Open Source Firmware Foundation

OSFF Assembly at 38C3

Daniel Maslowski — Mon, 20 Jan 2025 10:01:36 GMT

Like in the previous year, we visited the Chaos Communication Congress and hosted an assembly.

Once again, we exhibited a simple demo of the LogoFAIL vulnerability, and Ahmad Fatoum from Pengutronix joined us this time to provide a demo of the Barebox bootloader featuring Snake and DOOM.

LogoFAIL and Barebox demo

In total, we gave 4 workshops, offered 4 badges for people to discover, and had enough space to accomodate a dozen hackers. Many people visited us, being curious about what's in their laptop's firmware or how to get coreboot on their ThinkPad T480(s) laptops, which 4 of them successfully did through the help of deguard.

Flash parts on a mainboard

Projects

One of our main focuses was on laptops and mobile devices. With a handful of Ubuntu maintainers, we had a great exchange about Chromebook support in mainline Linux and distributions, such as enabling missing modules downstream as well as userland. Those require adjustments in the respective drivers. For example, mediatekdrmfb would currently break without a DisplayPort bridge being present. Such cases require careful handling in order to ship images that work well for everyone.

3 laptops, the middle one showing an Ubuntu login, and a Chromebook under the third one

Close to us sat our friends at the Linux on Mobile assembly, with whom we debugged Google's bootloader and device tree and from whom we borrowed a USB-Cereal. One of the core projects is postmarketOS, a Linux based operating system for mobile devices. That includes a lot of work on firmware on bootloaders.

Computer with an open case and attached peripherals

Over the days of hacking, we made progresss: On Arm64 platforms, such as MT8186+, we got some steps further with audio using Sound Open Firmware (SOF) for LinuxBoot. We also discovered a regression in Mesa on a Mali G57 GPU that we will report back.

Graphical glitch on a laptop with a Mali G57 GPU

Finally, to get more people started with the project, aprl and elly gave a talk on co rebooting Intel-based systems, explaining what to do when porting a new board.

Workshops

On the first day, in the first workshop, participants learned about firmware images as found on modern AMD and Intel platforms, consisting of many different parts, which they could browse using Fiedka, UEFITool and various command line tools.

On the second day, in two consecutive workshops, we took apart firmware blobs using Ghidra and learned about various ways of following remappings in memory and dealing with peripherals, then got started with oreboot on the platform we had investigated earlier.

Ghidra code view

Ghidra memory map

After some extra fiddling, we got the first output from a Canaan K230 SoC.

CanMV K230 board

oreboot on K230

Following up on ideas from LinuxBoot and the earlier workshop on firmware images, we looked at ways of modifying UEFI firmware on laptops on the third day in the last workshop, using the ThinkPad X270 as an example. With Fiedka, we could remove unnecessary UEFI binaries, and using utk from the Fiano suite of tools, we put a Linux kernel in flash booting up within 3 seconds, finishing up with a demo of running mpv via cpu to play a video on the target device.

Bad Apple playing on the X270 via mpv over cpu

In conclusion, we had a wonderful experience with lots of fun and many people joining in. We look forward to the 39th Chaos Communication Congress at the end of this year and the upcoming FOSDEM, where we will be hosting a stand showcasing coreboot, flashprog and other firmware projects.

A comparison between open source host firmware solutions and closed source UEFI

Arthur Heymans — Thu, 05 Dec 2024 14:18:06 GMT

This blog post was first posted on https://blog.aheymans.xyz/post/uefi-coreboot-comparison/ . In this article UEFI and closed source UEFI implementation are used interchangeably. EDK2 is an open source project, which is permissively licensed, but most implementation deployed don't release their source code.

This whitepaper makes the case that UEFI firmware and more specifically EDK2 based solutions, more specifically the closed implementations which are ubiquitous, hurt business by driving up cost and delaying time to market, while at the same time are the root cause of more and more security problems. This whitepaper will contrast this UEFI status quo with other existing solutions like LinuxBoot in combination with coreboot, which fully embrace open source development, are scoring better on all those metrics. This is both due to design decisions and the related development models.

To make this case it is first necessary to untangle the notion of host firmware. Everything that resides in the host flash boot medium is called host firmware. Silicon designs got more complicated and more integrated so naturally more and more firmware components are currently being placed in that host firmware flash. While the case for open source could likely be made for all the components on that flash, the focus of this whitepaper will be on the firmware that is run on the main CPU. On x86 systems a big part of silicon initialization is happening in that code. It’s good to further differentiate this into silicon specific hardware initialization and more generic hardware initialization and drivers that are used to load an operating system be it from disk or network. This roughly matches the UEFI PEI phase (silicon specific init) and UEFI DXE phase (load OS phase).

Part 1: UEFI DXE vs LinuxBoot

The DXE Foundation produces a set of Boot Services, Runtime Services, and DXE Services. The DXE Dispatcher is responsible for discovering and executing DXE drivers in the correct order. The DXE drivers are responsible for initializing the processor, chipset, and platform components as well as providing software abstractions for system services, console devices, and boot devices. These components work together to initialize the platform and provide the services required to boot an operating system. The DXE phase and Boot Device Selection (BDS) phases work together to establish consoles and attempt the booting of operating systems. The DXE phase is terminated when an operating system is successfully booted.

This is quoted from the UEFI PI spec 1.8. This basically sounds like UEFI DXE, Driver eXecution Environment, is an application specific operating system, with the application being loading an operating system. If that sounds like too many operating systems to you, then that’s what the project of LinuxBoot is all about: not reinventing the wheel. The idea is that most of what UEFI DXE phase is doing, Linux as a bootloader can do as well and typically better, be it faster and with less problems. So what the typical LinuxBoot firmware looks like and how does it work? LinuxBoot contains a small Linux kernel that is often very reusable on different hardware. It’s very common to have it just work on the first try. If necessary hardware specific kernel drivers can be added. This is then coupled with an initramfs that contains a small user space that is enough to securely load the target operating system, via kexec. Other functionality to debug or validate the platforms are often included in the initramfs too. A popular implementation of this initramfs is u-root . U-root is an initramfs builder, written in golang to create a busybox-like (1 binary) environment. Adding new commands and components is trivially achieved, which makes u-root very easy to customize.

So what are the advantages of this approach over UEFI DXE:

The Linux kernel is really high quality battle tested and the code is under a lot of scrutiny due to the high number of contributors. Hitting problems on never tested UEFI DXE code and corner cases on the other hand is not uncommon.
The target operating system is Linux, so using the same code and drivers in the bootloader, reduces development time.
There are a lot more developers that can write Linux userspace applications than there are UEFI developers. UEFI is written in DOS style C, where Linux applications can be written in any modern language.
Boot times are better as the Linux boot process is much better parallelized and is smarter at dependency resolution (UEFI often needs to reload DXEs).
Much less programs are used: 1 kernel (kernel modules are built in) + 1 busybox userspace application vs sometimes 100s of DXE modules in UEFI. This makes the SBOM and therefore also maintenance of security updates much more manageable.
It’s a very flexible bootloader that can be coupled with all sorts of hardware specific initializations: UEFI PEI, coreboot, u-boot, slim bootloader have all been successfully coupled.

LinuxBoot really isn’t a newcomer to the scene and is widely deployed in production for instance at Google and Bytedance. Some hardware vendors commonly use LinuxBoot to validate the hardware before implementing the UEFI firmware that eventually ships as it’s just that much easier/faster to get working.

Part 2: UEFI PEI & DXE vs coreboot

UEFI PEI, Pre-Efi Initialization, is in charge of doing silicon specific initialization before the DXE phase. This often consists of initialization of main memory (DRAM) amongst other things. It follows a similar modular design as the DXE phase:

PEI Modules in charge of initialization of some part of the hardware
A table of services that PEIM can use, e.g. heap services, multiple image support, …
PEIM to PEIM Interfaces (PPI) services over which modules can talk to each other
A instruction set for module dependency resolution
Creating Hand of Blocks for the remaining of the boot (DXE)
This again sounds like an Operating System environment like DXE, but a bit more limited as main memory is not yet available. After main memory is installed and ready, UEFI moves on to DXE phase to do the rest of hardware initialization and loading of the OS happens. DXE is a richer environment as the availability of main memory implies less restrictions.

Coreboot is a open source firmware component that can be compared to the hardware init parts of UEFI PEI & DXE. It does not implement any loading of the OS, but loads a payload, which can be any kind of binary, to do this. The limited scope of coreboot makes it flexible with regards to the use cases as the hardware init part typically does not vary so much: e.g. whether a board is to be used as a highly embedded router or a laptop, the DRAM init part is identical. The payload is then specifically tailored to the use case. For instance on embedded systems like routers there is no use case for being able to run Windows, so there is no need for a fully fledged UEFI interface in the firmware. More on that topic in part 3. Datacenter servers are in many respects very similar to embedded systems even though compute power is dramatically higher. Datacenter servers all come in identical or at least with very little variation in their setup and they only need to boot Linux. Given this highly specific use case using LinuxBoot makes a lot of sense, be it with UEFI or coreboot.

Coreboot ‘s design is radically simpler than UEFI PEI + DXE. Coreboot does not follow a modular design: there is just 1 program running before DRAM is up (romstage) and 1 program after DRAM is ready (ramstage). This reduces the complexity of the code that needs to be run at runtime, by moving more logic at build time. This significantly reduces the size of the binary produced: there is simply less code (no dispatch, no services, no PPI) but also less compiled code to be duplicated, compared to PEI/DXE modules that need to reimplement certain features like a standard library in each module. Also the ‘1 binary’ approach makes optimizations like linker garbage collection & linktime optimization possible. With UEFI, dependencies are resolved at runtime so the compiler cannot know what code can be optimised out. With coreboot the linker is very good at throwing away code that will not be used.
A reduced code size has many benefits:

Faster execution time
Reduced attack surface for vulnerability
Faster compile times and therefore faster development
Smaller binary size means a smaller flash can be used reducing BOM
To put some numbers on these claims let’s try to find a best apple to apple comparison out there: old 2011 Intel Sandy Bridge system. Those have 2 codepaths: a fully native coreboot codepath and also a binary codepath that is a wrapper around UEFI PEI(M) code. With native code the coreboot romstage is 87K large, which includes all the hardware init. Using the binary there is a 49K BibliographyBibliographyBibliographyromstage + 191K UEFI PEI binary.
With regards to build time, an anecdote from the AMD OpenSIL project will speak volumes. The AMD OpenSIL project has CI to buildtest its code in different host firmwares. At first there was only AMI APTIO-V being buildtested. That took CI roughly 20 - 30 minutes. When implementing coreboot CI, which supports exactly the same mainboard, AMD CI engineers were wondering what was wrong as it took only roughly 30 seconds to build a coreboot image even without any ccache.

TL;DR The UEFI implementation of hardware initialization is modularised. This increases complexity, code size, boot time. In comparison coreboot is simpler, smaller and faster while also achieving fully features hardware init.

Part 3: Development model and open source ecosystem

When comparing LinuxBoot and coreboot to UEFI there are 2 key technical differences that make the development model substantially different.

The first difference is that with both Linux and coreboot all code is developed in one tree or codebase. With Linux differences in hardware are abstracted in the driver code: e.g. you don’t have 1 driver per generation of GPU but a driver that thoughtfully captures similarities and differences between hardware generations. Coreboot has a similar approach to code, so that a lot of code is reused when a new generation of silicon is being released. This is to be contrasted with the UEFI model of development where for each generation and for each board the whole tree is copied and SoC and board specific modifications are made. The advantages of copying and modifying are that you don’t need to worry about breaking previous hardware or other boards. There is less need to collaborate with other developers. The one tree model however needs more overhead and collaboration, but has significant advantages:

Maintenance across different boards and SoC is reduced. If an improvement, be it a fix or a feature, it is automatically available for all boards and hardware in the tree. There is no need to port a fix to all SoC or Board repos, just pull the latest master branch / release.
The cost of deploying updates is reduced. As the codebase is the same for all boards, there is no need to validate non-board specific features individually.
Because updates are cheaper, security fixes land in more timely (or even at all). With UEFI, you’re often left out of security updates.
Time and cost of development is reduced: the board specific part of a coreboot port is very limited. Anecdotally some hardware vendors first do a coreboot port of their hardware to validate it, before porting UEFI, since it’s much simpler to get it working.

