Security Working Group meeting - Wednesday December 8 - results
troy_lee at aspeedtech.com
Fri Dec 10 12:49:42 AEDT 2021
> -----Original Message-----
> From: openbmc <openbmc-
> bounces+troy_lee=aspeedtech.com at lists.ozlabs.org> On Behalf Of Andrew
> Sent: Friday, December 10, 2021 7:35 AM
> To: Dhananjay Phadke <dphadke at linux.microsoft.com>; Joseph Reynolds
> <jrey at linux.ibm.com>
> Cc: openbmc at lists.ozlabs.org
> Subject: Re: Security Working Group meeting - Wednesday December 8 -
> On Fri, 10 Dec 2021, at 04:01, Dhananjay Phadke wrote:
> >>> On Thu, 9 Dec 2021, at 05:44, Joseph Reynolds wrote:
> >>>> 4 Progress on BMC secure boot?
> >>>> AST2600 hardware secure U-boot boot, then secure booting the Linux
> >>>> kernel. No additional pieces.
> >>>> See the AST security guide. How is signing-key management done?
> >>>> Dhananjay to follow up.
> >>> As someone who was involved in integrating the AST2600 secure-boot
> support into OpenBMC, what's going on here?
> >>Someone asked the question you see above, and Dhananjay tried to
> >>answer. The consensus was that there is support for AST2600 secure
> >>booting U-Boot, support for U-Boot securely loading the Linux kernel,
> >>and no additional support. Your summary would be appreciated.
> >>Is there a document which describes what a system integrator needs to use this
> >>function? Ideally it would be linked from
> There's not much documentation as yet. p10bmc can be used as an example
> of a system that enables it.
> Given the lack of documentation it's probably also worth reviewing these patches in
> the context of the configuration above:
> > Right, I noted recent submissions to U-Boot and Kernel.
> > (1) HACE/ACRY support in U-Boot
> > (2) OTP sysfs access for logging Secure Boot status.
> > Need clarity regarding OTP programming.
> > (1) There's Linux tool
> I assume this refers to socsec? The socsec repo provides two tools:
> `socsec` and `otptool`. `otptool` can be used to generate the OTP image and
> exercise signature validity.
> > and U-Boot patches floating somewhere.
> I'm not sure what patches you're referring to here, can you clarify?
> > (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
> > boot (ABR).
> There's no real preference. My intent is to add a recipe that can consume a
> platform-specific otptool json config and spit out the OTP binary as a build
> artefact. Currently I just have the config captured in a separate repo
> internally and I generate binaries from that using make.
> > (3) Any interest in using encryption besides SHA/RSA auth?
> SHA/RSA is what IBM will ship with in current platforms, so not from us.
There is a secure boot document in review.
The secure boot hardware verifies the root-of-trust image, i.e. u-boot-spl.bin, and the chain-of-trust images (u-boot.bin and kernel/initramfs) are verified by the u-boot verified boot feature.
My question is: how is the root fs being verified? Are you using UBI FS authentication support for this purpose?