media or iLO virtual media

HP UEFI extended Network Stack

HPRESTfulAPI

• Programmatic interface with a public facing API
●
Used by OneView,
●
User-choice scripting tools,
●
HP RESTful Interface tool (hprest).
• Available in-band (iLO driver in the OS) and out-of-band (https to iLO, even if server down – aux power)
• Published Schema/Registry (all available values and configuration settings, dependencies, UI metadata, ...)
• Supports UEFI and iLO as of now and NIC and storage in the future
• Human readable data (JSON) with Name/Value pairs for all configuration settings
• Enables customer scripting as well as building block for HP tools
HP ProLiant UEFI RESTful API

1. RESTful Client GETs BIOS settings
2. RESTful Client writes modified pending (staged) settings
3. …on next reboot…
4. UEFI BIOS fetches pending settings
5. UEFI BIOS adopts and publishes new settings
ClientClient
iLO
HP RESTful Interface
iLO Persistent StoreiLO Persistent Store
HP RESTful ServiceHP RESTful Service
Default
Settings
Default
Settings
Staged
Settings
Staged
Settings
Current
Settings
Current
Settings
UEFI BIOS
(Provider)
UEFI BIOS
(Provider)
Avail. SettingsAvail. Settings
• Ability to GET configuration information:
• Current Configuration
• Manufacturing Defaults
• User Defined Defaults.
• Ability to PUT/PATCH desired settings.
• UEFI Pending settings take affect on reboot.
• Status available.
HP ProLiant UEFI RESTful API

UEFIimpactforcustomers

Must configure PXE environment for
UEFI
Must configure PXE environment for
UEFI
Must modify deployment scripts and
OS images – Maintain 2 environments
Must modify deployment scripts and
OS images – Maintain 2 environments
Legacy Boot Media will NOT bootLegacy Boot Media will NOT boot
Option Card SupportOption Card Support
Windows 2008 won’t work “out of the
box”
Windows 2008 won’t work “out of the
box”
Customer Impacts for UEFI
Mode
Customer Impacts for UEFI
Mode
Boot Order is More Flexible (but more
complex)
Boot Order is More Flexible (but more
complex)

• Server will support Legacy Boot mode and UEFI Boot Mode.
• Boot configuration is far more flexible and complex in UEFI Boot Mode.
• If Secure Boot is enabled, UEFI Option ROMs and OS boot loaders must be signed.
−Disabled by default but can be enabled in Setup.
• More options for restoring defaults
−Restoring Defaults does NOT erase UEFI Variables.
−Separate option for erasing UEFI Variables.
• The date and time are NOT modified when defaults are restored (default time zone is UTC)
Points to remind about HP ProLiant UEFI

Making the new style of IT a reality
» 14+ years of success, world wide programs, including Cloud Center of
Excellence, Big Data Center of Excellence, Open Source Solutions
Initiative, RISC to HP Intel Architecture Migrations, NVF Center of
Excellence, EMEA Networking Customer Visit Center and more
» Complete IT (400+ systems, 3000+ network ports, 500+ TB storage)
» Portfolio of 40+ ready to demo solutions with access to our
ecosystem of Partners
» Complete test & validation environment
» Strategic partnership with Intel, 14-year long standing collaboration
» Strategic partnership with Red Hat 7-year collaboration (OSSI)
» A unique proof point in the industry with a proven service offering
Grenoble
Mission: Accelerate the adoption of new and² innovative solutions by creating
simple and rewarding end-to-end customer experiences that benefit our
customers and partners, in a compelling and engaging collaborative
environment. …more information available at http://www.hpintelco.net
EMEA SolutionInnovation Center
WorkshopPoCLivedemoCoE

”Changes are never easy to make.
There is comfort and safety in
tradition, but change must come, no
matter how painful or expensive it
may be.”
Bill Hewlett
Bruno.Cornec@hp.com
(Open Source and Linux Technology Strategist at the HP
Solution Innovation Center, EMEA)
http://www.hp.com/linux
http://opensource.hp.com
Thanks goes to:
Linus Torvalds, Richard Stallman, Eric Raymond, Nat
Makarevitch, René Cougnenc, Eric Dumas, Rémy Card,
Bdale Garbee, Bryan Gartner, Craig Lamparter, Lee
Mayes, Gallig Renaud, Andree Leidenfrost, Phil Robb,
Bob Gobeille, Martin Michlmayr, Dong Wei, Samer El-
Haj Mahmoud among others, for their work and
devotion to the Open Source Software cause... and my
family for their patience :-)
Contact - Thanks

UEFI presentation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to UEFI presentation

Similar to UEFI presentation (20)

More from Bruno Cornec

More from Bruno Cornec (20)

Recently uploaded

Recently uploaded (20)

UEFI presentation