Security Working Group meeting - Wednesday December 8 - results
troy_lee at aspeedtech.com
Fri Dec 10 16:55:32 AEDT 2021
Hi Dhananjay and Andrew,
> On Fri, 10 Dec 2021, Andrew Jeffery wrote:
> > There's not much documentation as yet. p10bmc can be used as an
> > example of a system that enables it.
> > 856176bdee/meta-ibm/conf/machine/p10bmc.conf#L39-L56
> > Given the lack of documentation it's probably also worth reviewing these
> > patches in the context of the configuration above:
> > https://gerrit.openbmc-project.xyz/q/topic:%22secure-boot%22+(status:open%20OR%20status:merged)
> Thank you for the pointer, I'll comment there.
> >> Need clarity regarding OTP programming.
> >> (1) There's Linux tool
> > I assume this refers to socsec? The socsec repo provides two tools:
> > `socsec` and `otptool`. `otptool` can be used to generate the OTP
> > image and exercise signature validity.
> > https://github.com/AspeedTech-BMC/socsec/
> Yes, I was referring to these tools, socsec-sign.bbclass seems to cover the
> workflow I was looking for.
> >> and U-Boot patches floating somewhere.
> > I'm not sure what patches you're referring to here, can you clarify?
> cmd/otp.c has more changes compared to openbmc/u-boot.
> >> (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
> >> boot (ABR).
> > There's no real preference. My intent is to add a recipe that can
> > consume a platform-specific otptool json config and spit out the OTP
> > binary as a build artefact. Currently I just have the config captured
> > in a separate repo internally and I generate binaries from that using
> > make.
> This is useful, having readable config and letting platform select behavior
> such as alternate image in same SPI or alternate, etc.
We have the recipe to generate otp-image with the OpenBMC build
process and are working on upstreaming it into OpenBMC.
Could you help to review the recipe once we submit it into gerrit?