<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:PMingLiU;
        panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:PMingLiU;
        panose-1:2 1 6 1 0 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        font-size:12.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0cm;
        margin-right:0cm;
        margin-bottom:0cm;
        margin-left:24.0pt;
        mso-para-margin-top:0cm;
        mso-para-margin-right:0cm;
        mso-para-margin-bottom:0cm;
        mso-para-margin-left:2.0gd;
        font-size:12.0pt;
        font-family:"Calibri",sans-serif;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
/* Page Definitions */
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:88429001;
        mso-list-type:hybrid;
        mso-list-template-ids:247338540 796664276 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:18.0pt;
        text-indent:-18.0pt;}
@list l0:level2
        {mso-level-number-format:ideograph-traditional;
        mso-level-text:%2\3001;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:48.0pt;
        text-indent:-24.0pt;}
@list l0:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:72.0pt;
        text-indent:-24.0pt;}
@list l0:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:96.0pt;
        text-indent:-24.0pt;}
@list l0:level5
        {mso-level-number-format:ideograph-traditional;
        mso-level-text:%5\3001;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:120.0pt;
        text-indent:-24.0pt;}
@list l0:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:144.0pt;
        text-indent:-24.0pt;}
@list l0:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:168.0pt;
        text-indent:-24.0pt;}
@list l0:level8
        {mso-level-number-format:ideograph-traditional;
        mso-level-text:%8\3001;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:192.0pt;
        text-indent:-24.0pt;}
@list l0:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:216.0pt;
        text-indent:-24.0pt;}
@list l1
        {mso-list-id:480200177;
        mso-list-type:hybrid;
        mso-list-template-ids:1973950360 -615735384 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l1:level2
        {mso-level-number-format:ideograph-traditional;
        mso-level-text:%2\3001;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:66.0pt;
        text-indent:-24.0pt;}
@list l1:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:90.0pt;
        text-indent:-24.0pt;}
@list l1:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:114.0pt;
        text-indent:-24.0pt;}
@list l1:level5
        {mso-level-number-format:ideograph-traditional;
        mso-level-text:%5\3001;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:138.0pt;
        text-indent:-24.0pt;}
@list l1:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:162.0pt;
        text-indent:-24.0pt;}
@list l1:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:186.0pt;
        text-indent:-24.0pt;}
@list l1:level8
        {mso-level-number-format:ideograph-traditional;
        mso-level-text:%8\3001;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:210.0pt;
        text-indent:-24.0pt;}
@list l1:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:234.0pt;
        text-indent:-24.0pt;}
@list l2
        {mso-list-id:942147320;
        mso-list-type:hybrid;
        mso-list-template-ids:246174188 1921308258 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-18.0pt;}
@list l2:level2
        {mso-level-number-format:ideograph-traditional;
        mso-level-text:%2\3001;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:66.0pt;
        text-indent:-24.0pt;}
@list l2:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:90.0pt;
        text-indent:-24.0pt;}
@list l2:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:114.0pt;
        text-indent:-24.0pt;}
@list l2:level5
        {mso-level-number-format:ideograph-traditional;
        mso-level-text:%5\3001;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:138.0pt;
        text-indent:-24.0pt;}
@list l2:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:162.0pt;
        text-indent:-24.0pt;}
@list l2:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:186.0pt;
        text-indent:-24.0pt;}
@list l2:level8
        {mso-level-number-format:ideograph-traditional;
        mso-level-text:%8\3001;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:210.0pt;
        text-indent:-24.0pt;}
@list l2:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:234.0pt;
        text-indent:-24.0pt;}
ol
        {margin-bottom:0cm;}
ul
        {margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="ZH-TW" link="#0563C1" vlink="#954F72" style="word-wrap:break-word;text-justify-trim:punctuation">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi OpenBMC team<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I have some questions about OTP image creation in OpenBMC. To support the AST2600 RoT (Root of Trust, in which the AST2600 ROM code verifies the SPL), users should program the public key into OTP and use the corresponding private key with the SPL image to create a signature, which is placed in the SPL.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The SOCSEC tool helps users create the OTP and SPL images needed for AST2600 secure boot support.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">My questions and proposed solutions are as follows:<o:p></o:p></span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:-18.0pt;mso-para-margin-left:0gd;mso-list:l0 level1 lfo1">
<span lang="EN-US">There is a socsec-sign.bbclass in OpenBMC, which is used to generate the SPL image with the SOCSEC tool. Would you agree to my modifying socsec-sign.bbclass to create the OTP image?<o:p></o:p></span></li></ol>
