PowerVM

POWER9 Firmware Secure Boot Partition Firmware Extensions on PowerVM

By Colleen Stouffer posted Tue June 16, 2020 09:45 AM

  
Figure 1


POWER systems are known to provide a highly secured server platform. POWER9 hardware and firmware are making substantial improvements to make it even more secure for Cloud deployment with the addition of Secure Bootbuilt on a host processor based chain of trust. Our previous blog addressed the Firmware Chain of Trust. Here we will describe how Partition Firmware (PFW) has extended the concept of secure boot to include the Open Firmware (FCode) drivers loaded from I/O adapters, and the access privileges at the Open Firmware prompt.

With the release of the FW940 Power System driver in 4Q2019, PFW will extend the concept of firmware secure boot to include validation of adapter boot drivers and restriction of access privileges at the Open Firmware prompt.  

Open Firmware Device Drivers

The secure PFW that was authenticated and measured by PHYP will extend firmware secure boot during partition IPL.  All PCIe devices are probed during construction of the device tree.  The probe process adds device specific information to the device tree as properties.  A PCIe device that can be used to boot the operating system provides an FCode device driver in the Expansion ROM on the adapter.  PFW will cryptographically authenticate the FCode device driver before loading the driver into partition memory and allowing it to execute.  

All adapters that are supported for boot on POWER9 systems now provide adapter firmware images that contain the cryptographically signed FCode drivers.  The images are available on Fix Central.  To get the full benefit of PFW firmware secure boot, it is highly recommended that all I/O adapters be updated to the latest firmware level prior to updating the system driver to FW940 and later.  Failure to do so will cause one of the following System Reference Codes (SRCs) to be logged for each device that fails the FCode validation:

 

SRC Explanation
BA5400A5 Firmware device driver has failed Secure Boot validation for the specified device function. The boot driver from the adapter is not trusted, therefore a trusted substitute version from system firmware was loaded in its place. This driver version may not be the latest version available. The log entry provides the location code of the failed PCI device function. The SMS menus can be used to see more detail regarding firmware device driver validation failures.
BA5400A6 Firmware device driver has failed Secure Boot validation for the specified device function. A trusted version of the driver is not available from system firmware, therefore the failed adapter driver was loaded. As a result, the Secure Boot feature may be compromised for the partition. The log entry provides the location code of the failed PCI device function. The SMS menus can be used to see more detail regarding firmware device driver validation failures.

Open Firmware Prompt

Access privileges at the Open Firmware prompt must be restricted to preserve the secure boot status of the PFW code loaded on the partition.  The new Restricted OF Prompt will limit input and execution to a defined set of macros.  The option to access the Restricted OF Prompt will be displayed on the splash screen.  You will see that the “8 = Open Firmware Prompt” option has been replaced with the “9 = Restricted Open Firmware Prompt” option.

 

Figure 2

To see the list of supported macros, type  macro_help at the Restricted OF Prompt.

Figure 3
Figure 4

For a more detailed description of the macros see the Restricted OF Prompt Users Guide.

Contacting the PowerVM Team

Have questions for the PowerVM team or want to learn more?  Follow our discussion group on LinkedIn IBM PowerVM or IBM Community Discussions


#powervmblog
#powervm
0 comments
53 views

Permalink