[v2,3/3] doc/bmc: Document SBE validation on P8 platforms

Message ID	20190426044306.22410-3-sam@mendozajonas.com
State	Superseded
Headers	show Return-Path: <skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org> From: Samuel Mendoza-Jonas <sam@mendozajonas.com> To: skiboot@lists.ozlabs.org Date: Fri, 26 Apr 2019 14:43:06 +1000 Message-Id: <20190426044306.22410-3-sam@mendozajonas.com> In-Reply-To: <20190426044306.22410-1-sam@mendozajonas.com> References: <20190426044306.22410-1-sam@mendozajonas.com> MIME-Version: 1.0 Subject: [Skiboot] [PATCH v2 3/3] doc/bmc: Document SBE validation on P8 platforms Precedence: list Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org Sender: "Skiboot" <skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>
Series	[v2,1/3] include/ipmi: Fix incorrect chassis commands \| expand [v2,1/3] include/ipmi: Fix incorrect chassis commands [v2,2/3] platforms/astbmc: Check for SBE validation step [v2,3/3] doc/bmc: Document SBE validation on P8 platforms

Message ID

20190426044306.22410-3-sam@mendozajonas.com

State

Superseded

Headers

From: Samuel Mendoza-Jonas <sam@mendozajonas.com>
To: skiboot@lists.ozlabs.org
Date: Fri, 26 Apr 2019 14:43:06 +1000
Message-Id: <20190426044306.22410-3-sam@mendozajonas.com>
In-Reply-To: <20190426044306.22410-1-sam@mendozajonas.com>
References: <20190426044306.22410-1-sam@mendozajonas.com>
MIME-Version: 1.0
Subject: [Skiboot] [PATCH v2 3/3] doc/bmc: Document SBE validation on P8
	platforms
Precedence: list
Cc: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org
Sender: "Skiboot"
	<skiboot-bounces+incoming=patchwork.ozlabs.org@lists.ozlabs.org>

Series

[v2,1/3] include/ipmi: Fix incorrect chassis commands | expand

Checks

Context	Check	Description
snowpatch_ozlabs/apply_patch	success	Successfully applied on branch master (d318cdb3863fcf92288528bfed3b6e435cf6f0ef)
snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot	success	Test snowpatch/job/snowpatch-skiboot on branch master
snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot-dco	success	Signed-off-by present

Context

Check

Description

snowpatch_ozlabs/apply_patch

success

Successfully applied on branch master (d318cdb3863fcf92288528bfed3b6e435cf6f0ef)

snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot

success

Test snowpatch/job/snowpatch-skiboot on branch master

snowpatch_ozlabs/snowpatch_job_snowpatch-skiboot-dco

success

Signed-off-by present

Commit Message

Sam Mendoza-Jonas April 26, 2019, 4:43 a.m. UTC

Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
---
 doc/bmc.rst | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/doc/bmc.rst b/doc/bmc.rst
index bbb390a7..a876aa06 100644
--- a/doc/bmc.rst
+++ b/doc/bmc.rst
@@ -53,3 +53,25 @@  Real-time clock
 
 On platforms where a real-time-clock is not available, skiboot may use the
 IPMI SEL Time as a real-time-clock device.
+
+SBE validation
+--------------
+
+On some P8 platforms with an AMI or SMC BMC (ie. astbmc) SBE validation is done
+by a tool on the BMC. This is done to inspect the SBE and detect if a malicious
+host has written to the SBE, especially in multi-tenant
+"Bare-Metal-As-A-Service" scenarios.
+
+To complicate this the SBE validation occurs at host-runtime and reads the SBE
+SEEPROM over I2C using the FSI master which will conflict with anything the
+host may be doing at the same time. To avoid this Skiboot will pause boot until
+the validation is complete.
+If SBE validation is required the BMC will communicate this to Skiboot by
+setting an IPMI System Boot Option with OEM parameter 0x62. When this flag is
+set Skiboot will pause and wait for the validation to complete and the flag to
+be cleared. This ensures the validation completes before the execution is passed
+to Petitboot and the host operating system. During this process Skiboot will
+print
+      SBE validation required, waiting for completion
+      System will be powered off if validation fails
+to the console with an update every minute until complete.

[v2,3/3] doc/bmc: Document SBE validation on P8 platforms

Checks

Commit Message

Patch