POWER systems are known to provide a highly secure server platform. POWER9 hardware and firmware make substantial improvements that harden it further for Cloud deployment, adding Secure Boot built on a host-processor-based chain of trust. Our previous blog addressed the Firmware Chain of Trust. Here we will describe how Partition Firmware (PFW) has extended the concept of secure boot to include the Open Firmware (FCode) drivers loaded from I/O adapters, and the access privileges at the Open Firmware prompt.
With the release of the FW940 Power System driver in 4Q2019, PFW will extend the concept of firmware secure boot to include validation of adapter boot drivers and restriction of access privileges at the Open Firmware prompt.
The secure PFW that was authenticated and measured by PHYP will extend firmware secure boot during partition IPL. All PCIe devices are probed during construction of the device tree. The probe process adds device specific information to the device tree as properties. A PCIe device that can be used to boot the operating system provides an FCode device driver in the Expansion ROM on the adapter. PFW will cryptographically authenticate the FCode device driver before loading the driver into partition memory and allowing it to execute.
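To illustrate the authenticate-before-load step described above, the following added example (not IBM's PFW code) walks a PCI Expansion ROM dump using the standard ROM header and PCI Data Structure layout, selects the Open Firmware (code type 1) image, and releases it only if it validates. The SHA-256 allow-list is an assumed stand-in for the signature check, whose format this post does not describe; the function names and the sample ROM are constructed for the example.

```python
import hashlib
import struct

CODE_TYPE_OPEN_FIRMWARE = 1  # PCI Data Structure code type for FCode images


def iter_rom_images(rom):
    """Yield (code_type, image_bytes) for each image in an Expansion ROM."""
    offset = 0
    while offset + 0x1A <= len(rom):
        if rom[offset:offset + 2] != b"\x55\xaa":
            raise ValueError(f"bad ROM signature at {offset:#x}")
        (ptr,) = struct.unpack_from("<H", rom, offset + 0x18)
        pcir = offset + ptr
        if pcir + 0x18 > len(rom) or rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"bad PCI Data Structure at {pcir:#x}")
        (units,) = struct.unpack_from("<H", rom, pcir + 0x10)
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        end = offset + units * 512  # image length is in 512-byte units
        if units == 0 or end > len(rom):
            raise ValueError("image length runs outside the ROM")
        yield code_type, rom[offset:end]
        if indicator & 0x80:  # bit 7 marks the last image
            return
        offset = end


def load_fcode(rom, trusted_digests):
    """Return the FCode image only if it validates; refuse it otherwise."""
    for code_type, image in iter_rom_images(rom):
        if code_type != CODE_TYPE_OPEN_FIRMWARE:
            continue
        if hashlib.sha256(image).hexdigest() in trusted_digests:
            return image
        raise PermissionError("FCode image failed validation; not loaded")
    raise LookupError("no Open Firmware image in this ROM")


def make_image(code_type, payload, last):
    """Build a constructed 512-byte sample image (IDs are made up)."""
    pcir = struct.pack("<4sHHHHB3sHHBBH", b"PCIR", 0x1234, 0x5678, 0, 0x18,
                       0, b"\0\0\0", 1, 0, code_type, 0x80 if last else 0, 0)
    header = b"\x55\xaa" + bytes(0x16) + struct.pack("<H", 0x1C) + bytes(2)
    return (header + pcir + payload).ljust(512, b"\0")


# Constructed sample: an x86 option ROM image followed by an FCode image.
SAMPLE_ROM = (make_image(0, b"constructed x86 option ROM", False)
              + make_image(1, b"constructed FCode bytes", True))
```

A single changed byte anywhere in the FCode image changes its digest, so `load_fcode` raises instead of returning the driver.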
All adapters that are supported for boot on POWER9 systems now provide adapter firmware images that contain the cryptographically signed FCode drivers. The images are available on Fix Central. To get the full benefit of PFW firmware secure boot, it is highly recommended that all I/O adapters be updated to the latest firmware level prior to updating the system driver to FW940 and later. Failure to do so will cause one of the following System Reference Codes (SRCs) to be logged for each device that fails the FCode validation:
Access privileges at the Open Firmware prompt must be restricted to preserve the secure boot status of the PFW code loaded on the partition. The new Restricted OF Prompt will limit input and execution to a defined set of macros. The option to access the Restricted OF Prompt will be displayed on the splash screen. You will see that the “8 = Open Firmware Prompt” option has been replaced with the “9 = Restricted Open Firmware Prompt” option.
To see the list of supported macros, type macro_help at the Restricted OF Prompt.