Image verfication failure doesn't prevent BMC update

rgrs rgrs at protonmail.com
Wed Oct 9 19:13:32 AEDT 2019 

Ah, yes. You're correct, field mode was not enabled.
It is working as expected once it is set.

Thanks,
Raj

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, October 9, 2019 1:07 PM, Lei YU <mine260309 at gmail.com> wrote:

> It is most likely the field mode is not enabled.
> See the related code at
> https://github.com/openbmc/phosphor-bmc-code-mgmt/blob/85c356f76fe07db3c1253c48f5b35c5811a15c07/activation.cpp#L180
>
> On Wed, Oct 9, 2019 at 3:32 PM rgrs rgrs at protonmail.com wrote:
>
> > Hi All,
> > I am trying to sign my image with OEM keys instead of default OpenBMC.priv which is part of the repo.
> > When I tried to update OEM signed BMC, phosphor-image-updater logs messages related to "Signature validation failed"
> > But the flashing continued and activation was successful.
> > I expected flash procedure to fail since, default private key (OpenBMC.priv,RSA-1024,SHA256) is different from OEM private key (RSA-2048,SHA256)
> > Log:
> > Sep 17 09:44:50 lhost phosphor-version-software-manager[1350]: Untaring
> > Sep 17 09:44:50 lhost phosphor-mapper[1135]: Found invalid association on path /xyz/openbmc_project/software/11daa823
> > Sep 17 09:44:50 lhost phosphor-mapper[1135]: Found invalid association on path /xyz/openbmc_project/software/11daa823
> > Sep 17 09:44:51 lhost phosphor-image-updater[1316]: BMC image activating - BMC reboots are disabled.
> > Sep 17 09:44:51 lhost phosphor-image-updater[1316]: EVP_DigestVerifyFinal:Signature validation failed
> > Sep 17 09:44:51 lhost phosphor-image-updater[1316]: System level Signature Validation failed
> > Sep 17 09:44:51 lhost phosphor-image-updater[1316]: Error occurred during image validation
> > Sep 17 09:44:51 lhost phosphor-image-updater[1316]: The operation failed internally.
> > Sep 17 09:44:51 lhost phosphor-log-manager[1114]: Failed to find metadata
> > Sep 17 09:44:51 lhost systemd[1]: Starting Enable a guard that blocks BMC reboot...
> > Sep 17 09:44:51 lhost systemd[1]: Starting Updates the u-boot variable to point BMC version to 25904a91...
> > Sep 17 09:44:51 lhost systemd[1]: Starting Set U-Boot environment variable...
> > Sep 17 09:44:51 lhost systemd[1]: Created slice system-obmc\x2dflash\x2dbmc\x2dubiro\x2dremove.slice.
> > Sep 17 09:44:52 lhost systemd[1]: Starting Deletes read-only and kernel ubi volume d4a39257...
> > Sep 17 09:44:52 lhost systemd[1]: reboot-guard-enable.service: Succeeded.
> > Sep 17 09:44:52 lhost systemd[1]: Started Enable a guard that blocks BMC reboot.
> > Sep 17 09:44:54 lhost kernel: block ubiblock0_0: released
> > Sep 17 09:44:54 lhost systemd[1]: media-rofs\x2dd4a39257.mount: Succeeded.
> > Sep 17 09:44:55 lhost systemd[1]: obmc-flash-bmc-setenv at d4a39257.service: Succeeded.
> > Sep 17 09:44:55 lhost systemd[1]: Started Set U-Boot environment variable.
> > Sep 17 09:44:55 lhost systemd[1]: Created slice system-obmc\x2dflash\x2dbmc\x2dubiro.slice.
> > Sep 17 09:44:55 lhost systemd[1]: Starting Store read-only images 11daa823 to BMC storage...
> > Sep 17 09:44:55 lhost systemd[1]: Starting Create BMC read-write ubi volume...
