RE: BMC Image Signing Proposal

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stewart Smith <stewart@linux.vnet.ibm.com>
To: Yugi Mani <yupalani@microsoft.com>,
	Adriana Kobylak <anoo@linux.vnet.ibm.com>,
	"openbmc\@lists.ozlabs.org" <openbmc@lists.ozlabs.org>
Subject: RE: BMC Image Signing Proposal
Date: Fri, 23 Feb 2018 12:44:16 +1100	[thread overview]
Message-ID: <877er4pjin.fsf@linux.vnet.ibm.com> (raw)
In-Reply-To: <MWHPR21MB086454F2C875043A3B7FCBF9D6F10@MWHPR21MB0864.namprd21.prod.outlook.com>

Yugi Mani <yupalani@microsoft.com> writes:
> We should consider both of these requirements for image signing:
> 1. Update verification
> 2. Boot Verification
>
> Appending signature to image meets verification during firmware update. To do verification on every boot, we need something like FIT.  
> https://chromium.googlesource.com/chromiumos/third_party/u-boot-next/+/chromeos-v2013.06/doc/uImage.FIT
>
> As far as actual signing is concerned, we don't have access to private key for security reasons. We should support two models:
> Model 1:
> Source code has private key and signing is part of build process ("bitbake obmc-phosphor-image")
>
> Model 2:
> Source code does not have private key, Signing is done externally and
> some post-processing is done to add hash to image.  (maybe a new task,
> "bitbake obmc-phosphor-image -c add_hash")

For reference, for OpenPOWER host firmware, we support three models:

Local mode (a.k.a. development mode) — Build the container and sign
using locally available private keys. Signatures are generated using
simple openssl operations. Because the private keys are exposed on the
local system (the build machine), this mode should be used only for
development signing, or when the user is confident that the build
machine is secure against unauthorized access.

Independent mode — Generate the signing requests locally and export the
requests for signing externally. External signing is by user's method of
choice: any method capable of generating a ECDSA p521 signature (the
built-in support uses openssl). Resulting signatures are re-imported to
the container build process, to create the completed container. No
private or privileged information is exposed at the build machine.

Production mode — Build the container locally and interface with the
remote signframework to retrieve signatures and (public) keys as
needed. Signing is done remotely on a secure signing server using a
hardware security module (HSM). Private keys are stored securely in the
HSM and never exposed. Completed signatures are returned by the
signframework and integrated into the container.

(gratuitously copy&pasted from Nick's great docs up at
https://github.com/open-power/sb-signing-utils/wiki )

-- 
Stewart Smith
OPAL Architect, IBM.

next prev parent reply	other threads:[~2018-02-23  1:45 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-25 21:15 BMC Image Signing Proposal anoo
2018-01-26 11:07 ` Alexander Amelkin
2018-01-29  6:30   ` Andrew Jeffery
2018-01-29 15:50     ` Simon Glass
2018-01-29 20:59       ` Vernon Mauery
2018-01-30  4:47     ` Stewart Smith
2018-01-30  6:18       ` Joel Stanley
2018-01-30 16:20         ` Simon Glass
2018-01-30 23:53         ` Stewart Smith
2018-01-31 21:13           ` Adriana Kobylak
2018-02-08 20:27             ` Adriana Kobylak
2018-02-10  1:36               ` Yugi Mani
2018-02-13 22:33                 ` Adriana Kobylak
2018-02-13 22:34                   ` Adriana Kobylak
2018-02-15  4:07                     ` Joel Stanley
2018-02-19 21:04                       ` Adriana Kobylak
2018-02-23  1:44                 ` Stewart Smith [this message]
2018-02-23 20:30                   ` Vernon Mauery
2018-02-15  4:10               ` Joel Stanley
2018-02-23  1:47               ` Stewart Smith
2018-02-27 22:13                 ` Adriana Kobylak
2018-05-15  2:06                   ` Lei YU
2018-05-15 18:18                     ` Yugi Mani
2018-05-15 23:03                       ` Stewart Smith
2018-05-16 16:02                       ` Vernon Mauery
2018-05-18  3:33                         ` Lei YU
2018-05-18 16:01                           ` Adriana Kobylak
2018-05-18 21:02                             ` Vernon Mauery
2018-05-22  6:46                               ` Lei YU
2018-05-22 15:30                                 ` Vernon Mauery
2018-05-22 18:28                                   ` Vernon Mauery
2018-05-24 17:12                                     ` Adriana Kobylak
2018-05-24 19:34                                       ` Vernon Mauery
2018-05-25  7:03                                       ` Lei YU
2018-05-15 20:00                     ` Stewart Smith
2018-01-30  4:39   ` Stewart Smith
2018-01-29  5:56 ` Andrew Jeffery
2018-01-29 21:07   ` Vernon Mauery
2018-01-29 10:44 ` Avi Fishman
2018-01-29 14:40   ` Eugene.Cho

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=877er4pjin.fsf@linux.vnet.ibm.com \
    --to=stewart@linux.vnet.ibm.com \
    --cc=anoo@linux.vnet.ibm.com \
    --cc=openbmc@lists.ozlabs.org \
    --cc=yupalani@microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.