A second difference that contributes to differences in development is how modular UEFI is vs how monolithic Linux and coreboot is. UEFI consists of many PEI and DXE modules that can be separately compiled and put together. In fact Intel FSP, a binary which does hardware init on Intel hardware is just a collection of PEI and DXE modules. This modularity heavily favours closed source development. Every module can be separately developed and put together to generate a working image. It is commonly the case UEFI IBV (independant Bios Vendors) put in way more modules than is actually required to boot the platform. This is demonstrated by the NERF project (https://trmm.net/NERF/) that reduces the excess DXEs to use LinuxBoot. It is not uncommon to see completely wrong modules added to UEFI images, like Intel firmware components on AMD UEFI images. Also reinventing the wheel is a common problem with this overly modular architecture. Functionality from Baselib is commonly reimplemented for no good reason in modules. For instance on Intel Xeon-Sp UEFI code the hardware init has its own heap implementation alongside the common UEFI heap. With coreboot and Linux only one binary is created and upstream development is actively encouraged. Careless copying of code and duplication is usually blocked by the community driven review process.

Both coreboot and Linux are truly active upstream projects, maintained by a diverse and healthy community. To put in some numbers: at the time of writing coreboot has had 1202 contributors, Linux 26431, EDK2 531. Also when looking at the top 10 of contributors to coreboot we contributors ranging from independent developers, coresystems GmbH (gone), google, secunet, Intel, AMD, 9elements. On EDK2 8 out of 10 top contributors are from Intel, the other 2 are Red Hat and ARM. Having a healthy open community is probably the main argument why fully open source solutions should be pursued over closed source UEFI ones. Working upstream has its challenges mostly initially, as the code needs to reach certain standards and should not impede development of other platforms: collaboration has a certain overhead. However the benefit largely outweighs the costs: code quality is much better as this is required for collaboration on diverse platforms and use cases, code reuse is actively pursued to reduce maintenance costs, more eyes from diverse stakeholders make the code more flexible and secure. To develop firmware one needs to have a very solid knowledge of how the hardware works. This is a hard problem as hardware is incredibly complicated and is getting more complicated over time. Open source projects and communities optimise this sharing of knowledge. When asking a technical question on the respective fora, like bugtracker, irc, email, … of an open source project, one often gets a good answer quite quickly. This process is more efficient than for instance the ticket services that some silicon vendors set up to deal with firmware related problems, where a substantial portion of the time solving the issue is spent just to get in touch with someone that might adequately address it.

Along with these firmware specific differences there is also the generic argument for open source vs closed source like no vendor lock-in. You’re not bound to the company that delivers the software. This makes the market more competitive, but also holds future assurances as some companies might go out of business leaving you supportless.

Part 4: Does the OS need UEFI boottime and runtime services?

On x86 Linux does not need any UEFI boot time or runtime services, nor is any functionality lost when those are not provided. Linux can be given all the information it needs (ACPI/SMBIOS/E820/framebuffer) via other means. On other architectures like ARM64 the UEFI system table and some minimal runtime services are required. However this requirement is not the same as needing a fully fledged EDk2 UEFI implementation and very minimal implementations exist too, that provide as little as needed UEFI services. ARM LBBR fleshed out these minimum requirements into a spec.

Summary

Based on the facts presented in the article, it can be concluded that open
source host firmware solutions like coreboot + LinuxBoot offer several
advantages over closed source UEFI firmware.

In terms of performance and security, LinuxBoot and coreboot outperform UEFI
DXE. The Linux kernel used in LinuxBoot is highly tested and under constant
scrutiny, reducing the likelihood of encountering issues. Additionally, the
use of Linux as the bootloader reduces development time and allows for more
flexibility in writing applications, as Linux applications can be written in
any modern language.

Moreover, LinuxBoot and coreboot result in faster boot times compared to
UEFI, as the Linux boot process is better parallelized and has smarter
dependency resolution. The reduced number of programs used in these
solutions also makes maintenance of security updates more manageable.

From a development standpoint, LinuxBoot and coreboot offer simplified and
more efficient development models. All code is developed in one tree or
codebase, allowing for code reuse and reducing maintenance and validation
efforts across different boards and systems. This also leads to faster
development and deployment of updates. In contrast, UEFI requires copying
and modifying the codebase for each generation and board, resulting in
higher development and maintenance costs.

The monolithic runtime design of Linux and coreboot also provides advantages over
the modular design of UEFI. The reduced code size of coreboot and the
ability to optimize at build time result in faster execution time, reduced
attack surface, and faster development. UEFI, on the other hand, often
includes unnecessary modules, leading to larger and potentially more
vulnerable firmware.

In conclusion, the comparison between UEFI and coreboot + LinuxBoot
demonstrates that open source host firmware solutions offer better
performance, security, and development models. The use of Linux as the
bootloader, coupled with coreboot, simplifies the firmware process and
provides more flexibility and efficiency. These advantages make open source
solutions like coreboot + LinuxBoot a viable alternative to UEFI firmware.

Bibliography

LinuxBoot Project. Available online: https://www.linuxboot.org
Coreboot Project. Available online: https://www.coreboot.org
"UEFI PI Specification 1.8". 2024. The Unified Extensible Firmware Interface (UEFI) Forum. Available online: https://uefi.org
U-root Project. Available online: https://u-root.org
Intel FSP. Available online: https://www.intel.com/FSP
AMD OpenSIL Project. Available online: https://www.amd.com/OpenSIL
NERF Project. Available online: https://trmm.net/NERF/
ARM LBBR. Available online: https://developer.arm.com/documentation/little-kernel-boot-loader
"Contributors statistics". 2024. EDK2, coreboot and Linux GitHub repositories. Available online: https://github.com

Chrome AP Firmware Embraces to x86_64 Architecture

Subrata Banik — Fri, 28 Jun 2024 16:35:13 GMT

Executive Summary

This document details the successful implementation of 64-bit boot support (x86_64 architecture) in Chrome AP firmware to boot ChromeOS devices (i.e., Chromebook, Chromebox etc.) . The primary motivation for this transition was to overcome the 4GB memory limitation of the traditional 32-bit architecture, which is increasingly insufficient for modern hardware demands.

Key technical changes faced during enabling 64-bit mode in various boot phases, including Cache-as-RAM (CAR) mode, and ensuring compatibility with SoC APIs and the payload (libpayload and depthcharge for booting ChromeOS). A unified entry point for both 32-bit and 64-bit modes was implemented in libpayload, and depthcharge was modified to support 64-bit compilation.

Comparative analysis between 32-bit and 64-bit builds showed an expected increase in SPI flash size by approximately 0.3MB (to support 64-bit architecture), but no significant impact on boot performance. This confirms that the transition to 64-bit architecture is feasible without performance regressions, paving the way for future ChromeOS devices using Intel SoC platform.

Objective

This document captures the journey of adding 64-bit boot support to the Chrome AP firmware, which involved adopting the x86_64 architecture.

Background

Traditionally, the most popular x86 architecture supports the 32-bit architecture meaning the flat address space is limited to 4GB and need to enable remapping/physical to virtual memory mapping if wish to access memory above 4GB. The first x86 processor that introduced 32-bit architecture was the Intel 80386, also known as i386. It was released in 1985 and marked a significant advancement in the x86 line of processors.

The i386 could address up to 4GB of physical RAM memory.
32-bit Registers and Data Path allowed for faster calculations and manipulation of data.
Protected Mode, initially introduced in the 80286 processor, extended the addressable memory space significantly. This enabled the implementation of a robust memory management system, facilitating virtual memory and enhancing protection against software crashes

The primary constraint of the 32-bit architecture is that it can only address a maximum of 4GB of RAM (2^32 bytes). This limitation became increasingly problematic as software and operating systems became more demanding, requiring more memory to function properly. Additionally, processors are becoming more complex, and more advanced IPs (Intellectual Property) such as AI (Artificial Intelligence) accelerators, USB-C controllers, video, and image processing units are expected to consume more system memory to operate. System memory <4GB is already occupied by existing hardware resources (IPs), system software, etc. As a result, SoC programming logic is unable to meet the hardware resource requirements with advanced SoC IPs, which is another reason why the 32-bit CPU architecture is unable to meet the requirements of advanced use cases in 2024.
In comparison, a 64-bit architecture can theoretically address a much larger amount of physical memory (2^52 bytes or roughly 4092 terabytes) and virtual memory (2^48 bytes, or roughly 256 terabyte). While this is far more than any current system would ever need, it successfully removes the memory limitations imposed by 32-bit systems.

4GB maximum addressable RAM in 32-bit vs. virtually unlimited in 64-bit.
A 64-bit architecture can potentially process data faster due to larger registers and wider data paths.
Backward compatibility between 32-bit and 64-bit software is also possible.
The introduction of long mode with page-table enforces the security in system software where flat memory access seems prone to attack.

64-bit architecture for personal computers was first introduced in the early 2000s. The widespread adoption of 64-bit architecture in consumer-level desktops and laptops began in the mid-to-late 2000s with the release of operating systems like Windows Vista 64-bit and the increasing availability of 64-bit processors. System firmware also adapted towards 64-bit mode of booting even in the client segment as EDK2-based firmwares are largely leveraging the 64-bit infrastructure changes coming from the server ecosystem.

Overview

Due to the recent developments in Intel SoC architecture, including the integration of discrete tiles and the reorganization of SoC IPs, there has been an increasing need for more hardware resources. This is necessary to support improved performance and more efficient communication with reduced latency. For example, if a SoC IP/subsystem requires more system memory (than traditional ones) to map the entire device-specific register space. This space can be easily allocated above 4GB of memory if the underlying architecture supports it. However, for system firmware where accessing more than 4GB is not feasible, the SoC must support a special method to provide a window for accessing the same hardware register spaces within less than 4GB of memory boundary. Implementing a special method in SoC designs is costly and necessitates specific security enforcement. Suppose a situation where such special treatment is not feasible in the future SoC roadmap to map device register space below 4GB will no longer be supported. In this case, one possible solution is to enable more than 4GB of memory access, allowing the device register space to be mapped without incurring additional SoC costs.

This is not a significant concern for SoC vendors/ODMs/OEMs/IBVs utilizing EDK2-based system firmware (UEFI) because the 64-bit boot mode has been enabled and supported by Independent BIOS vendors (IBVs) for Windows and Linux-based client devices for several years. However, the UEFI implementation of booting x86_64 architecture is limited to specific boot phases. The early phases like Security (SEC) and Pre-EFI Initialization (PEI) are executed in 32-bit mode, and advanced stages like Driver Execution Environment (DXE) and Boot Device Selection (BDS) are solely executed in x86_64 mode.

Unfortunately, the system firmware (coreboot) used in Google ChromeOS devices has limited support for the x86_64 specification and does not have widespread support. Currently, x86_64 is only available on emulators (Qemu x86_64 board) and a few limited hardware platforms as an exploratory effort. A few specific 64-bit features have been added under the HAVE_X86_64_SUPPORT Kconfig, including:

Generating static page tables with entries pointing to Page Directory Pointer Entry (PDPE), PDPE with entries pointing to Page Directory Entry (PDE), and PDEs with 512 entries each.
Loading the Global Descriptor Table (GDT) to access more than 4GB of memory.
Calling into SoC blobs/APIs in 32-bit mode by following thunking (switching from 64-bit mode to 32-bit mode).
Transferring control to the payload only in 32-bit mode, where the payload binary should be loaded into less than 4GB of memory. During the jump into the payload, coreboot will transition from long mode to protected mode.

The rationale behind supporting x86_64 boot mode for future Intel SoC platforms is to ensure that hardware resources can be accessed without limitations. Therefore, the goal of AP Firmware used across ChromeOS devices is more ambitious than the current offerings of coreboot regarding x86_64 support. The following is a list of objectives that Chrome AP Firmware aims to achieve when claiming that x86_64 architecture support is production-ready:

Ability to switch to 64-bit while operating in Cache-as-RAM (CAR) mode, including validating CAR mode operation in long mode and enabling paging with a large 1GB page table.
Support for SoC blobs/APIs in 64-bit mode, particularly the ability to call into Firmware Support Package (FSP) API entry points without switching between protected mode and long mode upon exit, thereby reducing latency.
Exception handling should adhere to the x86_64 architecture specification across all differnt stages of the firmware boot (like boot firmware and/or payload).
Switch to the payload in long mode without thunking, leveraging libpayload in long mode instead of the traditional approach where coreboot always switches into the payload in protected mode. Design the coreboot to libpayload entry point in a scalable manner to allow more flexibility when switching between coreboot and payload. Validate all below modes of switching between coreboot and libpayload:
- Support traditional 32-bit mode of switching.
- Allow thunking from coreboot running in long mode but jumping into the payload in protected mode and eventually transitioning into long mode inside the payload.
- Support x86S mode of booting as well (for future SoC/FW readiness).
Migrate all debug interfaces, such as the GDB (GNU debugger), firmware shell (pre-boot CLI environment in Chrome AP firmware) etc. to support 64-bit mode of operations.
Conduct platform validation, Functional Automated Firmware Test (FAFT), and Targeted Acceptance Support Test (TAST) to ensure that x86_64 is as stable as traditional x86_32 mode of booting.