> > Sep 17 09:44:57 lhost systemd[1]: Starting Hostname Service...
> > Sep 17 09:44:58 lhost systemd[1610]: systemd-hostnamed.service: PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.
> > Sep 17 09:44:58 lhost systemd[1]: obmc-flash-bmc-ubirw.service: Succeeded.
> > Sep 17 09:44:58 lhost systemd[1]: Started Create BMC read-write ubi volume.
> > Sep 17 09:44:59 lhost systemd[1]: Started Hostname Service.
> > Sep 17 09:45:00 lhost phosphor-dump-manager[1136]: Tue Sep 17 09:45:00 UTC 2019 Report is available in /var/lib/phosphor-debug-collector/dumps/3
> > Sep 17 09:45:01 lhost systemd[1]: obmc-flash-bmc-ubiro-remove at d4a39257.service: Succeeded.
> > Sep 17 09:45:01 lhost systemd[1]: Started Deletes read-only and kernel ubi volume d4a39257.
> > Sep 17 09:45:01 lhost phosphor-dump-manager[1136]: Tue Sep 17 09:45:01 UTC 2019 Successfully completed
> > Sep 17 09:45:18 lhost systemd[1]: obmc-flash-bmc-updateubootvars at 25904a91.service: Succeeded.
> > Sep 17 09:45:18 lhost systemd[1]: Started Updates the u-boot variable to point BMC version to 25904a91.
> > Sep 17 09:45:29 lhost systemd[1]: systemd-hostnamed.service: Succeeded.
> > Sep 17 09:46:28 lhost obmc-flash-bmc[1659]: Volume ID 0, size 287 LEBs (18772096 bytes, 17.9 MiB), LEB size 65408 bytes (63.8 KiB), static, name "rofs-11daa823", alignment 1
> > Sep 17 09:47:12 lhost kernel: block ubiblock0_0: created from ubi0:0(rofs-11daa823)
> > Sep 17 09:47:24 lhost obmc-flash-bmc[1702]: Volume ID 1, size 37 LEBs (2420096 bytes, 2.3 MiB), LEB size 65408 bytes (63.8 KiB), static, name "kernel-11daa823", alignment 1
> > Sep 17 09:47:32 lhost obmc-flash-bmc[1702]: Volume ID 2, size 37 LEBs (2420096 bytes, 2.3 MiB), LEB size 65408 bytes (63.8 KiB), static, name "kernel-11daa823", alignment 1
> > Sep 17 09:47:40 lhost obmc-flash-bmc[1769]: [130B blob data]
> > Sep 17 09:47:41 lhost obmc-flash-bmc[1769]: [1.9K blob data]
> > Sep 17 09:47:41 lhost obmc-flash-bmc[1769]: [2.1K blob data]
> > Sep 17 09:47:41 lhost systemd[1]: obmc-flash-bmc-ubiro at 11daa823.service: Succeeded.
> > Sep 17 09:47:41 lhost systemd[1]: Started Store read-only images 11daa823 to BMC storage.
> > Sep 17 09:47:41 lhost systemd[1]: Starting Updates the u-boot variable to point BMC version to 11daa823...
> > Sep 17 09:47:41 lhost systemd[1]: Starting Set U-Boot environment variable...
> > Sep 17 09:47:43 lhost systemd[1]: obmc-flash-bmc-setenv at 11daa823\x3d0.service: Succeeded.
> > Sep 17 09:47:43 lhost systemd[1]: Started Set U-Boot environment variable.
> > Sep 17 09:47:45 lhost systemd[1]: obmc-flash-bmc-updateubootvars at 11daa823.service: Succeeded.
> > Sep 17 09:47:45 lhost systemd[1]: Started Updates the u-boot variable to point BMC version to 11daa823.
> > Sep 17 09:47:45 lhost phosphor-image-updater[1316]: BMC activation has ended - BMC reboots are re-enabled.
> > Sep 17 09:47:45 lhost systemd[1]: Starting Removes the guard that blocks BMC reboot...
> > Sep 17 09:47:45 lhost systemd[1]: reboot-guard-disable.service: Succeeded.
> > Sep 17 09:47:45 lhost systemd[1]: Started Removes the guard that blocks BMC reboot.
> > Thanks,
> > Raj

More information about the openbmc mailing list