intro: Clarify what LinuxBoot is #94
Conversation
pamolloy
force-pushed
the
pmolloy/what-is-linuxboot
branch
2 times, most recently
from
bd3b150 to
f078d3a
Compare
|
It would also be nice to not duplicate this on https://www.linuxboot.org/ under "What?" and "Why?". |
pamolloy
force-pushed
the
pmolloy/what-is-linuxboot
branch
3 times, most recently
from
aac3cb5 to
10d9f3b
Compare
pamolloy
force-pushed
the
pmolloy/what-is-linuxboot
branch
2 times, most recently
from
7175fc0 to
7cc1e45
Compare
The idea of using the Linux kernel for a boot firmware implementation is much larger than the build tool and configuration named linuxboot. Therefore focus on the importance of the idea over the implementation. Also clarify the implementation, which is confusing to newcomers. Signed-off-by: Philip Molloy <[email protected]>
pamolloy
force-pushed
the
pmolloy/what-is-linuxboot
branch
from
7cc1e45 to
dba09a0
Compare
| userland built using [u-root](https://github.com/u-root/u-root). | ||
|
|
||
| The Heads build system is more focused on local attestation and uses BusyBox | ||
| instead of Golang. |
There was a problem hiding this comment.
@tlaurion since I saw your 👍 on Daniel's comment I figured you might have a better description here? 😄
There was a problem hiding this comment.
I'm glad it's named, I would not try to define it but point to the project page instead.
There was a problem hiding this comment.
I would really like to provide some context of what Heads is. Currently, it is really hard to understand the OSFW ecosystem. My goal is to make it easier to understand the numerous projects and how they relate. How would you place Heads in the context of OSFW?
There was a problem hiding this comment.
I'm not good at this.
A draft, reminding that linuxboot is concept, more focusing on UEFI pruning and replacing DXE with u-root, where u-root could be replaced by Heads as it's Linux based payload. And where Heads focuses on being a coreboot payload, where historically, linuxboot contributed to Heads so that Heads could generate a linuxboot UEFI usable payload. Also, Heads provides complete externally flashable roms for all supported boards, where it's still not clear to me on which real physical boards linuxboot is used today, graveyard.md showing removal of past boards and reducing current boards to old, some now unablvailable boards.
Anyway, a draft:
LinuxBoot with u-root:
- u-root: Provides a set of standard Unix tools rewritten in Go, such as
ls,cp, `shutdown, etc. - Boot policy tools: Includes tools for PXE booting, booting via GRUB config, and other boot-related policies.
- Minimal initramfs: Creates a single binary root file system (initramfs) containing BusyBox-like utilities.
LinuxBoot with Heads:
- Heads: Includes a comprehensive suite of standard Linux ecosystem tools for creating a full Linux recovery environment.
- Extensive toolset: Incorporates
qrencode,hotp-verification,io386,cryptsetup,gnupg,tpm toolstack,flashprog,lvm,e2fsprogs,extfsprogs, and more. - Security features: Focuses on local attestation, TPM DUK seal/unseal operations, GPG-based security measures, and reproducible builds.
In essence, while LinuxBoot with u-root offers a streamlined and flexible boot environment with basic Unix tools, LinuxBoot with Heads provides a robust and secure boot environment with a wide range of tools necessary for a complete Linux recovery setup.
There was a problem hiding this comment.
Also note présence of other projects, like tinyboot, ownerboot and tvix, all reusing or aiming to reuse linuxboot concept (Linux as payload/linux as bootloader replacing as much opaque/proprietary/unneeded drivers with Linux) which would do it better if there was more collaboration between those projects and working together in the goal of freeing motherboards of bloat/proprietary blobs/changing the ecosystem to be freer.
But to accomplish this, it needs to be easy to build, easy to deploy and supported by vendors with transparency on what to buy how to deploy and being reproducible with simple commands, maintained and sold by oems on their supported hardware, and ideally, pushed by ODM so users don't need to be hackers and understand everything to use it.
This is what Heads try to accomplish.
There was a problem hiding this comment.
Tldr: refer to project page instead of trying to define heads, which is criticized to do too much but where OEM requires more to deploy easily, securely, with proper transfer of ownership and in transit interdiction evidence of firmware/deployed OS (mainly QubesOS).
I have difficulties to define Heads myself, hence good luck trying to define it.
A good article written by unbiased third party is all I can refer to.
There was a problem hiding this comment.
Also note https://www.linuxboot.org/page/faq/
LinuxBoot, NERF, HEADS? What’s What?
LinuxBoot is the project that replaces specific firmware functionality with a Linux kernel. LinuxBoot is agnostic to what initramfs is used with the kernel.
NERF is LinuxBoot with u-root as the initramfs. u-root contains boot policy tools in Go (e.g. PXE booting, booting via GRUB config) among standard busybox-like utilities rewritten in Go.
HEADS is a secure runtime that can be used as the initramfs for LinuxBoot. Take a look at the repository on GitHub. See osresearch.net for more documentation on HEADS.
So maybe edit faq but keep intro simple?
