Machine name in Code update

Vijay Khemka vijaykhemka at fb.com
Fri Sep 20 04:15:21 AEST 2019


Team,
I am trying to add a feature that verifies the machine name while upgrading a BMC image. I have submitted a couple of patches: 1. one which adds the machine name to the manifest file, and 2. one which verifies the machine name from the manifest against the os-release file. Below are the 2 Gerrit review patches.
https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/25324/
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-bmc-code-mgmt/+/25344/

I have received some valuable feedback on the design approach and I agreed with some of it. Let me explain the complete thought here, and please provide your valuable feedback as well as new ideas.

Currently available:
================
Currently, the software updater updates the image based on the version and purpose read from the manifest file.
I find a security issue here: an image which was built for a different machine can be upgraded onto a BMC with a different platform.

Design approach:
==============
As I see it, while building the image, an /etc/os-release file gets created which includes the version and the machine name as OPENBMC_TARGET_MACHINE. This machine name is nothing but the MACHINE defined in the bitbake environment. So I thought of appending the same MACHINE value to the MANIFEST file which is parsed by the updater, and verifying it against the running image's release file before validating the image. The following questions come up here.


  1.  Backward compatibility: For this we can allow the image upgrade if the machine name is not defined in the MANIFEST file, or, if it is defined, then it should match the current running image.
  2.  Validation level: The current code updater supports upgrades for host, BMC and PSU firmware. So I am not sure if the machine name is going to be the same for all components or if it is different. In my understanding, all components should have the same machine name if they are part of a single machine. I am open to discussing this point as I am not sure how everyone else is defining it.

Looking forward to your suggestions.

Regards
-Vijay
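
The check proposed in the message above, sketched as an added example (not part of the original message and not the project's code). The MANIFEST key `MachineName`, the fail-closed handling of an unreadable os-release value, and all sample file contents are assumptions of this example.

```cpp
#include <iostream>
#include <sstream>
#include <string>

enum class Verdict { Match, LegacyNoName, Mismatch };

// Find `key` in KEY=VALUE text; store its value (optional quotes stripped).
bool getValue(const std::string& text, const std::string& key,
              std::string& out)
{
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line))
    {
        if (!line.empty() && line.back() == '\r')
            line.pop_back(); // tolerate CRLF line endings
        if (line.compare(0, key.size() + 1, key + "=") != 0)
            continue; // not this key (also skips keys that merely contain it)
        out = line.substr(key.size() + 1);
        if (out.size() >= 2 && out.front() == '"' && out.back() == '"')
            out = out.substr(1, out.size() - 2);
        return true;
    }
    return false;
}

Verdict checkMachine(const std::string& manifest, const std::string& osRelease)
{
    std::string wanted, running;
    // "MachineName" is an assumed MANIFEST key; the message does not name it.
    if (!getValue(manifest, "MachineName", wanted) || wanted.empty())
        return Verdict::LegacyNoName; // no name in MANIFEST: allow (point 1)
    // Assumption: if the running machine name cannot be read, fail closed.
    if (!getValue(osRelease, "OPENBMC_TARGET_MACHINE", running) ||
        running != wanted)
        return Verdict::Mismatch;
    return Verdict::Match;
}

int main()
{
    // Constructed sample contents, not taken from a real image.
    const std::string osRel = "ID=openbmc-phosphor\n"
                              "OPENBMC_TARGET_MACHINE=\"board-a\"\n";
    const std::string other = "purpose=BMC\nversion=1.0\nMachineName=board-b\n";
    std::cout << (checkMachine(other, osRel) == Verdict::Mismatch
                      ? "rejected: built for a different machine\n"
                      : "accepted\n");
}
```

Returning a distinct `LegacyNoName` verdict rather than a plain "allowed" lets the updater log every upgrade that bypassed the check through the compatibility path.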
