BMC Image Signing Proposal

Yugi Mani yupalani at microsoft.com
Wed May 16 04:18:19 AEST 2018


Good point. We at MSFT are using the legacy (non-UBI) layout. We have a manifest for boot verification and we append the hash to the image for update verification.
I can share details about the design/implementation, if you have any specific questions. 

> -----Original Message-----
> From: openbmc <openbmc-bounces+yupalani=microsoft.com at lists.ozlabs.org> On Behalf Of Lei YU
> Sent: Monday, May 14, 2018 7:06 PM
> To: Adriana Kobylak <anoo at linux.vnet.ibm.com>
> Cc: Stewart Smith <stewart at linux.vnet.ibm.com>; OpenBMC Maillist
> <openbmc at lists.ozlabs.org>
> Subject: Re: BMC Image Signing Proposal
> 
> I'd like to bring this topic again.
> 
> As I know image signing feature is completed for both BMC and PNOR:
> https://github.com/openbmc/phosphor-bmc-code-mgmt
> https://github.com/openbmc/openpower-pnor-code-mgmt
> 
> However, the above repos are only for systems with UBI-FS feature.
> Most machines are still using the "legacy" obmc flash layout, and thus
> they do not have image signing feature.
> 
> So I would like to ask for ideas about how to support image signing
> feature for machines with "legacy" flash layout?
> 1. Should we use UBI-FS for machines that require image signing
> feature?
> 2. Or should we implement image signing feature on "legacy" flash layout
> as well?
> 
> Thanks!