The "naming" article provides a lot of detail that is better left to the individual project documentation or is captured more succinctly by the glossary. The note about LinuxBoot as a concept has also been moved into the intro. Signed-off-by: Philip Molloy <[email protected]>
Signed-off-by: Philip Molloy <[email protected]>
Signed-off-by: Philip Molloy <[email protected]>
pamolloy
force-pushed
the
pmolloy/what-is-linuxboot
branch
from
546ed33 to
346fbb4
Compare
|
There was a problem hiding this comment.
History of Firmware
BIOS
BIOS (Basic Input/Output System) is the traditional firmware interface used for initializing hardware platforms and booting operating systems in the pre-UEFI era. It is a binary program stored on a chip on the motherboard, responsible for performing the Power-On Self-Test (POST), initializing CPU and memory, and loading the bootloader from a hard-coded position on the Master Boot Record (MBR) of the first disk drive. While often described as "inscrutable" and "unstructured," BIOS was a standardized solution for decades, providing essential services for system startup.
Despite its historical significance, BIOS has been largely replaced by UEFI over the past 20 years due to its limitations, such as operating in 16-bit mode and supporting only drives up to 2.2TB. UEFI offers advantages like support for larger drives, faster boot times, and enhanced security features like Secure Boot. However, many UEFI implementations still offer a "BIOS compatibility mode," which allows them to behave like traditional BIOS systems.
It's important to note that "BIOS" is often misused as a generic term for system firmware. While you may hear "BIOS" in reference to any system firmware, including UEFI or LinuxBoot, it specifically refers to this older type of firmware.
LinuxBIOS and Coreboot
The LinuxBIOS project was created in 1999 by Ron Minnich, Stefan Reinauer, and others with the innovative idea of using Linux as firmware. This concept was ahead of its time, as Linux was not yet mature enough for widespread use in hardware initialization. Despite this, LinuxBIOS found success in performance- and reliability-critical environments but did not achieve mass adoption.
In 2008, LinuxBIOS evolved into coreboot. Coreboot is an open-source project that aims to replace proprietary firmware with a lightweight alternative that performs minimal hardware initialization before handing control to a payload. Coreboot's design allows it to support various payloads such as SeaBIOS, GRUB, or LinuxBoot, providing flexibility in booting different operating systems. It focuses on speed and security through transparency and open-source development.
LinuxBoot
LinuxBoot originated from Google's NERF project in 2017. NERF stands for Non-Extensible Reduced Firmware and was developed as a more compact and secure alternative to UEFI by integrating Linux into UEFI images along with u-root. The goal was to reduce complexity by limiting extensibility while maintaining essential functionality.
LinuxBoot serves as a payload that can be used with coreboot or UEFI. It provides a Linux environment post-hardware initialization for tasks like PCI device enumeration and loading the bootloader or kernel. While it complements coreboot by handling these tasks, it does not replace coreboot's essential role in early hardware initialization.
Heads
Heads is an open-source firmware project created by Trammell Hudson (a.k.a. osresearch) aimed at enhancing platform security for laptops and servers. It is currently maintained by Thierry Laurion and focuses on providing strong security features through open-source transparency and TPM secret sealing/unsealing to attest of the firmware state as well as a safe space to type TPM disk unlock key passphrase that will unseal and unlock OS LUKS containers automatically, only if the firmware, runtime, OS boot components are as per sealed state.
Heads doesn't reinvent the wheel. It reuses busybox, alongside of standard Linux tools to create an initramfs environment containing the tools commonly used to do the job, including tpm tools, bash, lvm, cryptsetup, gpg and kexec to the desired final OS without exposing any secret to possible eavesdropper who would expect decryption key passphrase typed there to boot to be the same permitting to access encrypted content on a cloned drive. Heads also produces reproducible rom images for each of its commit, directly from Continuous Integration platform making those firmware images available to download, let it be from pull requests or the main branch for everyone to use.
Basically Heads is a small Linux environment that can be trusted enough to type secrets into, prior it booting the final OS, reusing the Linux kernel and commonly used tools in a controlled flow which if broken, won't release any secret.
Open Platform Firmware
Open Platform Firmware (OPF), formerly known as Open System Firmware (OSF), is an official subproject of the Open Compute Project (OCP). OPF promotes open-source system firmware development with guidelines contributed by companies like Microsoft, Google, Facebook, Intel, 9elements, Two Sigma, and others.
OPF is a project name rather than an implementation or idea. Implementations like LinuxBoot or OpenEDK2 can be OPF-compliant if they adhere to these guidelines. Currently, OPF has two main work streams: LinuxBoot, led by Google, Facebook, 9elements, ITRenew, Two Sigma, and others; and OpenEDK II, led by Microsoft and Intel.
Thanks Ron! I have Friday until Jan. 2nd off, so I should be able to revisit this soon |
The idea of replacing proprietary and monstrous corporate open source firmware with a Linux kernel based solution is much larger than the build tool and configuration named
linuxboot. Therefore focus on the importance of the idea over the implementation.Also clarify the implementation since it is confusing to newcomers what LinuxBoot refers to and how u-root is related. Is LinuxBoot and idea or the tool in the Github repository? The u-root cpu command is referenced as a LinuxBoot utility. And LinuxBoot using coreboot, u-root and systemboot talks about how to build a "LinuxBoot firmware based on coreboot, u-root and systemboot".