From: Dhananjay Phadke <dphadke@linux.microsoft.com>
To: andrew@aj.id.au
Cc: openbmc@lists.ozlabs.org, dphadke@linux.microsoft.com,
	jrey@linux.ibm.com
Subject: Re: Security Working Group meeting - Wednesday December 8 - results
Date: Thu,  9 Dec 2021 21:01:58 -0800
Message-ID: <1639112518-8080-1-git-send-email-dphadke@linux.microsoft.com>
In-Reply-To: <df30fbcd-870a-4d9e-9377-80c0b1a9c3ca@www.fastmail.com>



On Fri, 10 Dec 2021, Andrew Jeffery wrote:

> There's not much documentation as yet. p10bmc can be used as an example
> of a system that enables it.
>
> https://github.com/openbmc/openbmc/blob/ade3e145ead0beedad181394fcaa63856176bdee/meta-ibm/conf/machine/p10bmc.conf#L39-L56
>
> Given the lack of documentation it's probably also worth reviewing these
> patches in the context of the configuration above:
>
> https://gerrit.openbmc-project.xyz/q/topic:%22secure-boot%22+(status:open%20OR%20status:merged)

Thank you for the pointer, I'll comment there.

>> Need clarity regarding OTP programming.
>> (1) There's Linux tool
>
> I assume this refers to socsec? The socsec repo provides two tools:
> `socsec` and `otptool`. `otptool` can be used to generate the OTP image
> and exercise signature validity.
>
> https://github.com/AspeedTech-BMC/socsec/

Yes, I was referring to these tools, socsec-sign.bbclass seems to cover
the workflow I was looking for.

>
>> and U-Boot patches floating somewhere.
>
> I'm not sure what patches you're referring to here, can you clarify?

https://github.com/AspeedTech-BMC/u-boot/commits/aspeed-master-v2019.04

cmd/otp.c has more changes compared to openbmc/u-boot.

>
>> (2) Any specific OTP straps preferred by OpenBMC, e.g. enabling alt
>> boot (ABR).
>
> There's no real preference. My intent is to add a recipe that can
> consume a platform-specific otptool json config and spit out the OTP
> binary as a build artefact. Currently I just have the config captured
> in a separate repo internally and I generate binaries from that using
> make.

This is useful, having readable config and letting platform select
behavior such as alternate image in same SPI or alternate, etc.

Regards,
Dhananjay

