OPAL <–> BMC interactions

This document provides information about some of the user-visible interactions that skiboot performs with the BMC.

IPMI sensors

OPAL will interact with a few IPMI sensors during the boot process. These are:

  • Boot Count [type 0xc3: OEM reserved]

  • FW Boot progress [type 0x0f: System Firmware Progress]

Boot Count: assertion type. When OPAL reaches a late stage of boot, it sets the boot count sensor to 0x02. This is intended to allow the BMC detect a failed or aborted boot, for switching to a known-good firmware image.

FW Boot Progress: assertion type. During boot, skiboot will update this sensor to one of the IPMI-defined progress codes. The codes use by skiboot are:

  • PCI Resource configuration (0x01)
    • asserted as the PCI devices have been probed and resources allocated

  • Motherboard init (0x14)
    • asserted as the platform-specific components have been initialised

  • OS boot (0x13)
    • asserted after skiboot has loaded the PAYLOAD image, and is about to boot it.

Chassis control messages

OPAL uses chassis control messages to instruct the BMC to remove power from the host. These messages are sent during graceful reboot and shutdown processes initiated by the host.

For a BMC-initiated graceful power-down (or reboot), the BMC is expected to send an OEM-defined SEL message, using a SMS_ATN to trigger a BMC-to-host notification. This SEL has a type of 0xc0, and command of 0x04. The data0 field of the SEL indicates shutdown (0x0) or reboot (0x1).

Watchdog support

OPAL supports a BMC watchdog during the boot process. This will be disabled before entering the OS.

Real-time clock

On platforms where a real-time-clock is not available, skiboot may use the IPMI SEL Time as a real-time-clock device.

SBE validation

On some P8 platforms with an AMI or SMC BMC (ie. astbmc) SBE validation is done by a tool on the BMC. This is done to inspect the SBE and detect if a malicious host has written to the SBE, especially in multi-tenant “Bare-Metal-As-A-Service” scenarios.

To complicate this the SBE validation occurs at host-runtime and reads the SBE SEEPROM over I2C using the FSI master which will conflict with anything the host may be doing at the same time. To avoid this Skiboot will pause boot until the validation is complete. If SBE validation is required the BMC will communicate this to Skiboot by setting an IPMI System Boot Option with OEM parameter 0x62. When this flag is set Skiboot will pause and wait for the validation to complete and the flag to be cleared. This ensures the validation completes before the execution is passed to Petitboot and the host operating system and any conflicts could occur. During this process Skiboot will print:

SBE validation required, waiting for completion
System will be powered off if validation fails

to the console with an update every minute until complete.

Unfortunately the validation performed by the BMC leaves the SBE in a bad state. Once the validation is complete Skiboot will reboot to reset everything to a good state and normal booting can resume. No such reboot is required if the flag is not set and validation doesn’t occur.