Security Working Group meeting - Wednesday December 8 - results

Dhananjay Phadke dphadke at
Fri Dec 10 16:01:58 AEDT 2021

On Fri, 10 Dec 2021, Andrew Jeffery wrote:

> There's not much documentation as yet. p10bmc can be used as an example
> of a system that enables it.
> Given the lack of documentation it's probably also worth reviewing these
> patches in the context of the configuration above:

Thank you for the pointer, I'll comment there.

>> Need clarity regarding OTP programming.
>> (1) There's Linux tool
> I assume this refers to socsec? The socsec repo provides two tools:
> `socsec` and `otptool`. `otptool` can be used to generate the OTP image
> and exercise signature validity.

Yes, I was referring to these tools; socsec-sign.bbclass seems to cover
the workflow I was looking for.

>> and U-Boot patches floating somewhere.
> I'm not sure what patches you're referring to here, can you clarify?

cmd/otp.c has more changes compared to openbmc/u-boot.

>> (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
>> boot (ABR).
> There's no real preference. My intent is to add a recipe that can
> consume a platform-specific otptool json config and spit out the OTP
> binary as a build artefact. Currently I just have the config captured
> in a separate repo internally and I generate binaries from that using
> make.

This is useful, having readable config and letting platform select
behavior such as alternate image in same SPI or alternate, etc.

