Gaudi Secure Boot

Gaudi employs several security mechanisms against remote attacks. It implements a secure boot process used as a root of trust. The boot image is stored in the SPI hash and chain of trust, which U-boot and Linux use to read over PCIe.

Note

The Gaudi secure boot mechanism is required for first-gen Gaudi only. For Gaudi 3 and Gaudi 2, secure boot is enabled by default.

../../_images/enable_secure_boot.JPG

Enabling Gaudi Secure Boot Flow

The following steps describe how to enable secure boot on all available cards. To enable secure boot on a specific card, use -d argument. For more information, see Firmware Update Tool.

  1. Write OTP data to the device. The OTP data includes the hash of the public key which can be used with the device:

    hl-fw-loader -f /lib/firmware/habanalabs/gaudi/gaudi-otp.itb
    
  2. Enable efuse power. Efuse power supply is controlled from the BMC. It is another security measure in which the host cannot program efuse without having BMC access. The power supply is turned off automatically after 5 minutes of operation. To enable the power supply for burning the efuse on all devices, run -d all:

    hl-i2c-util --efuse-wr-en off -d all
    

    Or, enable on a specific device (OAM1 for example):

    hl-i2c-util --efuse-wr-en off -d 1
    
  3. Send a request to enable security. During this stage, the device temporarily switches to secure boot mode and reboots. After passing the boot sequence successfully in secure boot mode, the efuse is consequently burnt. After the efuse is burnt, secure boot mode becomes permanently active:

    hl-fw-loader -f /lib/firmware/habanalabs/gaudi/gaudi-security_enable.itb
    
  4. Reset the host (hypervisor). Secured Gaudi has a different PCI ID than unsecured Gaudi, therefore, after enabling security, the host (hypervisor) should be reset. After reset, the Gaudi device is identified with the secured Gaudi PCI ID.

  5. Revoke obsolete keys and security versions. After enabling secure boot mode successfully, obsolete keys and security versions need to be revoked. By using a FIT file for revocation, the device revokes all keys and security versions sequentially until the present one:

    hl-fw-loader -f /lib/firmware/habanalabs/gaudi/gaudi-revoke_key.itb
    

Note

  • Revocation steps also use efuse, so in case of delay in the process, it is recommended to enable the efuse power again before revocation steps.

  • Secure boot mode is irreversible.

  • Keys and security versions revocation is irreversible.

Checking Gaudi Secure Boot Status

To check the secure boot status, run the following command:

sudo hl-fw-loader -f /lib/firmware/habanalabs/gaudi3/gaudi3-security_status.itb
sudo hl-fw-loader -f /lib/firmware/habanalabs/gaudi2/gaudi2-security_status.itb
hl-fw-loader -f /lib/firmware/habanalabs/gaudi/gaudi-security_status.itb

The output of hl-fw-loader contains the secure boot status:

Security:       Enabled [Permanent: True]
Keys Present:   Yes
        [0]: Valid
        [1]: Valid
        [2]: Valid
        [3]: Valid
        [4]: Valid
Minimal SVN:    0
Flash W/P:      On
Memory Clean:   No
Security:       Enabled
Keys Present:   Yes
        [0]: Valid
        [1]: Valid
        [2]: Valid
        [3]: Valid
        [4]: Valid
Minimal SVN:    0
Flash W/P:      Off