BMC Image Signing Proposal

Joel Stanley joel at jms.id.au
Tue Jan 30 17:18:57 AEDT 2018


On Tue, Jan 30, 2018 at 3:17 PM, Stewart Smith
<stewart at linux.vnet.ibm.com> wrote:
> Andrew Jeffery <andrew at aj.id.au> writes:
>> On Fri, 2018-01-26 at 14:07 +0300, Alexander Amelkin wrote:
>>>
>>> 2. U-Boot already performs image checksum validation before booting a
>>> FIT image
>>
>> Typically the rootfs is not part of the FIT, so it will not be checked.
>> Some systems supported by OpenBMC directly mount the rootfs rather
>> than booting through an initrd, which makes rootfs authentication
>> somewhat tricky. Regardless, with signed images we should expand the
>> FIT hash check to be a full signature check.
>
> dm-verity would solve that (for a ro rootfs).

dm-verity is a worthwhile technology, but being based on device mapper
and therefore block devices, we can't use it for MTD devices, which is
all of the upstream OpenBMC machines at this moment.

I would suggest that some kind of pre-mount verification of the raw
MTD device against a stored checksum would be the way to go. This
would imply the use of an initrd (as we would need somewhere to store
the tools that do the verification). The initrd itself would be
verified by u-boot checking the FIT.

Future contributors to OpenBMC that have eMMC hardware do have the
option of using dm-verity.

Cheers,

Joel
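The pre-mount check Joel sketches above, written out as an added example (this is not code from the thread or from OpenBMC). It assumes an initrd shell with busybox or coreutils `sha256sum`; the names `verify_raw_device`, `verify_and_mount` and `demo` are hypothetical, and the expected digest is passed in as an argument where a real initrd would carry it inside the signed FIT.

```shell
#!/bin/sh
# Added example, not from the thread: an initrd-style pre-mount check that
# hashes the whole raw MTD partition and refuses to mount on mismatch.
# Hypothetical names: verify_raw_device, verify_and_mount, demo.

# verify_raw_device DEVICE EXPECTED_SHA256
# Returns 0 only when the full device contents hash to the expected value.
# Note: hashing /dev/mtdblockN covers the entire partition, so the stored
# digest must be computed over the full partition image as flashed.
verify_raw_device() {
    dev="$1"
    expected="$2"
    actual=$(sha256sum "$dev" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_and_mount DEVICE EXPECTED_SHA256 MOUNTPOINT
# Mounts read-only only after the digest check passes; otherwise fails closed.
verify_and_mount() {
    if verify_raw_device "$1" "$2"; then
        mount -o ro "$1" "$3"
    else
        echo "rootfs digest mismatch on $1, refusing to mount" >&2
        return 1
    fi
}

# Constructed demonstration: a scratch file stands in for /dev/mtdblockN,
# so this runs without root or real flash hardware.
demo() {
    img=$(mktemp)
    printf 'constructed rootfs image contents' > "$img"
    good=$(sha256sum "$img" | cut -d' ' -f1)
    bad=0000000000000000000000000000000000000000000000000000000000000000
    verify_raw_device "$img" "$good" && echo "good digest accepted"
    verify_raw_device "$img" "$bad" || echo "tampered digest rejected"
    rm -f "$img"
}
```

The digest itself is only as trustworthy as the initrd that carries it, which is why the thread ties the scheme to U-Boot verifying the FIT first.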

