Security Working Group meeting - Wednesday December 8 - results

Andrew Jeffery andrew at aj.id.au
Fri Dec 10 17:40:09 AEDT 2021



On Fri, 10 Dec 2021, at 16:25, Troy Lee wrote:
> Hi Dhananjay and Andrew,
>
>> On Fri, 10 Dec 2021, Andrew Jeffery wrote:
>> 
>> > There's not much documentation as yet. p10bmc can be used as an
>> > example of a system that enables it.
>> >
>> >
>> > https://github.com/openbmc/openbmc/blob/ade3e145ead0beedad181394fcaa63856176bdee/meta-ibm/conf/machine/p10bmc.conf#L39-L56
>> >
>> > Given the lack of documentation it's probably also worth reviewing these
>> > patches in the context of the configuration above:
>> >
>> > https://gerrit.openbmc-project.xyz/q/topic:%22secure-boot%22+(status:open%20OR%20status:merged)
>> 
>> Thank you for the pointer, I'll comment there.
>> 
>> >> Need clarity regarding OTP programming.
>> >> (1) There's a Linux tool
>> >
>> > I assume this refers to socsec? The socsec repo provides two tools:
>> > `socsec` and `otptool`. `otptool` can be used to generate the OTP
>> > image and exercise signature validity.
>> >
>> > https://github.com/AspeedTech-BMC/socsec/
>> 
>> Yes, I was referring to these tools, socsec-sign.bbclass seems to cover the
>> workflow I was looking for.
>> 
>> >
>> >> and U-Boot patches floating somewhere.
>> >
>> > I'm not sure what patches you're referring to here, can you clarify?
>> 
>> https://github.com/AspeedTech-BMC/u-boot/commits/aspeed-master-v2019.04
>> 
>> cmd/otp.c has more changes compared to openbmc/u-boot.
>> 
>> >
>> >> (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
>> >> boot (ABR).
>> >
>> > There's no real preference. My intent is to add a recipe that can
>> > consume a platform-specific otptool json config and spit out the OTP
>> > binary as a build artefact. Currently I just have the config captured
>> > in a separate repo internally and I generate binaries from that using
>> > make.
>> 
>> This is useful, having readable config and letting platform select behavior
>> such as alternate image in same SPI or alternate, etc.
>
> We have the recipe to generate otp-image with the OpenBMC building
> process and are working on upstreaming it into OpenBMC.
> Could you help to review the recipe once we submit it into gerrit?

Yes, please push it for review.

Andrew

