Freedom and Privacy in the Datacenter

Tobias "Tomoko" Platen

Most servers used in the datacenter run a proprietary BIOS, the Intel Management Engine firmware and some vendor-specific remote management. Virtual machines are unsafe since the server operator can automatically extract cryptographic keys from the RAM. There are some freedom-respecting servers, such as the Vikings D16 1U server, which has OpenBMC by Raptor Engineering. Since OpenBMC is free software, it can be audited for security. In August 2017, Raptor Engineering launched a new series of workstation and server computers, called the Talos II. These are high-end systems, using the libre IBM POWER9 architecture.

Most servers use Intel or AMD processors which require multiple binary blobs
to function. There are some libre ARM systems, but those offer low performance.
High-performance 64-bit ARM systems use a non-free UEFI implementation.
Both the Intel Management Engine and AMD Platform Security Processor require
proprietary firmware. However, there is an older AMD system (the ASUS KGPE-D16)
that is supported by Libreboot and OpenBMC. This system does not need any
microcode updates to be usable as a server.
The new Talos II system uses up to two IBM POWER9 Sforza CPU modules and an
Aspeed AST2500 Server Management Processor. Both processors only use libre firmware.
The only proprietary blob required to use the system is the firmware for the NIC,
the Broadcom BCM5719. Since the BCM5719 is behind an IOMMU, it does not have direct
access to the main memory. The Free Software Foundation will be exploring the possibility
of "Respect Your Freedom" certification on this hardware when it's ready to ship.
Since free software rarely spies on the user, it can be said that those systems also
Respect Your Privacy when used in a datacenter.