Image verfication failure doesn't prevent BMC update
Lei YU
mine260309 at gmail.com
Wed Oct 9 18:37:32 AEDT 2019
It is most likely the field mode is not enabled.
See the related code at
https://github.com/openbmc/phosphor-bmc-code-mgmt/blob/85c356f76fe07db3c1253c48f5b35c5811a15c07/activation.cpp#L180
On Wed, Oct 9, 2019 at 3:32 PM rgrs <rgrs at protonmail.com> wrote:
>
> Hi All,
>
> I am trying to sign my image with OEM keys instead of default OpenBMC.priv which is part of the repo.
> When I tried to update OEM signed BMC, phosphor-image-updater logs messages related to "Signature validation failed"
> But the flashing continued and activation was successful.
>
> I expected flash procedure to fail since, default private key (OpenBMC.priv,RSA-1024,SHA256) is different from OEM private key (RSA-2048,SHA256)
>
> Log:
>
> Sep 17 09:44:50 lhost phosphor-version-software-manager[1350]: Untaring
> Sep 17 09:44:50 lhost phosphor-mapper[1135]: Found invalid association on path /xyz/openbmc_project/software/11daa823
> Sep 17 09:44:50 lhost phosphor-mapper[1135]: Found invalid association on path /xyz/openbmc_project/software/11daa823
> Sep 17 09:44:51 lhost phosphor-image-updater[1316]: BMC image activating - BMC reboots are disabled.
> Sep 17 09:44:51 lhost phosphor-image-updater[1316]: EVP_DigestVerifyFinal:Signature validation failed
> Sep 17 09:44:51 lhost phosphor-image-updater[1316]: System level Signature Validation failed
> Sep 17 09:44:51 lhost phosphor-image-updater[1316]: Error occurred during image validation
> Sep 17 09:44:51 lhost phosphor-image-updater[1316]: The operation failed internally.
> Sep 17 09:44:51 lhost phosphor-log-manager[1114]: Failed to find metadata
> Sep 17 09:44:51 lhost systemd[1]: Starting Enable a guard that blocks BMC reboot...
> Sep 17 09:44:51 lhost systemd[1]: Starting Updates the u-boot variable to point BMC version to 25904a91...
> Sep 17 09:44:51 lhost systemd[1]: Starting Set U-Boot environment variable...
> Sep 17 09:44:51 lhost systemd[1]: Created slice system-obmc\x2dflash\x2dbmc\x2dubiro\x2dremove.slice.
> Sep 17 09:44:52 lhost systemd[1]: Starting Deletes read-only and kernel ubi volume d4a39257...
> Sep 17 09:44:52 lhost systemd[1]: reboot-guard-enable.service: Succeeded.
> Sep 17 09:44:52 lhost systemd[1]: Started Enable a guard that blocks BMC reboot.
> Sep 17 09:44:54 lhost kernel: block ubiblock0_0: released
> Sep 17 09:44:54 lhost systemd[1]: media-rofs\x2dd4a39257.mount: Succeeded.
> Sep 17 09:44:55 lhost systemd[1]: obmc-flash-bmc-setenv at d4a39257.service: Succeeded.
> Sep 17 09:44:55 lhost systemd[1]: Started Set U-Boot environment variable.
> Sep 17 09:44:55 lhost systemd[1]: Created slice system-obmc\x2dflash\x2dbmc\x2dubiro.slice.
> Sep 17 09:44:55 lhost systemd[1]: Starting Store read-only images 11daa823 to BMC storage...
> Sep 17 09:44:55 lhost systemd[1]: Starting Create BMC read-write ubi volume...
> Sep 17 09:44:57 lhost systemd[1]: Starting Hostname Service...
> Sep 17 09:44:58 lhost systemd[1610]: systemd-hostnamed.service: PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.
> Sep 17 09:44:58 lhost systemd[1]: obmc-flash-bmc-ubirw.service: Succeeded.
