BMC Image Signing Proposal

Yugi Mani yupalani at
Sat Feb 10 12:36:16 AEDT 2018

On Thursday, February 8, 2018 12:27 PM, Adriana Kobylak wrote:
> Here are some charts with the image signing flow for comment:

Thanks for putting together a chart. 

We should consider both of these requirements for image signing:
1. Update verification
2. Boot verification

Appending a signature to the image meets the verification requirement during firmware update. To do verification on every boot, we need something like FIT.

As far as actual signing is concerned, we don't have access to the private key for security reasons. We should support two models:
Model 1:
Source code has private key and signing is part of build process ("bitbake obmc-phosphor-image")

Model 2:
Source code does not have the private key; signing is done externally and some post-processing is done to add the hash to the image (maybe a new task, "bitbake obmc-phosphor-image -c add_hash").
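The update-verification half of the flow, as an added example that is not part of the post or of any OpenBMC code: the build computes only a digest of the image, an external signer that holds the private key signs that digest (Model 2), a post-processing step appends the signature plus a small trailer to the image, and the update-time verifier splits the blob and checks the signature before anything is written to flash. The trailer layout, the `SIGTRAIL` marker and the function names are constructed for this example; Ed25519 is used only because Go ships it in the standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// trailerMagic is a constructed marker so a verifier can tell a signed
// blob from a bare image; it is not an OpenBMC format.
const trailerMagic = "SIGTRAIL"

// Blob layout (constructed for this example):
//   image bytes | 64-byte Ed25519 signature | 8-byte big-endian image length | 8-byte magic
const trailerLen = ed25519.SignatureSize + 8 + len(trailerMagic)

// imageDigest is all the build host needs to hand to the signer under
// Model 2: the private key never has to exist in the source tree.
func imageDigest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// externalSign stands in for the signing service that holds the private key.
func externalSign(priv ed25519.PrivateKey, digest []byte) []byte {
	return ed25519.Sign(priv, digest)
}

// addSignature is the post-processing step (the hypothetical "add_hash"
// task): it appends the signature and trailer to the already-built image.
func addSignature(image, sig []byte) ([]byte, error) {
	if len(sig) != ed25519.SignatureSize {
		return nil, errors.New("bad signature length")
	}
	out := make([]byte, 0, len(image)+trailerLen)
	out = append(out, image...)
	out = append(out, sig...)
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(image)))
	out = append(out, n[:]...)
	out = append(out, trailerMagic...)
	return out, nil
}

// verifyImage is the update-time check: locate the trailer, recompute the
// digest over exactly the image bytes and verify the signature. It returns
// the bare image only when every check passes.
func verifyImage(blob []byte, pub ed25519.PublicKey) ([]byte, error) {
	if len(blob) < trailerLen || !bytes.Equal(blob[len(blob)-len(trailerMagic):], []byte(trailerMagic)) {
		return nil, errors.New("no signature trailer")
	}
	lenOff := len(blob) - len(trailerMagic) - 8
	imgLen := binary.BigEndian.Uint64(blob[lenOff : lenOff+8])
	// The length field must account for the whole blob; otherwise a
	// shortened or padded image could carry someone else's signature.
	if imgLen != uint64(len(blob)-trailerLen) {
		return nil, errors.New("length field does not match blob")
	}
	image := blob[:imgLen]
	sig := blob[imgLen : imgLen+ed25519.SignatureSize]
	if !ed25519.Verify(pub, imageDigest(image), sig) {
		return nil, errors.New("signature verification failed")
	}
	return image, nil
}

func main() {
	// Constructed sample: a throwaway key pair and a fake image payload.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed sample BMC image contents")

	signed, _ := addSignature(image, externalSign(priv, imageDigest(image)))
	if _, err := verifyImage(signed, pub); err != nil {
		fmt.Println("unexpected:", err)
	}

	tampered := append([]byte{}, signed...)
	tampered[0] ^= 0xff // one flipped image byte
	if _, err := verifyImage(tampered, pub); err != nil {
		fmt.Println("tampered image rejected:", err)
	}
}
```

The verifier only ever needs the public key, so it can ship in the BMC image itself; what the design does not cover is boot-time verification, which, as the post says, needs something like FIT so the bootloader checks the kernel and rootfs on every boot rather than once at update time.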
