Author Topic: Secure Mode?  (Read 3608 times)

jas

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Secure Mode?
« on: July 29, 2022, 02:53:49 pm »
Hi.  I have a Talos II Lite system.  Is there any documentation on the 'Secure Mode' jumper, and how to setup things and enable the jumper?  It came shipped disabled and I reckon that is responsible for the following boot log output.  Did anyone try setting the jumper?  I'd rather not touch things without more information.  If someone knows what exactly it does that would be a good starting point to learn if this is something that is relevant to pursue.

Code: [Select]
  9.16916|SECURE|Security Access Bit> 0x0000000000000000
  9.16917|SECURE|Secure Mode Disable (via Jumper)> 0x8000000000000000
...
[   50.223613319,3] STB: VERSION verification FAILED. log=0xffffffffffff8160
[   51.341625520,3] STB: IMA_CATALOG verification FAILED. log=0xffffffffffff8160
[   52.027211979,3] CAPP: Error loading ucode lid. index=203d1
...
[   64.478188034,3] STB: BOOTKERNEL verification FAILED. log=0xffffffffffff8160

AdamJoseph

  • Newbie
  • *
  • Posts: 16
  • Karma: +3/-0
    • View Profile
Re: Secure Mode?
« Reply #1 on: July 29, 2022, 03:58:18 pm »

AdamJoseph

  • Newbie
  • *
  • Posts: 16
  • Karma: +3/-0
    • View Profile
Re: Secure Mode?
« Reply #2 on: July 29, 2022, 04:06:15 pm »
To expand a bit... various schemes for "secure boot" usually involve a "master public key" in one-time programmable memory (usually called eFUSE) which can be written to only once.  It is extremely difficult and usually impossible to obtain chips which for which these fuses haven't already been written -- even if they're written with all zeroes.

POWER9 has a much better approach: there is a tiny 64kbyte flash die inside the CPU package which holds two copies of the master signing key, as well as two copies of the earliest instructions executed by the CPU (other chips call this the MASKROM).  You can rewrite these!  But they are write-protected by default, so that malware can't replace them.

Installing the "secure mode disable" jumper un-write-protects the keys so you can change them.  You should remove the jumper to re-write-protect the keys afterwards.

The early Chromebooks implemented a similar scheme using the write-protect pin on their CPU's bootloader flash chip, and also the Embedded Controller's flash chip.  The EC flash implemented the "two copies" scheme as well.  POWER9 has it built in to the CPU.
« Last Edit: July 29, 2022, 04:11:50 pm by AdamJoseph »

jas

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Re: Secure Mode?
« Reply #3 on: July 29, 2022, 05:15:12 pm »
Thank you for the pointer!  Case closed (unless I run into problems following those steps...).