Secure boot for BMC

Avi Fishman avifishman70 at gmail.com
Tue Feb 19 03:54:46 AEDT 2019


Hi Joseph, Brad and all,

We (Nuvoton) followed the Secure Boot thread discussion and want to
contribute from our experience with NPCM7xx (Poleg) BMC security.
Joseph, we believe your secure boot view is fully supported by our
Poleg and is already used in mass production.

The Poleg BMC implements Root Of Trust (RoT) in its on-chip ROM code
which is the anchor to start a Chain Of Trust (CoT) to boot up a
secure system.
The CoT starts from ROM that authenticates and boots the other parts
of the system, e.g. Boot block -> UBOOT -> Linux.

The RoT framework has up to 3 x RSA keys maintained in a protected
OTP storage which are used by the ROM code to authenticate the next
stage of the boot.
The ROM code implements recovery options and configurable security
policies for un-authenticated boot scenarios (e.g. limited
operational mode or full halt mode).
The RoT allows SW development of various security schemes such as NIST 800-193.

We have uploaded our Security generation tools to GitHub:
https://github.com/Nuvoton-Israel/igps
The tools are OpenSSL based and are capable of taking a Private Key +
Image Binary and creating a signed image.
XML description files are used to describe the layout of the flash
and the OTP, and Python scripts generate the images based on the XML
files.

We are open to discussing BMC Secure Boot in the next Hackathon if
this is of interest to the group.

Thanks,
Avi

On Thu, Feb 14, 2019 at 2:27 AM Joseph Reynolds <jrey at linux.ibm.com> wrote:
>
> On 2019-02-12 17:13, Andrew Jeffery wrote:
> > On Tue, 12 Feb 2019, at 11:00, Nancy Yuen wrote:
> >> We are working on secure boot, but we have a requirement for a Google HW
> >> root of trust so I'm not sure if that fits in with these discussions.
> >
> > I think it would help to have some idea of Google's requirements so the
> > project can accommodate them where we can, if you can reveal any details.
> > It may also help inform others (me?) on strategies to secure firmware.
>
> The OpenBMC security working group has discussed various "root of trust"
> ideas.  The way I understand it, OpenBMC community members are looking
> into different solutions including
> "Secure Boot" and "Trusted Platform Module" (TPM) solutions, including
> Google's OpenTitan chip.  See the meeting minutes for details:
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
>
> My understanding of the "Secure Boot" concept is that some chip
> validates the boot loader's digital signature after loading it and
> before jumping into it.  Then the boot loader would validate the code it
> loads before jumping into it.  Etc.  A validation failure could either
> (a) cause the BMC to fail to boot, or (b) boot the BMC in failsafe mode
> where it could not write to its flash or talk to its host.  OpenBMC may
> also need some way to talk to the chip.
>
> My understanding of TPMs is much more limited.  So we are waiting for
> proposals.
>
> - Joseph
>
> > Andrew
>


-- 
Regards,
Avi
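
A minimal model of the boot flow described in this message, added here as an illustration and not taken from Nuvoton's ROM code or the igps tools: a stage runs only if one of up to three OTP public keys validates its signature, and the first failure triggers the configured policy. The textbook RSA over small constructed primes, the function names, the sample images, and the choice to check every stage against the same OTP keys are all assumptions.

```python
import hashlib

E = 65537  # public exponent (assumed)

def make_key(p, q):
    # Toy RSA key from two known primes; constructed, far too small for real use.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, key):
    # Textbook RSA with no padding: illustration only, never use for real images.
    return pow(digest(image, key["n"]), key["d"], key["n"])

def verify(image, sig, otp_keys):
    # Accept when any provisioned OTP public modulus validates the signature.
    return any(sig < n and pow(sig, E, n) == digest(image, n) for n in otp_keys)

def boot(stages, otp_keys, policy="halt"):
    # Walk the chain in order; return (final state, stages that were allowed to run).
    if not 1 <= len(otp_keys) <= 3:
        raise ValueError("model assumes 1 to 3 OTP key slots")
    ran = ["ROM"]  # the ROM is the root of trust and is not itself verified
    for name, image, sig in stages:
        if not verify(image, sig, otp_keys):
            # Unauthenticated stage: stop the chain and apply the configured policy.
            return ("HALT" if policy == "halt" else "LIMITED", ran)
        ran.append(name)
    return ("SECURE", ran)

# Constructed sample data: two OTP keys built from Mersenne primes, three stages.
KEY_A = make_key(2**127 - 1, 2**89 - 1)
KEY_B = make_key(2**107 - 1, 2**61 - 1)
OTP = [KEY_A["n"], KEY_B["n"]]
GOOD = [(name, img, sign(img, key)) for name, img, key in [
    ("bootblock", b"bb-v1", KEY_A),
    ("u-boot", b"uboot-v1", KEY_B),
    ("linux", b"kernel-v1", KEY_A)]]

def tampered(chain, index):
    # Modify one stage's image bytes while keeping its original signature.
    out = list(chain)
    name, image, sig = out[index]
    out[index] = (name, image + b"-modified", sig)
    return out

if __name__ == "__main__":
    print(boot(GOOD, OTP))
    print(boot(tampered(GOOD, 1), OTP, policy="limited"))
```

Removing a key from the OTP list has the same effect as tampering with every image that key signed, which is why the model stops at the first stage it cannot authenticate.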

