Supermicro server motherboards can be infected with unremovable malware

Scope of the Vulnerability

  • Some argue “every modern motherboard comes with unremovable malware” in practice, because opaque flash regions and management controllers are outside user control.
  • Others stress this case is not about hidden chips, but a bug in a documented, flagship feature: signed firmware updates for the BMC/IPMI interface.

Secure Boot, Verified Boot, and Root of Trust

  • One camp claims Secure Boot (in the broad, PC sense) is currently the only widely deployed way to meaningfully resist such persistent infections.
  • Others counter that if the BMC can overwrite system firmware and has memory access, it can:
    • Re-enroll arbitrary Secure Boot keys.
    • Replace measured images after verification or fake TPM PCR measurements.
  • Consensus emerges that:
    • The true root of trust must sit before and outside the firmware the BMC can overwrite.
    • TPM measurements can at best make tampering conspicuous, not reliably prevent it.
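The last two points can be seen in a small verifier that replays a measured-boot event log against quoted PCR values. This is an added example, not code from the thread or from any vendor; the log format is simplified, the quote signature is omitted, and the image contents and the `GOLDEN` baseline are constructed sample data.

```python
import hashlib

def extend(pcr, digest):
    # TPM extend operation: new PCR = SHA-256(old PCR || measurement digest)
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log, index):
    # Recompute one PCR from the log, starting at the all-zero reset value
    pcr = bytes(32)
    for pcr_index, digest, _name in event_log:
        if pcr_index == index:
            pcr = extend(pcr, digest)
    return pcr

def measure(stages):
    # What an honest boot chain logs: the hash of each image it hands off to
    return [(i, hashlib.sha256(image).digest(), name) for i, name, image in stages]

def quote(event_log, indexes=(0, 7)):
    # Stand-in for a TPM quote (signature omitted): the PCR values the TPM holds
    return {i: replay(event_log, i) for i in indexes}

def verify(event_log, quoted, golden):
    # Empty list means log, quote and known-good baseline all agree
    findings = []
    for index, expected in golden.items():
        replayed = replay(event_log, index)
        if replayed != quoted.get(index):
            findings.append(f"PCR{index}: event log does not reproduce quoted value")
        elif replayed != expected:
            findings.append(f"PCR{index}: differs from known-good baseline")
    return findings

# Constructed sample images, not real firmware
GOOD = [(0, "system firmware", b"vendor firmware build A"),
        (7, "secure boot policy", b"enrolled key set")]
CHANGED = [(0, "system firmware", b"vendor firmware build A, modified"), GOOD[1]]
GOLDEN = quote(measure(GOOD))

def run_cases():
    honest, changed = measure(GOOD), measure(CHANGED)
    return {
        "honest": verify(honest, quote(honest), GOLDEN),
        # Changed image, honestly measured: conspicuous
        "changed": verify(changed, quote(changed), GOLDEN),
        # Log rewritten afterwards to look clean: no longer matches the quote
        "log_rewritten": verify(honest, quote(changed), GOLDEN),
        # Limit: measuring code that reports baseline digests while running CHANGED
        # produces exactly the honest log and quote, so nothing is flagged
        "measurer_replaced": verify(measure(GOOD), quote(measure(GOOD)), GOLDEN),
    }
```

The last case is indistinguishable from the honest one, which is why the component that takes the first measurement has to sit outside anything the BMC can rewrite.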

Relation to the Bloomberg “Big Hack” Story

  • Most see this firmware issue as distinct from Bloomberg’s hardware-implant claims.
  • Debate over Bloomberg:
    • Some say the described tiny chip on BMC flash lines is technically plausible and similar to console modchips.
    • Others note no independent evidence was ever produced and vendors denied it, so it remains unproven.

“Unremovable” and Recovery Options

  • The thread distinguishes:
    • Practically unremovable via normal admin/remote means.
    • Technically removable by hardware intervention: JTAG, SPI clips, socketed SOIC chips, or desoldering.
  • Many consider desoldering or chip-level work unrealistic for normal IT, thus effectively “unremovable.”
  • Proposed mitigations:
    • Socketed or removable flash; physical write-protect jumpers/switches.
    • Dual-firmware or ROM+reflasher fallback designs.
    • Strong, independent roots of trust (e.g., Caliptra-like) and modular BMC cards (DC-SCM).

BMC Access, Networks, and Trust

  • One view: “If an attacker has BMC admin, you’ve already lost.”
  • Pushback: even admin shouldn’t be able to install irreversible hardware-level backdoors; future admins must be able to recover without board surgery.
  • Strong agreement that BMCs should live on isolated management networks, but:
    • Supermicro’s default of bonding the BMC to the main NIC when its own port is unused is seen as dangerous and surprising.
    • This raises concerns about tenants or rogue admins planting persistent backdoors in rented bare-metal servers.

Quality and Alternatives to BMC Firmware

  • Widespread belief that BMC stacks (across vendors) are low-quality, vulnerability-prone embedded software with poor economics for hardening and uneven patch uptake.
  • OpenBMC is viewed positively but isn’t widely used on Supermicro yet; some vendors are transitioning toward it.
  • Some note many platforms either lack enforced signatures or allow signature bypasses, enabling arbitrary firmware (including malware) to be flashed.
  • Suggestions and experiments:
    • BMC-less boards for high-security customers.
    • Fully open, vertically integrated server platforms with service processors and open firmware.
    • More formal kernels (e.g., seL4) are mentioned but seen as impractical for current BMC hardware and ecosystems.

Broader Sentiment

  • Frustration that it’s “near impossible” to buy servers without deeply privileged, opaque management backdoors.
  • Mixed reaction: some normalize it as industry-wide behavior; others see it as a fundamental, unresolved security failure.