author: Andrew Jeffery <andrew@aj.id.au> 2023-08-14 05:10:35 +0300
committer: Andrew Jeffery <andrew@aj.id.au> 2023-09-01 05:46:41 +0300
commit: 3596dc23c54f7c26579558a03214ef8017c8df10
tree: 89ded8c781da45ab288ec31441d5819758bb407c
parent: 7c92857b506f93640474f9809bdb0f23fa45e900
meta-ibm: u-boot-aspeed-sdk: Leave key retirement unspecified

IBM observed consistent hangs in the `uart_otp` tool when programming the OTP image into the SoC. This was root-caused by Aspeed:

> Message-ID: <TYZPR06MB677027C95FCFABCDA6F81C4D800DA@TYZPR06MB6770.apcprd06.prod.outlook.com>
> From: Neal Liu <neal_liu@aspeedtech.com>
> Subject: Server Management technical issue by Rose.Drehmel@us.ibm.com
>
> Hi Andrew,
>
> It’s okay, I found the problem.
>
> The utility timeout is because it programs key retire bits in
> OTPCFG4[7:0] without enabling secure boot.
>
> In the case of secure boot is enabled, the hardware would detect the
> current boot up key number #id, and it can only retire the number
> which is smaller than the current boot up key #id.
> If not, the OTP status will keep busy, and the utility stocks in
> polling loop.
>
> If you still want to disable key #0 without enabling secure boot,
> OTPCFG0[5] can be another option for you.
>
> I also provide a new programmer.bin to fix this infinite loop problem
> in case user thought BMC is crashed.
>
> You can try it with this command:
>
> $ uart_otp -s 2600 -p ast2600_otp_programmer.bin /dev/ttyUSBx
>
> Thanks
>
> Best Regards,
>
> -Neal

In discussion with Chris we determined that we were not intentionally attempting to retire the development / low-security key, rather were just trying to be complete in the specification of our configuration.

Neal responded to our request of how to avoid programming a key retirement in the configuration file:

> Message-ID: <TYZPR06MB67700B238DB429A51E048E328010A@TYZPR06MB6770.apcprd06.prod.outlook.com>
> From: Neal Liu <neal_liu@aspeedtech.com>
> Subject: Server Management technical issue by Rose.Drehmel@us.ibm.com
>
> Hi Andrew,
>
> Just delete line #72 as unspecified value.
>
> Thanks
>
> Best Regards,
>
> -Neal
>>
>> From: Andrew Jeffery <andrewrj@au1.ibm.com>
>> To: Neal Liu <neal_liu@aspeedtech.com>
>> Subject: Re: Server Management technical issue by Rose.Drehmel@us.ibm.com
>>
>> Hi Neal,
>>
>> I've discussed your findings with Chris Engel, who is our platform
>> security person. We determined that we do not want to mark the low
>> security key as retired in the OTP as we're handling that via the
>> FWSPIMISO strapping pin.
>>
>> What change should I make to our OTP configuration so that we don't
>> retire key 0 during programming?
>>
>> Andrew

Line 72 in this case refers to our OTP configuration file:

https://github.com/openbmc/openbmc/blob/2a25492c13e2b768f94b864a51f84e82e4238aef/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ibm.json#L72

Leave "Keys Retire ID" unspecified to avoid leaving the OTP engine busy.

Cc: Chris Engel <cjengel@us.ibm.com>
Cc: Rose Drehmel <Rose.Drehmel@us.ibm.com>
Cc: Briana Foxworth <befoxwor@us.ibm.com>
Cc: Nicole Nett <nschwart@us.ibm.com>
Change-Id: Ib6b75a40f5debd5ba1166f0f69a07114b76d9c34
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>

-rw-r--r-- meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ibm.json 1
-rw-r--r-- meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ips.json 1
2 files changed, 0 insertions, 2 deletions
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ibm.json b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ibm.json
index 59c92a0898..23f7bf992b 100644
--- a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ibm.json
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ibm.json
@@ -69,7 +69,6 @@
"Extra Data Write Protection Region Size": "0x0",
"Erase signature data after secure boot check": false,
"Erase RSA public key after secure boot check": false,
- "Keys Retire ID": 0,
"User define data: random number low": "0x0",
"User define data: random number high": "0x0",
"Manifest ID": "0x0",
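Review bot: Dropping `"Keys Retire ID": 0,` after the "Erase RSA public key after secure boot check" entry leaves nothing in the tree to say the field is deliberately unspecified. The commit message says the entry was originally present only to make the configuration complete, so the same reasoning could bring it back later. JSON cannot carry a comment, so consider recording next to this file (in the recipe or a short README) that key retirement is intentionally left unspecified and that the low-security key is handled via the FWSPIMISO strapping pin, as the message states.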
diff --git a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ips.json b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ips.json
index 6c7a258769..622c6184ab 100644
--- a/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ips.json
+++ b/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ips.json
@@ -68,7 +68,6 @@
"Extra Data Write Protection Region Size": "0x0",
"Erase signature data after secure boot check": false,
"Erase RSA public key after secure boot check": false,
- "Keys Retire ID": 0,
"User define data: random number low": "0x0",
"User define data: random number high": "0x0",
"Manifest ID": "0x0",
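Review bot: The same `"Keys Retire ID": 0,` entry is removed from ips.json (line 71 going by the hunk header), but the commit message only cites ibm.json line 72 and Neal's reply about that file. Please extend the message to say that ips.json carried the identical setting and is changed for the same reason, so it is clear the two configurations are being kept in step, and state whether OTP programming was retested with both files.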