Gaudi Secure Boot

Gaudi employs several security mechanisms against remote attacks. It implements a secure boot process used as a root of trust. The boot image is stored in the SPI flash and chain of trust, which U-boot and Linux use to read over PCIe.

Note

The Gaudi Secure Boot security mechanism is required only for first-gen Gaudi. For Gaudi 2, the mechanism is enabled by default.

Enabling Gaudi Secure Boot Diagram

[Figure: enable_secure_boot.JPG]

Enabling Gaudi Secure Boot Flow

The following steps describe how to enable secure boot on Gaudi devices. The commands below enable secure boot on all cards attached to the host. To enable secure boot on a specific card, use the -d argument. For more information, see Firmware Update Tool.

  1. Write OTP data to the device. The OTP data includes the hash of the public key which can be used with the device:

hl-fw-loader -f /lib/firmware/habanalabs/gaudi/gaudi-otp.itb

  2. Enable efuse power. The efuse power supply is controlled from the BMC. This is another security measure: the host cannot program the efuse without having BMC access. The power supply is turned off automatically after 5 minutes of operation. To enable the power supply for burning the efuse on all devices, run the command with -d all, as in the example below:

hl-i2c-util --efuse-wr-en off -d all

Or enable on a specific device (OAM1 for example):

hl-i2c-util --efuse-wr-en off -d 1

  3. Send the request for enabling security:

hl-fw-loader -f /lib/firmware/habanalabs/gaudi/gaudi-security_enable.itb

During this stage, the device temporarily switches to secure boot mode and reboots. After the device passes the boot sequence successfully in secure boot mode, the efuse is burnt. After the efuse is burnt, secure boot mode becomes permanently active.

  4. Reset the host (hypervisor). Secured Gaudi has a different PCI ID than unsecured Gaudi; therefore, after enabling security, the host (hypervisor) should be reset. After reset, the Gaudi device is identified with the secured Gaudi PCI ID.

  5. Revoke obsolete keys. After enabling secure boot mode successfully, obsolete keys need to be revoked. By using a FIT file for revocation, the device revokes all keys sequentially until the present key:

hl-fw-loader -f /lib/firmware/habanalabs/gaudi/gaudi-revoke_key.itb

  6. Revoke obsolete security versions. After enabling secure boot mode successfully, obsolete security versions need to be revoked. By using a FIT file for revocation, the device revokes all security versions until the present key:

hl-fw-loader -f /lib/firmware/habanalabs/gaudi/gaudi-revoke_key.itb

Note

The revocation steps also use the efuse, so if the process is delayed, it is recommended to enable the efuse power again before the revocation steps.

Note

  • Secure boot mode is irreversible.

  • Key revocation is irreversible.

  • Security version revocation is irreversible.

Checking Gaudi Secure Boot Status

To check the secure boot status, run the following command:

hl-fw-loader -f /lib/firmware/habanalabs/gaudi/gaudi-security_status.itb

The output of hl-fw-loader contains the secure boot status:

Security:       Enabled
Keys Present:   Yes
          [0]: Valid
          [1]: Valid
          [2]: Valid
          [3]: Valid
          [4]: Valid
Minimal SVN:    0
Flash W/P:      Off
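
Because enabling and revocation are irreversible, it is worth checking the status output mechanically before and after each step. The script below is an added example, not part of the Habana tooling: check_secure_boot is a hypothetical helper, and it assumes the field labels match the sample output above and that hl-fw-loader writes the status to standard output.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit the secure boot status text.
# Assumption: field labels are exactly those in the sample output on this page.

# check_secure_boot (hypothetical helper): reads status text on stdin, prints a
# one-line summary, and returns:
#   0  Security is Enabled, keys are present, at least one key slot is Valid
#   1  status was parsed but does not meet the conditions above
#   2  no "Security:" line found (fail closed on errors or unexpected output)
check_secure_boot() {
    awk '
        /^Security:/         { security = $2 }
        /^Keys Present:/     { keys = $3 }
        /^[ \t]*\[[0-9]+\]:/ { if ($2 == "Valid") valid++; else other++ }
        /^Minimal SVN:/      { svn = $3 }
        /^Flash W\/P:/       { wp = $3 }
        END {
            if (security == "") { print "status=unparsed"; exit 2 }
            printf "security=%s keys_present=%s valid_keys=%d other_keys=%d min_svn=%s flash_wp=%s\n",
                   security, keys, valid, other, svn, wp
            rc = (security == "Enabled" && keys == "Yes" && valid > 0) ? 0 : 1
            exit rc
        }'
}

# Constructed sample input: a copy of the status output shown on this page.
SAMPLE_STATUS='Security:       Enabled
Keys Present:   Yes
          [0]: Valid
          [1]: Valid
          [2]: Valid
          [3]: Valid
          [4]: Valid
Minimal SVN:    0
Flash W/P:      Off'

printf '%s\n' "$SAMPLE_STATUS" | check_secure_boot

# On a host with the tool installed (assumes status goes to standard output):
#   hl-fw-loader -f /lib/firmware/habanalabs/gaudi/gaudi-security_status.itb | check_secure_boot
```

Comparing the summary line before and after the revocation steps shows which key slots and which minimal SVN changed.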