BMC Image Signing Proposal

Andrew Jeffery andrew at aj.id.au
Mon Jan 29 16:56:45 AEDT 2018


On Thu, 2018-01-25 at 15:15 -0600, anoo wrote:
> Hi all,
> 
> During the hackathon meetup, we touched on BMC image verification and
> signing and concluded that the community would like to see two 
> verification steps, one prior to writing the image to flash (via digital 
> signature verification), and another one by checking FIT in U-Boot prior 
> to booting from the new image.
> 
> The proposal would be to implement the digital signature verification 
> first.
> 
> At a high level, during the build:
> * A SHA-256 hash would be calculated over tbd files that make up the 
> firmware image.
> * The hash would be signed by a private key that's part of the 
> repository (community key). Companies could overwrite it with their own 
> private key when building production images.
> * The encrypted hash (digital signature) and corresponding public key 
> would be added to the firmware image.
> * Yocto may already provide a way to sign images and generate keys.

I'm starting to look into signing of artefacts as part of the build
process. Some quick searching suggests Yocto doesn't have support for
it out of the box, but there is the swupdate project[1] and the
corresponding meta-swupdate[2] Yocto layer that sound interesting.
However, it may require a rework of how we manage image updates if we
were to make use of it. I'll keep poking around, but if anyone has any
other pointers please let me know.

[1] https://github.com/sbabic/swupdate
[2] https://github.com/sbabic/meta-swupdate

> 
> On the BMC:
> * The hash would be calculated on the image files that were uploaded to 
> the BMC.
> * The signature would be decrypted using an existing public key on the 
> BMC (this validates the new public key delivered with the image is also 
> valid).
> * Accept image if both values are the same.
> 
> Any thoughts or comments?

Can you take a look at swupdate and reply with your thoughts?

Cheers,

Andrew
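The build-side signing and BMC-side verification steps laid out in the quoted proposal, as an added example that is not from this thread or the OpenBMC project. It assumes the openssl CLI and GNU coreutils are available; the image file names, the MANIFEST format and the key names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build-side signing and BMC-side
# verification of an image manifest, following the proposal above.
# Assumes the openssl CLI and GNU coreutils; image file names and the
# MANIFEST format are constructed for this demo.
set -eu

WORK=$(mktemp -d)
IMG="$WORK/image"

# Build side: a constructed image made of three files plus a manifest
# holding the SHA-256 of each file (stand-in for the proposal's "tbd files").
make_image() {
    mkdir -p "$IMG"
    printf 'constructed kernel blob\n' > "$IMG/image-kernel"
    printf 'constructed rofs blob\n'   > "$IMG/image-rofs"
    printf 'constructed rwfs blob\n'   > "$IMG/image-rwfs"
    (cd "$IMG" && sha256sum image-kernel image-rofs image-rwfs > MANIFEST)
}

# Generate an RSA key pair: $1 (private, PEM) and $1.pub (public).
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$1.pub"
}

# Sign the manifest with private key $1; ship the signature and the
# signer's public key inside the image, as the proposal describes.
sign_image() {
    openssl dgst -sha256 -sign "$1" -out "$IMG/MANIFEST.sig" "$IMG/MANIFEST"
    cp "$1.pub" "$IMG/publickey"
}

# BMC side: $1 is the public key already installed on the BMC.
# Returns 0 to accept the image, 1 to reject it.
verify_image() {
    # 1. The public key delivered with the image is only accepted if it
    #    matches the key already trusted on the BMC.
    cmp -s "$1" "$IMG/publickey" || return 1
    # 2. The signature over the manifest must verify with the trusted key.
    openssl dgst -sha256 -verify "$1" -signature "$IMG/MANIFEST.sig" \
        "$IMG/MANIFEST" >/dev/null 2>&1 || return 1
    # 3. Every uploaded file must hash to the value in the signed manifest.
    (cd "$IMG" && sha256sum -c --quiet MANIFEST >/dev/null 2>&1) || return 1
    return 0
}
```

Note that check 1 is what makes the shipped public key safe to include: without comparing it against the key already on the BMC, an image could simply carry whatever key signed it.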