BMC Secure Boot - dm-verity

Adriana Kobylak anoo at linux.ibm.com
Tue Feb 11 08:14:20 AEDT 2020


On 2020-02-07 14:10, Patrick Williams wrote:
> On Fri, Feb 07, 2020 at 01:28:18PM -0600, Adriana Kobylak wrote:
>> The verity root hash value is needed to do the verification, which in
>> chromeos appears to be compiled into the kernel, they don't have an
>> initramfs.
>> For OpenBMC, we're thinking of creating a new binding for the kernel 
>> device
>> tree so that an initramfs can read the hash value and do the 
>> verification.
>> 
>> Any opinions or suggestions?
> 
> u-boot has commands to manipulate a fdt.  Does this weaken the 
> security?
> 

I'll have to check if the u-boot verification of the fit image would 
fail.

> Can we put it into the initramfs itself?  I don't know what is easier,
> rebuilding the kernel or the initramfs.

That's an option. We could have the hash values in one place alongside 
the additional information that the initramfs needs to call 'dmsetup' 
and create the devices.


More information about the openbmc mailing list