Re: Security Working Group meeting - Wednesday February 2

[Michael Richardson <mcr+ietf@sandelman.ca>]

[-- Attachment #1: Type: text/plain, Size: 1430 bytes --]


Andrew Jeffery <andrew@aj.id.au> wrote:
    > On Fri, 4 Feb 2022, at 05:43, Michael Richardson wrote:
    >> Thanks for the great notes!
    >>

    > You might also be interested in chapters 9 and 10 of https://github.com/AspeedTech-BMC/openbmc/releases/download/v08.00/SDK_User_Guide_v08.00.pdf :)

So, not completely under NDA then.
Thank you for pointing at that.
I wish I could edit the missing articles into that document.

I saw that the section after socsec is about boot from uart, which requires a
jumper to be moved.

I see a place for an RSA private key as well as the public ones to validate
the boot image.  Multiple OTP headers, up to 64k bits (8K bytes I guess) is
available.

Is anyone out there using this *today* for signing evidence for a measured
boot?  Or for including an IDevID into the system?   You can unicast me if
you prefer.

Getting manufacturer signed IDevIDs in is critical to getting better
onboarding story for BMCs.  I would love to work with someone to prototype this.

(Ah, xmodem/ymodem brings back many memories.  How much zmodem kicked their
ass.  And telebit trailblazers..)

I wonder if the OpenBMC project cares about the case of the name... as ASPEED
has "OpenBmc" everywhere.  Some people care... It's a bit like Brown M&Ms :-)
(e.g., RFC4301 says it is "IPsec" and not "IPSec")


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 658 bytes --]