Detailed Implementation

This section aims to highlight the scattered changes made in the details across various boot phases, both within coreboot and the payload. Currently, the majority of x86 platforms hosted within coreboot projects support 32-bit architecture. Previously, there were limited experimental efforts to add 64-bit architecture support to the coreboot tree. This proof-of-concept work (performed using a Chromebook platform) extends those efforts to ensure that the x86_64 architecture support in coreboot is stable and well-tested.

Responsibility of x86_64 Kconfigs

In order to maintain support for the x86_64 (64-bit) platform alongside the current ecosystem, USE_X86_64_SUPPORT and HAVE_X86_64_SUPPORT Kconfigs are employed. The purpose of this document and the proof-of-concept work is to guarantee the x86_64 boot mode using the Intel Meteor Lake platform, even though supporting x86_64 boot using the coreboot tree is still in the experimental stage. This is done to prepare the Chrome AP firmware stack for future SoC generations from Intel.

To start coreboot in 64-bit mode, the ARCH_ALL_STAGES_X86_64 Kconfig option is enabled by default when selected. This allows coreboot to run in long (64-bit) mode. All coreboot stages are compiled using a 32-bit toolchain by default, but enabling this option switches to a 64-bit toolchain for all stages.

The Kconfig option USE_X86_64_SUPPORT becomes enabled when HAVE_X86_64_SUPPORT is selected. This selection ensures that all boot phases, including bootblock, verstage (if enabled), romstage, and ramstage, are compiled in long mode."

config ARCH_ALL_STAGES_X86_64

bool

select ARCH_BOOTBLOCK_X86_64

select ARCH_VERSTAGE_X86_64 if !VBOOT_STARTS_BEFORE_BOOTBLOCK

select ARCH_ROMSTAGE_X86_64

select ARCH_RAMSTAGE_X86_64

A 64-bit build of coreboot boot phase picks the Cflags/Linker scripts that are required for x86_64 architecture to generate executable binary in “elf64-x86-64” format.

ifeq ($(CONFIG_ARCH_BOOTBLOCK_X86_32),y)

$(eval $(call early_x86_stage,bootblock,elf32-i386))

else

$(eval $(call early_x86_stage,bootblock,elf64-x86-64))

endif

Moreover, x86_64-specific Kconfig options ensure that the low-level assembly files designed for long-mode operations are chosen over the ones for the native 32-bit implementation mode. For instance, the low-level operations memcpy, memset, and memmove have inherent differences in their operations between 32-bit and 64-bit architectures hence, to implement mem memory move operation in long mode, memmove_64.S file has been picked over memmove.S .

x86_64 support in Cache-As-RAM

During the power-on reset process of an x86 system, the x86-CPU begins in real mode (16-bit) and eventually transitions to protected mode (32-bit). To enable support for x86_64 long mode, it is crucial to transition the CPU from protected mode to long mode as soon as possible. There is a specific sequence of steps that must be followed to successfully perform this transition.

Enable PAE (Physical Address Extension):

Set the PAE bit in the CR4 control register, enabling 4KB paging and expanding the available physical address space.

Enable Long Mode in EFER:

Set the LME (Long Mode Enable) bit in the EFER (Extended Feature Enable Register), signaling the processor that Long Mode is desired.

Load a Valid PML4 Table:

Load the CR3 register with the physical address of the PML4 (Page Map Level 4) table. This is the root of the page table hierarchy for Long Mode.

Enable Paging:

Set the PG (Paging) bit in the CR0 control register, enabling paging. This is a requirement for Long Mode.

Far Jump to Code Segment:

Perform a far jump instruction to a code segment with a Long Mode compatible descriptor. This jump completes the transition into Long Mode.

In x86-64 long mode, the page table is vital for translating virtual addresses to physical addresses. They remain crucial for memory management, even in absence of physical memory (aka in CAR mode). A CPU core seeking data from a virtual address initially checks the TLB (Translation Lookaside Buffer), a cache for recent page table entries. If the entry is found, translation is rapid. However, a TLB miss triggers a traversal of the multi-level page table hierarchy. The process starts from the PML4 table (Page Map Level 4) down to the page table entry with the physical address. In the cache-as-RAM scenario, this page table walk retrieves the necessary entries from the cache, emulating regular RAM behavior. IA common code that manages setting up CAR mode, is also responsible to perform long mode transition and setting up the page table.

Early boot phase is also responsible for loading the Global Descriptor Table (GDT) in 64-bit mode that supports >4GB address accesses and exception handling.

Page Table (PT) in coreboot

Page Table in 64-bit architecture is used to bridge between virtual to physical memory access, which is also additionally meant to provide security. Each entry in the page table maps a virtual page to a physical frame, storing additional information like access permissions and caching attributes.

coreboot supports two different types of page table creation logic as below.

Supporting Large (1GB) Paging: Each page entry in the page table maps a 1GB chunk of virtual memory to a contiguous 1GB region of physical memory. In x86-64, 1GB pages typically bypass the Page Directory Table (PDT) level of the page table hierarchy, mapping directly from the Page Directory Pointer (PDPT) Table to the physical page.
Supporting Small (2MB) Paging: Each page entry maps a 2MB chunk of virtual memory to a contiguous 2MB region of physical memory. It utilizes all four levels of the x86-64 page table hierarchy: Page Map Level 4 (PML4), Page Directory Pointer Table (PDPT), and Page Directory (PDT).

Figure 1.0 shows the virtual to physical memory mapping in a long mode operation.

Figure 1.0: Structure of the 2MB Page Table (PT) used in x86_64 architecture

In the above example, coreboot creates a static (as physical memory is not yet available) Page Table (PT) and then programs the Page Map Level 4 (PML4) entry into the CR3 register (during the long mode entry the address of the PML4 has been programmed into the CR3 register).

For best software practices, 1GB pages can result in more efficient TLB usage due to fewer entries being required to cover the same amount of virtual address space. This can lead to faster translations and reduced overhead. If CPUID 0x80000001, EDX bit 26 is set to 1, it signifies a 1GB page size is supported. A recent change in the coreboot (!NEED_SMALL_2MB_PAGE_TABLES) attempted to ensure that the default page table creation follows the larger (1GB) paging.

Calling into SoC APIs (blobs) in long mode

On x86 platforms, all SoC programming is limited to executing the silicon vendor provided proprietary blob model. In this blob model, SoC programming starts from a coreboot call into the respective blob entry point. The integration between coreboot and SoC binaries follows the API (Application Programming Interface) model. Historically, the communication between coreboot and SoC binaries (aka FSP) API follows de-facto standards of 32-bit mode of calling conventions.

For example, the table below shows the code snippet for calling into Intel FSP-S (Silicon Init API). The default behavior is to call FSP APIs in protected mode (if the PLATFORM_USES_FSP2_X86_32 configuration is set), even if coreboot is compiled in 64-bit mode. The primary reason for this behavior is that the FSP specification and blobs do not support native 64-bit operations.

The FSP 2.4 specification for Intel next generation processor (post Meteor Lake) supports transfer of the control between coreboot to FSP in long mode. This proof-of-concept works using Intel Meteor Lake based reference design “Rex64”, adapted to the FSP2.4 specification and 64-bit FSP blobs to be able to call into FSP APIs in direct long mode w/o thunking into 32-bit mode.

if (ENV_X86_64 && CONFIG(PLATFORM_USES_FSP2_X86_32))

status = protected_mode_call_1arg(silicon_init, (uintptr_t)upd);

else

status = silicon_init(upd);

Transferring Control from coreboot to libpayload

The execution of each stage of coreboot is handled by arch_prog_run implementation found in the boot.c file. The transition to the next stage's entry point is determined by the operating mode of the current stage. For instance, programs running in 64-bit mode enter the next stage's entry point in long mode.

#if ENV_X86_64

void (*doit)(void *arg);

#else

/* Ensure the argument is pushed on the stack. */

asmlinkage void (*doit)(void *arg);

#endif

doit = prog_entry(prog);

doit(prog_entry_arg(prog));

When coreboot decides to pass control to the payload, the above mentioned logic does not apply. The libpayload, a crucial layer in the boot process, bridges the communication gap between the boot firmware (coreboot) and the payload responsible for booting a specific operating system.

Libpayload plays a fundamental role during the boot process to the ChromeOS-specific payload (depthcharge) by making platform-centric information accessible to the payload. The control transfer between coreboot (ramstage) and libpayload always operates in protected mode. This protected mode layer guarantees that the libpayload's entrypoint implementation only supports 32-bit operations. Consequently, payload memory access and operations are limited to 32-bit addressing, restricting access to resources beyond 4GB.

#if ENV_RAMSTAGE && ENV_X86_64

const uint32_t arg = pointer_to_uint32_safe(prog_entry_arg(prog));

const uint32_t entry = pointer_to_uint32_safe(prog_entry(prog));

/* On x86 coreboot payloads expect to be called in protected mode */

protected_mode_call_1arg((void *)(uintptr_t)entry, arg);

#else

In the next section, we will take a detailed look at the modifications made to the entry point of libpayload. This POC work (w/ below code change) allows coreboot to seamlessly switch between different modes (long and protected mode) based on the type of payload. This flexibility is important for validating different scenarios in the current and future scenarios (especially with the introduction of X86S).

#if ENV_RAMSTAGE

bool pl64 = is_payload_64_bit_enabled();

#if ENV_X86_64

if (pl64) {

void (*doit)(void *arg);

doit = prog_entry(prog);

/* coreboot is loading payload in long mode */

doit(prog_entry_arg(prog));

} else {

const uint32_t arg = pointer_to_uint32_safe(prog_entry_arg(prog));

const uint32_t entry = pointer_to_uint32_safe(prog_entry(prog));

/* On x86 coreboot payloads expect to be called in protected mode */

protected_mode_jump(entry, arg);

}

#else

if (pl64) {

die("Unsupported configuration, x86_32 coreboot/x86_64 payload\n");

} else {

asmlinkage void (*doit)(void *arg);

doit = prog_entry(prog);

doit(prog_entry_arg(prog));

}

#endif

Libpayload: Unified Entry Point for x86_32 and x86_64 mode

We have added x86_64 architecture specific CFlags, Linker Scripts, Tools chains etc. into the libpayload build system, similar to the approach followed previously in coreboot to add support for x86_32 architecture.

Along with other key changes made by CB:81968, the primary item that has been done in current implementation is refactoring the existing libpayload implementation for x86 architecture to keep both 32-bit and 64-bit support in parallel. Hence, added ARCH_X86_32 and ARCH_X86_64 Kconfig under the main ARCH_X86 architecture Kconfig. This effort allows all required architecture specific changes to be independent from each other.

As discussed in the previous section, the major limitation of the existing libpayload implementation was it only supported protected mode operations. Hence, the key feature being added by this work is to be able to support unified entry point implementation for 32-bit and 64-bit mode of operation. This new implementation would allow coreboot to directly jump into payload in long mode withoutthunking.

The heart of the implementation revolves around low level assembly changes as below:

1. head.S/head_64.S

Depending on the underlying ARCH, the platform selects either ARCH_X86_32 or ARCH_X86_64 Kconfig while building the libpayload. For example: head.S is getting compiled upon selecting ARCH_X86_32 Kconfig and head_64.S while building libpayload in 64-bit mode (w/ ARCH_X86_64).

The primary role head.S file is to fill the “cb_header_ptr” variable which is a pointer and holds the address of the coreboot table. Now the function calling convention differs between protected mode and long mode hence, the way head.S should fill the “cb_header_ptr” also differs.

Below table explains which libpayload entry point implementation to call into depending on the nature of operation.

coreboot	libpayload	trunking at entry point	entry point file
32-bit	32-bit	No	head.S
64-bit	64-bit	Yes	head_64.S
64-bit	64-bit	No	head_64.S

Let's follow the difference in operation between those two specific implementations of libpayload entry point assembly file.

