Open-Source Success Achieved For Greater Transparency & Security: Running AMD openSIL + Coreboot On EPYC
([Motherboards] 2 Hours Ago
2 Comments)
- Reference: 0001640099
- News link: https://www.phoronix.com/review/amd-opensil-coreboot-ar1
- Source link:
Ever since [1]AMD announced openSIL in early 2023 for [2]open-source CPU silicon initialization to eventually replace AGESA and enhance their Coreboot support, I have been eager to try it out. The openSIL code drops to date though have just focused on select reference platforms with only [3]aiming for production status in the Zen 6 timeframe . But thanks to [4]3mdeb porting openSIL and Coreboot to a Gigabyte server motherboard , it's now possible to try out openSIL+Coreboot right now on Zen 5 hardware.
[5]
The 3mdeb consulting firm has been adapting AMD [6]openSIL and Coreboot to get the open-source firmware stack up and running on [7]Gigabyte MZ33-AR1 motherboard for EPYC 9005 series processors. For those more interested in desktop AMD Ryzen hardware, they are alos in the middle of [8]porting Coreboot and openSIL to an MSI retail motherboard too for release later this year.
In recent years there has been much more interest in open-source firmware from hyperscalers to security minded organizations for greater transparency, the ability to modernize and trim down the firmware for faster boot times and reduced attack surface, and similar substantive goals beyond just the ideas of open-source firmware. In the years ahead the corporate demands around open-source firmware especially on firmware is only likely to grow especially for security and confidential computing needs.
[9]
In having bought a Gigabyte MZ33-AR1 motherboard when 3mdeb announced their initial work on a Coreboot+openSIL port, as soon as they announced the release of Dasharo as their downstream flavor of Coreboot with openSIL, I gave it a go. Similar to when they [10]ported Coreboot to an Intel Alder Lake desktop motherboard , it was ultimately a pleasant experience.
[11]
With Dasharo is also a more secure out-of-the-box experience like enabling Secure Memory Encryption by default.
[12]
In the case of the Gigabyte MZ33-AR1, they support flashing to their Dasharo build from the BMC web interace of the Gigabyte server motherboard. So no need to muck around with Flashrom or anything like that but quickly and easily from the BMC web interface you can move off the proprietary BIOS and on to Coreboot+openSIL-powered Dasharo. Similarly, it's also possible from the BMC web interface to flash back to the default Gigabyte BIOS images as well if needed after using Dasharo.
[13]
At first I did hit a few issues... I happened to have a Turin Dense CPU installed and it turns out that wasn't covered by AMD's openSIL release for Turin. But in working together with the 3mdeb engineers, that was ultimately fixed up. As of today is [14]this openSIL upstream pull request now for 3mdeb working to get those changes into upstream openSIL for supporting Turin Dense. In the interim I also tried non-dense EPYC 9005 and with high core count CPUs also came to some issues due to 3mdeb having tested on lower core count CPUs and ended up overflowing the size of some data structures. But long story short those issues are also now addressed in their latest builds.
[15]
With the latest builds tested, the three year old goal has finally been realized! I am up and running on AMD openSIL with Coreboot! After three years of covering openSIL developments, it was gratifying to be able to finally try it out and see it running without issues after going through the few initial fixes. After overcoming those initial challenges, it's been working well without any other issues to note.
[16]
Prior to openSIL, those wanting to run Coreboot / open-source firmware on AMD server hardware have largely been limited to many year old AMD Opteron server motherboards with Coreboot. Really not practical at all for modern computing needs using a more than decade old Opteron platform if striving for open-source firmware ideals. Now thanks to 3mdeb's work on bringing Dasharo to a Gigabyte retail EPYC 9005 motherboard, it's possible to enjoy Coreboot on a current-generation AMD EPYC server motherboard.
It is important to reiterate though that AMD isn't planning for openSIL production readiness until Zen 6, but even so I was left impressed with how well it was working out so far in my initial testing.
