Security Working Group meeting - Wednesday December 8 - results
andrew at aj.id.au
Fri Dec 10 10:35:27 AEDT 2021
On Fri, 10 Dec 2021, at 04:01, Dhananjay Phadke wrote:
>>> On Thu, 9 Dec 2021, at 05:44, Joseph Reynolds wrote:
>>>> 4 Progress on BMC secure boot?
>>>> AST2600 hardware secure U-boot boot, then secure booting the Linux
>>>> kernel. No additional pieces.
>>>> See the AST security guide. How is signing-key management done?
>>>> Dhananjay to follow up.
>>> As someone who was involved in integrating the AST2600 secure-boot support into OpenBMC, what's going on here?
>>Someone asked the question you see above, and Dhananjay tried to
>>answer. The consensus was that there is support for AST2600 secure
>>booting U-Boot, support for U-Boot securely loading the Linux kernel,
>>and no additional support. Your summary would be appreciated.
>>Is there a document which describes what a system integrator needs to use this
>>function? Ideally it would be linked from
There's not much documentation as yet. p10bmc can be used as an example
of a system that enables it.
Given the lack of documentation it's probably also worth reviewing these
patches in the context of the configuration above:
> Right, I noted recent submissions to U-Boot and Kernel.
> (1) HACE/ACRY support in U-Boot
> (2) OTP sysfs access for logging Secure Boot status.
> Need clarity regarding OTP programming.
> (1) There's Linux tool
I assume this refers to socsec? The socsec repo provides two tools:
`socsec` and `otptool`. `otptool` can be used to generate the OTP image
and exercise signature validity.
> and U-Boot patches floating somewhere.
I'm not sure what patches you're referring to here, can you clarify?
> (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
> boot (ABR).
There's no real preference. My intent is to add a recipe that can
consume a platform-specific otptool json config and spit out the OTP
binary as a build artefact. Currently I just have the config captured
in a separate repo internally and I generate binaries from that using
> (3) Any interest in using encryption besides SHA/RSA auth?
SHA/RSA is what IBM will ship with in current platforms, so not from us.