[Skiboot] [PATCH 14/15] libstb/drivers: Add ROM code driver

Stewart Smith stewart at linux.vnet.ibm.com
Wed Sep 28 13:52:18 AEST 2016

Patrick Williams <patrick at stwcx.xyz> writes:

> On Tue, Sep 20, 2016 at 06:28:11PM +1000, Stewart Smith wrote:
>> Claudio Carvalho <cclaudio at linux.vnet.ibm.com> writes:
>> > This adds a driver for the ROM verification code. The driver is compatible
>> > with 'ibm,secureboot-v1'.
>> >
>> > The presense of a verification code in the platform is indicated by the
>> > presence of the ibm,secureboot node in the device tree.
>> >
>> > The ibm,secureboot node is documented in
>> > 'doc/device-tree/ibm,secureboot.txt'
>> I think i've made the comment elsewhere but:
>> 1) is there source available for the ROM code?
> I do not believe so for P8.  For P9, it would be part of Hostboot and
> then programmed into the SBE SEEPROM.  This allows it to be replaced
> with alternative algorithms fairly easily.


>> 2) why are we calling it rather than our own SHA512 code?
>> 3) why would we not verify the ROM code result against a local SHA512
>>    implementation?
> SHA512/ECDSA are not required in the future.  Different geographies have
> different preference on the encryption / signature algorithm, so we are
> designing P9 to be replaceable.  I assume you'll want to use the
> algorithm that Hostboot leaves laying around in memory in that case.

maybe/maybe not. Having our own copy (even if it's just shared with
Hostboot implementation) means that we can easily run in sim and verify
trusted/secure boot code paths. If we exclusively rely on hostboot (or
ROM code), then we don't get that.

Stewart Smith
OPAL Architect, IBM.

More information about the Skiboot mailing list