[1] https://www.phoronix.com/news/AMD-openSIL-Open-Source
[2] https://www.phoronix.com/news/AMD-openSIL-Replace-AGESA
[3] https://www.phoronix.com/news/AMD-openSIL-September-2024
[4] https://www.phoronix.com/news/Dasharo-Firmware-MZ33-AR1
[5] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_1_lrg
[6] https://www.phoronix.com/search/OpenSIL
[7] https://www.phoronix.com/review/gigabyte-mz33-ar1
[8] https://www.phoronix.com/news/3mdeb-June-B850-P-WiFI
[9] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_2_lrg
[10] https://www.phoronix.com/review/coreboot-adl-dream
[11] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_3_lrg
[12] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_4_lrg
[13] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_5_lrg
[14] https://github.com/openSIL/openSIL/pull/49
[15] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_7_lrg
[16] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_6_lrg
[5]
The 3mdeb consulting firm has been adapting AMD [6]openSIL and Coreboot to get the open-source firmware stack up and running on [7]Gigabyte MZ33-AR1 motherboard for EPYC 9005 series processors. For those more interested in desktop AMD Ryzen hardware, they are alos in the middle of [8]porting Coreboot and openSIL to an MSI retail motherboard too for release later this year.
In recent years there has been much more interest in open-source firmware from hyperscalers to security minded organizations for greater transparency, the ability to modernize and trim down the firmware for faster boot times and reduced attack surface, and similar substantive goals beyond just the ideas of open-source firmware. In the years ahead the corporate demands around open-source firmware especially on firmware is only likely to grow especially for security and confidential computing needs.
[9]
In having bought a Gigabyte MZ33-AR1 motherboard when 3mdeb announced their initial work on a Coreboot+openSIL port, as soon as they announced the release of Dasharo as their downstream flavor of Coreboot with openSIL, I gave it a go. Similar to when they [10]ported Coreboot to an Intel Alder Lake desktop motherboard , it was ultimately a pleasant experience.
[11]
With Dasharo is also a more secure out-of-the-box experience like enabling Secure Memory Encryption by default.
[12]
In the case of the Gigabyte MZ33-AR1, they support flashing to their Dasharo build from the BMC web interace of the Gigabyte server motherboard. So no need to muck around with Flashrom or anything like that but quickly and easily from the BMC web interface you can move off the proprietary BIOS and on to Coreboot+openSIL-powered Dasharo. Similarly, it's also possible from the BMC web interface to flash back to the default Gigabyte BIOS images as well if needed after using Dasharo.
[13]
At first I did hit a few issues... I happened to have a Turin Dense CPU installed and it turns out that wasn't covered by AMD's openSIL release for Turin. But in working together with the 3mdeb engineers, that was ultimately fixed up. As of today is [14]this openSIL upstream pull request now for 3mdeb working to get those changes into upstream openSIL for supporting Turin Dense. In the interim I also tried non-dense EPYC 9005 and with high core count CPUs also came to some issues due to 3mdeb having tested on lower core count CPUs and ended up overflowing the size of some data structures. But long story short those issues are also now addressed in their latest builds.
[15]
With the latest builds tested, the three year old goal has finally been realized! I am up and running on AMD openSIL with Coreboot! After three years of covering openSIL developments, it was gratifying to be able to finally try it out and see it running without issues after going through the few initial fixes. After overcoming those initial challenges, it's been working well without any other issues to note.
[16]
Prior to openSIL, those wanting to run Coreboot / open-source firmware on AMD server hardware have largely been limited to many year old AMD Opteron server motherboards with Coreboot. Really not practical at all for modern computing needs using a more than decade old Opteron platform if striving for open-source firmware ideals. Now thanks to 3mdeb's work on bringing Dasharo to a Gigabyte retail EPYC 9005 motherboard, it's possible to enjoy Coreboot on a current-generation AMD EPYC server motherboard.
It is important to reiterate though that AMD isn't planning for openSIL production readiness until Zen 6, but even so I was left impressed with how well it was working out so far in my initial testing.
[1] https://www.phoronix.com/news/AMD-openSIL-Open-Source
[2] https://www.phoronix.com/news/AMD-openSIL-Replace-AGESA
[3] https://www.phoronix.com/news/AMD-openSIL-September-2024
[4] https://www.phoronix.com/news/Dasharo-Firmware-MZ33-AR1
[5] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_1_lrg
[6] https://www.phoronix.com/search/OpenSIL
[7] https://www.phoronix.com/review/gigabyte-mz33-ar1
[8] https://www.phoronix.com/news/3mdeb-June-B850-P-WiFI
[9] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_2_lrg
[10] https://www.phoronix.com/review/coreboot-adl-dream
[11] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_3_lrg
[12] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_4_lrg
[13] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_5_lrg
[14] https://github.com/openSIL/openSIL/pull/49
[15] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_7_lrg
[16] https://www.phoronix.com/image-viewer.php?id=amd-opensil-coreboot-ar1&image=amd_opensil_6_lrg