Table: Comparison of libpayload entry point across different ARCH_X86_?? architectures

	head.S	head_64.S
		w/ trunking	w/o trunking
Save coreboot table pointer (cb_header_ptr)	coreboot tables has passed over the top of the stack while calling in protected mode. movl 4(%esp), cb_header_ptr	coreboot tables has passed over the top of the stack while calling in protected mode. movl 4(%esp), cb_header_ptr	The `cb_header_ptr` has passed as the first argument to the x86-64 calling convention. movq %rdi, cb_header_ptr
Loading the GDT	Load GDT in protected mode style like segment:ip. lgdt %cs:gdt_ptr	Load GDT in protected mode style like segment:ip. lgdt %cs:gdt_ptr	Load the GDT absolute address prior executing lgdt instruction. movabs $gdt_ptr, %rax lgdt (%rax)
Multiboot Header Support	Yes	Yes	No
Load Page Table (PT)	No	Yes call init_page_table movl $pm4le, %eax movl %eax, %cr3	Yes
Enable Physical Address Extension (PAE)	No	Yes movl %cr4, %eax btsl $5, %eax movl %eax, %cr4	Already Enabled
Enable Long Mode	No	Yes movl $(IA32_EFER), %ecx rdmsr btsl $8, %eax wrmsr	Already Enabled
Enable Paging	No	Yes movl %cr0, %eax btsl $31, %eax movl %eax, %cr0	Already Enabled
Jump into long mode	No	Yes ljmp $0x20, $LABEL	Already Enabled

2. pt.S

In long mode, libpayload/payload operation requires page table creation. There are two main reasons why the libpayload entry point should perform this step during the coreboot transition to libpayload:

Libpayload is built with ARCH_X86_64 Kconfig, while coreboot jumps into the payload entry point in protected mode. To switch back to long mode, libpayload must load the page table appropriate for the CPU architecture that supports large or small page tables.
coreboot jumps into libpayload in X86S mode, and the goal is to enable paging up to 512GB of range using a 1GB page table. This is crucial to avoid on-demand paging while depthcharge attempts to wipe-off or access memory >4GB in developer mode. Without this implementation, depthcharge would need to implement on-demand paging between virtual and physical memory when accessing memory >4GB. This could introduce latency and require redundant page table programming within depthcharge, which is something we want to avoid.

The page table creation in libpayload follows a similar implementation as in coreboot. However, the coreboot page table creation relies on static page table entries, resulting in a larger binary size and a potential security risk. The benefit of using a static page table in coreboot is that it requires minimal assembly programming and more importantly coreboot cannot have a single, link-time known location for the page table that has written into the memory and remains valid throughout the entire execution (due to CAR teardown) where else, In libpayload, we do not have this issue because we have DRAM available and no further stage transitions (until we hand off to the kernel). One more limitation of coreboot page table creation is that it maintains two separate implementations between small (2MB) and large (1GB) pages which increases the code maintenance.

While implementing the page table in libpayload, we had considered several factors as below: coreboot can eventually jump into the libpayload entrypoint either in protected or long mode depending upon the different modes of operations and we still should be able to create the page table being compatible with the operating mode.

Need to keep only one implementation that can dynamically support either 2MB or 1GB page table creation looking at the CPUID 0x80000001/EDX bit 26.
The page table initialization function `init_page_table` is designed to function in both 32-bit protected mode and 64-bit long mode.
The page table implementation will only utilize assembly instructions that have the same binary representation in both 32-bit and 64-bit modes.
We compile with `.code64` to ensure the assembler uses the correct 64-bit version of instructions (e.g., `inc`).
Additionally, we carefully utilize the registers:
use 64-bit register names (like `%rsi`) for register-indirect addressing to avoid incorrect address size prefixes.
It is safe to use `%esi` with `mov` instructions, as the high 32 bits are zeroed in 64-bit mode.

Figure 1.1: coreboot transitioning into libpayload in different operating mode

3. exception_asm_64.S

Exception handling is the process of responding to unexpected events, such as hardware errors or invalid instructions, that disrupt the normal flow of a program. For example: Divide by zero, Page fault, Machine check exception, Invalid opcode etc. Refer to payloads/libpayload/include/x86/arch/exception.h for more details about exception types.The Interrupt Descriptor Table (IDT) plays a critical role in this process. The IDT is a data structure that stores the memory addresses of different types of exceptions and interrupts, including their corresponding handlers. The IDT is indexed by the vector number of the exception, which is a value between 0 and 255. The IDT entry for a given vector contains the memory address of the corresponding exception handler, as well as a value that is used to determine the error code that is passed to the exception handler.

When an exception or interrupt occurs, the processor consults the IDT to locate the appropriate handler, which is a piece of code designed to address the specific event. This handler then takes necessary actions, such as logging the error, stack dump, hooking the GDB (GNU Debugger) or gracefully terminating the program.

There are basic differences between the size of the Interrupt Descriptor Table for 32-bit and 64-bit. On 32-bit processors, the entries in the IDT are 8 bytes long and form a table like this:

Interrupt Descriptor Table (32-bit)

Address Content

IDTR Offset + 0 Entry 0

IDTR Offset + 8 Entry 1

IDTR Offset + 16 Entry 2

... ...

IDTR Offset + 2040 Entry 255

On 64-bit processors, the entries in the IDT are 16 bytes long and form a table like this:

Interrupt Descriptor Table (64-bit)

Address Content

IDTR Offset + 0 Entry 0

IDTR Offset + 16 Entry 1

IDTR Offset + 32 Entry 2

... ...

IDTR Offset + 4080 Entry 255

When filling the interrupt table entries for a 64-bit system, we must consider three offsets: offset_0 (bits 0-15), offset_1 (bits 16-31), and offset_2 (bits 32-63). However, in a 32-bit IDTR, we do not need to account for the offset_2 field.

Depthcharge: Supporting x86_64 mode

Similar to libpayload, the depthcharge code changes also introduces ARCH_X86_64 (64-bit) and ARCH_X86_32 (for 32-bit) to keep two supported architectures in parallel as part of the payload support. Files necessary for 64-bit compilation are now guarded by the `CONFIG_ARCH_X86_64` Kconfig option.

Besides adding 64-bit architecture specific Kconfig and allowing to compile 64-bit implementations (.C and .S files) for the x86_64 architecture, this patch also modifies compiler flags to meet the stack boundary alignment requirements for 64-bit architecture. For example:

-mpreferred-stack-boundary=2 --> Aligns to 4-byte boundary (2^2 = 4) for x86_32 (32-bit)
-mpreferred-stack-boundary=4 --> Aligns to 16-byte boundary (2^4 = 16) for x86_64 (64-bit)

Similarly, we have encountered an interesting problem related to “firmware-shell” operating in long mode. While executing any in-built command inside the firmware-shell resulted in the exception. After debugging, we have concluded that the linker symbols of firmware-shell pre-built commands are not aligned to the underlying architecture. For example: while compiling the firmware-shell in x86_64 mode, the variable should be aligned to 8-bytes/16-bytes compared to the alignment requirement for 32-bit mode is 4-bytes.

Finally, libpayload implements arch_phys_map() function that maps virtual memory to physical memory for 64-bit in a more sophisticated way compared to the 32-bit implementation of arch_phys_map(). The 32-bit mode of implementation offers on-demand virtual addresses to a physical address and optionally invalidates any old mapping.

Transferring Control from Depthcharge to ChromeOS

Modern Linux operating systems support two different entry points while bootloaders plan to jump into the kernel entry point aka legacy protected mode and modern long mode. Traditionally, payload designed for CrOS performs a jump into kernel mode in protected mode. The only argument that it passes to the kernel entry point is “boot_params”. Below table provides the code snippet which has been executed by kernel, while transiting into the kernel entry point in protected mode.

puts("\nStarting kernel ...\n\n");

timestamp_add_now(TS_START_KERNEL);

post_code(POST_CODE_START_KERNEL);

__asm__ __volatile__ (

"movl $0, %%ebp \n"

"cli \n"

"jmp *%[kernel_entry] \n"

:: [kernel_entry]"a"(entry),

[boot_params] "S"(boot_params),

"b"(0), "D"(0)

);

This newer implementation relies on transferring control to the kernel entry point in long mode (which is 512-bytes apart from the kernel legacy entry point). The newer implementation relies on the kernel header data structure (e.g., an ELF header) that contains information about the kernel being loaded.

- xloadflags: A field within the hdr structure holding flags that describe the kernel's properties.

- XLF_KERNEL_64: A constant representing a flag indicating that the kernel is designed for 64-bit execution.

if (CONFIG(ARCH_X86_64)) {

if (!(hdr->xloadflags & XLF_KERNEL_64)) {

printf("Kernel is not 64-bit bootable.\n");

return 1;

}

entry += 0x200;

}

__asm__ __volatile__ (

"movl $0, %%ebp \n"

"cli \n"

"jmp *%[kernel_entry] \n"

:: [kernel_entry]"a"(entry),

[boot_params] "S"(boot_params),

"b"(0), "D"(0)

);

Eventually, the bootloader transfers the call into the kernel in long mode if “Kernel is 64-bit bootable” after looking into the XLF_KERNEL_64 flag is set within the xloadflags field.

Comparative Analysis

This POC work is not only helping to establish the fundamental block of x86_64 mode for Chrome AP firmware, which can be possibly used by Intel next generation SoC platform (aka Panther Lake). Therefore, it’s important to not only add foundational 64-bit code to create 64-bit binaries and be able to boot cleanly to the OS in x86_64 boot mode but also capture the comparative analysis between a platform in 32-bit mode vs the same platform supports 64-bit boot recipe as well.

We are able to create a 64-bit build for Rex (the reference platform based on Intel Meteor Lake generation) known as Rex64. We have completed the end-to-end measurement related to boot time and SPI size increase between Rex and Rex64 build.

Table: SPI Size Impact between Meteor Lake (32-bit) and Panther Lake (w/ N-1 aka Meteor Lake) due to 64-bit migration

Intel Meteor Lake	32-bit FSP		64-bit FSP		Growth
	Debug	Release	Debug	Release
FSP-M	1.4MB	852KB	1.4MB	902KB	50KB
FSP-S	385KB	213KB	393.4KB	223KB	10KB
	Total Growth in FSP size in 64-bit build				60KB * 3 copies (RO + RW-A/B) =180KB

Free space (CBFS)	32-bit boot		64-bit boot
COREBOOT Region	1.14MB		1.014MB		(-) 126KB * 1 copies (RO)
FW-MAIN-A/B Region	718KB		631KB		(-) 86KB * 2 copies (RW-A/B)= (-) 172KB

Total SPI Size Expected Growth due to 64-bit in coreboot (B)					(126+172)KB=298KB (RO: 126KB, RW-A/B: 172KB)

Based on the above table, we are expecting to see ~0.5MB growth in the SPI flash due to migrating to x86_64 mode.

Unfortunately, we are unable to see any savings in the FSP and/or overall coreboot boot numbers w/ this planned toolchain migration. But at the same time, the boot numbers are in parity with the 32-bit boot numbers (aka no-regression).

Table: Boot Impact between 32-bit AP firmware and 64-bit AP firmware

	FSP-M (ms)	FSP-S (ms)	MultiPhaseSIInit (ms)	Total (ms)
32-bit FSP + coreboot	43	130	108	281
64-bit FSP + coreboot	49	121	107	277

Summary

The document outlines the process of updating the coreboot, FSP, libpayload and depthcharge codebases to support x86_64 (64-bit) mode in ChromeOS.

Successfully enabled complete x86_64 boot flow using real hardware (Rex64).
Highlighted the total changes across different boot phases to support x86_64 mode.
It addresses the need for large page tables (1GB) to avoid on-demand paging and enable efficient memory wiping during developer mode.
The page table creation in libpayload is designed to support both 32-bit protected mode and 64-bit long mode, using assembly instructions with the same binary representation in both modes.
Depthcharge also introduces support for x86_64 and compiles 64-bit implementations for the x86_64 architecture.
The document highlights the challenges faced in ensuring proper stack boundary alignment and handling firmware-shell commands in long mode.
It concludes with a discussion on transferring control from depthcharge to ChromeOS, emphasizing the use of kernel header data structures to facilitate this transition.

Supermicro & AMD join the Open Source Firmware Effort

Philipp Deppenwiese — Thu, 16 May 2024 15:31:15 GMT

24th April, Lisbon, OCP Regional Summit

In a groundbreaking move at the OCP Regional Summit, Supermicro and AMD have aligned with the Open Source Firmware Foundation (OSFF) to pivot the tech landscape toward open-source firmware, challenging decades of dependence on proprietary systems.

A Technological Revolution at OCP

The joint booth of the Open Source Firmware Foundation, AMD and Supermicro was a focal point at the summit, where they showcased proof of concept (POC) firmware solutions on two mainboards. With the open-source release of AMD openSIL (PoC for AMD CRB platform based on 4th Generation AMD EPYC™ server processors) on June 14^th 2023, available on https://github.com/openSIL, Supermicro took on the challenge to perform a comprehensive evaluation of the new silicon initialization architecture and showcased their own server platform (Supermicro H13SSL-N) hosting 4^th Generation AMD EPYC™ server processors – demonstrating scalability and seamless integration of AMD openSIL across two host firmwares – (1) UEFI based Tianocore and, (2) coreboot/Linuxboot.

AMD's openSIL solution becomes available in 2026 as production-worthy open-source library for silicon initialization.

In addition to Open Host Firmware/BIOS, Supermicro has announced its intention to equip their systems with OpenBMC in the future.

Shifting Business Models

The traditional firmware model involves proprietary SDKs from BIOS vendors, which often leads to dependency and loss of control over the technology, which often leads to dependency and loss of control over the technology. The OSF model, by contrast, promotes collaboration with the OSF community and Independent BIOS Vendors (IBVs).

This model empowers companies to maintain control over their firmware and gain all the benefits of open-source innovation, supported by contracts and OSFF’s consultancy in navigating partner ecosystems.

