Security Working Group meeting - Wednesday December 8 - results

Dhananjay Phadke dphadke at
Fri Dec 10 04:31:37 AEDT 2021

>> On Thu, 9 Dec 2021, at 05:44, Joseph Reynolds wrote:
>>> 4 Progress on BMC secure boot?
>>> AST2600 hardware secure U-boot  boot, then secure booting the Linux
>>> kernel. No additional pieces.
>>> See the AST security guide.  How is signing-key management done?
>>> Dhananjay to  follow up.
>> As someone who was involved in integrating the AST2600 secure-boot support into OpenBMC, what's going on here?
>Someone asked the question you see above, and Dhananjay tried to 
>answer.  The consensus was that there is support for AST2600 secure 
>booting U-Boot, support for U-Boot securely loading the Linux kernel, 
>and no additional support.  Your summary would be appreciated.
>Is there a document which what a system integrator needs to use this 
>function?  Ideally it would be linked from 

Right, I noted recent submissions to U-Boot and Kernel.
(1) HACE/ARCY support in U-Boot
(2) OTP sysfs access for logging Secure Boot status.

Need clarity regarding OTP programming.
(1) There's Linux tool and U-Boot patches floating somewhere.
(2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
boot (ABR).
(3) Any interest in using encryption besides SHA/RSA auth?

Signing of FIT is handled by Yocto/poky anyway.


More information about the openbmc mailing list