Security Working Group meeting - Wednesday December 8 - results
Dhananjay Phadke
dphadke at linux.microsoft.com
Fri Dec 10 16:01:58 AEDT 2021
On Fri, 10 Dec 2021, Andrew Jeffery wrote:
> There's not much documentation as yet. p10bmc can be used as an example
> of a system that enables it.
>
> https://github.com/openbmc/openbmc/blob/ade3e145ead0beedad181394fcaa63856176bdee/meta-ibm/conf/machine/p10bmc.conf#L39-L56
>
> Given the lack of documentation it's probably also reviewing these
> patches in the context of the configuration above:
>
> https://gerrit.openbmc-project.xyz/q/topic:%22secure-boot%22+(status:open%20OR%20status:merged)
Thank you for the pointer, I'll comment there.
>> Need clarity regarding OTP programming.
>> (1) There's Linux tool
>
> I assume this refers to socsec? The socsec repo provides two tools:
> `socsec` and `otptool`. `otptool` can be used to generate the OTP image
> and exercise signature validity.
>
> https://github.com/AspeedTech-BMC/socsec/
Yes, I was referring to these tools, socsec-sign.bbclass seems to cover
the workflow I was looking for.
>
>> and U-Boot patches floating somewhere.
>
> I'm not sure what patches you're referring to here, can you clarify?
https://github.com/AspeedTech-BMC/u-boot/commits/aspeed-master-v2019.04
cmd/otp.c has more changes compared to openbmc/u-boot.
>
>> (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
>> boot (ABR).
>
> There's no real preference. My intent is to add a recipe that can
> consume a platform-specific otptool json config and spit out the OTP
> binary as a build artefact. Currently I just have the config captured
> in a separate repo internally and I generate binaries from that using
> make.
This is useful, having readable config and letting platform select
behavior such as alternate image in same SPI or alternate, etc.
Regards,
Dhananjay