1# Secure Flash Update Mechanism 2 3This document describes the OpenBmc software implementing the secure flash 4update mechanism. 5 6The primary details are 7[here](https://github.com/openbmc/docs/blob/master/designs/firmware-update-via-blobs.md). 8 9## Building and using the host-tool 10 11This repo contains a host-tool implementation for talking to the corresponding 12BMC blob handler. 13 14### Building the host-tool 15 16The host-tool depends on ipmi-blob-tool and pciutils. 17 18#### Building libpciaccess 19 20Check out the 21[xorg-macros source](https://gitlab.freedesktop.org/xorg/util/macros). 22 23Then run these commands in the source directory. 24 25``` 26./autogen.sh --prefix=/usr 27make install 28``` 29 30Check out the 31[libpciaccess source](https://gitlab.freedesktop.org/xorg/lib/libpciaccess). 32 33Then run these commands in the source directory. 34 35``` 36./autogen.sh 37make 38make install 39``` 40 41#### Building ipmi-blob-tool 42 43Check out the 44[ipmi-blob-tool source](https://github.com/openbmc/ipmi-blob-tool). 45 46Then run these commands in the source directory. 47 48``` 49./bootstrap.sh 50./configure 51make 52make install 53``` 54 55#### Building stdplus 56 57Check out the [stdplus source](https://github.com/openbmc/stdplus). 58 59Then run these commands in the source directory. 60 61``` 62meson setup -Dexamples=false -Dtests=disabled builddir 63ninja -C builddir 64ninja -C builddir install 65``` 66 67#### Building burn_my_bmc (the host-tool) 68 69Check out the 70[phosphor-ipmi-flash source](https://github.com/openbmc/phosphor-ipmi-flash). 71 72Then run these commands in the source directory. 73 74``` 75./bootstrap.sh 76./configure --disable-build-bmc-blob-handler 77make 78make install 79``` 80 81_NOTE:_ When building from the OpenBMC SDK your configuration call will be: 82 83``` 84./configure --enable-oe-sdk --host "$(uname -m)" --disable-build-bmc-blob-handler AR=x86_64-openbmc-linux-gcc-ar RANLIB=x86_64-openbmc-linux-gcc-ranlib 85``` 86 87### Parameters 88 89The host-tool has parameters that let the caller specify every required detail. 90 91The required parameters are: 92 93| Parameter | Options | Meaning | 94| ----------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | 95| `command` | `update` | The tool should try to update the BMC firmware. | 96| `interface` | `ipmibt`, `ipmilpc`, `ipmipci`, `ipminet`, `ipmipci-skip-bridge-disable` | The data transport mechanism, typically `ipmilpc`. The `ipmipci-skip-bridge-disable` is `ipmipci` but does not disable the bridge after. | 97| `image` | path | The BMC firmware image file (or tarball) | 98| `sig` | path | The path to a signature file to send to the BMC along with the image file. | 99| `type` | blob ending | The ending of the blob id. For instance `/flash/image` becomes a type of `image`. | 100 101If you're using an LPC data transfer mechanism, you'll need two additional 102parameters: `address` and `length`. These values indicate where on the host 103you've reserved memory to be used for the transfer window. 104 105If you're using a net data transfer mechanism, you'll also need two additional 106parameters: `hostname` and `port`. These specify which address and port the tool 107should attempt to connect to the BMC using. If unspecified, the `port` option 108defaults to 623, the same port as IPMI LAN+. 109 110## Introduction 111 112This supports three methods of providing the image to stage. You can send the 113file over IPMI packets, which is a very slow process. A 32-MiB image can take ~3 114hours to send via this method. This can be done in <1 minutes via the PCI or net 115bridge, or just a few minutes via LPC depending on the size of the mapped area. 116 117This is implemented as a phosphor blob handler. 118 119The image must be signed via the production or development keys, the former 120being required for production builds. The image itself and the image signature 121are separately sent to the BMC for verification. The verification package source 122is beyond the scope of this design. 123 124Basically the IPMI OEM handler receives the image in one fashion or another and 125then triggers the `verify_image` service. Then, the user polls until the result 126is reported. This is because the image verification process can exceed 10 127seconds. 128 129### Using Legacy Images 130 131The image flashing mechanism itself is the initramfs stage during reboot. It 132will check for files named "`image-*`" and flash them appropriately for each 133name to section. The IPMI command creates a file `/run/initramfs/bmc-image` and 134writes the contents there. It was found that writing it in /tmp could cause OOM 135errors moving it on low memory systems, whereas renaming a file within the same 136folder seems to only update the directory inode's contents. 137 138### Using UBI 139 140The staging file path can be controlled via software configuration. The image is 141assumed to be the tarball contents and is written into `/tmp/{tarball_name}.gz` 142 143TODO: Flesh out the UBI approach. 144 145## Configuration 146 147To use `phosphor-ipmi-flash` a platform must provide a configuration. A platform 148can configure multiple interfaces, such as both lpc and pci. However, a platform 149should only configure either static layout updates, or ubi. If enabling lpc, the 150platform must specify either aspeed or nuvoton. The system also supports 151receiving BIOS updates. 152 153The following are the two primary configuration options, which control how the 154update is treated. 