Secure boot for BMC

Andrew Jeffery andrew at aj.id.au
Fri Feb 15 10:19:38 AEDT 2019


On Thu, 14 Feb 2019, at 11:04, Joseph Reynolds wrote:
> On 2019-02-12 17:13, Andrew Jeffery wrote:
> > On Tue, 12 Feb 2019, at 11:00, Nancy Yuen wrote:
> >> We are working on secure boot, but we have a requirement for a Google HW
> >> root of trust so I'm not sure if that fits in with these discussions.
> > 
> > I think it would help to have some idea of Google's requirements so the project
> > can accommodate them where we can, if you can reveal any details. It may also
> > help inform others (me?) on strategies to secure firmware.
> 
> The OpenBMC security working group has discussed various "root of trust" 
> ideas.  The way I understand it, OpenBMC community members are looking 
> into different solutions including
> "Secure Boot" and "Trusted Platform Module" (TPM) solutions, including 
> Google's OpenTitan chip.  See the meeting minutes for details:
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
> 
> My understanding of the "Secure Boot" concept is that some chip 
> validates the boot loader's digital signature after loading it and 
> before jumping into it.  Then the boot loader would validate the code it 
> loads before jumping into it.  Etc.  A validation failure could either 
> (a) cause the BMC to fail to boot, or (b) boot the BMC in failsafe mode 
> where it could not write to its flash or talk to its host.  OpenBMC may 
> also need some way to talk to the chip.
> 
> My understanding of TPMs is much more limited.  So we are waiting for 
> proposals.

On OpenPOWER systems I think we need the TPM approach, as we can't
restrict our customers by burning e.g. IBM keys into the ASPEED OTP key
slots (... in the 2600).

Andrew
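
The verify-then-jump chain and the two failure policies, (a) and (b), described in the quoted message, as an added example that is not part of the original thread and is not OpenBMC code. To stay within the Python standard library, pinned SHA-256 digests stand in for the digital signature checks; the stage names, image contents and the result fields are constructed for illustration.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes

def seal_chain(stages):
    """stages: [(name, code)] in boot order. Returns (root_digest, images).
    Each image is its code plus the SHA-256 of the next image, so the single
    digest held by the root of trust covers every later stage."""
    images, next_digest = [], bytes(DIGEST_LEN)  # last stage pins nothing
    for name, code in reversed(stages):
        image = code + next_digest
        images.insert(0, (name, image))
        next_digest = hashlib.sha256(image).digest()
    return next_digest, images

def boot(root_digest, images, policy="halt"):
    """Verify each image before 'jumping' into it.
    policy 'halt' is option (a); 'failsafe' is option (b)."""
    trusted, executed = root_digest, []
    for name, image in images:
        actual = hashlib.sha256(image).digest()
        if not hmac.compare_digest(actual, trusted):
            failsafe = policy == "failsafe"
            return {"state": "failsafe" if failsafe else "halted",
                    "executed": executed, "rejected": name,
                    "flash_write": False, "host_access": False}
        executed.append(name)
        trusted = image[-DIGEST_LEN:]  # digest this stage pins for the next
    return {"state": "booted", "executed": executed, "rejected": None,
            "flash_write": True, "host_access": True}

# Constructed sample images (hypothetical names and contents).
STAGES = [("bootloader", b"BL-code"), ("kernel", b"KERNEL-code"),
          ("rootfs", b"ROOTFS-data")]
ROOT, IMAGES = seal_chain(STAGES)

def tamper(images, target):
    """Return a copy of the chain with one byte of `target` flipped."""
    return [(n, bytes([img[0] ^ 1]) + img[1:]) if n == target else (n, img)
            for n, img in images]

if __name__ == "__main__":
    print(boot(ROOT, IMAGES))
    print(boot(ROOT, tamper(IMAGES, "kernel"), policy="halt"))
    print(boot(ROOT, tamper(IMAGES, "kernel"), policy="failsafe"))
```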