<p class="MsoListParagraph" style="margin-left:18.0pt;mso-para-margin-left:0gd"><span lang="EN-US">If not, I will try to use solution 2.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;mso-para-margin-left:0gd"><span lang="EN-US"><o:p> </o:p></span></p>
<ol style="margin-top:0cm" start="2" type="1">
<li class="MsoListParagraph" style="margin-left:-18.0pt;mso-para-margin-left:0gd;mso-list:l0 level1 lfo1">
<span lang="EN-US">I will create a new recipe that creates the OTP image; this recipe will be placed at meta-aspeed/recipes-aspeed/otp/otp.bb.<o:p></o:p></span></li></ol>
<p class="MsoListParagraph" style="margin-left:18.0pt;mso-para-margin-left:0gd"><span lang="EN-US">To build the OTP and SPL images successfully, we need to create a
<b>key pair</b>: the public key for the OTP image and the private key for the SPL.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;mso-para-margin-left:0gd"><span lang="EN-US">Do you have any suggestions on where to place these keys?<o:p></o:p></span></p>
<ol style="margin-top:0cm" start="1" type="a">
<li class="MsoListParagraph" style="margin-left:0cm;mso-para-margin-left:0gd;mso-list:l2 level1 lfo3">
<span lang="EN-US">So far, we have placed both the private key and the public keys here: <a href="https://github.com/openbmc/openbmc/tree/master/meta-aspeed/recipes-bsp/u-boot/files">
https://github.com/openbmc/openbmc/tree/master/meta-aspeed/recipes-bsp/u-boot/files</a><o:p></o:p></span></li></ol>
<p class="MsoListParagraph" style="margin-left:36.0pt;mso-para-margin-left:0gd"><span lang="EN-US">How should the OTP recipe get the public key?<b> It seems I need to place the public key,
<a href="https://github.com/openbmc/openbmc/blob/master/meta-aspeed/recipes-bsp/u-boot/files/rsa_pub_oem_dss_key.pem">
https://github.com/openbmc/openbmc/blob/master/meta-aspeed/recipes-bsp/u-boot/files/rsa_pub_oem_dss_key.pem</a>,<o:p></o:p></b></span></p>
<p class="MsoListParagraph" style="margin-left:36.0pt;mso-para-margin-left:0gd"><b><span lang="EN-US">in meta-aspeed/recipes-aspeed/otp/files and the private key in u-boot,
<a href="https://github.com/openbmc/openbmc/blob/master/meta-aspeed/recipes-bsp/u-boot/files/rsa_oem_dss_key.pem">
https://github.com/openbmc/openbmc/blob/master/meta-aspeed/recipes-bsp/u-boot/files/rsa_oem_dss_key.pem</a>
<o:p></o:p></span></b></p>
<ol style="margin-top:0cm" start="2" type="a">
<li class="MsoListParagraph" style="margin-left:0cm;mso-para-margin-left:0gd;mso-list:l2 level1 lfo3">
<span lang="EN-US">The socsec tool settings should be consistent between the two images. For example, if the user sets the algorithm “RSA4096_SHA512” for the SPL, it is required to use the corresponding *.json config for the OTP image.<o:p></o:p></span></li></ol>
<p class="MsoListParagraph" style="margin-left:36.0pt;mso-para-margin-left:0gd"><span lang="EN-US"><a href="https://github.com/openbmc/openbmc/blob/master/meta-aspeed/classes/socsec-sign.bbclass#L8">https://github.com/openbmc/openbmc/blob/master/meta-aspeed/classes/socsec-sign.bbclass#L8</a><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:36.0pt;mso-para-margin-left:0gd"><span lang="EN-US">By default, it sets SOCSEC_SIGN_ALGO ?= "RSA4096_SHA512" to create the SPL, so it is required to use
<a href="https://github.com/AspeedTech-BMC/openbmc/blob/aspeed-master/meta-aspeed-sdk/recipes-aspeed/security/aspeed-secure-config/configs/ast2600/security/otp/evbA3_RSA4096_SHA512.json">
<span style="color:windowtext">https://github.com/AspeedTech-BMC/openbmc/blob/aspeed-master/meta-aspeed-sdk/recipes-aspeed/security/aspeed-secure-config/configs/ast2600/security/otp/evbA3_RSA4096_SHA512.json</span></a> for OTP image generation.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;mso-para-margin-left:0gd"><span lang="EN-US">  How can the environment variable be shared between the u-boot and otp recipes?<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;mso-para-margin-left:0gd"><span lang="EN-US">  Would you prefer that “SOCSEC_SIGN_ALGO” be added to the machine configuration file, so that this variable is visible to both the otp and u-boot recipes?<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:18.0pt;mso-para-margin-left:0gd"><span lang="EN-US">  Do you have any suggestion?<o:p></o:p></span></p>
<ol style="margin-top:0cm" start="3" type="a">
<li class="MsoListParagraph" style="margin-left:0cm;mso-para-margin-left:0gd;mso-list:l2 level1 lfo3">
<span lang="EN-US">How can the build process be triggered to create the OTP image if the user only issues “bitbake obmc-phosphor-image”?<o:p></o:p></span></li></ol>
<p class="MsoListParagraph" style="margin-left:36.0pt;mso-para-margin-left:0gd"><span lang="EN-US"><a href="https://github.com/AspeedTech-BMC/openbmc/blob/aspeed-master/meta-aspeed-sdk/classes/image_types_phosphor_aspeed.bbclass#L84">https://github.com/AspeedTech-BMC/openbmc/blob/aspeed-master/meta-aspeed-sdk/classes/image_types_phosphor_aspeed.bbclass#L84</a><o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:36.0pt;mso-para-margin-left:0gd"><span lang="EN-US">Our solution sets the dependencies of the do_generate_static_tar task, so the build process creates the otp image first and then runs the do_generate_static_tar task.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:36.0pt;mso-para-margin-left:0gd"><span lang="EN-US">Do you have any suggestion? Do I need to modify this bbclass,
<a href="https://github.com/openbmc/openbmc/blob/master/meta-phosphor/classes/image_types_phosphor.bbclass">
https://github.com/openbmc/openbmc/blob/master/meta-phosphor/classes/image_types_phosphor.bbclass</a> ?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks-Jamin<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</body>
</html>