155 156| Option | Meaning | 157| ------------------------ | ------------------------------------------------------- | 158| `--enable-static-layout` | Enable treating the update as a static layout update. | 159| `--enable-tarball-ubi` | Enable treating the update as a tarball for UBI update. | 160| `--enable-host-bios` | Enable receiving the update for a host bios update. | 161 162The following are configuration options for how the host and BMC are meant to 163transfer the data. By default, the data-in-IPMI mechanism is enabled. 164 165There are three configurable data transport mechanisms, either staging the bytes 166via the LPC memory region, the PCI-to-AHB memory region, or sending over a 167network connection. Because there is only one `MAPPED_ADDRESS` variable at 168present, a platform should not configure LPC and P2A at the same time. The 169platform's device-tree may have the region locked to a specific driver 170(lpc-aspeed-ctrl), preventing the region from other use. 171 172**_NOTE:_** It will likely be possible to configure both LPC and P2A in the near 173future. 174 175| Variable | Default | Meaning | 176| ---------------- | ------- | -------------------------------------------------------------------- | 177| `MAPPED_ADDRESS` | 0 | The address used for mapping P2A or LPC into the BMC's memory-space. | 178 179If a platform enables p2a as the transport mechanism, a specific vendor must be 180selected via the following configuration option. Currently, only one is 181supported. 182 183| Option | Meaning | 184| --------------------- | ---------------------- | 185| `--enable-aspeed-p2a` | Use with ASPEED parts. | 186 187If a platform enables lpc as the transport mechanism, a specific vendor must be 188selected via the following configuration option. Currently, only two are 189supported. 190 191| Option | Meaning | 192| ---------------------- | ----------------------- | 193| `--enable-aspeed-lpc` | Use with ASPEED parts. | 194| `--enable-nuvoton-lpc` | Use with Nuvoton parts. | 195 196A platform may also enable the network transport mechanism. 197 198NOTE: This mechanism is only intended to be used in-band and not exposed 199externally, as it doesn't implement any encryption or integrity verification. 200 201| Option | Meaning | 202| --------------------- | --------------------------- | 203| `--enable-net-bridge` | Enable net transport bridge | 204 205There are also options to control an optional clean up mechanism. 206 207| Option | Meaning | 208| ------------------------- | ------------------------------------------------ | 209| `--enable-cleanup-delete` | Provide a simple blob id that deletes artifacts. | 210 211If the update mechanism desired is simply a BMC reboot, a platform can just 212enable that directly. 213 214| Option | Meaning | 215| ------------------------ | -------------------------------------- | 216| `--enable-reboot-update` | Enable use of reboot update mechanism. | 217 218If you would like the update status to be tracked with a status file, this 219option can be enabled. Note that `--enable-update-status` option and the above 220`--enable-reboot-update` option cannot be enabled at the same time. 221 222| Option | Meaning | 223| ------------------------ | --------------------------------- | 224| `--enable-update-status` | Enable use of update status file. | 225 226If you would like to use host memory access to update on a PPC platform, this 227configuration option needs to be enabled. 228 229| Option | Meaning | 230| -------------- | ------------------------------ | 231| `--enable-ppc` | Enable PPC host memory access. | 232 233### Internal Configuration Details 234 235The following variables can be set to whatever you wish, however they have 236usable default values. 237 238| Variable | Default | Meaning | 239| ----------------------------- | ----------------------------------------- | ------------------------------------------------------------------------- | 240| `STATIC_HANDLER_STAGED_NAME` | `/run/initramfs/bmc-image` | The filename where to write the staged firmware image for static updates. | 241| `TARBALL_STAGED_NAME` | `/tmp/image-update.tar` | The filename where to write the UBI update tarball. | 242| `HASH_FILENAME` | `/tmp/bmc.sig` | The file to use for the hash provided. | 243| `PREPARATION_DBUS_SERVICE` | `phosphor-ipmi-flash-bmc-prepare.target` | The systemd target started when the host starts to send an update. | 244| `VERIFY_STATUS_FILENAME` | `/tmp/bmc.verify` | The file checked for the verification status. | 245| `VERIFY_DBUS_SERVICE` | `phosphor-ipmi-flash-bmc-verify.target` | The systemd target started for verification. | 246| `UPDATE_DBUS_SERVICE` | `phosphor-ipmi-flash-bmc-update.target` | The systemd target started for updating the BMC. | 247| `UPDATE_STATUS_FILENAME` | `/tmp/bmc.update` | The file checked for the update status. | 248| `BIOS_STAGED_NAME` | `/tmp/bios-image` | The file to use for staging the bios firmware update. | 249| `BIOS_VERIFY_STATUS_FILENAME` | `/tmp/bios.verify` | The file checked for the verification status. | 250| `PREPARATION_BIOS_TARGET` | `phosphor-ipmi-flash-bios-prepare.target` | The systemd target when the host starts to send an update. | 251| `VERIFY_BIOS_TARGET` | `phosphor-ipmi-flash-bios-verify.target` | The systemd target started for verification. | 252| `UPDATE_BIOS_TARGET` | `phosphor-ipmi-flash-bios-update.target` | The systemd target started for updating the BIOS. | 253 254## JSON Configuration 255 256Read the [details](bmc_json_config.md) of the json configuration. The json 257configurations are used to configure the BMC's flash handler behaviors. 258 259## Flash State Machine Details 260 261[This document](ipmi_flash.md) describes the details of the state machine 262implemented and how different interactions with it will respond. This also 263describes how a host-side tool is expected to talk to it (triggering different 264states and actions). 265