meta-ibm: u-boot-aspeed-sdk: Leave key retirement unspecified
IBM observed consistent hangs in the `uart_otp` tool when programming the OTP image into the SoC. This was root-caused by Aspeed:

> Message-ID: <TYZPR06MB677027C95FCFABCDA6F81C4D800DA@TYZPR06MB6770.apcprd06.prod.outlook.com>
> From: Neal Liu <neal_liu@aspeedtech.com>
> Subject: Server Management technical issue by Rose.Drehmel@us.ibm.com
>
> Hi Andrew,
>
> It’s okay, I found the problem.
>
> The utility timeout is because it programs key retire bits in
> OTPCFG4[7:0] without enabling secure boot.
>
> In the case of secure boot is enabled, the hardware would detect the
> current boot up key number #id, and it can only retire the number
> which is smaller than the current boot up key #id.
> If not, the OTP status will keep busy, and the utility stocks in
> polling loop.
>
> If you still want to disable key #0 without enabling secure boot,
> OTPCFG0[5] can be another option for you.
>
> I also provide a new programmer.bin to fix this infinite loop problem
> in case user thought BMC is crashed.
>
> You can try it with this command:
>
> $ uart_otp -s 2600 -p ast2600_otp_programmer.bin /dev/ttyUSBx
>
> Thanks
>
> Best Regards,
>
> -Neal

In discussion with Chris we determined that we were not intentionally attempting to retire the development / low-security key, rather were just trying to be complete in the specification of our configuration.

Neal responded to our request of how to avoid programming a key retirement in the configuration file:

> Message-ID: <TYZPR06MB67700B238DB429A51E048E328010A@TYZPR06MB6770.apcprd06.prod.outlook.com>
> From: Neal Liu <neal_liu@aspeedtech.com>
> Subject: Server Management technical issue by Rose.Drehmel@us.ibm.com
>
> Hi Andrew,
>
> Just delete line #72 as unspecified value.
>
> Thanks
>
> Best Regards,
>
> -Neal
>>
>> From: Andrew Jeffery <andrewrj@au1.ibm.com>
>> To: Neal Liu <neal_liu@aspeedtech.com>
>> Subject: Re: Server Management technical issue by Rose.Drehmel@us.ibm.com
>>
>> Hi Neal,
>>
>> I've discussed your findings with Chris Engel, who is our platform
>> security person. We determined that we do not want to mark the low
>> security key as retired in the OTP as we're handling that via the
>> FWSPIMISO strapping pin.
>>
>> What change should I make to our OTP configuration so that we don't
>> retire key 0 during programming?
>>
>> Andrew

Line 72 in this case refers to our OTP configuration file:

https://github.com/openbmc/openbmc/blob/2a25492c13e2b768f94b864a51f84e82e4238aef/meta-ibm/recipes-bsp/u-boot/u-boot-aspeed-sdk/p10bmc/ibm.json#L72

Leave "Keys Retire ID" unspecified to avoid leaving the OTP engine busy.

Cc: Chris Engel <cjengel@us.ibm.com>
Cc: Rose Drehmel <Rose.Drehmel@us.ibm.com>
Cc: Briana Foxworth <befoxwor@us.ibm.com>
Cc: Nicole Nett <nschwart@us.ibm.com>
Change-Id: Ib6b75a40f5debd5ba1166f0f69a07114b76d9c34
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
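
A pre-flight check for the condition described in Neal's message, as an added example that is not part of this commit or of Aspeed's tooling: it looks for "Keys Retire ID" anywhere in an OTP configuration and reports the cases the message says leave the OTP status busy. The function names, the sample JSON layout, and the treatment of the value as one key number or a list of them are assumptions; the secure boot state and boot key number are passed in by the caller.

```python
import json

RETIRE_KEY = "Keys Retire ID"  # field name quoted in the commit message


def find_retire_ids(node):
    """Collect every value stored under "Keys Retire ID", at any depth."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == RETIRE_KEY:
                # Assumption: the value is one key number or a list of them.
                found.extend(value if isinstance(value, list) else [value])
            else:
                found.extend(find_retire_ids(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_retire_ids(item))
    return found


def preflight(config_text, secure_boot_enabled, boot_key_id=None):
    """Return the reasons a programming run would leave the OTP status busy."""
    problems = []
    for key_id in find_retire_ids(json.loads(config_text)):
        if not secure_boot_enabled:
            # Retire bits programmed without secure boot: the reported hang.
            problems.append(f"key {key_id}: retire requested without secure boot")
        elif boot_key_id is None or key_id >= boot_key_id:
            # Only keys numbered below the current boot key can be retired.
            problems.append(f"key {key_id}: not smaller than boot key {boot_key_id}")
    return problems


# Constructed sample configs; the layout is illustrative, not the real ibm.json.
WITH_RETIRE = '{"example_region": {"Keys Retire ID": 0}}'
UNSPECIFIED = '{"example_region": {}}'

if __name__ == "__main__":
    for name, text in (("with retire", WITH_RETIRE), ("unspecified", UNSPECIFIED)):
        print(name, preflight(text, secure_boot_enabled=False) or "ok")
```

An empty result means the configuration leaves key retirement unspecified or requests only retirements the hardware rule allows.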