[Skiboot] [PATCH 14/15] libstb/drivers: Add ROM code driver

Patrick Williams patrick at stwcx.xyz
Wed Sep 21 07:42:00 AEST 2016


On Tue, Sep 20, 2016 at 06:28:11PM +1000, Stewart Smith wrote:
> Claudio Carvalho <cclaudio at linux.vnet.ibm.com> writes:
> > This adds a driver for the ROM verification code. The driver is compatible
> > with 'ibm,secureboot-v1'.
> >
> > The presense of a verification code in the platform is indicated by the
> > presence of the ibm,secureboot node in the device tree.
> >
> > The ibm,secureboot node is documented in
> > 'doc/device-tree/ibm,secureboot.txt'
> 
> I think i've made the comment elsewhere but:
> 1) is there source available for the ROM code?

I do not believe so for P8.  For P9, it would be part of Hostboot and
then programmed into the SBE SEEPROM.  This allows it to be replaced
with alternative algorithms fairly easily.

> 2) why are we calling it rather than our own SHA512 code?
> 3) why would we not verify the ROM code result against a local SHA512
>    implementation?

SHA512/ECDSA are not required in the future.  Different geographies have
different preference on the encryption / signature algorithm, so we are
designing P9 to be replaceable.  I assume you'll want to use the
algorithm that Hostboot leaves laying around in memory in that case.

> 
> Are future processors going to follow this model? If not, then let's
> just bring in the SHA512 code now and be done with it rather than carry
> both?
> 
-- 
Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.ozlabs.org/pipermail/skiboot/attachments/20160920/3dbb75bb/attachment-0001.sig>


More information about the Skiboot mailing list