BMC Secure Boot - dm-verity
Adriana Kobylak
anoo at linux.ibm.com
Sat Feb 8 06:28:18 AEDT 2020
Hi,
We're planning to use dm-verity to verify the rootfs on eMMC, as
mentioned in this doc update[1], following what Chrome OS[2]/Android[3]
have done.
The verity root hash value is needed to do the verification, which in
Chrome OS appears to be compiled into the kernel; they don't have an
initramfs.
For OpenBMC, we're thinking of creating a new binding for the kernel
device tree so that an initramfs can read the hash value and do the
verification.
Any opinions or suggestions?
[1] https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/28443
[2] https://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot
[3] https://source.android.com/security/verifiedboot/dm-verity
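
An added example, not part of the original message or of OpenBMC's code: a sketch of the initramfs step described above, reading the root hash from a device-tree property and refusing to mount if it is missing or malformed. The property path `openbmc,verity-root-hash`, the mapping name and the device arguments are hypothetical, and a SHA-256 root hash (the `veritysetup` default) is assumed.

```shell
#!/bin/sh
# ASSUMPTION: hypothetical property path; no binding is defined in the message.
DT_ROOT_HASH="${DT_ROOT_HASH:-/proc/device-tree/chosen/openbmc,verity-root-hash}"

# Print the root hash stored in a device-tree string property, or fail.
# Device-tree strings are NUL-terminated, so strip NULs before validating.
read_root_hash() {
    prop="$1"
    [ -r "$prop" ] || return 1
    hash=$(tr -d '\000' < "$prop") || return 1
    # Accept only lowercase hex; reject empty values and stray characters.
    case "$hash" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    # ASSUMPTION: SHA-256 digest, so exactly 64 hex characters.
    [ "${#hash}" -eq 64 ] || return 1
    printf '%s\n' "$hash"
}

# Open the verity mapping and mount it read-only.
# Fails closed: no hash or a failed veritysetup means no mount.
# data_dev and hash_dev are placeholders for the eMMC rootfs and hash partitions.
mount_verified_rootfs() {
    data_dev="$1"; hash_dev="$2"; mnt="$3"
    root_hash=$(read_root_hash "$DT_ROOT_HASH") || {
        echo "verity: root hash missing or malformed, refusing to mount" >&2
        return 1
    }
    veritysetup open "$data_dev" rootfs-verity "$hash_dev" "$root_hash" || return 1
    mount -o ro /dev/mapper/rootfs-verity "$mnt"
}
```

The hash is only as trustworthy as the device tree that carries it, so the device tree has to be covered by the earlier verified-boot stage that authenticates the kernel.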