Security Working Group meeting - Wednesday December 8 - results

Andrew Jeffery andrew at
Fri Dec 10 10:35:27 AEDT 2021

On Fri, 10 Dec 2021, at 04:01, Dhananjay Phadke wrote:
>>> On Thu, 9 Dec 2021, at 05:44, Joseph Reynolds wrote:
>>>> 4 Progress on BMC secure boot?
>>>> AST2600 hardware secure U-Boot boot, then secure booting the Linux
>>>> kernel. No additional pieces.
>>>> See the AST security guide. How is signing-key management done?
>>>> Dhananjay to follow up.
>>> As someone who was involved in integrating the AST2600 secure-boot support into OpenBMC, what's going on here?
>>Someone asked the question you see above, and Dhananjay tried to 
>>answer.  The consensus was that there is support for AST2600 secure 
>>booting U-Boot, support for U-Boot securely loading the Linux kernel, 
>>and no additional support.  Your summary would be appreciated.
>>Is there a document which describes what a system integrator needs to use this 
>>function?  Ideally it would be linked from 

There's not much documentation as yet. p10bmc can be used as an example 
of a system that enables it.

Given the lack of documentation it's probably also worth reviewing these 
patches in the context of the configuration above:

> Right, I noted recent submissions to U-Boot and Kernel.
> (1) HACE/ACRY support in U-Boot
> (2) OTP sysfs access for logging Secure Boot status.
> Need clarity regarding OTP programming.
> (1) There's a Linux tool

I assume this refers to socsec? The socsec repo provides two tools: 
`socsec` and `otptool`. `otptool` can be used to generate the OTP image 
and exercise signature validity.

> and U-Boot patches floating somewhere.

I'm not sure what patches you're referring to here, can you clarify?

> (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
> boot (ABR).

There's no real preference. My intent is to add a recipe that can 
consume a platform-specific otptool json config and spit out the OTP 
binary as a build artefact. Currently I just have the config captured 
in a separate repo internally and I generate binaries from that using 

> (3) Any interest in using encryption besides SHA/RSA auth?

SHA/RSA is what IBM will ship with in current platforms, so not from us.

