Talos II Beginner's Quick Start Guide


Congratulations on your purchase of a new Raptor Computing Systems Talos II(TM) Secure Workstation!

You're just a couple of steps away from being able to get up and running on your new secure system. This is a tutorial intended for novices to ease the transition from the x86 to the Talos II. It is intended primarily for non-technical users who just wish to get their Talos II up and running fast, and who prefer documentation to be presented in as non-intimidating a manner as possible.

The laptop used in this tutorial for access and provisioning of the Open Baseboard Management Controller (which is referred to as the "OpenBMC," or simply the "BMC") was a Lenovo Thinkpad X200 running OpenBSD. Your setup will likely differ from the one used to create this tutorial, so please remember to check your commands prior to entering them, as some of them may be different.

Changing The Default Factory Password

The Talos II comes with a remote management password set default from the factory. As the Baseboard Management Controller is used to control the computer out of band, it is important to change the Baseboard Management Controller's default factory password as quickly as possible to ensure security.

In this tutorial, we will do the following:

  • Power on the Talos II and load Petitboot, which is analogous to a PC's BIOS or EFI.
  • Connect a computer to the Talos II via Ethernet cable.
  • Configure a static IP address on the networking interface.
  • Configure the second computer to use a static IP address.
  • Connect to the Talos II's Open Baseboard Management Controller from the other computer via Secure Shell, or ssh.
  • Generate, Record, and Change the default factory password, to prevent unauthorized remote access to the BMC.
  • Log out and reboot the Talos II.
  • Take our first steps into the territory of computing freedom!

STOP! The Talos comes with a factory password of '0penBmc' which is set by default from the factory and is publicly posted and available everywhere that the Talos manual is hosted. The Baseboard Management Controller, which is used to provision and control the mainboard, is always running whenever there is any power connected to the mainboard. NEVER IN ANY CIRCUMSTANCES connect the Talos II to any network you cannot trust absolutely without first changing the factory password! Doing so may result in a compromise of the BMC root account and allow an adversary on the network to install malicious firmware onto the Talos, which can be used as a backdoor.

If you have connected your Talos II to any untrusted network, no matter how briefly, stop immediately and refer to the section "Flashing The Firmware." (To Be Added at a later date)

Before you begin...

In addition to a functioning Talos II system, you will need the following items:

  • A computer that you consider trustworthy, with an ethernet connection. This computer is going to handle the password for the Talos' OpenBMC. Remember that the OpenBMC guards the keys to the kingdom. Protect it well!
  • An Ethernet or Crossover cable. Crossover cables are preferred, but not necessary as the Talos II supports automatic negotiation.
  • A VGA computer monitor and cable.
  • A keyboard and mouse for the Talos.

First Steps

The Talos II's OpenBMC (Open Baseboard Management Controller) has a factory password, with the explicit expectation that the user change the password immediately prior to using the device. The BMC is not normally accessible from the Petitboot, and so must be configured over the network.

STOP! There is a difference between something that is 'trusted' and something that is 'trustworthy.' Remember, if something is 'trusted' that means if it fails, it can undo all of the security you have worked so hard to build up. Ensure that the system used to provision the BMC does not capture, exfiltrate or store the password used to provision the OpenBMC. The safety of your Talos II depends on it!

Plug in the power to the Talos II and turn the switch on the power supply unit to "On." The BMC Heartbeat indicator (a small green light in the lower left corner of the motherboard, when viewed from above) will flash and begin to blink. It may take several minutes for the BMC to initialize from cold power on, so give it time. Once the BMC is initialized, open a terminal on your second, trustworthy computer. Connect one end of the Crossover or Ethernet cable to your trustworthy computer, then connect the other end to the Ethernet port on the Talos II adjacent to the USB ports on the back. This port is allowed to communicate directly to the BMC; the other cannot.

After allowing enough time for the BMC to initialize, press the Power button on the Talos. The system should start. If not, release the power button, wait a minute and attempt again. If it still does not start, check to ensure you have connected the power button between the correct pins on the front panel interface. Please note that the Talos may take a long time to initialize after initial power on. During this time, the fans on the CPU will run at full capacity for approximately one minute, and the screen will remain blank. After a minute or so, the Talos should beep and the fans should spin down. If this does not occur after several minutes, see Troubleshooting (To Be Added at a later date).

Heads Up! By default, the Talos assumes that you are booting the computer remotely via the BMC, rather than standing at the computer pushing the button. This is a use case that is typical for when the Talos is operating in a secured environment like a datacenter or a physically locked and secured server rack, and you cannot simply walk in and plug a monitor into it to see it boot. The first time you boot it, the screen will be completely black until the Petitboot loads. If you would like to see the boot log on startup displayed on the monitor plugged into the integrated Video Graphics Adapter (as would be the case typical of a home use or desktop use machine), rather than sent to a serial console, you can change this option under the System configuration menu in the next section.

Preparing the Talos

Normally, the BMC will request an IP address from a DHCP server. Due to the state of router security (or rather, the lack of it), this is best avoided until the BMC has a new password. The next step is to configure the BMC with a static IP address.

Heads Up! If you do not see the Petitboot screen come up after several minutes, and you have ensured your display is functioning properly, ensure you have not disabled the integrated VGA via the jumper. By default, the integrated VGA adapter comes enabled from the factory. See the manual for reference.

You should see a screen that resembles this:


	Petitboot (v1.7.1-p836d356)
	____________________________________________

	*
	 System information
	 System configuration
	 System status log
	 Language
	 Rescan devices
	 Retrieve config from URL
	 Plugins (0)
	 Exit to shell

	____________________________________________

Use the arrow keys to navigate to "Exit to Shell" to bring up the command shell on the Petitboot. From here, we'll configure the network interface to use a static IP.

Stop! Both the OpenBMC and the Petitboot are very much full fledged operating systems. The BMC is essentially a small computer, within your computer, and has its own persistent storage. Changes you make in the OpenBMC remain set until you either unset them, reset the BMC, or flash the BMC. Carelessly abusing the BMC or the Petitboot can result in damage to the firmware files of your computer and necessitate a re-flash to restore damaged files. Double check each command as you enter it, and be careful.

Once you leave the petitboot to escape to a shell, you'll be presented with a prompt.

	Exiting petitboot. Type 'exit' to return.
	You may now run 'pb-sos' to gather diagnostic data
	/#

Welcome to the command shell of hostboot! The Talos is now ready to be set up.

The BMC comes with ipmitool, a utility for managing networking. First, we're going to see which local area network interfaces are available to the BMC, with "lan print" and "1" to signify the interface "1". The BMC only has one network-enabled interface.

Please note that older releases of BMC firmware had an issue where the IP could not be set. If you run the commands listed below but the IP information does not change (and you cannot work with the factory defaults), upgrade your BMC as explained in https://wiki.raptorcs.com/wiki/Talos_II/Firmware.

	/# ipmitool lan print 1
	Set in Progress: Set Complete
	Auth Type Support: MD5
	Auth Type Enable: Callback 	: MD5
			: User		: MD5
			: Operator	: MD5
			: Admin		: MD5
			: OEM		: MD5
	IP Address Source: DHCP Address
	IP Address: ███.███.███.███
	Subnet Mask: ███.███.███.███
	Default Gateway IP: ███.███.███.███

You will also see some information below for VLAN ID, Cipher Suite, and Bad Password threshold. We will not be using these for now.

This should return some diagnostic information about the interface itself. Take note of the field marked "IP Address Source". We will first change it with ipmitool so that the interface uses a static IP address.

	/# ipmitool lan set 1 ipsrc static

Normally, when the IP address source is set to DHCP, a DHCP server (many home routers will fill this role automatically) will provide it with an IP address. However, because your secondary computer will (most likely) not be running a DHCP server, we will then change LAN 1's IP address to a static IP. This way, it already will have its own address on the network and will not need to rely on DHCP to auto-configure one.

Next, we provide it with the IP address we would like it to use. In this case, we're going to use 192.168.0.43 for the secondary computer, and 192.168.0.42 for the Talos BMC.

	/# ipmitool lan set 1 ipaddr 192.168.0.42
	Setting LAN IP address to 192.168.0.42

From here, we set the Subnet mask. Both computers must be on the same subnet, so we'll pick 255.255.255.0. Keep these numbers in mind, as we will be setting them on the secondary computer later.

	/# ipmitool lan set 1 netmask 255.255.255.0
	Setting LAN Subnet Mask to 255.255.255.0

Next, we set the default gateway. Under normal circumstances, this would be your router. There are two ways this can be done: either by the MAC address of your router, or by its IP address. In this case, we're going to use 192.168.1.1.

	/# ipmitool lan set 1 defgw ipaddr 192.168.1.1
	Setting Default Gateway IP to 192.168.1.1

If you decide to use your router's MAC address, then substitute "ipaddr" with "macaddr", after which you will need to enter the MAC address instead of the IP address. Lastly, check to ensure that the computer recognized your settings with "ipmitool lan print 1".

	/# ipmitool lan print 1
	Set in Progress: Set Complete
	Auth Type Support: MD5
	Auth Type Enable: Callback 	: MD5
			: User		: MD5
			: Operator	: MD5
			: Admin		: MD5
			: OEM		: MD5
	IP Address Source: Static Address
	IP Address: 192.168.0.42
	Subnet Mask: 255.255.255.0
	Default Gateway IP: 192.168.1.1

The OpenBMC is now ready to be connected to via Secure Shell.
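
A way to check the settings above before moving on, as an added example that is not part of the original guide: it parses "ipmitool lan print 1" output pasted from the console and confirms that the source is static, the address is the one intended, and the laptop's address falls inside the BMC's subnet. The sample text is constructed in the field layout shown on this page; the function names are this example's own.

```python
import ipaddress

# Constructed sample in the field layout shown on this page, after the
# static settings have been applied.
SAMPLE_LAN_PRINT = """\
Set in Progress: Set Complete
Auth Type Support: MD5
Auth Type Enable: Callback : MD5
        : User     : MD5
IP Address Source: Static Address
IP Address: 192.168.0.42
Subnet Mask: 255.255.255.0
Default Gateway IP: 192.168.1.1
"""


def parse_lan_print(text):
    """Return {field: value} parsed from 'ipmitool lan print' output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():  # continuation rows start with ':' and are skipped
            fields[key.strip()] = value.strip()
    return fields


def check_bmc_lan(text, bmc_ip, client_ip):
    """Return a list of findings; an empty list means everything is consistent."""
    f = parse_lan_print(text)
    findings = []
    if not f.get("IP Address Source", "").lower().startswith("static"):
        findings.append("address source is not static")
    if f.get("IP Address") != bmc_ip:
        findings.append(f"BMC address is {f.get('IP Address')!r}, expected {bmc_ip}")
    try:
        net = ipaddress.ip_network(f"{f['IP Address']}/{f['Subnet Mask']}", strict=False)
    except (KeyError, ValueError):
        findings.append("IP address or subnet mask is missing or malformed")
        return findings
    if ipaddress.ip_address(client_ip) not in net:
        findings.append(f"client {client_ip} is not on the BMC's subnet {net}")
    gw = f.get("Default Gateway IP", "0.0.0.0")
    try:
        if gw != "0.0.0.0" and ipaddress.ip_address(gw) not in net:
            findings.append(f"gateway {gw} is outside {net}: unreachable from the BMC")
    except ValueError:
        findings.append(f"gateway {gw!r} is not a valid address")
    return findings


if __name__ == "__main__":
    for finding in check_bmc_lan(SAMPLE_LAN_PRINT, "192.168.0.42", "192.168.0.43"):
        print("CHECK:", finding)
```

With the tutorial's values the only finding is that the gateway 192.168.1.1 lies outside 192.168.0.0/24. That does not affect the direct cable connection, because traffic between two hosts on the same subnet never passes through the gateway.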

Preparing The Client

Return to the trustworthy computer that you wish to use to set the BMC Password. If you are unfamiliar with the networking interfaces on your computer, you can try to list them by entering ifconfig without any other arguments. Since configuration of the network interfaces is capable of affecting the whole computer, we must first "substitute user" to root and try the "ifconfig" command without any arguments to list all of the network interfaces the computer can utilize, and look for the one labelled "Ethernet."

	root@laptop:~# ifconfig

	em0: flags=█████████<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONFIG>, mtu 1500
		lladdr ██:██:██:██:██:██
		index 1 priority 0 llprio 3 
		media: Ethernet autoselect (████████████████████████)
		status: active
		inet6: ████::████::████::████:████%em0 prefixlen 64 scopeid 0x1
		inet 192.168.█.██ netmask █x█████████ broadcast 192.168.█.███

	root@laptop:~#

You may see other entries, such as iwn0 for wireless, or lo0, for loopback. We will not be using these. Take note of the interface named in the upper left corner that lists "Ethernet." In this example, em0 will be the interface we will configure to use a static IP address, to reach the Talos.

From there, we need to use ifconfig to set the network address to something easily memorable. In this case, we will set the laptop's Local Area Network IP address to be 192.168.0.43, and use a netmask of 255.255.255.0. For this, we will use ifconfig, point it to em0, and supply our desired IP address and network mask. On an x200 laptop running OpenBSD, the command looks like this:

	root@laptop:~# ifconfig em0 inet 192.168.0.43 netmask 255.255.255.0
	root@laptop:~#

The command should immediately return to a prompt once complete. Once we're done, we can leave the root account on the laptop and return to a regular user account.

	root@laptop:~# exit
	user@laptop:~$

We will now connect to the BMC using your laptop. Most Linux distributions come with ssh installed. If yours does not, stop now and consult your operating system's documentation on how to install the SSH client. Package names may be something like "openssh", "openssh-client", "ssh2", or "dropbear".

Connecting to the BMC

You're now ready to remotely manage your Talos II, and change the default password. SSH, with the right practices, allows a user to securely establish a confidential and authenticated encrypted channel between a pair of computers and control the host remotely. There are several ways to authenticate yourself to the computer that you will be running the commands on, including a password, which is sent to the server through the encrypted tunnel, or the use of cryptography. Using cryptography is stronger, safer, and more convenient, but requires that the user first transfer the digital certificates and keys to the computer being accessed.

Bring up the terminal on your secondary computer and recall that the IP address of the Talos BMC is 192.168.0.42. We want to log in as the root user, so we pass -l to the ssh command to tell it which login name we would like to authenticate as (hence, the -l is for "login"), followed by the name of the login and the destination.

	user@laptop:~$ ssh -l root 192.168.0.42

The following error message will be produced the first time.

	The authenticity of host `192.168.0.42' can't be established. ECDSA key fingerprint is SHA256:[.......] 
	Are you sure you want to continue connecting? (yes/no)?

This tutorial assumes that we are using SSH over a network that consists of a relatively short Ethernet cable we can see the entirety of, between two computers that are both in a physically trustworthy environment such as your private home. However, the majority of uses for SSH normally assume that the two computers are not in this comfortably convenient and safe arrangement. They could be located away, potentially in other countries, and connected only over the untrusted Internet. SSH uses cryptography, but because the keys and certificates themselves cannot be encrypted, how do we know that the keys and certificates themselves are the genuine ones, and not replaced by an attacker (such as a misconfigured ISP's router that is configured to intercept, decrypt, inspect and then re-encrypt and transparently pass on SSL traffic as an antispam measure) which could capture, store, then possibly leak the password?

In a situation where the computer would be located on the other side of the Internet, to ensure that the password is not stolen by an attacker impersonating the computer to us, we would first verify that this is the computer's real and genuine key fingerprint. This could be as simple as making a phone call to the system administrator working at the place where the computer is installed, or physically travelling to the location to compare the digital fingerprint with our own eyes. If the codes match exactly, it is mathematical proof that the certificate is real, and has not been tampered with or replaced during delivery by an active adversary that will impersonate the client to the server, and vice versa, an attack commonly known as a "man in the middle" attack.

However, since we are physically at the location of the computer and the two computers are physically plugged into each other over a cable, with no middleman between, it is unlikely that the certificate will be counterfeit. So, we will simply trust the certificate by typing in "yes."
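
For the remote case described above, one way to do the comparison, as an added example that is not part of the original guide: it computes the SHA256 fingerprint in the form OpenSSH displays from a host public key line and compares it with a fingerprint obtained out of band. The sample key is constructed (its point bytes are filler), and the two line layouts handled are those of a .pub file and of ssh-keyscan output.

```python
import base64
import hashlib
import struct


def first_string(blob):
    """Return the first length-prefixed string of an SSH wire-format blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + length:
        raise ValueError("truncated blob")
    return blob[4:4 + length]


def key_blob(line):
    """Extract the raw key blob from 'type base64 [comment]' (.pub layout)
    or 'host type base64' (ssh-keyscan layout)."""
    tokens = line.split()
    for key_type, b64 in zip(tokens, tokens[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
            # The blob repeats the key type; a mismatch means this is not a key.
            if first_string(blob) == key_type.encode():
                return blob
        except ValueError:  # also covers binascii.Error
            continue
    raise ValueError("no SSH public key found in line")


def sha256_fingerprint(line):
    """Fingerprint as OpenSSH prints it: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(line, trusted_fingerprint):
    """True only if the presented key hashes to the out-of-band fingerprint."""
    return sha256_fingerprint(line) == trusted_fingerprint.strip()


def ssh_string(data):
    """Encode bytes as an SSH length-prefixed string."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key line: correct ECDSA blob structure, filler point bytes.
SAMPLE_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
               + ssh_string(b"\x04" + bytes(range(64))))
SAMPLE_SCAN_LINE = ("192.168.0.42 ecdsa-sha2-nistp256 "
                    + base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_SCAN_LINE))
```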

You will then be prompted for the password. In this case, it is simply "0penBmc" exactly as typed (without quotes).

	root@192.168.0.42's password: *******

If all goes well, you'll find a familiar screen!

	Petitboot (v1.7.1-p836d356)
	____________________________________________

	*
	 System information
	 System configuration
	 System status log
	 Language
	 Rescan devices
	 Retrieve config from URL
	 Plugins (0)
	 Exit to shell

	____________________________________________

Welcome back to Petitboot! Here, we will now set the password. Scroll down to "Exit to Shell" or press and release "x" to escape back to the command line.

	/#

You are now ready to change the password.

If instead of petitboot screen you are greeted by a command line prompt "root@talos:~#", then run "passwd" from there directly (and do not run "obmc-console-client").

Changing The Password

Recall the golden rules of password safety:

  • Passwords should never be shared with anyone except between the two owners of the mutually agreed-upon secret password. In this case, the password will be shared between you and the BMC, and should never be disclosed to anything else, and only used from a computer you absolutely trust not to capture or steal it.
  • Passwords must never be reused even between parties you trust, as that trust relationship can change with no warning and often, without your knowledge.
  • Spent passwords must be disposed of carefully.
  • If the password is ever exposed (such as typing the wrong password into the wrong computer or into the wrong form), change the password immediately by starting over. When in doubt, change it out. Never wait for a compromise to occur before taking action if you suspect the password has been compromised.
  • It is much safer and more convenient to have a cryptographically strong long-term password that you can memorize, than a short one that you will need to change every 90 days.
  • Complexity and randomness of the password is important. Never use a password that was derived from a previous one or any other by any 'clever' algorithm or obscure scheme. You do not know the flaws in your own scheme and will very likely be the last person to learn of them when they are found.

Ideally, stop thinking of a password, and start to think of a pass phrase. Remember that in terms of password strength, although there are only 52 characters you can type from a keyboard, there are more than 51,000 words in the pocket edition of the Oxford English Dictionary. Thus, if we assume the use of a 10-digit, "perfectly random" password (please note that simply closing your eyes and mashing keys is not "perfectly random" as the locations of the keys are predictable based on the fact their positions are known, and the patterns your hands can take are statistically predictable to someone with a copy of Microsoft Excel, a bit of time, and basic math), this gives us a password strength of 52^10, or roughly 1.4E17 combinations. However, a six-word passphrase consisting of six "perfectly random" words chosen from the compact edition of the Oxford English dictionary will yield 51000^6, or roughly 1.8E28 combinations, more than ten orders of magnitude more difficult to guess, much easier to type, and easier to record and check for typographical errors. Backronyms or memory aids may help with the memorization.
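
The comparison above as an added example (not from the original guide): it expresses the page's two cases as bits of entropy and draws passphrase words with Python's secrets module, which uses the operating system's random source rather than a human choice. The 90-bit target and the 16-word sample list are assumptions made for the demonstration.

```python
import math
import secrets

# Constructed 16-word list for the demonstration only. In practice use a
# large published wordlist (the page's figure assumes about 51,000 words).
SAMPLE_WORDS = [
    "anchor", "basalt", "cinder", "dynamo", "ember", "fjord", "garnet", "harbor",
    "indigo", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pebble",
]


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` independent, uniform picks from a pool."""
    return length * math.log2(pool_size)


def words_needed(pool_size, target_bits):
    """Smallest number of picks whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate_passphrase(wordlist, target_bits=90):
    """Draw as many random words as the list size requires to reach target_bits."""
    words = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if len(words) < 2:
        raise ValueError("wordlist needs at least two distinct words")
    count = words_needed(len(words), target_bits)
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print("10 characters from 52:   %.1f bits" % entropy_bits(52, 10))
    print("6 words from 51,000:     %.1f bits" % entropy_bits(51000, 6))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

A small list is compensated for only by length: the 16-word sample list needs 23 words to reach the same 90 bits that six words from a 51,000-word list provide.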

You may wish to write down the password on a sheet of cardboard you will keep on your person until it has been fully committed to memory, then once it has, either place the ticket in a physically secured area only you have access to, or destroy it.

To change the password, at the prompt, type:

	/# passwd

You will be prompted by the system to enter a password, then confirm it. Once that is done, you will be returned to the prompt.

STOP! Do not log out yet. Ensure that the password change worked successfully and that you have not managed to mistype the same password twice. Open up another terminal window on your client machine and ssh back into your Talos II by repeating step 4, in a different instance. Make sure that the password is tested and verified to be working. If you mistype the password, the BMC will be permanently locked and must be flashed to reset it or the BMC chip replaced entirely. If the password to the BMC is lost, forgotten, or mis-set, the BMC will be rendered inaccessible to you until it is reprovisioned.

When you are finished, and have verified that the new password works and the old password no longer does, you may continue to explore the Talos II's OpenBMC and Petitboot at your leisure, or leave the secure shell with the exit command, which is:

	/# exit

If you wish to restart the Talos II via the BMC, simply type "reboot." The Talos II will power its CPUs down, and restart them. The BMC will remain functioning so long as there is power going to the mainboard even when the CPUs are off, so you should not be worried about being disconnected from the server.

Congratulations. You are now ready to connect the Talos II to an untrusted network, and begin installing your operating system!

Installing The Operating System

[To Be Added]

Patching, Compiling, and Installing Your Kernel

[To Be Added]

Virtual Machines

[To Be Added]