bmcweb: Install encrypted certificate to BMC

Patrick Williams patrick at stwcx.xyz
Fri Apr 23 23:26:08 AEST 2021


On Mon, Apr 19, 2021 at 12:18:15AM -0700, Ed Tanous wrote:
> On Sat, Apr 17, 2021 at 11:56 AM Michael Richardson <mcr at sandelman.ca> wrote:
> > Zhenfei Tai <ztai at google.com> wrote:
> > If you have a daemon present that can decrypt things, then you already have a
> > private key (or symmetric key) present, and that key is subject to attack.
> > (Unless you add yet another layer of indirection via TPM chip....)
> 
> This wasn't clear in the initial email, but yes, this would be a case
> of exactly what you described in the "unless" part.  The TPM-like chip
> has a specific format that we're hoping to upload to it through the
> OOB interfaces that would give it a form of identity.
> 
> >
> > I strongly recommend that you do not invent new technology here.
> > EST (RFC7030) is considered the best technology here, with SCEP (RFC8894)
> > being a legacy choice.
> 
> I read through that spec a bit.  The issue there is that it has no
> compatibility with Redfish, so implementing that would be yet another
> subsystem to build and maintain, and wouldn't work in tandem with
> Redfish aggregators once the key was decoded.  While I wouldn't be
> against anyone implementing that on OpenBMC, that wouldn't meet the
> needs of what we're trying to accomplish. Also, it isn't clear that
> RFC8894 has provisions for custom certificate formats, of which this
> would definitely be one.

There really isn't much in Redfish (or our dbus interfaces) about TPMs.
I think that provisioning and attestation are two big functional areas
that are coming to the forefront.  It would be nice if someone with
bandwidth and access could pave the way on the Redfish side of things
for TPM management.  I am certainly interested in the attestation end.

-- 
Patrick Williams