Security Working Group meeting - Wednesday December 8 - results

Troy Lee troy_lee at aspeedtech.com
Fri Dec 10 16:55:32 AEDT 2021


Hi Dhananjay and Andrew,

> On Fri, 10 Dec 2021, Andrew Jeffery wrote:
> 
> > There's not much documentation as yet. p10bmc can be used as an
> > example of a system that enables it.
> >
> >
> > https://github.com/openbmc/openbmc/blob/ade3e145ead0beedad181394fcaa63856176bdee/meta-ibm/conf/machine/p10bmc.conf#L39-L56
> >
> > Given the lack of documentation it's probably also worth reviewing these
> > patches in the context of the configuration above:
> >
> > https://gerrit.openbmc-project.xyz/q/topic:%22secure-boot%22+(status:open%20OR%20status:merged)
> 
> Thank you for the pointer, I'll comment there.
> 
> >> Need clarity regarding OTP programming.
> >> (1) There's Linux tool
> >
> > I assume this refers to socsec? The socsec repo provides two tools:
> > `socsec` and `otptool`. `otptool` can be used to generate the OTP
> > image and exercise signature validity.
> >
> > https://github.com/AspeedTech-BMC/socsec/
> 
> Yes, I was referring to these tools, socsec-sign.bbclass seems to cover the
> workflow I was looking for.
> 
> >
> >> and U-Boot patches floating somewhere.
> >
> > I'm not sure what patches you're referring to here, can you clarify?
> 
> https://github.com/AspeedTech-BMC/u-boot/commits/aspeed-master-v2019.04
> 
> cmd/otp.c has more changes compared to openbmc/u-boot.
> 
> >
> >> (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
> >> boot (ABR).
> >
> > There's no real preference. My intent is to add a recipe that can
> > consume a platform-specific otptool json config and spit out the OTP
> > binary as a build artefact. Currently I just have the config captured
> > in a separate repo internally and I generate binaries from that using
> > make.
> 
> This is useful, having readable config and letting platform select behavior
> such as alternate image in same SPI or alternate, etc.

We have the recipe to generate otp-image with the OpenBMC build
process and are working on upstreaming it into OpenBMC.
Could you help to review the recipe once we submit it to Gerrit?

> 
> Regards,
> Dhananjay

Thanks,
Troy Lee