> Sep 17 09:44:58 lhost systemd[1]: Started Create BMC read-write ubi volume.
> Sep 17 09:44:59 lhost systemd[1]: Started Hostname Service.
> Sep 17 09:45:00 lhost phosphor-dump-manager[1136]: Tue Sep 17 09:45:00 UTC 2019 Report is available in /var/lib/phosphor-debug-collector/dumps/3
> Sep 17 09:45:01 lhost systemd[1]: obmc-flash-bmc-ubiro-remove at d4a39257.service: Succeeded.
> Sep 17 09:45:01 lhost systemd[1]: Started Deletes read-only and kernel ubi volume d4a39257.
> Sep 17 09:45:01 lhost phosphor-dump-manager[1136]: Tue Sep 17 09:45:01 UTC 2019 Successfully completed
> Sep 17 09:45:18 lhost systemd[1]: obmc-flash-bmc-updateubootvars at 25904a91.service: Succeeded.
> Sep 17 09:45:18 lhost systemd[1]: Started Updates the u-boot variable to point BMC version to 25904a91.
> Sep 17 09:45:29 lhost systemd[1]: systemd-hostnamed.service: Succeeded.
> Sep 17 09:46:28 lhost obmc-flash-bmc[1659]: Volume ID 0, size 287 LEBs (18772096 bytes, 17.9 MiB), LEB size 65408 bytes (63.8 KiB), static, name "rofs-11daa823", alignment 1
> Sep 17 09:47:12 lhost kernel: block ubiblock0_0: created from ubi0:0(rofs-11daa823)
> Sep 17 09:47:24 lhost obmc-flash-bmc[1702]: Volume ID 1, size 37 LEBs (2420096 bytes, 2.3 MiB), LEB size 65408 bytes (63.8 KiB), static, name "kernel-11daa823", alignment 1
> Sep 17 09:47:32 lhost obmc-flash-bmc[1702]: Volume ID 2, size 37 LEBs (2420096 bytes, 2.3 MiB), LEB size 65408 bytes (63.8 KiB), static, name "kernel-11daa823", alignment 1
> Sep 17 09:47:40 lhost obmc-flash-bmc[1769]: [130B blob data]
> Sep 17 09:47:41 lhost obmc-flash-bmc[1769]: [1.9K blob data]
> Sep 17 09:47:41 lhost obmc-flash-bmc[1769]: [2.1K blob data]
> Sep 17 09:47:41 lhost systemd[1]: obmc-flash-bmc-ubiro at 11daa823.service: Succeeded.
> Sep 17 09:47:41 lhost systemd[1]: Started Store read-only images 11daa823 to BMC storage.
> Sep 17 09:47:41 lhost systemd[1]: Starting Updates the u-boot variable to point BMC version to 11daa823...
> Sep 17 09:47:41 lhost systemd[1]: Starting Set U-Boot environment variable...
> Sep 17 09:47:43 lhost systemd[1]: obmc-flash-bmc-setenv at 11daa823\x3d0.service: Succeeded.
> Sep 17 09:47:43 lhost systemd[1]: Started Set U-Boot environment variable.
> Sep 17 09:47:45 lhost systemd[1]: obmc-flash-bmc-updateubootvars at 11daa823.service: Succeeded.
> Sep 17 09:47:45 lhost systemd[1]: Started Updates the u-boot variable to point BMC version to 11daa823.
> Sep 17 09:47:45 lhost phosphor-image-updater[1316]: BMC activation has ended - BMC reboots are re-enabled.
> Sep 17 09:47:45 lhost systemd[1]: Starting Removes the guard that blocks BMC reboot...
> Sep 17 09:47:45 lhost systemd[1]: reboot-guard-disable.service: Succeeded.
> Sep 17 09:47:45 lhost systemd[1]: Started Removes the guard that blocks BMC reboot.
> Thanks,
> Raj
More information about the openbmc
mailing list