Security Working Group meeting - Wednesday December 8 - results

Troy Lee troy_lee at aspeedtech.com
Fri Dec 10 12:49:42 AEDT 2021


Hi,
> -----Original Message-----
> From: openbmc <openbmc-bounces+troy_lee=aspeedtech.com at lists.ozlabs.org> On Behalf Of Andrew Jeffery
> Sent: Friday, December 10, 2021 7:35 AM
> To: Dhananjay Phadke <dphadke at linux.microsoft.com>; Joseph Reynolds
> <jrey at linux.ibm.com>
> Cc: openbmc at lists.ozlabs.org
> Subject: Re: Security Working Group meeting - Wednesday December 8 - results
> 
> 
> 
> On Fri, 10 Dec 2021, at 04:01, Dhananjay Phadke wrote:
> >>> On Thu, 9 Dec 2021, at 05:44, Joseph Reynolds wrote:
> >>>
> >>>> 4 Progress on BMC secure boot?
> >>>>
> >>>> AST2600 hardware secure U-Boot boot, then secure booting the Linux
> >>>> kernel. No additional pieces.
> >>>>
> >>>> See the AST security guide.  How is signing-key management done?
> >>>>
> >>>> Dhananjay to follow up.
> >>> As someone who was involved in integrating the AST2600 secure-boot
> >>> support into OpenBMC, what's going on here?
> >>
> >>Someone asked the question you see above, and Dhananjay tried to
> >>answer.  The consensus was that there is support for AST2600 secure
> >>booting U-Boot, support for U-Boot securely loading the Linux kernel,
> >>and no additional support.  Your summary would be appreciated.
> >>
> >>Is there a document which describes what a system integrator needs to use this
> >>function?  Ideally it would be linked from
> >>https://github.com/openbmc/docs/blob/master/features.md
> 
> There's not much documentation as yet. p10bmc can be used as an example
> of a system that enables it.
> 
> https://github.com/openbmc/openbmc/blob/ade3e145ead0beedad181394fcaa63856176bdee/meta-ibm/conf/machine/p10bmc.conf#L39-L56
> 
> Given the lack of documentation it's probably also reviewing these patches in
> the context of the configuration above:
> 
> https://gerrit.openbmc-project.xyz/q/topic:%22secure-boot%22+(status:open%20OR%20status:merged)
> 
> >
> > Right, I noted recent submissions to U-Boot and Kernel.
> > (1) HACE/ARCY support in U-Boot
> > (2) OTP sysfs access for logging Secure Boot status.
> >
> > Need clarity regarding OTP programming.
> > (1) There's Linux tool
> 
> I assume this refers to socsec? The socsec repo provides two tools:
> `socsec` and `otptool`. `otptool` can be used to generate the OTP image and
> exercise signature validity.
> 
> https://github.com/AspeedTech-BMC/socsec/
> 
> > and U-Boot patches floating somewhere.
> 
> I'm not sure what patches you're referring to here, can you clarify?
> 
> > (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
> > boot (ABR).
> 
> There's no real preference. My intent is to add a recipe that can consume a
> platform-specific otptool json config and spit out the OTP binary as a build
> artefact. Currently I just have the config captured in a separate repo
> internally and I generate binaries from that using make.
> 
> > (3) Any interest in using encryption besides SHA/RSA auth?
> 
> SHA/RSA is what IBM will ship with in current platforms, so not from us.
> 
> Andrew

There is a secure boot document in review.
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/26169

The secure boot hardware verifies the root-of-trust image, i.e. u-boot-spl.bin, and the chain-of-trust images (u-boot.bin and kernel/initramfs) are verified by the U-Boot verified boot feature.

My question is how the root fs is verified. Are you using UBI FS authentication support for this purpose?

Thanks,
Troy Lee
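The root fs question above is about extending the chain of trust past the kernel/initramfs. As an added illustration (not OpenBMC, U-Boot or ASPEED code), the script below models the common approach behind UBIFS authentication and dm-verity-style checks: a hash tree over the filesystem blocks whose root hash is carried by an already-verified stage, so a tampered block fails verification. Block size, tree shape and the sample image are constructed for the example.

```python
"""Hash-tree check of a root filesystem image against a root hash that the
signed kernel/initramfs stage would carry.

Added illustration, not code from the OpenBMC or ASPEED projects. UBIFS
authentication protects its index with a hash tree and HMAC and dm-verity
hashes data blocks; both anchor the rootfs in a value the verified boot
chain already trusts. Block size and sample data are constructed here."""
import hashlib
import hmac

BLOCK_SIZE = 16  # constructed: tiny blocks keep the example readable


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(image: bytes) -> list[bytes]:
    """Zero-pad the image to whole blocks, as a verity formatter would."""
    padded = image + b"\0" * (-len(image) % BLOCK_SIZE)
    return [padded[i:i + BLOCK_SIZE] for i in range(0, len(padded), BLOCK_SIZE)]


def root_hash(image: bytes) -> bytes:
    """Build a binary hash tree over the blocks and return its root.
    Only the root needs to live in the signed stage; the tree itself can sit
    unsigned beside the data because any edit changes the root."""
    level = [_h(b) for b in split_blocks(image)]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate an odd trailing node
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def verify_image(image: bytes, trusted_root: bytes) -> bool:
    """Recompute the tree and compare to the root from the signed stage.
    compare_digest avoids leaking how many leading bytes matched."""
    return hmac.compare_digest(root_hash(image), trusted_root)


# Constructed sample rootfs image, plus a copy with one byte changed.
GOOD_IMAGE = b"etc/passwd:root:x:0:0::/root:/bin/sh\n" + b"bin/sh:ELF..." * 3
TAMPERED_IMAGE = GOOD_IMAGE[:10] + b"0" + GOOD_IMAGE[11:]
TRUSTED_ROOT = root_hash(GOOD_IMAGE)  # value the signed stage would carry

if __name__ == "__main__":
    print("good image verifies:", verify_image(GOOD_IMAGE, TRUSTED_ROOT))
    print("tampered image verifies:", verify_image(TAMPERED_IMAGE, TRUSTED_ROOT))
```

The image length must also be pinned by the signed stage, since zero padding means a trailing zero byte appended to the data does not change the root.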

