Security Working Group meeting - Wednesday December 8 - results

Andrew Jeffery andrew at aj.id.au
Fri Dec 10 10:35:27 AEDT 2021



On Fri, 10 Dec 2021, at 04:01, Dhananjay Phadke wrote:
>>> On Thu, 9 Dec 2021, at 05:44, Joseph Reynolds wrote:
>>>
>>>> 4 Progress on BMC secure boot?
>>>>
>>>> AST2600 hardware secure U-Boot boot, then secure booting the Linux
>>>> kernel. No additional pieces.
>>>>
>>>> See the AST security guide.  How is signing-key management done?
>>>>
>>>> Dhananjay to follow up.
>>> As someone who was involved in integrating the AST2600 secure-boot support into OpenBMC, what's going on here?
>>
>>Someone asked the question you see above, and Dhananjay tried to 
>>answer.  The consensus was that there is support for AST2600 secure 
>>booting U-Boot, support for U-Boot securely loading the Linux kernel, 
>>and no additional support.  Your summary would be appreciated.
>>
>>Is there a document which describes what a system integrator needs to use this
>>function?  Ideally it would be linked from 
>>https://github.com/openbmc/docs/blob/master/features.md

There's not much documentation as yet. p10bmc can be used as an example 
of a system that enables it.

https://github.com/openbmc/openbmc/blob/ade3e145ead0beedad181394fcaa63856176bdee/meta-ibm/conf/machine/p10bmc.conf#L39-L56

Given the lack of documentation it's probably also worth reviewing these
patches in the context of the configuration above:

https://gerrit.openbmc-project.xyz/q/topic:%22secure-boot%22+(status:open%20OR%20status:merged)

>
> Right, I noted recent submissions to U-Boot and Kernel.
> (1) HACE/ACRY support in U-Boot
> (2) OTP sysfs access for logging Secure Boot status.
>
> Need clarity regarding OTP programming.
> (1) There's a Linux tool

I assume this refers to socsec? The socsec repo provides two tools: 
`socsec` and `otptool`. `otptool` can be used to generate the OTP image 
and exercise signature validity.

https://github.com/AspeedTech-BMC/socsec/

> and U-Boot patches floating somewhere.

I'm not sure what patches you're referring to here, can you clarify?

> (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
> boot (ABR).

There's no real preference. My intent is to add a recipe that can 
consume a platform-specific otptool json config and spit out the OTP 
binary as a build artefact. Currently I just have the config captured 
in a separate repo internally and I generate binaries from that using 
make.

> (3) Any interest in using encryption besides SHA/RSA auth?

SHA/RSA is what IBM will ship with in current platforms, so not from us.

Andrew