Why It Matters

This strategic shift to open-source firmware offers a sustainable advantage by allowing companies to innovate more rapidly and securely. For industries ready to break boundaries, this model reduces risks associated with vendor lock-in, accelerates technological adaptability and offers a reduced time-to-market strategy for board bring-up of new systems.

Introducing Hancock Chang - OSF Ambassador for APAC

Hancock Chang steps up as the new OSFF Ambassador for the APAC region, ready to navigate the complexities of open-source adoption across continents.

Hancock Chang, Supermicro

Looking Ahead

Supermicro, AMD, and OSF are not just participants but pioneers in a movement setting a new standard in technology. As we watch this evolution unfold, the tech industry can expect more robust, customizable, and secure systems that align with modern demands and standards.

Stay connected to witness how this transformation will redefine the hardware industry, ushering in an era of transparency and collaborative innovation.

Open Source Firmware - Escape the proprietary cave

Werner Zeh — Mon, 26 Feb 2024 18:34:46 GMT

1 Preface

II have been doing firmware development for more than 12 years for a large German industrial group. I have started my professional firmware development career with x86 based systems. Back then, the old BIOS solution was currently phasing out, but I was able to get a good insight into the techniques and development flow coming from this approach. Then it was replaced by a new, standardized solution called UEFI. After a few years of development with UEFI on our devices and all the pain it brought from my point of view, I moved on and finally settled with coreboot, an open source project to serve the same demand, booting our devices into the OS.

This article will take a closer look at proprietary firmware solutions and the development workflow I was working with. Further on, the modern practices in the open source firmware development will be presented and benefits as well as drawbacks will be discussed.

All the aspects and arguments in this article are reflecting my experience with the different solutions and development flows in an active product development. For sure there can be different perceptions out there about the content which is mentioned in this article. Of course all of them might be applicable depending on the different situation they are coming from but the aim of this article is not to take each and every pathway into account.

2 What is meant by firmware in this article

The term ‘firmware‘ describes a piece of software that is tightly coupled to the hardware. It is stored on non-volatile memory devices directly located on the given circuit board. The firmware installation is usually done as part of the device manufacturing process by the OEM (Original Equipment Manufacturer) or ODM (Original Design Manufacturer) and the device will not start up properly if the firmware is missing or corrupt.

This article describes in particular firmware for x86 based systems. A very common term for this is the BIOS (Basic Input/Output System). In the last two decades the legacy BIOS was more and more suppressed by a different firmware stack called UEFI (Universal Extensible Firmware Interface). Both of the aforementioned solutions are closed source, proprietary implementations which usually come with a license fee. In addition, there are open source alternatives available to serve the same demand, one of these is called coreboot, which is a GPL project freely available to everyone.

3 The typical development flow with proprietary firmware

Proprietary firmware for x86 systems is usually provided by so called Independent BIOS Vendors (IBVs). These companies are specialized in cross-platform (client and server side) enablement including source code development and maintenance services, custom OEM tooling and bug fixes during the entire product life-cycle. Let’s evaluate how a new hardware product (e.g. PC mainboard of a consumer device) is brought to life at the hardware vendor(OEM or ODM). An OEM is developing a design but does not sell it by himself. Instead, a company which is then really selling a device to end customers reaches out to an ODM which will take the design from an OEM and make a real product out of it on behalf of the selling company.

It starts with the hardware design phase which takes care of the schematic and board layout. At this level the hardware feature set is defined by the silicon selection and the interconnects on the circuit board. Typically, the hardware design and board manufacturing is managed by the ODM with guidance of an OEM. Once this phase is completed and the hardware is manufactured, the next step is to populate it with a firmware. Usually, the hardware vendors do not have the needed knowledge or resources to develop the firmware for their product on their own from scratch. Instead, they reach out to IBVs which provide standardized firmware stacks. As the developed hardware is never 100% identical to all the other hardware designs out there, a certain level of adaptation is required on the firmware side. There are a few options how this adaptation can be achieved:

Option 1: Ask the IBV to do this as a service
Option 2: Ask a third party company to do the needed adaptation. This company will likely work closely with an IBV.
Option 3: Acquire the firmware stack from an IBV and do the adaptations by dedicated firmware engineers at the hardware vendor

In any case the IBV’s firmware stack is used as the basis for this adaptation. The first option requires the hardware vendor to share development details like schematic with the IBV. This can be very demanding and not every vendor is willing to do this for different reasons. Option 2 is even problematic as a third company is involved and needs to know hardware and firmware details, which is often hard to deal with. From my experience the often chosen option is therefore option 3, which means the needed adjustments will be performed at the hardware vendor side. To show the full development flow and all its dependencies, let’s take the last option here as an example (this is how I was working with UEFI).

So the hardware vendor purchases the firmware stack from the IBV of its choice. The delivery is, in the case of the nowadays standard UEFI firmware, a source code package with multiple ten thousands of files. It contains the real source code as well as the needed build system to compile the source code to a single image. The firmware engineers of the hardware vendor need to handle this giant amount of code in this scenario. This task is in practice very cumbersome due to the nature of proprietary firmware. There are some reasons and explanations I would like to point out as follows:

First, the IBVs have a huge development team contributing to the firmware stack. The aim is to support all the features of a given platform in a single firmware stack as the real use case of this stack is defined by the hardware capabilities. The code base grows over time. Some parts have been ported over from previous versions of the firmware stack and might not have been cleaned up properly to match a possible new structure. Other parts may have been provided by a 3rd party. A large amount was newly developed just to cover the needs of the new platform. Often there are complex override mechanisms for a big portion of the code which results in having the same files being present multiple times in the code tree, at different locations with in-transparent dependency rules. All this increases the number of source code files in the firmware stack and its complexity.

Secondly, the complex nature of modern silicon designs cannot be handled by the IBVs themselves. The silicon vendor is the only reliable source of knowledge for the latest silicon designs. Additionally, the silicon vendors often have their own reference firmware implementation which they need for early silicon commissioning. To ease the silicon platform integration at the IBVs, the silicon vendors provide their reference code (or parts of it) to the IBVs which is now included into the firmware stack at the IBV. Since this reference code is written by the silicon vendor and not by the IBV, it often does not match the structure and architecture the IBV uses in their firmware stack. And often there is no common code style available across these parts. Therefore, abstraction layers and a lot of glue code are used inside the firmware stack to enable the reference code usage. In some cases the silicon vendor is not able or willing to provide source code for a part of the platform (e.g. because this part was acquired from a supplier by the silicon vendor and the license does not cover code redistribution). In these cases the delivery form is a binary image (blob) with a defined API to call into.So in the end the firmware engineer at the hardware vendor has to deal with a huge code base which was developed by two or more big parties, at least the IBV and the silicon vendor. It even may contain blobs with little possibilities for modification. Figure 1 shows the code composition the hardware vendor needs to handle in this scenario.

Figure 1: Proprietary firmware composition

Now this code base needs to be tailored carefully to match the use case the new hardware implements. The closer the hardware implementation is to the reference design of a silicon vendor, the less adaptations are needed in the firmware stack. If one has a more specialized hardware for industrial or IoT use cases, the amount of required adaptations rises quickly and the risk grows to configure or adapt the provided firmware stack in a bad or inappropriate way.

3.1 Problems with proprietary firmware development

If we look further in the drawn scenario, the hardware vendor’s firmware engineer is now responsible for the adaptation of the provided firmware stack. The engineer needs a deep knowledge of the firmware source code in order to implement the required changes in the right way, without introducing hidden bugs or even security issues. This knowledge, once built up at the hardware vendor, cannot always be transferred to a new platform smoothly as in the meantime the IBV continues developing his firmware stack. So at the time a new CPU platform is used on a new design a few years later, the then acquired code base can be quite different compared to the last one from the same IBV. The engineer at the hardware vendor needs to go through the steep learning curve again, investing a lot of time and making new mistakes. If a different IBV is used, the whole case is just worse.

Now imagine there is an issue found by the engineer in the provided source code, either a general one or a special one dedicated to his use case. In such scenarios the usual process would be to reach out to the IBV and ask for help. This support is often covered by dedicated service contracts which the hardware vendor needs to pay for. In some cases the IBV might be able to provide a fix for the issue quickly. In other cases the issue might be more complex and the needed support hours to reproduce, find and fix the issues at the IBV’s side might count up fastly. In even more complex scenarios the root cause for the issue might be in the portion of the code which was delivered by the silicon vendor or, even worse, by its suppliers. Now, the IBV has to reach out to the silicon vendor and ask for help, for which the IBV needs to be able to reproduce the issue on his side and provide detailed information to the silicon vendor. Often it is the customer’s duty to provide a way to reproduce the issue on a reference design. Otherwise, neither the IBV nor its supplier will start an investigation for the root cause. This again increases efforts at the hardware vendor. One can easily see how quickly this model will become overloaded with a lot of parties involved in the solution with service hours growing quite fast. Of course the hardware vendor has to pay for all these service hours. Beside this, the time to get a fix in such a scenario can reach months. This in turn slows down the firmware adaptation process on the hardware vendor side a lot.

The other aspect of issues in such a development process is the code quality. The most important thing from the IBVs point of view is to deliver a functional code base in time. The code quality is not in the focus as a customer usually pays for functionality. This strategy leads to new problems as over time the code base will become really hard to maintain. Bugs will be hard to find or track which again will increase the requested service hours and slow down development dramatically.

Even when the hardware vendor was able to fix a bug in the purchased code base of an IBV by himself, there is no guarantee that this finding will ever find its way back to the IBV. And even if it will be reported, the implementation in the code base at the IBV is not necessarily done. The next customer of this IBV might get the old version of the code tree delivered and can step into the same pitfall again, investing now additional time to find and fix the same issue at his end. There is no established workflow between the IBV and its customers when it comes to reporting issues to the IBV which again results in bad code quality over time.

Sometimes there are contracts between the IBV and the hardware vendor that forces the hardware vendor to pass the ownership of the code changes the engineer at the hardware vendor develops at his end to the IBV. This makes it highly difficult for the hardware vendor to add additional, differentiating features to his product as they need to be passed back to the IBV and the IBV, being the owner of them per contract, can freely sell these features to the next customer (which easily can be a competitor of the original hardware vendor).

3.2 What will you get with proprietary firmware

As described, the development process with proprietary firmware can be tedious and cumbersome. But there is a second view which reveals benefits of this firmware approach.

First, there is a contract between the IBVs and their customer. Usually such a contract includes support from the IBV which the customer can count on if any cases or issues are coming up. Of course this service needs to be paid for but on the other hand it provides the customer a convenient way to get knowledge from the IBV and fix arising issues faster.

The second benefit is the fact that proprietary firmware is still mainstream. If a hardware vendor uses a proprietary firmware on its product, this product will be able to boot all the operating systems out there out of the box. The OS vendors treat the proprietary firmware case as de facto standard and provide all the needed implementation for such a scenario. All the tests are done with proprietary firmware in mind.

Once shipping of the product with proprietary firmware has started, the maintenance of the firmware becomes hard. The hardware vendor usually provides firmware updates in the first few months up to a year or two of the product life cycle. These updates are provided to extend functionality (add support for newer versions of silicon or memory modules), fix minor bugs that have been found at the hardware vendor side or provide security updates. Improvements in the firmware stack driven by the IBVs frequently do not flow back into this product since at this time the support contracts between the IBVs and their customers may have expired. So the end customer, who owns this device now, often has to live with issues in the firmware limiting the user experience. As there is no way that an owner of the device can have access to the firmware stack, an incident in the firmware cannot be fixed by the owner or other enthusiasts. Therefore, often fixes for a firmware bug are applied on the operating system level (the Linux kernel has a lot of such ‘fixes’) which in turn shifts the maintenance burden to the wrong level and makes the maintenance of the operating system complex.

4 Open source firmware

The open source software approach is available now for decades and has proven its power and benefits in various software projects all around the world. Starting with small applications driven by enthusiasts reaching to big enterprise solutions and operating systems all of us have had contact with open source products. No wonder that this model was adopted even for x86 firmware in the late 1990s already. In the meantime the number of projects around open source firmware has increased. Projects like coreboot, Tinaocore or Slim Bootloader are well known and actively developed. And the usage of such open source firmware grows continuously.

4.1 Open source firmware development flow

Let’s have a look at how a development process in the open source firmware domain looks like. Unlike the proprietary firmware there is no dedicated company that owns the open source firmware. Contrary, an open source project is driven by an open source community which consists of different members. There are pure enthusiasts spending their free time and passion to support an open source project development. There are members working for companies which use the open source firmware in their products or even offer services like an IVB for the open source domain. There are even members from different silicon vendors if the silicon vendor is interested in support for his latest platforms in a given firmware project. All of the mentioned members are working collaboratively in the open source firmware project and composing the community. Usually, the development inside the community is transparent and everybody has access to the changes and the whole code tree, even people who are not part of the community. And everybody is welcome to participate at any time. The well mixed community usually ensures high code quality as a broad and publicly visible review process can be established and maintained.

