BMC Image Signing Proposal

Yugi Mani yupalani at microsoft.com
Sat Feb 10 12:36:16 AEDT 2018


On Thursday, February 8, 2018 12:27 PM, Adriana Kobylak wrote:
> Here are some charts with the image signing flow for comment:
> 
> https://drive.google.com/file/d/1IxfMYRttN8RbhRY7PwBmXsqCBvtv_yLJ/view?usp=sharing

Thanks for putting together a chart.

We should consider both of these requirements for image signing:
1. Update verification
2. Boot verification

Appending a signature to the image meets the verification requirement during firmware update. To do verification on every boot, we need something like FIT.
https://chromium.googlesource.com/chromiumos/third_party/u-boot-next/+/chromeos-v2013.06/doc/uImage.FIT

As far as actual signing is concerned, we don't have access to the private key for security reasons. We should support two models:
Model 1:
The source code has the private key, and signing is part of the build process ("bitbake obmc-phosphor-image").

Model 2:
The source code does not have the private key; signing is done externally, and some post-processing is done to add the hash to the image (maybe a new task, "bitbake obmc-phosphor-image -c add_hash").
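The two signing models and the update-time check described in the message above, as an added example that is not part of the original message or of OpenBMC's own code. It assumes an Ed25519 signature over the SHA-256 digest of the image, a constructed trailer layout (64-byte signature followed by the 8-byte magic "OBMCSIG1") appended by the post-processing step, and a fixed seed for the test key; the function names and the trailer format are illustrative assumptions, not what the chart proposes. Under Model 2 only ImageDigest runs on the build host, ExternalSign runs wherever the private key lives, and AppendSignature is the post-processing task; under Model 1 all three run inside the build.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Trailer appended to the image by the post-processing step. Layout (constructed for this
// example, not an OpenBMC format): image || 64-byte Ed25519 signature || 8-byte magic.
const (
	trailerMagic = "OBMCSIG1"
	sigLen       = ed25519.SignatureSize
	trailerLen   = sigLen + len(trailerMagic)
)

// ImageDigest is what the build computes. Under Model 2 it is the only thing that has to
// leave the build host: the signing host never needs the image, and the build host never
// needs the private key.
func ImageDigest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// ExternalSign models the signing host (Model 2) or the in-tree build step (Model 1).
// The difference between the two models is only where this runs, not what it does.
func ExternalSign(priv ed25519.PrivateKey, digest []byte) []byte {
	return ed25519.Sign(priv, digest)
}

// AppendSignature is the post-processing ("add_hash"-style) step that glues the returned
// signature onto the image so a single file can be shipped to the BMC.
func AppendSignature(image, sig []byte) ([]byte, error) {
	if len(sig) != sigLen {
		return nil, fmt.Errorf("signature must be %d bytes, got %d", sigLen, len(sig))
	}
	out := make([]byte, 0, len(image)+trailerLen)
	out = append(out, image...)
	out = append(out, sig...)
	out = append(out, trailerMagic...)
	return out, nil
}

// VerifyUpdate is the update-time check the BMC performs before flashing: split the trailer
// off, recompute the digest over the image bytes only, and verify the signature against the
// public key carried by the currently running firmware. Returns the bare image on success.
func VerifyUpdate(pub ed25519.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < trailerLen {
		return nil, errors.New("image too short to carry a signature trailer")
	}
	magic := signed[len(signed)-len(trailerMagic):]
	if !bytes.Equal(magic, []byte(trailerMagic)) {
		return nil, errors.New("missing signature trailer")
	}
	sig := signed[len(signed)-trailerLen : len(signed)-len(trailerMagic)]
	image := signed[:len(signed)-trailerLen]
	if !ed25519.Verify(pub, ImageDigest(image), sig) {
		return nil, errors.New("signature does not match image")
	}
	return image, nil
}

// KeyFromSeedByte derives a deterministic Ed25519 key pair from a repeated seed byte.
// Constructed test key for this example only; a real release key must never be derivable.
func KeyFromSeedByte(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := KeyFromSeedByte(0x42)
	image := []byte("constructed obmc-phosphor-image payload") // stands in for the flash image

	// Build host: hash. Signing host: sign the hash. Build host again: append the trailer.
	signed, err := AppendSignature(image, ExternalSign(priv, ImageDigest(image)))
	if err != nil {
		panic(err)
	}
	if _, err := VerifyUpdate(pub, signed); err != nil {
		panic(err)
	}
	fmt.Println("update verification: ok")

	// Flip one bit inside the image body; the appended signature no longer matches.
	tampered := append([]byte(nil), signed...)
	tampered[0] ^= 0x01
	_, err = VerifyUpdate(pub, tampered)
	fmt.Println("tampered image rejected:", err != nil)
}
```

This covers only the update-verification requirement. The boot-verification requirement the message raises is not addressed by an appended trailer at all: the bootloader would have to perform an equivalent check over the kernel and root filesystem before jumping into them, which is what FIT's per-component hash and signature nodes are for.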

