BMC Image Signing Proposal

Simon Glass sjg at chromium.org
Wed Jan 31 03:20:29 AEDT 2018


Hi Joel,

On 29 January 2018 at 23:18, Joel Stanley <joel at jms.id.au> wrote:
>
> On Tue, Jan 30, 2018 at 3:17 PM, Stewart Smith
> <stewart at linux.vnet.ibm.com> wrote:
> > Andrew Jeffery <andrew at aj.id.au> writes:
> >> On Fri, 2018-01-26 at 14:07 +0300, Alexander Amelkin wrote:
>
> >>> 2. U-Boot already performs image checksum validation before booting a
> >>> FIT image
> >>
> >> Typically the rootfs is not part of the FIT, so it will not be checked.
> >>     Some systems supported by OpenBMC directly mount the rootfs rather
> >> than booting through an initrd, which makes rootfs authentication
> >> somewhat tricky. Regardless, with signed images we should expand the
> >> FIT hash check to be a full signature check.
> >
> > dm-verity would solve that (for a ro rootfs).
>
> dm-verity is a worthwhile technology, but being based on device mapper
> and therefore block devices, we can't use it for MTD devices, which is
> all of the upstream OpenBMC machines at this moment.

You could use ubi to provide a block device, I haven't tried it though.

>
> I would suggest using some kind of pre-mount verification of the raw
> MTD device against a stored checksum would be the way to go. This
> would imply the use of an initrd (as we would need somewhere to store
> the tools that do the verification). The initrd itself would be
> verified by u-boot checking the FIT.
>
> Future contributors to OpenBMC that have eMMC hardware do have the
> option of using dm-verity.

Are you saying that dm-verity does not work with eMMC, or something else?

Regards,
Simon

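As an added illustration of the pre-mount verification Joel describes above (this is example code written for this page, not code from the thread, from U-Boot or from the OpenBMC project), the following POSIX shell sketch shows what the initrd-side check would look like: a manifest baked into the FIT-verified initrd records the SHA-256 and byte length of the rootfs image, and at boot the first <length> bytes of the raw MTD partition are hashed and compared before anything is mounted. The file names (`/etc/rootfs.sha256`, `/dev/mtdblockN`) are hypothetical, and in the demo the "partition" and manifest are ordinary constructed files so the script runs offline without flash hardware or root.

```shell
#!/bin/sh
# Added example, not OpenBMC project code. Pre-mount verification of a raw
# rootfs image against a digest carried inside the FIT-verified initrd.
# Hypothetical layout assumed: the initrd ships /etc/rootfs.sha256 containing
# "<sha256hex> <byte-length>", and the rootfs lives on e.g. /dev/mtdblockN.
# Both are plain files in the demo below so it runs offline.

# verify_rootfs DEVICE MANIFEST
# Returns 0 if the first <length> bytes of DEVICE hash to the recorded digest,
# 1 otherwise. Only the recorded length is hashed because a flash partition is
# normally larger than the image and is padded with erased (0xFF) bytes.
verify_rootfs() {
    vr_dev="$1"; vr_manifest="$2"
    vr_expected=$(awk 'NR==1 {print $1}' "$vr_manifest")
    vr_length=$(awk 'NR==1 {print $2}' "$vr_manifest")
    [ -n "$vr_expected" ] && [ -n "$vr_length" ] || return 1
    vr_actual=$(head -c "$vr_length" "$vr_dev" | sha256sum | awk '{print $1}')
    [ "$vr_actual" = "$vr_expected" ]
}

# make_manifest IMAGE MANIFEST
# Build-time step: record digest and length of the image. The manifest must be
# packed into the initrd that U-Boot signature-checks, never onto the rootfs
# being verified, or the check is circular.
make_manifest() {
    mm_img="$1"; mm_out="$2"
    mm_digest=$(sha256sum "$mm_img" | awk '{print $1}')
    mm_len=$(wc -c < "$mm_img" | tr -d ' ')
    printf '%s %s\n' "$mm_digest" "$mm_len" > "$mm_out"
}

# demo: constructed rootfs stand-in, a padded "MTD partition", and a tampered copy
demo() {
    d=$(mktemp -d)
    printf 'constructed squashfs stand-in' > "$d/rootfs.img"
    make_manifest "$d/rootfs.img" "$d/rootfs.sha256"
    # emulate the flash partition: image followed by erased-flash padding
    { cat "$d/rootfs.img"; printf '\377\377\377\377'; } > "$d/mtdblockN"
    if verify_rootfs "$d/mtdblockN" "$d/rootfs.sha256"; then
        echo "rootfs verified; would now mount it read-only"
    else
        echo "rootfs verification failed; would halt boot"
    fi
    # flip the first byte of the image: verification must fail
    { printf 'X'; tail -c +2 "$d/mtdblockN"; } > "$d/mtdblockN.bad"
    if verify_rootfs "$d/mtdblockN.bad" "$d/rootfs.sha256"; then
        echo "tampered rootfs wrongly accepted"
    else
        echo "tampered rootfs rejected"
    fi
    rm -rf "$d"
}

demo
```

Two caveats a practitioner would want: the manifest only pins the rootfs to the one image the initrd was built against, so every rootfs update needs a rebuilt (and re-signed) initrd, or a public-key signature over the manifest instead of a bare hash; and hashing the whole partition at every boot is a linear read of the flash, which on a large NOR or NAND part adds noticeable boot time compared with dm-verity's per-block, on-demand checking.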

More information about the openbmc mailing list