Of course this development model needs rules in order to keep the project in a good shape. These rules cover processes which describe how the development is done (where the repository is stored, how patches are pushed upstream, what the merge policy looks like, ...), include coding guidelines and describe the test infrastructure. They are accessible for everybody so that the overall project policy is known to all the members and possible users of an open source firmware.

Let’s now take the depicted example from chapter 3 (the proprietary workflow) where a device manufacturer chooses an open source firmware for its new product this time. Let us further assume that the hardware vendor is an active community member (the other case will be discussed later). The adaptation needed in the firmware for the new product now needs to be driven by the hardware vendor. So the engineer creates patches for the open source firmware and pushes them upstream. Now the major difference, compared to the proprietary flow, is visible: Before the patches can land in the code tree, a public review happens. Numerous community members can have a look at the proposed changes and send suggestions for improvement. This step is crucial because now the quality of the proposed change is increased. It is not just one single engineer who implements the feature or change on its own, it is a big community taking care of the change and its quality. Experienced members can judge if the proposed change matches the architecture and policy of the open source project and reply with change requests if needed. At the first glance this may look like an additional burden compared to the proprietary development flow. But with a closer look one can see easily how this is massively increasing the code base quality and therefore reducing the maintenance efforts inside the open source firmware project. And good code quality leads to a good firmware quality, decreasing the number of bugs and providing stability at execution time.

Beside the review there are often other helpers in place to help with the development. Code style checkers help to achieve a common coding style across the whole project, automated build tests ensure that a single commit is not harming the code base or leads to compile errors. Only after all the installed code checkers and build tests have been passed and a positive feedback was gained in the public review, the patch is considered to be good enough for merging. In some cases just being able to compile the code without errors and warnings is not enough to guarantee functionality of the code at runtime. Therefore it is crucial to reach out to platform owners (often community members who have access to various platforms, but everybody is welcome here) and ask them for a real test on dedicated hardware to ensure seamless functionality of a code change. For a quick fix of the flaw in the codebase a fast response is substantial in cases where a change introduces runtime issues.

From the developers point of view the open source approach has the benefit that the development of the code base can be observed continuously and the developer can stay familiar with the code. And even more, an active community member has always the possibility to shape the project by participating in the daily development. This will pay off quickly if more than one device of a vendor is using the open source firmware. Features implemented once can easily be used on other devices without the need to re-implement them. This is especially a benefit compared to the proprietary firmware as it varies a lot from platform to platform and features implemented earlier by the hardware vendor often cannot be just re-used later as they are but need adaptation or even re-implementation. In addition, a merged feature will most likely be maintained in the open source code base by the community (this depends on the community, though). So if the code will be refactored and a given feature is affected by this refactoring, the one who drives the refactoring will make sure that the feature stays functional.

Of course the hardware vendor could have chosen not to be an active community member and just fork the project on his side. As long as the license obligations are fulfilled, this model can be used. But one needs to be aware that all the mentioned benefits of community driven development will vanish in this model.

4.2 Code composition with open source firmware

The goal of an open source firmware project is always to keep the complete code base open source. Unfortunately, especially the firmware layer has a high dependency on the hardware and big silicon vendors are not always that open source friendly as they could be. There are many different reasons for that: There might be license issues which bind a vendor to stay closed or just the fear to open up some internals of a given IP, or even just the good old “We never did it the open way before!” phrase. Therefore, critical parts of the hardware initialization (memory and silicon initialization) are often covered by binary code parts provided by the silicon vendor. For modern x86 systems this blob is called the Firmware Support Package (FSP) and open source firmware needs to use this blob in order to be able to support a modern platform. Of course we now have this hard dependency on the silicon vendor and its willingness to provide the FSP. And to be honest, no recent platform would be able to boot without such a blob. This is the reason why there are activities out there to improve this situation (see blog posts here and there). The following figure shows the typical code composition in an open source firmware project for modern x86 systems.

Figure 2: Open Source firmware composition as an example for x86 systems

Issues arising in the blobs need to be addressed at the silicon vendor. It often is easier to handle such issues with direct contact to the silicon vendor without the IBV in between. On the other hand this requires a good relationship with the silicon vendor so that there is a way at all to reach out to him and get support in the form of fixes in the blob. This of course needs additional time compared to a fully open source approach but for now we do not have a better way to support modern platforms in the open source firmware domain.

4.3 What will you get with open source firmware

Generally, there is no limitation that open source firmware has compared to proprietary. Whatever is technically doable can be done the same way with open source firmware. The major difference right now might be the different policy open source firmware follows: Do just as little as needed to get your platform to boot the OS! This results in the fact that all the fancy (but not really required) features of proprietary firmware are just not implemented in open source firmware. Things like sophisticated setup UIs or network stacks are usually missing in nowadays open implementations. Not because it is not doable but because it contradicts the open source firmware philosophy. On the other hand open source firmware provides anything that is needed to boot into modern OSes, be it Linux or MS Windows.

The other thing that you get with open source firmware is the openness of the code base. You can easily perform audits on the code which will provide certainty in regards to the used firmware layer. This is not easily possible with proprietary firmware as the NDAs that are usually in place in such a case make it hard to impossible to share the code with an entity that can do the code audit. The next benefit of open source firmware is the higher code quality as it, like described earlier, usually has a mandatory code review in place before changes land in the code base.

One other benefit that becomes more and more important is the development speed. The open source development process is a modern approach designed for collaborative development across the world. Everybody has the ability of proposing changes to cover the needs. A proposed change can be quickly introduced and uploaded for review. Though the mandatory review of a change, which is essential to merge it, can take a while (depending on the change complexity), it will ensure high code quality of the patch. With this approach changes can be implemented on someone's own request quickly without the need of asking the IBVs and waiting for their implementation. And development speed will be the key in the future as the product cycles will become shorter over time.

Speaking of the coreboot project as an example here, there are other benefits in place:

coreboot is per architecture designed to be simple and fast. Its complexity is magnitudes lower compared to the proprietary solution UEFI.
The code base was designed to be quite similar to the one of the Linux kernel. This provides the benefit that a lot developers can be fast familiar with its code base which lowers the entry burden for the developers.
The community takes care of bug fixing, there is no maintenance cost required at the product price level.
Fixes are done at tree level. If a fix is in a common code path, all OEMs and SoCs can benefit from it equally.

4.4 What are the issues with open source firmware

The nature of the open source firmware is of course its openness. This means that implementations are freely available to others, including competitors (this depends on the chosen license). This might reveal information of a newly developed product (the used CPU generation, number of interfaces a board has, used interface types, etc.). Therefore, the hardware vendor, to stay within the depicted example, needs to act carefully. Depending on the license there might be ways to overcome this issue by not publishing the adaptations for a board. Or the vendor could choose to publish its modifications later where the new development is already revealed at a fair or on a website.

The other issue with open source firmware at the moment might be the limited feature set it provides (for a good reason, though). If an end user switches for example from an UEFI implementation to let’s say coreboot, then the most obvious difference will be the missing UI the user might be more familiar with. So all the fancy settings are not possible in the environment with coreboot. This limitation of course can be overcome with development in the open source firmware as like already mentioned there is no technical reason for not having it. And this brings us to the next limitation of open source firmware: The resources big companies spend for open source development are just limited at the moment. Often the bleeding edge development still happens in the proprietary space because the paradigm of the past decades kind of dictates it. But to emphasize at this point, this will probably not remain the case in the future. We are already seeing a shift away from proprietary to open source firmware. If this trend continues, open source firmware will become ever stronger.

Another issue of an open source project can be the way how new features are introduced. Contrary to a proprietary solution, where just one IBV is responsible for the code base and hence owns the features, there are multiple different players in the open source community. While one contributor would like to get a new feature in, he still needs to get acceptance in the project for this new feature. It can easily happen that someone invests time and resources to develop a new feature and then, when it gets presented to the community in the form of a patch train, it receives negative feedback or even a rejection. There might be requests from some community members to modify the way this feature was implemented heavily which will result in additional efforts at the introducer’s side. Or there is even somebody in the community who, for whatever reason, does not want this feature to be merged at all. Therefore, it is much better to stay in a close collaboration with the community and push out patches in small chunks early to get the other’s feedback and prevent huge throwbacks. In the end it might result in a long discussion before a new feature is accepted and provided in the code tree.

In addition, an open source firmware project heavily depends on the willingness of a SoC vendor to get involved in the project by either contributing to the project or at least openly providing enough information in order to enable the community to write code based on this information. If this type of information is simply not available or is kept under wraps by NDAs, the developing support for new SoCs in an open source project is hardly feasible because then you have to resort to techniques such as clean room design (see [1]) or trial-and-error, which are very time consuming and offer no guarantee for reliable results. It is therefore important that more companies share the open source vision and leave the proprietary approach in favor of the open source approach. Otherwise, open source will not work out in the long term.

5 Why is the firmware the wrong place for product differentiation

In discussions with various hardware and firmware vendors I often get the impression that the firmware is one of the big playgrounds for product differentiation. The IBVs enhance the firmware layer more and more by adding fancy features to it. If one has a look at a modern UEFI driven system and its setup screen, one will see a fully integrated GUI with HD graphics, animations and support for a pointing device. Even full network stacks with DHCP support and file system drivers as well as e-mail clients are implemented. Indeed, the proprietary firmware is a full OS nowadays. But what is the use case here? I recently was setting up a brand new off the shelf PC system and I visited the UEFI setup twice: The first time to update the firmware to the latest available version (the shipped mainboard includes a really old firmware though I just got it) and the second time to disable all the fancy features I do not want to be enabled in the firmware layer (really, I do not want my firmware to drive a network stack). After this, the rest happens in the OS. The only thing I need from the firmware layer now is: please transfer the control to the OS fast! Because all these fancy features in the firmware requires code to execute and this in turn will need time, time that the user has to wait before the system can be used for the task it was acquired for.

To me, the real differentiation of a system is defined by its hardware capabilities and then by the operating system and the applications that are used on this system. The firmware is just this piece of software that enables the operating system to take care of the hardware properly.

6 Recap

In the firmware space the proprietary approach is still dominant. It seems like it gives the decision makers more confidentiality while it pretends to reduce the risk of a product development. But the world has changed dramatically in the firmware space over the past 15 years. Given that firmware becomes more and more complex due to newer CPU generations, a modern software development flow is required to rule the challenges that the firmware is facing. And since development cycles are becoming shorter, there is no time to lose by re-implementing features or searching for issues caused by a questionable code base quality. The goal shall be to re-use as much as possible and spend the limited development resources to add support for new platforms and features. We need to change the paradigm and welcome the open source firmware approach as the new first class citizen as the benefits this approach provides just outweighs the old style firmware development flow. If there are more development forces flowing into the open source firmware, we will soon overcome the remaining limitations and provide a stable and reliable firmware experience that does what it was meant to do: boot the system into OS!

[1]: https://en.wikipedia.org/wiki/Clean_room_design

Breaking the Boundary: A Way to Create Your Own FSP Binary

Subrata Banik — Fri, 24 Feb 2023 17:44:20 GMT

Author: Subrata Banik (subratabanik@google.com) Collaboration with: Vincent Zimmer (vincent.zimmer@intel.com)

TL;DR: This document demonstrates a path forward that breaks the boundary of using FSP (Firmware Support Package) for firmware development, by defining a way to create your own custom FSP blob(s) that meets and aligns with your target product requirement.

A previous article written by me sometime last year named Refining Open-Source Firmware Support for the Intel Platform initiated the thought about bringing openness in firmware development even while working with closed-source silicon reference code. Although the previous article was more specific to detail the challenges seen with Intel SoC-based platform enablement using open source boot firmware aka coreboot, in practice the situation is not much different with other SoC vendors as well. To understand this problem in more detail, one should additionally refer to our last year OSFC talk named The “Thing” Around Your System Firmware.

The prior article had called for action to improve the overall platform-enabling environment that uses the open-source firmware development model with closed-source silicon reference blobs. Below is the list of the work items that came out from that discussion:

Improve the platform enablement environment by balancing out the `binary blob model` (only include the *mandatory* closed source blobs which can’t be open-source) and focusing on bringing openness in silicon code by leveraging open-source boot firmware e.g. coreboot.
Reduce the boundaries of proprietary firmware running on Host CPU Firmware a.k.a Intel Firmware Support Package (FSP).
Classify the FSP modules as `mandatory` and `good to have`. Allow dropping of `good to have` FSP modules to leverage more open source coreboot libraries/drivers for platform bring-up. This effort would help to reduce FSP boundaries and eventually optimize the SPI flash footprint.
Optimizing the boot path would eventually help to achieve the ambitious goal of fast booting up the system firmware (in < 1 second boot time).

