Over the last three decades, the opensource movement has been pushing to open every piece of closed-source software. Linux & BSDs successfully proved that opensource can provide state-of-the-art operating systems: Internet, clouds or large infrastructures couldn't work without OSS. Having control over the operating system doesn't mean servers and the infrastructure are totally open, OSS won a battle but not the war. Criteo will present its vision to break the last barriers and open the last bits of proprietary software running in modern infrastructure and the challenges that go with it.

1. Opening the last bits
of the infrastructure
Low-level Software Engineer
Erwan Velu

2. • Worked for 3 Linux Distributions
• Part of the OSS world for 20 years
• Founder of Embedded & Kernel Recipes
• Syslinux contributor (pci, dmi, cpuid & HDT)
• Co-designed an In-Flight Entertainment System
• Member of the Hardware team at Criteo

3. What's open
in the infrastructure today?

4. 4
What's open in the infrastructure today?
• Operating Systems
• Linux is everywhere in infrastructures & clouds
• Orchestrators, hypervisors, config management
• Kubernetes, Mesos,
• KVM , Xen
• Ansible, Puppet, Chef
• Storage and big data
• Software Defined Storage (SDS)
• Ceph run at peta scale (CERN did a ~30PB in test & 9PB in production
• Networking
• Software Defined Network (SDN)
• OpenDaylight, Open vSwitch
• Widely used on clouds
• Server / Rack
• Open Compute (OCP)

5. The next bits to open,
what can be open soon?

6. 6
The next bits to open, BMC
• Another computer in your server
• Remote
• Power On/Off
• Sensor Monitoring
• Serial / VGA Console
• Bios & Firmware flashing

7. 7
The next bits to open
• Switches & Routers
• Were mostly hardware at the beginning
• Became specialized Linux hosts
• Core devices in an infrastructure
• BIOS
• Initialize low-level components
• CPU, RAM, ..
• Initiate the Operating System
• UEFI 1.8M SLOC (1/10th of Linux Kernel)
Control interface of the first ARPANET router,
Interface Message Processor delivered to UCLA August 30, 1969

8. But closed-source software
is everywhere

9. 9
Closed-source is everywhere
• Hardware is operated by firm^w^woftware
• Firmware is everywhere
• Network Card
• Storage Adapter
• BIOS
• Micro-controller
• Managing Engine
• BMC
• Storage device
• Processor
• Power Supply
• PDU
• Input devices

10. 10
Closed-source is everywhere
• Firmware is a badly written closed-source software
• Firmware runs in high privilege mode
• Has access to your data
• Firmware runs prehistoric code
• old Linux kernel
• openSSL or all other system libraries/tools
• Full of security issues
• Some have a very low security level
• Hardcoded & easy to guess root/password credentials → BMC
• ssh / telnet / webui

11. 11
Closed-source is everywhere
• Unsecured devices are good targets to hack a system
• BMC have full access to the local system
• Disk's firmware can store encrypted keys
• no one will notice
• Switches / Routers
• The software part managing the specific hardware is mostly Linux based
• Another ghost in your infra
• How to fix them?
• You can't
• Need vendor / integrator to cooperate, good luck with that
• Binary patching
• Risky
• Signing issue
• "Trust me and close your eyes"

12. Regain control

13. 13
Regain control, BMC
• BMCs are what Linux was 20 years ago
• "I can't open that"
• "Too complex"
• "Security Issue!"
• System
• AST chip
• Linux
• Device Tree
• Monitoring
• We already know how to do that on our systems
• So let's put AMI stuff out of order
• Use OSS only
• OpenBMC, µBMC
• Build at home
• Debug as "usual"
• Community driven development model

14. 14
Regain control, BMC
• Opening the BMC code was initiated by OCP & big ones
• We can all benefit from that
• Criteo has started working on OpenBMC
• Flatten the differences between vendors
• Flatten the differences between generations for a same vendor
• Security auditing is possible
• Adding custom code inside the BMC
• Fix bugs by ourselves
• We already contribute to OSS software & we have the required skills to do it
• Moving away from a polling-model to a push-mode
• Using custom endpoints : a server reports a hardware fault by opening a ticket for a repair
• Avoid workarounds & additional software layers
• We expect to have the first units in production by 2020

15. 15
Regain control, Network devices
• A switch/router is a Linux host with a specific hardware (ASIC)
• Adding features by { containers | processes }
• Switches become servers
• Deployment
• ZTP : PXE-Like
• Security
• Features
• Versioning
• Release upstream available at https://github.com/Azure/SONiC
• Feedback from Criteo
• 1.5 year of human work invested by Criteo as of today
• 1 data center in production
• First replacing OS from known hardware
• Then, adding more hardware diversity
• No { functional |performance } regression
• Need to have local resources (devops) instead of trusting vendor support
• Feel much more empowered if a trouble occurs

16. Winning the war

17. 17
Winning the war, the {mid|long}-term goals
• Let's open every piece of software of our infrastructures
• Network Cards
• Firmware (Some did it recently like CoreNIC, but more to come)
• BIOS
• LinuxBoot
• Coreboot
• RAID Controllers
• Why not ?
• Processors
• FSP ?
• Ucode ?
• Embedded Controllers
• Management Engine

18. 18
Winning the war - Timeframe
1
9
8
0
1
9
9
0
2
0
0
0
2
0
1
0
2
0
2
0
Linux
Linuxbios Linuxboot & Coreboot
OpenBMC
SONiC
Maturity, industry massive
adoption
Possible industry massive
adoption
Criteo adoption
Open Source

19. 19
Winning the war, TOGETHER
• Vendors also wins to open more
• Code is better audited (security, bugs)
• More developers means more task force
• Experienced end users can offer patches rather than ranting on support
• We already contribute with vendors on other opensource software, why not on firmware?
• Let hardware vendors focus more on what they do best, hardware
• Let's create a community
• Ranting on vendors is not enough to make this happening
• Industry must provide support to this opensource initiative
• Join us to support them and create a community to have opensource everywhere in the infra
• Don't be shy, that works on production!
Open your infrastructure!

20. e.velu@criteo.com
erwan_taf on freenode/oftc
Thank you!