BMC Secure Boot - dm-verity

Patrick Williams patrick at
Sat Feb 8 07:10:52 AEDT 2020

On Fri, Feb 07, 2020 at 01:28:18PM -0600, Adriana Kobylak wrote:
> The verity root hash value is needed to do the verification, which in
> chromeos appears to be compiled into the kernel, they don't have an
> initramfs.
> For OpenBMC, we're thinking of creating a new binding for the kernel device
> tree so that an initramfs can read the hash value and do the verification.
> Any opinions or suggestions?

u-boot has commands to manipulate a fdt.  Does this weaken the security?

Can we put it into the initramfs itself?  I don't know what is easier,
rebuilding the kernel or the initramfs.

Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the openbmc mailing list