This document is to capture the progress being made to solve such ambitious challenges and provide flexibility to the boot firmware designer/developer aka users of the FSP to create their own FSP blobs (essentially could be different than what Intel “officially” uploaded into the FSP Github for each SoC product). Further sections of this document will provide more technical details about solving this challenge and how it would benefit the open-source community.

"One thing that can be clearly claimed already at the starting of this article is the big shortcoming of the current FSP delivery: the "one-binary-fits-all and eventually bloated" blob is now getting diminish with this approach where the consumers of the FSP binary have the freedom to create their own FSP binary that fits well in the open source firmware development model with coreboot."

The Planning

TL;DR: This section illustrates the design aspect of creating a custom FSP blob solution.

The “Alternative Path” section from the previous article discussed the few possibilities that the open-source firmware development approach needs to consider to optimize the usage of proprietary FSP modules over the coreboot libraries/drivers. This section illustrates the design philosophy being used to identify the mandatory FSP modules and how to eliminate them (as there might be more modules optional). This effort results in achieving the “Gain Control of Platform Initialization using native coreboot driver” which was briefly described in the previously written document.

For ease of understanding let's describe the SoC in more firmware-friendly terms: the SoC design incorporates various IPs (Intellectual Property) to provide a great set of capabilities for the different platforms to choose from.

Figure 1.0: Existing Intel SoC Reference Code Design

An IP can provide different hardware interfaces for example audio IP provides interfaces (like High-Definition Audio or HDA, Non-HDA a.k.a. I2S and Soundwire) for the target platform to eventually select and perform the configuration. The firmware being closest to the hardware is responsible for such interface selection, and the Intel SoC platform is no exception to that, where silicon reference code represents the SoC features. Figure 1.0 illustrates the relationship between SoC and silicon reference code.

The missing part in this whole evolution process is the understanding of the end-user platform requirement. Intel Silicon reference code enabling model only focuses on delivering a unified blob irrespective of the different OS-based platform needs. It’s very obvious that silicon vendors can't customize the silicon for every end-user product requirement but the minimum expectation is to allow configurable silicon reference code as per the platform need. The reference code, being designed to show all the capabilities of the new platform, usually does more than the default user actually needs (and of which a big portion is re-done in the firmware then) which in turn leads to an overloaded FSP piece after piece.

Figure 1.1: Proposed Intel SoC Reference Code Design

Based on this proposed design principle we shall provide the platform owners the opportunity to create an essential silicon reference code for the target platform. In fact, silicon reference code is not only meant to pass the board configuration parameter but also to remove unused or redundant IP initialization that resonates with the target board design. Figure 1.1 illustrates the design principle that results in optimized silicon reference code based on the target platform.

To summarise, the work items based on the design phases are:

Enhance the coreboot/open source boot firmware capability so that it can be used as a replacement for any closed source FSP module (preferably where register sets are well explained as part of the datasheet and OEM programming section ask to implement the mandatory silicon programming in the boot firmware). For example, coreboot implemented CAR using a native driver/library and helped to make the FSP-T optional starting with FSP 2.0 specification.
In the open source development model, the highest preference is to execute the native code of the open source firmware instead of calling into closed source FSP modules but at the same time needs to have a way to eliminate the unused FSP modules from the SPI Flash. This effort will help to reduce the maintenance towards incorporating FSP fixes and additionally reduce the SPI flash space occupied by the FSP binary.
Need better tooling support at the FSP side to able to achieve the #2 above.

The Execution

TL;DR: This section illustrates the stepwise approach that leads into meeting the goal.

In practice, meeting the ambitious goal of designing the custom FSP binary won’t be possible without a detailed and gradual approach to it. These approaches might be interconnected or may appear independent but eventually required altogether to meet the desired goal (for the interest of the readers and easy understanding, the numeric ordering being used here to describe the stepwise approach).

Step 1: Enhancing the Open Source Firmware capability to suppress the need for Closed Source Firmware Blobs

Since the evolution of the Intel FSP, the main goal is to reduce the effort at the boot firmware side and use the FSP blobs as a drop-in solution to create final production AP firmware. It serves to meet the goal of platform enablement taking place with pre-validated SoC code.

Unfortunately, due to several reasons (for example FSP being bloated with more than required functionalities and lack of roles and responsibility) the entire FSP binary drop-in model has been unable to prove its inevitability. Over the period of time, the boot firmware has evolved and become more powerful in terms of taking more responsibility for the platform enablement without relying on the 3rd party blob solution.

Table 1.0 shows the comparison between coreboot and FSP. coreboot is one of the powerful boot firmware, which is capable of doing more than what FSP is actually expecting from the bootloader.

Table 1.0: Comparison between coreboot and FSP phases

Purpose	coreboot	FSP
Temporary Memory Init	bootblock	FSP-T
DRAM Init	romstage	FSP-M
Silicon Init	ramstage	FSP-S

For example, the primary responsibility of the FSP-Notify Phase APIs is to meet the SoC programming requirements (described in the Firmware Architecture Specification (FAS) Chapter 11, known as the `Security Guideline`). The intent of this section is to ensure all OEM designs are meeting the SoC vendor-provided security guideline requirements. This section of the FAS is purely meant for the OEM/ODM design to comply with using underlying boot firmware (in the case of ChromeOS, it applies to the coreboot) but FSP still prefers to perform those recommended chipset programming on its own which often at an execution time contradicts with the open source firmware flow.

Fact: Unfortunately, this guideline is not even true for FSP executing in dispatch mode (alternative to the API mode) used by UEFI aware bootloaders. In dispatch mode, the UEFI bootloader is not abide by the fact to use FSP-Notify Phase APIs.

The `Gain Control` proposal described in the previously written article helped to enhance the open-source firmware capabilities. Now with this approach, coreboot can eliminate the need to have multiple FSP modules due to redundant functionality. A total of 8 FSP modules from FSP-S Firmware Volume can be now dropped.
Additionally, another work item that intended to replace the FSP modules for multi-processor initialization with open-source coreboot drivers has shown that yet two more FSP modules can become optional.

Another work item that currently is in progress is to adopt open source libgfxinit to replace FSP GFX PEIM performing Pre-Boot display Initialization.

In summary, out of roughly 13 PEIM modules the FSP-S consists of, 10 modules can be eliminated. This leads to a reduction of ~80%.

Step 2: A way to eliminate the FSP modules using better tooling

The design principle of the silicon programming blob is to dynamically configure the IP interface based on the boot firmware provided inputs (as per the target board schematics). But the underrated part is the capability inside FSP to be able to statically decouple the `good to have FSP modules` from the `mandatory ones` at the source. Hence, in the present scenario, FSP doesn’t provide any option to eliminate the unused modules from the FSP blob and to reduce the SPI Flash usage. This limitation leads to keeping unused/dead binaries in the SPI Flash and eventually bearing the additional BoM cost.

The earlier section (as Step 1) illustrates the path to make a number of FSP modules possibly unused while integrating with open-source coreboot as boot firmware. But the actual benefit of boot time improvement or the SPI size reduction won’t have been achieved unless there is a scalable way to be able to drop those *claimed unused FSP modules* (without modifying the FSP source code). The fact is that most likely consumers of the FSP are directly consuming FSP binaries for their platform enablement. Hence, the most specific need is to be able to remove FSP Firmware Files (FFS) from the Firmware Volume using simple command line arguments (without modifying the source code).

Intel Firmware Module Management Tool (Intel® FMMT) is a utility that is capable of removal, addition, and replacement of FFS files in FV image binaries. This utility belongs to the open-source EDK2 github repository (link here https://github.com/tianocore/edk2/blob/a64b944942d828fe98e4843929662aad7f47bcca/BaseTools/Source/Python/FMMT/README.md).

Our target was to use the FMMT utility to be able to drop the unused modules from the given FSP blob. But the limitation of FMMT utility is that after removing an FFS file, the utility is unable to shrink the firmware volume space, which results in having the unused memory space being occupied by the firmware volume and eventually increasing the cost of the OEM devices (due to maintaining the higher SPI Flash footprint).

Good News is that with the bug being filled on the EDK2 to add the `shrink` support into the FMMT utility and the EDK2 community has responded positively by adding the shrinking support into the latest FMMT release (part of the EDK2 latest repository).

With the latest FMMT tool, we are now able to drop any “good to have” FSP file system (FFS) from the FD (Firmware Device) after following the few simple steps below:

Remove an FSP module FFS by providing the module GUID

-d < Inputfile > < TargetFvName/TargetFvGuid > < TargetFfsName > < Outputfile >

Delete the Ffs from Inputfile. TargetFfsName (Guid) is the TargetFfs which will be deleted. TargetFvName/TargetFvGuid is optional, which is the parent of TargetFfs*.*
Ex: py -3 FMMT.py -d Ovmf.fd 6938079b-b503-4e3d-9d24-b28337a25806 S3Resume2Pei output.fd

2. Shrink the FSP Firmware Volume using the newly added feature of FMMT.

-s < Inputfile > < Outputfile >

Shrink the Inputfile Firmware Volume and create the newer Outputfile
Ex: py -3 FMMT.py -s Ovmf.fd output.fd

Step 3: FSP Integration Guide to list out “good to have” FSP Modules

Since the origin of the FSP specification the entire FSP Firmware Device (FD) is considered mandatory and boot firmware is supposed to make calls into each and every entry point to let the FSP modules get a chance to execute and perform the silicon initialization. For the first time with FSP 2.0 specification, Intel has made FSP-T (aka for performing temporary memory initialization) an optional API. With this evolution, we are asking to even do more deep down inside each FSP firmware volume and classify modules inside each FSP Firmware Volume as “Mandatory” (aka Must Have, which shouldn’t be dropped as it might have an adverse effect on the platform) or “Good To Have” (aka Optional, which can be dropped as per the decision made by boot firmware).

Based on recent communication with the concerned team on the FSP side, the FSP team has now agreed to capture such a “Good To Have” module list per SoC inside the FSP integration guide. This would help the boot firmware aka consumer of the FSP, with the ability to actually decide what goes inside the FSP Firmware Volume aka FSP blob.

This Good To Have FSP module list can be used now along with the FMMT tool to be able to achieve our goal of creating our own custom FSP blob as per the target product requirements.

The Outcome

The final section of this document shows the benefit of this approach in terms of the data and other improvements that this evolution brings to the users of open-source firmware (working along with the FSP-like binary PI (platform initialization) model).

1. Having the flexibility to choose Open Source Firmware over a closed-source binary model even for silicon initialization is great freedom from the product designer side. The users of the open-source firmware would be able to appreciate it much better.

2. This evolution would help to bring more adoption towards the Hybrid Work Model (a combination of closed and open source firmware used for platform enablement) as now the users of the closed source blob have the flexibility to chop down redundant/unrequired pieces.

3. OEM/ODM firmware engineers can create their own customized FSP binary which meets their product requirements.

4. Overcoming the shortcomings of the FSP model is often described as a “single FSP binary meeting all customer need problems and very much bloated”.

5. Optimise the boot time significantly with the limited FSP modules and lesser infrastructure overheads due to UEFI.

6. Able to meet lower SPI Flash which is a product distinguishing feature. Figure 1.2 illustrates the amount of reduction that one could achieve in the SPI Flash size with the flexibility of being able to drop unused FSP modules as per the target platform's need.

Figure 1.2: Able to reduce FSP-S usage by ~500KB after dropping 10 modules

This proposal is readily available for all the latest Intel platforms starting with Alder Lake while working with coreboot in API mode.

Summary

Refining Open-Source Firmware Support for the Intel Platform had initiated the thought about defining a more open-source-friendly firmware development environment and with the “Gain Control '' proposal, the idea was to provide more flexibility while designing AP firmware using open-source boot firmware. This document has been drafted to capture the progress being made in the paths since the origination of this idea.

Additionally, so far we have only outlined the scope for improvement in FSP-S, which is the tiniest blob in the whole Open Source AP firmware FSP integration process. An actual saving in boot time and SPI Flash size could have been achieved if we were able to bring modularity in FSP-M design where platform owners are able to customize the MRC block as per their need, for example, most of Alder Lake based reference designs have shipped with LPDDR4x DIMM alone but the growth in ADL-MRC is multiple times compared to the previous generation (Tiger Lake SoC platform). We need to understand how much additional opportunity we have to be able to customize FSP-M blobs based on the final product memory type. Because remember our goal is to be able to customize the silicon reference code although we might not be able to customize the actual underlying silicon as per the target product.

post-pandemic programming party!

rminnich — Sat, 25 Jun 2022 21:13:16 GMT

"It's been two years of maybe ..." but ... we did it! We had a hackathon at TU Darmstadt. I had mentioned I'd be in the area to Felix Singer in early June, and Felix proposed a hackathon at TU Darmstadt.

