• Stars
    star
    200
  • Rank 195,325 (Top 4 %)
  • Language
    Rust
  • License
    GNU General Publi...
  • Created over 7 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

System76 Firmware Update Utility

System76 Firmware Update

System76 Firmware Update Utility, subproject of firmware-open.

Overview

We have put a good amount of effort into designing the most secure firmware delivery system possible. This has involved looking into how updates are handled by other vendors, or often mishandled: https://duo.com/assets/pdf/out-of-box-exploitation_oem-updaters.pdf. In this document, we hope to explain our method of firmware updates to build confidence in System76's ability to securely and reliably update customer machines.

You can review the public site layout that is described in this document here: https://firmware.system76.com/master/. It is self-signed to prevent use by non-technical users.

Source control

  • We have a private firmware repository where we store the firmware sources, when we can, and blobs when we cannot get source
  • This repository contains a changelog per model that is verified automatically such that changes must be documented in a user-friendly form
  • This repository is built and signed automatically
  • Each commit must (in this order, failing moves back to the first stage):
    • Be up to date with master
    • Build successfully (on duplicate build machines)
    • Have a code review by two engineers
    • Test on hardware successfully
  • After merges, builds, reviews, and tests, the commit may be merged into master

Building artifacts

  • We will be publish our build method soon as free software, before the first automatic firmware update
  • There are duplicate build servers
  • Each build server uses ECC memory
  • Each build runs in memory, in a transient docker container
  • Every build is reproducible, such that artifacts for a git revision will be identical, no matter which machine runs the build
  • Each build produces a manifest containing the build revision, artifact names, and artifact SHA384
  • This manifest is then signed by a highly secure signing server over a serial connection
  • Each manifest across multiple build servers for a specific revision must match, or else the build will fail

Signing artifacts

  • We will publish our signing method soon as free software, before the first automatic firmware update
  • Each build server has a signing server, a simple piece of hardware stored inside the case of the build server
  • The signing server has a hardware RNG, used to initialize an ED25519 signing key, when enough entropy is available.
  • The key is stored in memory, and is never accessible to any parties other than the signing server
  • The signing server communicates with fixed length, integrity checked messages over serial
  • The signing server has no other interfaces, and stores key data in memory
  • Every usage of the signing server is stored to flash memory on the signing server in a blockchain.
  • This blockchain is also reproduced independently by the build server, and can be verified manually if necessary.
  • The SHA384 of the current blockchain must be agreed upon before the next signing message can be successful

Publishing artifacts

  • We will publish our publishing method soon as free software, before the first automatic firmware update
  • There is a publishing server that collects the build artifacts
  • The publishing server verifies that all build machines produced identical outputs
  • The publishing server validates the build machine blockchains against the signing server public keys
  • The publishing server moves signed firmware files to firmware.system76.com
  • The files are moved atomically from a temporary directory to firmware.system76.com/BUILD_NUMBER
  • The firmware.system76.com/BRANCH directory is updated atomically to point to the firmware.system76.com/BUILD_NUMBER directory

Hosting artifacts

  • We will publish our hosting method soon as free software, before the first automatic firmware update
  • The artifacts are hosted in a known location with a static site nginx server
  • The only interfaces to this server is over HTTP(S) to view files or SSH with public key authentication
  • The only valid SSH key is on the publishing server

Downloading artifacts

  • Our downloading method is already published as free software, as part of the System76 driver.
  • The public key of the master signing server is published with our driver
  • The driver downloads the newest manifest.sha384.signed, which it verifies against the master key in memory
  • This verified data is the SHA384 of the current manifest
  • The driver downloads and checks the SHA384 of the manifest file
  • The driver then finds the firmware for the current hardware in the manifest file
  • The driver downloads and checks the SHA384 of the firmware
  • The driver then finds the firmware update frontend in the manifest file
  • The driver downloads and checks the SHA384 of the firmware update frontend
  • The signed SHA384 of the manifest, manifest, firmware, and firmware update frontend are copied to /boot/efi, and the frontend is set as the next boot order
  • The system is rebooted into the firmware update frontend

Installing artifacts

  • The firmware updater frontend is already published as free software, at https://github.com/system76/firmware-update
  • The frontend checks the firmware files match the current hardware
  • The frontend runs the relevant flashing tools to update the firmware. These tools perform signature checking, but are binary and cannot be trusted.
  • The frontend reboots into the host OS

