Basic understanding of OPAL

Software > Firmware

(1/2) > >>

cchinicz:
Hi everyone,

I'm trying to understand what OPAL does and how it works. I noticed the memory I see on "host" OS is about 0.5GB smaller than actual physical memory and I wonder OPAL works as a tier 1 "hypervisor" for what we call "host" OS (Fedora 32 in my case), which is kind of para virtualized.

Besides memory, what else OPAL provides to the OS? CPU scheduler, PCI devices, NICs, USB, and HDMI (through BMC in my case with Blackbird)?

If this is so, it can be good from a security point of view (besides providing standard interfaces for any OS) since any reboot will bring up a fresh and clean OPAL, regardless of what happened before. If so, also important to keep firmware up to date, which I have not done since I got the machine on May 2020.

Any input is appreciated.

Regards,
Claudio

ClassicHasClass:
I guess you could think of it as a sort of hypervisor, but what it's actually doing is serving as an abstraction layer (hence the acronym) to give a common entry point for doing necessary low-level services. OPAL is part of Skiboot, so as you update your firmware, OPAL is updated as well.

The full list of OPAL calls by number defines its services. It largely concerns itself with low-level functions like PCI devices and interrupts. Here's one such list maintained in FreeBSD: http://fxr.watson.org/fxr/source/powerpc/powernv/opal.h

cchinicz:
Hey ClassicHasClass, thank you for the input. I've followed your lead and found the OPAL API reference link here https://open-power.github.io/skiboot/doc/opal-api/

Now it has became a lot clearer.

Cheers!

cchinicz:
By the way, does OPAL "harden" the security of openpower systems by moving to firmware (stateless) hardware related activities? Would it help prevent Evil Maid attacks on USB? Or at the driver level with all devices?

ClassicHasClass:
That's not really its purpose; its purpose is to make implementation differences between systems appear unified to an OS running at a higher level. Things like USB and hardware attacks are probably best approached from the OS itself by simply disabling the conduits for those attacks, which certainly could be done through OPAL calls and thus will work on any class of OpenPOWER machine. But the role it serves is far more general than that.

Navigation

[0] Message Index

[#] Next page

Go to full version