Security Working Group meeting - Wednesday December 8 - results
Dhananjay Phadke
dphadke at linux.microsoft.com
Fri Dec 10 04:31:37 AEDT 2021
>> On Thu, 9 Dec 2021, at 05:44, Joseph Reynolds wrote:
>>
>>> 4 Progress on BMC secure boot?
>>>
>>> AST2600 hardware secure U-boot boot, then secure booting the Linux
>>> kernel. No additional pieces.
>>>
>>> See the AST security guide. How is signing-key management done?
>>>
>>> Dhananjay to follow up.
>> As someone who was involved in integrating the AST2600 secure-boot support into OpenBMC, what's going on here?
>
>Someone asked the question you see above, and Dhananjay tried to
>answer. The consensus was that there is support for AST2600 secure
>booting U-Boot, support for U-Boot securely loading the Linux kernel,
>and no additional support. Your summary would be appreciated.
>
>Is there a document which what a system integrator needs to use this
>function? Ideally it would be linked from
>https://github.com/openbmc/docs/blob/master/features.md
Right, I noted recent submissions to U-Boot and Kernel.
(1) HACE/ARCY support in U-Boot
(2) OTP sysfs access for logging Secure Boot status.
Need clarity regarding OTP programming.
(1) There's Linux tool and U-Boot patches floating somewhere.
(2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
boot (ABR).
(3) Any interest in using encryption besides SHA/RSA auth?
Signing of FIT is handled by Yocto/poky anyway.
Dhananjay
More information about the openbmc
mailing list