View from my hotel window. A beautiful town.

I've never been to Darmstadt. Now I wish I could live there. It is a beautiful city, and TU Darmstadt was very welcoming. The actual space itself was perfect for a hackathon: a pleasant, usually shaded, courtyard; and a room with all the power you need at each of 12 or so tables. We had plenty of snacks and even a barbecue grill.

View from the courtyard of the hackathon

Felix also arranged for a tent, which did need a bit of assembly! But a tent is no challenge to coreboot hackers, right?

Felix gave us a tent to build, and 9elements supplied the Oscar banner, which (look closely!) you can see high up on the railing. Occupy TU!

From there we got down to work and it started to look like a coreboot hackathon:

It's a hackathon: everything's disassembled, yet somehow it all works. Note the very nice power outlet that comes from the ceiling.

Few boards can resists the power of the DediProg!

I lost the paperclip I use to push the reset switch. This all-natural, 100% organic reset device served just fine. And Daniel Maslowski got oreboot working!

In addition to coreboot, we worked on oreboot on the RISC-V boards, and by the end of the hackathon, a lot of problems were fixed and things just about worked, including LinuxBoot in SPI! This includes DRAM startup on the Allwinner D1.

Thanks to Felix and everyone at TU Darmstadt for a perfect hackathon!

CCC Darmstadt, which is an established college group at TU, played a very essential role, including making the indoor space open to us. Without them, we would have not had a space to work in.

Also, thanks to 9elements for their generous support – they continue to keep open source firmware moving forward and well fed! And, finally, thanks to Google for the pizza dinner and barbecue food.

See that broom? Felix spent about 8 hours cleaning up after we were done. Be sure to thank him!

Refining Open-Source Firmware Support for the Intel Platform

Subrata Banik — Fri, 03 Jun 2022 16:21:12 GMT

System Firmware Development on the latest SoC platforms has been limited to the proprietary firmware and the Intel® SoC platform is not an exception. This proprietary firmware is the essential slice for bringing silicon to life and defining its stability. Over the years, the state of closed-source blobs used for platform bring-up hasn’t improved, in the sense of leading towards openness. The exhaustive Outline section highlights the IA-SoC-based system firmware SPI flash layout (Figure 1-3) and Table 1-1 shows the challenges in the current approach.

TL;DR challenges with rapid growth in proprietary firmware from a platform enabling standpoint are:

Dependency on SoC vendors to own the bug and provide the fix, finally sharing the release cadence might not fit well with open-source project milestones.
Limited engineering effort at silicon vendor side where else the broad open-source ecosystem is unable to contribute even if they have the intention to contribute.
One-binary-fits-all requirements make it bloated and unnecessary feature inclusion without the particular product interest and might increase platform security risk.

Reduce Firmware Support Package (FSP) boundary on Intel® SoC Platform

This proposal is intended to discuss a path forward towards getting openness in system firmware development with Intel SoC (which primarily uses FSP blobs for Silicon and Platform Initialization).

Primary Objectives

Improve the platform enabling model better by balancing out the `binary blob model` (include if *mandatory* and can’t be open-source) and focusing on bringing openness in silicon code by leveraging open-source boot firmware e.g. coreboot.
Reduce the boundaries of proprietary firmware running on Host CPU Firmware a.k.a Intel Firmware Support Package (FSP).

Secondary Objectives

Achieving the ambitious goal of fast booting (< 1 second boot time) up the system firmware.
Drop unused FSP modules to reduce FSP boundaries to eventually optimize the SPI flash footprint.

Non-goals

This is moreover an initiative to overcome the problem that the open-source firmware community is facing, additionally, hearing from ODM/OEM partners and representatives[1] working on the Intel SoC platform, etc.

Key Features and/or Requirements

Share a Platform Initialization (PI) vision that utilizes more openness.
Consistently in the gen-over-gen SoC platform, be able to meet the system firmware boot time requirement of < 1 second.
Define a fixed SPINOR size requirement that applies to all product guidelines.

Design ideas

This design document shares emerging ideas to solve this longstanding problem of proprietary firmware for Open Source Firmware (OSF) Development. This section is specifically written to meet the primary objectives listed above. Additionally, the ideas are listed below in merit of exclusive study (on the Intel platform, additionally, based on some comparative study on other SoC platforms) and in-house proof of concept performed on the latest Intel platform.

Unless this design discussion materializes now, the current state of Open Source firmware development using proprietary firmware on IA SoC platforms won’t improve in the future.

An “Alternative Path” forward towards Open Source Firmware

This section highlights an alternative approach where SoC vendors are not committed to open-sourcing silicon reference code, and at times, it’s critical for the open-source community and products that derived out using OSF for their business commitment. Gaining more control over the platform initialization is the major theme for this proposal that empowers the open-source firmware developers.

Due to a lack of a minimal FSP design guide, the roles and responsibility boundaries between FSP and bootloader (i.e. coreboot) are not very clear as FSP (PEI phase) is intended to do more things to supplement UEFI bootloader. For example, lockdown configuration done as part of FSP is ideally a primary bootloader's responsibility.

The Key Performance Indicator (KPI) defines critical criteria for product quality. FSP is used for production as silicon reference code doesn’t have responsiveness KPI. As a result, while integrated with the bootloader it is difficult to debug any responsiveness issue in case the final product responsiveness KPI is not met.

Additionally, any issue being fixed into the Intel FSP development trunk has several weeks latency (between 2-6 weeks in some cases) to make the fixed FSP externally available for consumption. Having only read access to FSP GitHub limits the external Intel FSP development community (i.e., open-source firmware development engineers) to being unable to continue into the code even if the fix is known.

Gain Control of Platform Initialization using native coreboot driver

This approach states the specific route that coreboot platform initialization implementation had explored in the past and would also like to explore, knowing the lack of open source silicon initialization commitment.

In the past with FSP 2.0 specification, coreboot decided to make FSP-T optional as it relies on open source cache-as-ram (CAR) implementation and is updated periodically to add new SoC support.

This section highlights the short term and long term plan in this approach, along with a few design assumptions:

Drop FSP APIs and use coreboot native driver with the below characteristics:

Chipset programming is documented as part of external datasheets (processor/pch).
Implement only the Intel recommended chipset programming steps for ODM/OEMs, for example, Alder Lake FAS chapter 12 specifies the Security Configuration, ideally, all host-firmware running on Alder Lake SoC should comply with this recommendation.
Programming steps and outcome expectations are well captured in White Paper/BWG/FAS (non-confidential document).
Only focus on IP programming that is applicable for targeted platforms (example: RAS, RST, etc. are irrelevant for CrOS devices).

A consideration while implementing chipset programming recommendations in coreboot:

Design APIs-based implementation based on the underlying IP.
Implemented using a common code library and have hooks for SoC/mainboards(variants) to override if required. Ideally, we would like to avoid overrides because it might make things harder while debugging. The idea is to have a more compatible design approach reflected in firmware and software, and how it appears in hardware in general (like reusable IP across different SoC with up-rev IP versions).

Figure 1-1 presents the current plan of action for implementing the gain control proposal in the scope of coreboot, which eventually helps to reduce the dependency on FSP-APIs.

Figure 1-1. FSP footprint reduction between Tiger Lake to Alder Lake

Here are the benefits of this approach

A thinner FSP footprint with reduced FSP APIs reduces the baggage of proprietary firmware in the Open Source System firmware stack.
Feasible to open-source the majority of FSP code using coreboot native implementation.
Improved flexibility while debugging and feature implementation without getting locked into Silicon program milestones and unable to support feature requests even with potential business reasons[2].
Efficient tooling can also help to reduce FSP binary size after removing unused FSP APIs (example: Removal of FSP-S associate APIs would help to get any size savings by 3x times due to Chrome AP firmware SPI layout).

Below code changes landed into upstream coreboot to get rid of FSP Notify Phase APIs[3] (as proposed in Figure 1-1) for Alder Lake SoC-based platform.

Description	Code Changes	Comments
Skip FSP-Notify Phase 1 APIs	https://review.coreboot.org/q/topic:DROP_FSP_NOTIFY1_API	FSP Notify Phase 1 API is designed to lock down chipset registers before executing 3rd party code during platform initialization.
Skip FSP-Notify Phase 2 APIs	https://review.coreboot.org/q/topic:b:211954778	FSP Notify Phase 2 APIs are a combination of two internal APIs to keep the hardware controllers into the specific mode designed for it and/or put into low-power mode prior to handing off to payload/OS.

Note: Reduction of FSP Notify Phase APIs is just a tiny step toward the right direction where the idea is to get rid of most non-mandatory FSP APIs (FSP-Silicon Init aka. FSP-S) with native coreboot drivers. Figure 1-2 illustrates the proposed FSP-API view for future SoC platforms (which is possible to achieve with help of the open-source community while co-working) that integrate with open-source coreboot boot firmware.

The proposed design solution and implementation is very much generic and can be applicable even for other SoC designs that inherit the FSP framework, for example, AMD's latest SoC platform adopts FSP.

Figure 1-2. Proposed FSP footprint with “only” mandatory FSP APIs for Intel SoC platform

Exhaustive Outline

Figure 1-3. IA-SoC based System Firmware SPI Flash Layout

Firmware components used on IA SoC based design can typically divide into three categories as:

1. Proprietary/Closed Source Firmware running on Coprocessors:

All firmware components that reside outside the “coreboot” region belong to this category, for example: CSE, PMC, TCSS etc.

2. Proprietary/Closed Source Firmware running on Host CPU:

Firmware components are part of “coreboot” region and colored GRAY belong to this category, for example: Intel FSP and associated binaries into it.

3. Open Source Firmware running on Host CPU:

The only open source block in this entire Firmware stack is “coreboot” but unfortunately it relies on proprietary blobs ABI (Application Binary Interface) to perform the platform initialization (PI).

In the matrix of open-source readiness on system firmware with IA-SoC, the score is < 50%[4] (incorporating #1 and #2 from above, ~13MB/24MB SPI layout is occupied by closed-source firmware).

Table 1-1, describes the challenges due to proprietary firmware during platform enabling.

Security	Less Code Audit Opportunities and no traceability about incorporating security audit concerns back into the firmware. Current industry trend is about 1 defect/1kLOC, hence, unaudited closed source code is always a risk.
Platform Enabling	Platform enabling also demands SoC vendor support due to multiple binary blob dependencies even during bringup. Recent ODM summit Q&A session also brought such concern about the validation aspect of closed source binaries prior release externally.
Limited Open Initiatives	Lesser engagement from the open source community and ODM engineers due to not having required documentation access, code visibility etc. Community engineers also brought such concern, how to get more visibility into those required documents early for development and debugging.
Debugging	Debugging and bug fixes are difficult for closed source binary without having access to the source code. Limited debug functionality due to non-uniform debug, postcode, timestamp etc. libraries between open and closed source firmware components. For example: Intel FSP development is an unique scenario where FSP debug libraries have standalone implementation without leverage from the boot firmware, results into `cbmem -c` doesn’t include FSP debug along with coreboot serial log, furthermore, `cbmem -t` doesn’t include FSP module timestamp while debugging boot time issues.
Ungoverned Growth in FW blobs	Unaccountable growth in SPINOR size and boot time impact in Year over Year (YoY) SoC platforms. Between Skylake to Tiger Lake the FSP binary size has almost increased by 2x times.

Summary

Proprietary Closed Source Silicon Reference Code is the most used approach in modern host firmware development to support restricted SoC platforms. Open Source Firmware development model is expected to see more openness towards platform enablement solutions but still sensitive towards silicon vendors business model hence adopted the hybrid model to balance out the business in front of certain limitations in the current open-sourcing approach. Going forward the expectation is to have zero or absolute essential binary blobs, that are reduced in size, easy to configure, and flexible enough to build using a software development kit (SDK), which would bring more code visibility to the public. Additionally, allow users to build and integrate the essential binary blobs with pure open-source boot firmware for creating the system firmware for the targeted embedded system.

Looking forward to your feedback and thoughts to improve the current platform enabling using an open-source firmware development model to innovate in the future.

References

[1] Open Source Firmware Community is asking about Intel’s commitment towards PI open-source https://mobile.twitter.com/_zaolin_/status/1497237365135491072

[2] Need to compromise on Firmware Boot time on Alder Lake-P platform due to program milestone concerns https://review.coreboot.org/c/coreboot/+/61447

[3] Intel FSP 2.1 specification release email to coreboot mailing list highlights that FSP dispatch mode is also not using FSP-NotifyPhase APIs natively implemented in PEI phase. https://mail.coreboot.org/hyperkitty/list/coreboot@coreboot.org/thread/WCGVZABKXYYSWBSLORIKIHY4JE5VWCGM/

[4] Source: Brya ChromeOS.fmd https://github.com/coreboot/coreboot/blob/master/src/mainboard/google/brya/chromeos.fmd