Security Working Group meeting - Wednesday December 8 - results

Dhananjay Phadke dphadke at linux.microsoft.com
Fri Dec 10 04:31:37 AEDT 2021


>> On Thu, 9 Dec 2021, at 05:44, Joseph Reynolds wrote:
>>
>>> 4 Progress on BMC secure boot?
>>>
>>> AST2600 hardware secure U-boot  boot, then secure booting the Linux
>>> kernel. No additional pieces.
>>>
>>> See the AST security guide.  How is signing-key management done?
>>>
>>> Dhananjay to  follow up.
>> As someone who was involved in integrating the AST2600 secure-boot support into OpenBMC, what's going on here?
>
>Someone asked the question you see above, and Dhananjay tried to 
>answer.  The consensus was that there is support for AST2600 secure 
>booting U-Boot, support for U-Boot securely loading the Linux kernel, 
>and no additional support.  Your summary would be appreciated.
>
>Is there a document which what a system integrator needs to use this 
>function?  Ideally it would be linked from 
>https://github.com/openbmc/docs/blob/master/features.md

Right, I noted recent submissions to U-Boot and Kernel.
(1) HACE/ARCY support in U-Boot
(2) OTP sysfs access for logging Secure Boot status.

Need clarity regarding OTP programming.
(1) There's Linux tool and U-Boot patches floating somewhere.
(2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
boot (ABR).
(3) Any interest in using encryption besides SHA/RSA auth?

Signing of FIT is handled by Yocto/poky anyway.

Dhananjay



More information about the openbmc mailing list