#
3596dc23 |
| 13-Aug-2023 |
Andrew Jeffery <andrew@aj.id.au> |
meta-ibm: u-boot-aspeed-sdk: Leave key retirement unspecified
IBM observed consistent hangs in the `uart_otp` tool when programming the OTP image into the SoC. This was root-caused by Aspeed:

> Message-ID: <TYZPR06MB677027C95FCFABCDA6F81C4D800DA@TYZPR06MB6770.apcprd06.prod.outlook.com>
> From: Neal Liu <neal_liu@aspeedtech.com>
> Subject: Server Management technical issue by Rose.Drehmel@us.ibm.com
>
> Hi Andrew,
>
> It’s okay, I found the problem.
>
> The utility timeout is because it programs key retire bits in
> OTPCFG4[7:0] without enabling secure boot.
>
> In the case of secure boot is enabled, the hardware would detect the
> current boot up key number #id, and it can only retire the number
> which is smaller than the current boot up key #id.
> If not, the OTP status will keep busy, and the utility stocks in
> polling loop.
>
> If you still want to disable key #0 without enabling secure boot,
> OTPCFG0[5] can be another option for you.
>
> I also provide a new programmer.bin to fix this infinite loop problem
> in case user thought BMC is crashed.
>
> You can try it with this command:
>
> $ uart_otp -s 2600 -p ast2600_otp_programmer.bin /dev/ttyUSBx
>
> Thanks
>
> Best Regards,
>
> -Neal
In discussion with Chris we determined that we were not intentionally attempting to retire the development / low-security key, rather were just trying to be complete in the specification of our configuration.
Neal responded to our request of how to avoid programming a key retirement in the configuration file:

> Message-ID: <TYZPR06MB67700B238DB429A51E048E328010A@TYZPR06MB6770.apcprd06.prod.outlook.com>
> From: Neal Liu <neal_liu@aspeedtech.com>
> Subject: Server Management technical issue by Rose.Drehmel@us.ibm.com
>
> Hi Andrew,
>
> Just delete line #72 as unspecified value.
>
> Thanks
>
> Best Regards,
>
> -Neal
>>
>> From: Andrew Jeffery <andrewrj@au1.ibm.com>
>> To: Neal Liu <neal_liu@aspeedtech.com>
>> Subject: Re: Server Management technical issue by Rose.Drehmel@us.ibm.com
>>
>> Hi Neal,
>>
>> I've discussed your findings with Chris Engel, who is our platform
>> security person. We determined that we do not want to mark the low
>> security key as retired in the OTP as we're handling that via the
>> FWSPIMISO strapping pin.
>>
>> What change should I make to our OTP configuration so that we don't
>> retire key 0 during programming?
>>
>> Andrew
Line 72 in this case refers to our OTP configuration file:
https://github.com/openbmc/openbmc/blob/2a25492c13e2b768f94b864a51f84e82e4238aef/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ibm.json#L72
Leave "Keys Retire ID" unspecified to avoid leaving the OTP engine busy.
Cc: Chris Engel <cjengel@us.ibm.com>
Cc: Rose Drehmel <Rose.Drehmel@us.ibm.com>
Cc: Briana Foxworth <befoxwor@us.ibm.com>
Cc: Nicole Nett <nschwart@us.ibm.com>
Change-Id: Ib6b75a40f5debd5ba1166f0f69a07114b76d9c34
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
#
115f49a6 |
| 08-Aug-2022 |
Andrew Jeffery <andrew@aj.id.au> |
meta-ibm: p10bmc: Rename otptool config
Better communicate whose P10 systems are the target of the configuration.
Change-Id: I561750df9b32512753d9ce644088c2130ebb6a55
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>