BMC Image Signing Proposal

Alexander Amelkin a.amelkin at yadro.com
Fri Jan 26 22:07:25 AEDT 2018


Hi, Anoo!

The thoughts are as follows:

1. BMC usually runs in a secured environment where probability of 
tampering with flash IC contents by means other than BMC's firmware 
itself is negligible.

2. U-Boot already performs image checksum validation before booting a 
FIT image.

3. User input really needs validation, at least to make the system 
fool-proof.

Having said that, I suggest that the only thing that really needs doing 
is signing (and checking) of the overall firmware image file that is 
supplied by the user (admin) during the firmware upgrade procedure. 
Applying asymmetric cryptography to a digest hash looks to me like a 
good idea as it indeed allows for verifying the supplier of the firmware 
image.

Regards,
Alexander Amelkin
YADRO

26.01.2018 00:15, anoo wrote:
> Hi all,
>
> During the hackathon meetup, we touched on BMC image verification and 
> signing and concluded that the community would like to see two 
> verification steps, one prior to writing the image to flash (via 
> digital signature verification), and another one by checking FIT in 
> U-Boot prior to booting from the new image.
>
> The proposal would be to implement the digital signature verification 
> first.
>
> At a high level, during the build:
> * A SHA-256 hash would be calculated over tbd files that make up the 
> firmware image.
> * The hash would be signed by a private key that's part of the 
> repository (community key). Companies could overwrite it with their 
> own private key when building production images.
> * The encrypted hash (digital signature) and corresponding public key 
> would be added to the firmware image.
> * Yocto may already provide a way to sign images and generate keys.
>
> On the BMC:
> * The hash would be calculated on the image files that were uploaded 
> to the BMC.
> * The signature would be decrypted using an existing public key on the 
> BMC (this validates the new public key delivered with the image is 
> also valid).
> * Accept image if both values are the same.
>
> Any thoughts or comments?
>
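The build-side and BMC-side steps of the quoted proposal (hash the image files, sign the hash with the build key, ship signature plus public key, recompute and verify on the BMC) carried through as an added Go example. This is not code from the thread or from OpenBMC; the component file names and contents are constructed, the deterministic name-sorted hashing order is my choice since the proposal leaves the file set "tbd", RSA PKCS#1 v1.5 over SHA-256 is an assumed scheme, and the "existing public key on the BMC validates the delivered key" step is rendered as requiring the delivered key to byte-match one of the keys already trusted on the BMC.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"sort"
)

// ImageFiles maps a component file name to its bytes. Constructed in-memory
// stand-in for the files that make up the firmware image (names assumed).
type ImageFiles map[string][]byte

// HashImage computes SHA-256 over the components in a deterministic order
// (sorted by name, each entry prefixed with its name and length), so the
// build side and the BMC always hash the same byte stream.
func HashImage(files ImageFiles) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%s\x00%d\x00", n, len(files[n]))
		h.Write(files[n])
	}
	return h.Sum(nil)
}

// SignedImage is what the build emits: the components, the signature over
// their digest, and the DER-encoded public key matching the signing key.
type SignedImage struct {
	Files     ImageFiles
	Signature []byte
	PublicKey []byte // PKIX DER
}

// BuildSignedImage is the build-side step: hash, sign with the private key
// (community or vendor key), and attach signature and public key.
func BuildSignedImage(priv *rsa.PrivateKey, files ImageFiles) (*SignedImage, error) {
	digest := HashImage(files)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
	if err != nil {
		return nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return &SignedImage{Files: files, Signature: sig, PublicKey: pubDER}, nil
}

// VerifyUploadedImage is the BMC-side step. trustedKeys are the public keys
// already present on the BMC (assumed to be stored as PKIX DER). The key
// delivered with the image is accepted only if it equals one of them; then
// the signature is checked against the digest recomputed from the upload.
func VerifyUploadedImage(trustedKeys [][]byte, img *SignedImage) error {
	trusted := false
	for _, k := range trustedKeys {
		if bytes.Equal(k, img.PublicKey) {
			trusted = true
			break
		}
	}
	if !trusted {
		return errors.New("public key delivered with image is not trusted by this BMC")
	}
	pub, err := x509.ParsePKIXPublicKey(img.PublicKey)
	if err != nil {
		return err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return errors.New("delivered key is not an RSA key")
	}
	digest := HashImage(img.Files)
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest, img.Signature); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	return nil
}

func main() {
	// Constructed example key and image contents (not real OpenBMC artefacts).
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	files := ImageFiles{"image-kernel": []byte("kernel"), "image-rofs": []byte("rofs")}
	img, _ := BuildSignedImage(key, files)
	fmt.Println("untampered:", VerifyUploadedImage([][]byte{img.PublicKey}, img))
	img.Files["image-rofs"] = []byte("rofs-modified")
	fmt.Println("tampered:", VerifyUploadedImage([][]byte{img.PublicKey}, img))
}
```

Two design points follow from the thread: the hash must be taken over a fixed, ordered set of files, otherwise the build and the BMC can disagree on what was signed; and the key shipped inside the image must never be trusted on its own, since an attacker who can replace the image can also replace that key, which is why the BMC compares it against the keys it already holds before using it.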