validating secure boot settings

Andrew Geissler geissonator at gmail.com
Tue Feb 22 05:23:06 AEDT 2022


IBM has a feature[1] they’d like in regards to validating secure boot settings. 

The basic requirement is to utilize the new bmc-secure-boot GPIO defined
within this patch[2]. If the GPIO is found, then verify the system is in secure
mode by validating the GPIO reads 1. If it’s not a 1, then log an error.

Similarly the code will also look at a sysfs file created via this patch[3] to tell
if the system was started with secure boot enabled in the firmware. An error
will be logged if it was not.

From an IBM perspective, we only want to run these tests if we’re in what
we consider to be the manufacturing environment. What we use to determine
that will probably be something configurable with the code. There are a lot
of other things that will prevent a boot if the system has secure boot enabled
and the security checks fail. This new function is just a mechanism to
provide a quick check to our manufacturing team that they’ve enabled
everything as expected.

So, anyone else interested in something like this? If so, any votes on where
a good place for this logic to reside would be? We don’t have any obvious
security repository that I can find that seems like a good fit for this.

[1]: https://github.com/ibm-openbmc/dev/issues/3462
[2]: https://github.com/openbmc/docs/commit/d55349e10ec2432886b26b00322ef0eaff2b919a
[3]: https://lore.kernel.org/all/20220204072234.304543-1-joel@jms.id.au/

Thanks,
Andrew
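
The check described in the message above, sketched as an added example (not part of the original e-mail and not OpenBMC project code). Assumptions: libgpiod v1 command-line tools (`gpiofind`/`gpioget`), a hypothetical `MFG_MODE` switch standing in for the manufacturing-environment test, a placeholder `SB_SYSFS` path, a sysfs file that reads `1` when firmware secure boot was enabled, and failing closed when that file is unreadable.

```shell
#!/bin/sh
# Added example: manufacturing-only secure boot sanity check.
# Assumptions (not from the original message): libgpiod v1 tools
# (gpiofind/gpioget), the MFG_MODE switch, the SB_SYSFS placeholder path,
# and that the sysfs file reads "1" when firmware secure boot was enabled.
GPIO_NAME="bmc-secure-boot"
SB_SYSFS="${SB_SYSFS:-/path/to/secure_boot_sysfs_file}"  # placeholder

# Print the value of a named GPIO line; fail if the line is not found.
read_gpio() {
    command -v gpiofind >/dev/null 2>&1 || return 1
    rg_loc=$(gpiofind "$1") || return 1      # e.g. "gpiochip0 12"
    # shellcheck disable=SC2086  # chip and offset must split into two args
    gpioget $rg_loc
}

# check_secure_boot GPIO_VALUE SYSFS_FILE
# GPIO_VALUE is empty when the line was not found, which skips that check.
# Logs one error per failed check to stderr; returns the failure count.
check_secure_boot() {
    csb_failures=0
    if [ -n "$1" ] && [ "$1" != "1" ]; then
        echo "ERROR: $GPIO_NAME GPIO reads '$1', expected 1" >&2
        csb_failures=$((csb_failures + 1))
    fi
    if [ ! -r "$2" ]; then
        # Fail closed (assumption): an unreadable file cannot confirm anything.
        echo "ERROR: cannot read $2, secure boot state unverified" >&2
        csb_failures=$((csb_failures + 1))
    elif [ "$(tr -d '[:space:]' < "$2")" != "1" ]; then
        echo "ERROR: firmware did not start with secure boot enabled" >&2
        csb_failures=$((csb_failures + 1))
    fi
    return "$csb_failures"
}

run_mfg_check() {
    rmc_gpio=$(read_gpio "$GPIO_NAME") || rmc_gpio=""
    check_secure_boot "$rmc_gpio" "$SB_SYSFS"
}

# Only run in what the deployment considers a manufacturing environment.
if [ "${MFG_MODE:-0}" = "1" ]; then
    run_mfg_check
fi
```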

