Create AST2600 OTP image
jamin_lin at aspeedtech.com
Thu Dec 16 17:41:37 AEDT 2021
Hi OpenBMC team
I have some questions about OTP image creation in OpenBMC. To support AST2600 RoT (Root of Trust, AST2600 ROM code verified SPL), users should program "a public key" in OTP and use "a private key" with the SPL image to create a signature and place it in SPL.
The SOCSEC tool helps users create OTP and SPL images for AST2600 secure boot support.
The following are my questions and solutions
1. There was a socsec-sign.bbclass in OpenBMC and it is used for SPL image generation with SOCSEC tool. Do you agree if I modify socsec-sign.bbclass to create OTP image?
If no, I will try to use solution 2.
1. I will create a new recipe to create OTP image and this recipe will be placed in meta-aspeed/recipes-aspeed/otp/otp.bb
To successfully build the OTP and SPL images, we should create the key pair, one for OTP (public key) and another for SPL (private key).
Do you have any suggestion about where to place these keys?
1. So far, we placed both the private key and public keys here: https://github.com/openbmc/openbmc/tree/master/meta-aspeed/recipes-bsp/u-boot/files
How do I get the public key in the OTP recipe? It seems I need to place the public key, https://github.com/openbmc/openbmc/blob/master/meta-aspeed/recipes-bsp/u-boot/files/rsa_pub_oem_dss_key.pem
in meta-aspeed/recipes-aspeed/otp/files and the private key in u-boot, https://github.com/openbmc/openbmc/blob/master/meta-aspeed/recipes-bsp/u-boot/files/rsa_oem_dss_key.pem
1. The socsec tool settings should be consistent. For example, if the user sets the algorithm "RSA4096_SHA512" in SPL, it is required to use the corresponding *.json config in OTP.
By default, it sets SOCSEC_SIGN_ALGO ?= "RSA4096_SHA512" to create SPL, so it is required to use https://github.com/AspeedTech-BMC/openbmc/blob/aspeed-master/meta-aspeed-sdk/recipes-aspeed/security/aspeed-secure-config/configs/ast2600/security/otp/evbA3_RSA4096_SHA512.json for OTP image generation.
How do I share the environment variable between the u-boot and otp recipes?
Do you prefer to add "SOCSEC_SIGN_ALGO" in the machine configuration file, so this variable can be recognized by both the otp and u-boot recipes?
Do you have any suggestion?
1. How do I trigger the build process to create the OTP image if the user only issues "bitbake obmc-phosphor-image"?
Our solution sets the do_generate_static_tar task dependencies, so the build process creates the OTP image first, then runs the do_generate_static_tar task.
Do you have any suggestion? Do I need to modify this bbclass, https://github.com/openbmc/openbmc/blob/master/meta-phosphor/classes/image_types_phosphor.bbclass ?
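
The consistency requirements raised in this message (the OTP public key must pair with the SPL signing key, and the OTP config must match SOCSEC_SIGN_ALGO) can be checked before a build. The following is an added example, not part of the original email or of the OpenBMC or socsec code; the function names are hypothetical, and the `<board>_<ALGO>.json` naming rule is an assumption drawn from the single config file name quoted above.

```shell
#!/usr/bin/env bash
# Added example: checks that the SPL signing key, the OTP public key and the
# OTP config agree with SOCSEC_SIGN_ALGO. Function names are hypothetical.

# Print the modulus size (in bits) of an RSA private key PEM file.
rsa_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the public key file is the public half of the private key.
keys_match() {
    local from_priv from_pub
    from_priv=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_pub=$(openssl pkey -pubin -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_priv" ] && [ "$from_priv" = "$from_pub" ]
}

# Usage: check_secure_boot_inputs ALGO PRIVATE_KEY PUBLIC_KEY OTP_CONFIG
check_secure_boot_inputs() {
    local algo=$1 priv=$2 pub=$3 cfg=$4 want
    # Only the RSA<bits>_SHA<bits> form that appears in the message is handled.
    case $algo in
        RSA[0-9]*_SHA[0-9]*) want=${algo%%_*}; want=${want#RSA} ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    # Assumption: OTP configs are named <board>_<ALGO>.json, as in
    # evbA3_RSA4096_SHA512.json.
    case $(basename "$cfg") in
        *_"$algo".json) ;;
        *) echo "OTP config '$cfg' is not for $algo" >&2; return 1 ;;
    esac
    if [ "$(rsa_bits "$priv")" != "$want" ]; then
        echo "signing key is not RSA-$want" >&2; return 1
    fi
    if ! keys_match "$priv" "$pub"; then
        echo "OTP public key does not pair with the SPL signing key" >&2; return 1
    fi
    echo "OK: $algo, keys pair, OTP config matches"
}
```

Running the check from one place, with the algorithm passed in as a single value, keeps the SPL and OTP steps from drifting apart when the algorithm or keys are changed.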