BMC Secure Boot - dm-verity
Patrick Williams
patrick at stwcx.xyz
Sat Feb 8 07:10:52 AEDT 2020
On Fri, Feb 07, 2020 at 01:28:18PM -0600, Adriana Kobylak wrote:
> The verity root hash value is needed to do the verification, which in
> chromeos appears to be compiled into the kernel, they don't have an
> initramfs.
> For OpenBMC, we're thinking of creating a new binding for the kernel device
> tree so that an initramfs can read the hash value and do the verification.
>
> Any opinions or suggestions?
u-boot has commands to manipulate a fdt. Does this weaken the security?
Can we put it into the initramfs itself? I don't know what is easier,
rebuilding the kernel or the initramfs.
--
Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20200207/47fc7438/attachment.sig>
More information about the openbmc
mailing list