BMC Image Signing Proposal
anoo at linux.vnet.ibm.com
Thu Feb 1 08:13:05 AEDT 2018
Thanks everybody for your thoughts so far. I'll try to comment on the
remaining open questions.
Summarizing, there are 2 different verifications that are desired, one
prior to writing the image to flash (using signature check), and one
prior to booting the image (FIT verification).
1. Signature check
> Can you take a look at swupdate and reply with your thoughts?
Yes, thanks Andrew for looking and suggesting this.
> To overcome that the public key should be stored in OTP.
> We use this method on our Nuvoton Poleg BMC.
One concern would be if the key is deemed compromised. Avi, does the
Nuvoton system have a mechanism for invalidating a key stored in OTP?
>> The "firmware update" public key in flash (and firmware update code
>> itself) would be authenticated by BMC secure boot.
Per Eugene's comment, maybe we're ok with the key in flash?
> Whatever mechanism is used to generate the signature should be able to
> be overridden by an environment variable or something.
Yes, good point Vernon.
2. FIT verification
> Regardless, with signed images we should expand the
> FIT hash check to be a full signature check.
Yes, I think there was some agreement on this statement during the
> Also - has anybody mentioned using the FIT as a firmware update install
> image, in addition to using to boot the kernel?(i.e. FIT within a FIT).
> Think the native DFU command in u-boot supports this method. Just a
Yes, ideally we'd implement FIT verification of the rootfs in addition
to the kernel to verify an image before booting.
More information about the openbmc