BMC Image Signing Proposal

Adriana Kobylak anoo at
Thu Feb 1 08:13:05 AEDT 2018

Thanks everybody for your thoughts so far. I'll try to comment on the 
remaining open questions.

Summarizing, there are 2 different verifications that are desired, one 
prior to writing the image to flash (using signature check), and one 
prior to booting the image (FIT verification).

1. Signature check

> Can you take a look at swupdate and reply with your thoughts?
Yes, thanks Andrew for looking and suggesting this.

> To overcome that the public key should be stored in OTP.
> We use this method on our Nuvoton Poleg BMC.
One concern would be if the key is deemed compromised. Avi, does the 
Nuvoton system have a mechanism for invalidating a key stored in OTP?
>> The "firmware update" public key in flash (and firmware update code 
>> itself) would be authenticated by BMC secure boot.
Per Eugene's comment, maybe we're ok with the key in flash?

> Whatever mechanism is used to generate the signature should be able to 
> be overridden by an environment variable or something.
Yes, good point Vernon.

2. FIT verification

> Regardless, with signed images we should expand the
> FIT hash check to be a full signature check.
Yes, I think there was some agreement on this statement during the 

> Also - has anybody mentioned using the FIT as a firmware update install 
> image, in addition to using to boot the kernel?(i.e. FIT within a FIT). 
> Think the native DFU command in u-boot supports this method. Just a 
> thought
Yes, ideally we'd implement FIT verification of the rootfs in addition 
to the kernel to verify an image before booting.

More information about the openbmc mailing list