First of all love it that someone is thinking about bootloaders. Thank you and I hope you're successful in this project.
I think that the article though is only targeted towards desktop PC/laptop/servers and mobile phones. Also not sure whether the it is talking about first level bootloader vulnerabilities or of second level bootloader vulnerabilities.
In the embedded world there often is no second stage loading, there are simply bootloaders. There are many, many bootloaders and opensource is the most popular option here, both first and second level.
Here's a table of hardware filtered by the booloaders used
I think we can use the research done opensource router os like openwrt[1] to design a BIOS that works across all devices. One interesting point to note here is that in many routers entire bootloader can be replaced easily using network booting. It takes seconds to flash the ROM (network booting is in-secure in theory but secure in practical since you need physical connectivity to book via a network).
While many modern machines support network booting,replacing the first level bootloader (BIOS) is (impossibly) hard.
Distributions of linux use GRUB which is nice and also opensource. But again its a second stage bootloader that comes into play after BIOS (first stage bootloader) has been executed.
I'd love to see more development in u-boot as they have already done the hard work of supporting multiple devices [2] and amazingly they also support direct booting from an SD card (not an sd card adapter via a usb stick).
Here is the list of architectures supported
/arc
/arm
/m68k
/microblaze
/mips
/nds32
/nios2
/openrisc
/powerpc
/riscv
/sandbox
/sh
/x86
Another key point to note is as a user there is very little control that I have on my bootloader (first level). Since it is loaded from a ROM which I can't replace/rewrite even if opensource firmware exists I can't use it. While I can install a new operating system I have not found any easy way to switch firmwares. Unless a project like linux foundation takes it up and brings together the stake holders to use an opensource firmware I think it will be really difficult to get adoption.
On the other hand bootloader is probably the only piece of software left that gives device manufactures some kind of control over their hardware. What's in it for them to use a free opensource technology?
Just the other day I tried the build system[1] for openwrt
and I was amazed to find how easy it is to create a custom image for a platform of your choice. And not just the kernel you can also build specific packages ,if they are not already supported by the package repository or are outdated.
Everything can be done from a graphical interface. Just a few stokes of keyboard and you have your own custom build. Really impressive stuff.
>Imo PC-based solutions are overkill, but yes, you may end up with a more open solution that way.
Yes exactly! If you look at it from the point of view of functionality to price ratio a pc might just be the best router there is.
- Its modular
- Its easily repairable
- Its portable (in the form of mini pc or a laptop)
- You can buy a second hand PC
Finally if you're taking the trouble of installing openwrt on a router it is a reasonable assumption that you want to do more with it. And in that case you're severely limited by the hardware that you choose.
To get the best of both worlds we can have a dedicated PC as a main router. And other cheap routers as your network extenders.
> An awful lot of devices these days ship with firmware that is actually OpenWRT (often v10-v15) based.
This is a great explanation and it answers some of my questions as well. But I have one more. I have not worked with the devices that you mention but I was thinking that if they already have openwrt what is stopping an end user to simply update to the latest version?
Is there some kind of hardware incompatibility or maybe disabled updates?
Versions of OpenWRT are tied to different Kernel versions, it's an entire distro, not just a layer above the Kernel.
So the QCA NSS drivers, for example, are kernel modules. The source is fully open and available, but trying to get it to build on the 4.14.x kernel used by OpenWRT is an exercise in futility unless you know the linux networking code inside out, as well as understand what the drivers are doing.
Work is ongoing and some progress is being made for the IPQ8064, and some mediatek SoC's not have full hardware offloading, but taking vendor provided code and massaging it into something acceptable either by OpenWRT (they are loathe to do as it's a huge job) or the upstream Kernel is a huge effort.
The manufacturer usually modifies OpenWRT/QSDK to support their device. AFAIK, most of the time individual components from the device (CPU, Ethernet switch, wireless chip) are already supported in OpenWRT, it's just that the specific combo that the device contains just isn't there yet. This configuration is done with the device tree. On top of that, some manufacturers (Tp-Link, for example) don't use the standard OpenWRT sysupgrade image format, so the device rejects the new firmware that you try to flash.
I just found out about Turris Omnia. Its not open source but its modular like a PC. But its a router. I know it does not make sense so please take a look yourself
Not of this particular presentation. But there are quite a few other videos talking about openwrt on the website (you'll find them under previous summits menu)
There is a good book about this that discusses the problem you just mentioned [1]. Not only do we need to find a way to replace oil as energy source we also need to find a way to replace it in all the other consumables. Or at least find viable substitutes.
I had to look up what buffer bloat was. Here's a link in case any one else wants to know
https://en.wikipedia.org/wiki/Bufferbloat