BMC Image Signing Proposal

Stewart Smith stewart at linux.vnet.ibm.com
Wed Jan 31 10:53:53 AEDT 2018


Joel Stanley <joel at jms.id.au> writes:
> On Tue, Jan 30, 2018 at 3:17 PM, Stewart Smith
> <stewart at linux.vnet.ibm.com> wrote:
>> Andrew Jeffery <andrew at aj.id.au> writes:
>>> On Fri, 2018-01-26 at 14:07 +0300, Alexander Amelkin wrote:
>
>>>> 2. U-Boot already performs image checksum validation before booting a
>>>> FIT image
>>>
>>> Typically the rootfs is not part of the FIT, so it will not be checked.
>>> Some systems supported by OpenBMC directly mount the rootfs rather
>>> than booting through an initrd, which makes rootfs authentication
>>> somewhat tricky. Regardless, with signed images we should expand the
>>> FIT hash check to be a full signature check.
>>
>> dm-verity would solve that (for a ro rootfs).
>
> dm-verity is a worthwhile technology, but being based on device mapper
> and therefore block devices, we can't use it for MTD devices, which is
> all of the upstream OpenBMC machines at this moment.
>
> I would suggest using some kind of pre-mount verification of the raw
> MTD device against a stored checksum would be the way to go. This
> would imply the use of an initrd (as we would need somewhere to store
> the tools that do the verification). The initrd itself would be
> verified by u-boot checking the FIT.

mtdblock could end up being okay for the dm-verity case? There's no
writes there at least... although I haven't spent much/any time thinking
of any implications to that - you're the bigger expert there than I.

-- 
Stewart Smith
OPAL Architect, IBM.
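As an added illustration of the pre-mount check Joel proposes (this is not code from the thread, from OpenBMC, or from u-boot), the sketch below is the kind of helper an initrd could carry: it hashes the written bytes of a raw MTD partition and refuses to mount unless the digest matches a value baked into the initrd. Because u-boot verifies the initrd through the FIT signature, the embedded digest inherits that trust without needing a signature check in the initrd itself. The device names, image size, digest value, squashfs rootfs, and the availability of sha256sum (or shasum) are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or OpenBMC: verify a raw MTD rootfs
# partition from the initrd before mounting it via mtdblock.
#
# The expected SHA-256 and the image length are compiled into this script
# (and thus into the initrd, which the FIT signature covers). Values below
# are placeholders.
ROOTFS_MTD="/dev/mtd5"          # assumed raw char device of the rootfs partition
ROOTFS_BLOCK="/dev/mtdblock5"   # assumed block view of the same partition
ROOTFS_SIZE=30                  # placeholder: bytes actually written, not partition size
ROOTFS_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# Pick whichever SHA-256 tool the initrd ships (busybox sha256sum, or shasum).
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum
    else
        shasum -a 256
    fi
}

# image_sha256 DEV SIZE: digest of the first SIZE bytes of DEV.
# Hashing only the written length avoids including the 0xFF erase-block
# padding that follows the image on flash.
image_sha256() {
    head -c "$2" "$1" | _sha256 | awk '{print $1}'
}

# verify_image DEV SIZE EXPECTED: 0 if the digest matches, 1 otherwise.
# The comparison is a plain string equality on hex digests.
verify_image() {
    actual=$(image_sha256 "$1" "$2") || return 1
    [ "$actual" = "$3" ]
}

# boot_rootfs MOUNTPOINT: verify, then mount read-only through mtdblock.
# On mismatch nothing is mounted; the caller decides whether to halt or
# drop to a recovery shell.
boot_rootfs() {
    mnt="$1"
    if ! verify_image "$ROOTFS_MTD" "$ROOTFS_SIZE" "$ROOTFS_SHA256"; then
        echo "rootfs digest mismatch on $ROOTFS_MTD, refusing to mount" >&2
        return 1
    fi
    mount -t squashfs -o ro "$ROOTFS_BLOCK" "$mnt"
}
```

In a real initrd the digest and size would be generated by the image build and injected alongside the FIT metadata; the mount step only runs once `verify_image` succeeds, so a tampered or partially written partition never becomes the root filesystem.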
