OPAL <--> BMC interactions
==========================

This document provides information about some of the user-visible interactions
that skiboot performs with the BMC.

IPMI sensors
------------

OPAL will interact with a few IPMI sensors during the boot process. These
are:

* Boot Count [type 0xc3: OEM reserved]
* FW Boot progress [type 0x0f: System Firmware Progress]

Boot Count: assertion type. When OPAL reaches a late stage of boot, it sets the
boot count sensor to 0x02. This is intended to allow the BMC to detect a failed
or aborted boot, for switching to a known-good firmware image.

FW Boot Progress: assertion type. During boot, skiboot will update this sensor
to one of the IPMI-defined progress codes. The codes used by skiboot are:

* PCI Resource configuration (0x01)

  * asserted as the PCI devices have been probed and resources allocated

* Motherboard init (0x14)

  * asserted as the platform-specific components have been initialised

* OS boot (0x13)

  * asserted after skiboot has loaded the PAYLOAD image, and is about to
    boot it.

Chassis control messages
------------------------

OPAL uses chassis control messages to instruct the BMC to remove power from
the host. These messages are sent during graceful reboot and shutdown processes
initiated by the host.

For a BMC-initiated graceful power-down (or reboot), the BMC is expected to send
an OEM-defined SEL message, using a SMS_ATN to trigger a BMC-to-host
notification. This SEL has a type of 0xc0, and command of 0x04. The data0 field
of the SEL indicates shutdown (0x0) or reboot (0x1).

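
As an added illustration (not skiboot's own code), a strict host-side decoder for the BMC-initiated power SEL described above, which acts only on the two defined data0 values and rejects malformed records. It assumes the standard 16-byte IPMI OEM timestamped record layout and, as labelled in the code, the position of the command and data0 bytes within the OEM data; the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPMI OEM timestamped SEL record (types 0xc0-0xdf), 16 bytes:
 * record id (2), type (1), timestamp (4), manufacturer id (3), OEM data (6). */
#define SEL_LEN        16
#define SEL_OFF_TYPE    2
#define SEL_OFF_OEM    10
/* ASSUMPTION (not stated on the page): inside the six OEM bytes,
 * byte 0 is a netfn, byte 1 the command, byte 2 the data0 field. */
#define SEL_OFF_CMD    (SEL_OFF_OEM + 1)
#define SEL_OFF_DATA0  (SEL_OFF_OEM + 2)

enum bmc_req { BMC_REQ_NONE, BMC_REQ_SHUTDOWN, BMC_REQ_REBOOT, BMC_REQ_INVALID };

/* Decode a BMC-to-host power request; anything unexpected is never acted on. */
enum bmc_req decode_power_sel(const uint8_t *rec, size_t len)
{
	if (!rec || len != SEL_LEN)
		return BMC_REQ_INVALID;          /* missing, truncated or oversized */
	if (rec[SEL_OFF_TYPE] != 0xc0 || rec[SEL_OFF_CMD] != 0x04)
		return BMC_REQ_NONE;             /* some other SEL, not a power request */
	switch (rec[SEL_OFF_DATA0]) {
	case 0x0: return BMC_REQ_SHUTDOWN;
	case 0x1: return BMC_REQ_REBOOT;
	default:  return BMC_REQ_INVALID;    /* undefined data0: report, do nothing */
	}
}

/* Constructed sample records (not captured from real hardware). */
const uint8_t sel_shutdown[SEL_LEN] = { 1, 0, 0xc0, 0, 0, 0, 0, 0, 0, 0, 0x3a, 0x04, 0x0 };
const uint8_t sel_reboot[SEL_LEN]   = { 2, 0, 0xc0, 0, 0, 0, 0, 0, 0, 0, 0x3a, 0x04, 0x1 };
const uint8_t sel_bad_data[SEL_LEN] = { 3, 0, 0xc0, 0, 0, 0, 0, 0, 0, 0, 0x3a, 0x04, 0x7 };
const uint8_t sel_other[SEL_LEN]    = { 4, 0, 0x02, 0, 0, 0, 0, 0, 0, 0, 0x3a, 0x04, 0x1 };

int main(void)
{
	static const char *names[] = { "none", "shutdown", "reboot", "invalid" };
	printf("%s\n", names[decode_power_sel(sel_shutdown, SEL_LEN)]);
	printf("%s\n", names[decode_power_sel(sel_reboot, SEL_LEN)]);
	printf("%s\n", names[decode_power_sel(sel_bad_data, SEL_LEN)]);
	printf("%s\n", names[decode_power_sel(sel_other, SEL_LEN)]);
	printf("%s\n", names[decode_power_sel(sel_reboot, SEL_LEN - 1)]);
	return 0;
}
```
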
Watchdog support
----------------

OPAL supports a BMC watchdog during the boot process. This will be disabled
before entering the OS.

Real-time clock
---------------

On platforms where a real-time-clock is not available, skiboot may use the
IPMI SEL Time as a real-time-clock device.

SBE validation
--------------

On some P8 platforms with an AMI or SMC BMC (i.e. astbmc), SBE validation is done
by a tool on the BMC. This is done to inspect the SBE and detect if a malicious
host has written to the SBE, especially in multi-tenant
"Bare-Metal-As-A-Service" scenarios.

To complicate this, the SBE validation occurs at host runtime and reads the SBE
SEEPROM over I2C using the FSI master, which will conflict with anything the
host may be doing at the same time. To avoid this, Skiboot will pause boot until
the validation is complete.
If SBE validation is required, the BMC will communicate this to Skiboot by
setting an IPMI System Boot Option with OEM parameter 0x62. When this flag is
set, Skiboot will pause and wait for the validation to complete and the flag to
be cleared. This ensures the validation completes before execution is passed
to Petitboot and the host operating system, and before any conflicts could occur.
During this process Skiboot will print ::

  SBE validation required, waiting for completion
  System will be powered off if validation fails

to the console with an update every minute until complete.

Unfortunately, the validation performed by the BMC leaves the SBE in a bad
state. Once the validation is complete, Skiboot will reboot to reset everything
to a good state and normal booting can resume. No such reboot is required if
the flag is not set and validation doesn't occur.