More Repositories

1

launch

System76 Launch Configurable Keyboard
Shell
1,376
star
2

firmware-open

System76 Open Firmware
C
946
star
3

virgo

System76 Virgo Laptop Project
Python
431
star
4

thelio

Thelio Desktop by System76
426
star
5

ec

System76 Open Source Embedded Controller
C
317
star
6

docs

System76 support documentation site
Vue
302
star
7

coreboot

Fork of coreboot repo
C
161
star
8

beansbooks

A revolutionary cloud accounting platform designed for small and medium businesses.
PHP
129
star
9

thelio-io

Master repository for Thelio Io board
Rust
81
star
10

beebee

URL shortener for http://s76.co
Elixir
58
star
11

thelio-io-hardware

KiCad electrical design of Thelio Io board
Python
54
star
12

tech-docs

System76 Technical Documentation
CSS
50
star
13

laptop-suggestions

Repo to collect laptop design suggestions and feedback as issues.
41
star
14

windows-drivers

Windows Drivers for System76 Open Firmware Machines
40
star
15

certification

System76 Certification Tools
Rust
29
star
16

pop-vue

Vue components designed to look like Pop!_OS
JavaScript
26
star
17

cuda

Packaging for NVIDIA's CUDA Toolkit
CMake
21
star
18

ecflash

Flashing and querying with System76 Embedded Controllers
Rust
20
star
19

coreboot-collector

Utility for collecting valuable information for coreboot
Rust
19
star
20

recognizer

A authentication and user service
Elixir
19
star
21

firmware-desktop

Desktop Firmware
18
star
22

firmware-setup

Firmware Setup
Rust
18
star
23

thelio-io-windows

WIP Windows driver for System76 Thelio Io
Rust
17
star
24

intel-spi

Library for accessing Intel PCH SPI
Rust
13
star
25

warehouse

A microservice to encapsulate our inventory management functionality
Elixir
13
star
26

romulan

Rust library for parsing a number of firmware images
Rust
12
star
27

brand

12
star
28

thelio-io-firmware

Firmware for Thelio Io board
C
12
star
29

lxd-rs

A Rust library for controlling LXD
Rust
10
star
30

kicad-allegro

Converter from Allegro to KiCad, and Allegro extract viewer
Rust
9
star
31

bottle

Protobuf messages in a bottle
9
star
32

pihsm

Raspberry Pi Hardware Security Module
Python
9
star
33

ecsim

Simulate System76 EC with area8051 emulator
Rust
9
star
34

ecspy

System76 EC Debugger
Rust
9
star
35

firmware-smmstore

Rust EFI application for compacting coreboot SMMSTORE
Rust
8
star
36

takehome_web_be

Take home project used during our interview process for backend developer roles.
Elixir
7
star
37

GuyTuxMask

3-D and 2-D files of the Guy Tux mask
6
star
38

markdown

System76 markdown parsing for the web
JavaScript
6
star
39

system76-benchmarks

Collection of benchmarking tools developed by System76
Python
6
star
40

design

System76 styles and design related web assets
Vue
6
star
41

code-of-conduct

Code of Conduct for the System76 open source community
5
star
42

js-api

JavaScript fetch wrapper for Elixir Phoenix APIs
JavaScript
5
star
43

nuxt-appsignal

Appsignal integration with Nuxt
JavaScript
5
star
44

zendesk-app

The System76 zendesk app
Vue
5
star
45

eslint-config

System76 standard eslint linting configuration
JavaScript
5
star
46

policy

Elixir
5
star
47

assembly

An assembly management microservice
Elixir
5
star
48

thelio-io-output

Output files for Thelio Io board - from thelio-io-hardware and thelio-io-firmware
5
star
49

firmware-sign

Firmware signing/verifying process
Python
5
star
50

state_fair

State machine system for Elixir applications
Elixir
4
star
51

help_desk

A microservice for System76's Zendesk integration
Elixir
3
star
52

elixir-mcrypt

Elixir NIF wrapper around libmcrypt
Elixir
3
star
53

thelio-pwrbtn

Thelio power button PCB
Python
3
star
54

apobtool

AMD APOB debug tool
Rust
3
star
55

copy_cat

A template repository for new queue based services
Elixir
3
star
56

blog

Official System76 blog
Vue
3
star
57

smmstore

Utility for reading coreboot SMMSTORE
Rust
2
star
58

docker

A collection of docker images used at System76
Shell
2
star
59

unleash-potential

Unleash Your Potential with this awesome command line art!
Python
2
star
60

softwarefreedom_card

2
star
61

easy_post

Elixir API client for EasyPost
Elixir
2
star
62

bullhorn

A notification microservice for System76's platform
Elixir
2
star
63

smart-amp

TI Smart Amp configuration dumper and loader
C
1
star
64

launchpad

Launch Keyboard Selma Tester control application
Python
1
star
65

system76-ee

Scripts for System76 Electrical Engineering
Julia
1
star
66

ground_control

A real-time dashboard of @system76 deployments.
Elixir
1
star
67

shig

Style & Human Interface Guidelines
1
star
68

usb_ids

System76 USB ID allocation
1
star
69

thelio-prelaunch

Thelio prelaunch website
HTML
1
star
70

gop-policy

Implementation of Platform GOP Policy for Intel GOP Driver
Rust
1
star
71

roguebots

HTML
1
star
72

keyboard-layout

Rust crate to generate DXF output from keyboard-layout-editor.com data
Rust
1
star
73

logripper

Pull logs from an S3 bucket into a local database
Elixir
1
star
74

tweetflood

A twitter API client to for tweetstorm promotions
Elixir
1
star
75

s76_stripe

An Elixir API client for Stripe
Elixir
1
star
76

libpci-sys

Rust bindings for libpci
Rust
1
star
77

renovate-config

System76 presets for Renovate
1
star