Future features of phosphor-ipmi-flash
venture at google.com
Wed Jul 3 13:04:16 AEST 2019
Uploading the BIOs via phosphor-ipmi-flash is available for review,
but it's not tied into another daemon. One must provide a
verification service, and an update service.
I'd like to provide the option to leverage phosphor-bmc-code-mgmt. It
looks like in this codebase there is a notion of a signed image, but
the signature is attached. It also looks like, there's some version
information that's meant to parsable and involved. I haven't had a
chance to play with it.
With phosphor-ipmi-flash the hash file portion is optional. Because
phosphor-ipmi-flash doesn't define anything beyond the sequence of
calls, one could use burn_my_bmc and send the hash down separately and
then the verification target could trigger something that concatenates
and triggers the bmc code mgmt signature check.
It should be somewhat straightforward to tie the two codebases
together (as an optional usage).
If someone has experience with programming against
phosphor-bmc-code-mgmt and wants to help with this or at least point
me at what I need to know, I'd be more than happy.
>From reading the docs with the dbus interface definitions, I think I
have the general idea -- drop the file into the place it expects the
file (a configuration option) and then call the dbus methods.
More information about the openbmc