Evidently I've managed to overlap the EBBR monthly with the 96Boards SC monthly meeting. Does anyone object to rescheduling the EBBR monthly to be the 1st Tuesday of each month? (starting next week).
g.
________________________________________
From: Grant Likely
Sent: 12 March 2019 11:38
To: rob.herring(a)linaro.org; Ben Eckermann; Dong Wei; perobins(a)redhat.com; ryan.harkin(a)linaro.org; Udit Kumar; wmills(a)ti.com; nicolas.dechesne(a)linaro.org; Tom Rini; Peter Robinson; Tony Wu; tom.rini(a)konsulko.com; Yang Zhang; Nicusor Penisoara; Andreas Färber; Michal Simek; David Rusling; Peter Jones; Mark Brown; Matthias Brugger; daniel.thompson(a)linaro.org
Subject: EBBR Monthly - 4th Tuesday
When: 28 May 2019 15:00-16:00.
Where: WebEx
Biweekly EBBR status call
- Online meeting: https://arm-onsite.webex.com/meet/gralik01
- Phone
- Access code: 809 053 990
- 1-408-792-6300 Call-in toll number (US/Canada)
- 1-877-668-4490 Call-in toll-free number (US/Canada)
- 44-203-478-5285 Call-in toll number (UK)
- 08-002061177 Call-in toll-free (UK)
More access numbers:
https://arm-onsite.webex.com/cmp3300/webcomponents/widget/globalcallin/glob…
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hello all,
Continuing the discussions we had on securing the boot flow and OS as much as
possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
This will cover the next payload (shim/grub2/shim depending on board needs).
In order to provide better overall security for the OS we'll need to at least
verify DTB (if provided externally), initramfs and kernel modules.
1. For the kernel modules we can use kernel module signing facilities [1]
2. In case someone wants to provide an external DTB, we can use FIT images
to secure that. The FIT images will contain the DTB(s) we need. Those will
only be used if the authentication process succeeds. This will allow us to
verify DTBs without introducing any new functionality to U-Boot.
3. We need to verify initramfs as well. This can be accomplished in various ways.
Packing kernel + initramfs or using dm-verity are the two obvious ones but we
are open to suggestions.
This also makes the development process for LEDGE pretty clear. We'll have to
add UEFI Secure Boot implementation on U-Boot *only* since the rest of the
functionality can be achieved with the existing code (minor adjustments might be
needed though).
What do you think?
[1] https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
Thanks
/Ilias
Hi Tom,
On Fri, May 31, 2019 at 11:05:20AM -0400, Tom Rini wrote:
> On Fri, May 31, 2019 at 02:40:32PM +0100, Steve McIntyre wrote:
> > On Tue, May 28, 2019 at 02:04:23PM +0300, Ilias Apalodimas wrote:
> > >> >
> > >> > The tl;dr purpose of my e-mail was 'Is implementing UEFI Secure Boot for the
> > >> > EFI playloads
> > >>
> > >> I think that you'd better explain why you stick to *UEFI* secure boot.
> > >
> > >The main reason is distro support. Since distros use a number of different ways
> > >of booting up on arm boards, using UEFI is the obvious way to unify that (and
> > >alrady supported on some) regardless of the bootloader. UEFI secure boot
> > >provides a common approach to security instead of 'per bootloader' solutions
> >
> > Yup, absolutely (says the Debian EFI team lead) ...
>
> The other things we need to keep in mind is that (based on my own
> experience implementing UEFI secure boot on an x8664 platform), we are
> not looking at a case of "make an existing solution function on other
> architectures" but rather "there's some good concepts here and an
> implementation waiting to be figured out".
We agree here. From Grant's proposal's #1 and #2, i'd prefer seeing something
similar to #2 implemented.
I'd prefer having the option to authenticate DTB/initramfs from the 'main
bootloader', than delegating that to some EFI payload, mostly for fragmentation
reasons
Thanks
/Ilias
Hi Tom,
> >
> > > > Continuing the discussions we had on securing the boot flow and OS as much as
> > > > possible, we came up with the following idea.
> > > >
> > > > We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
> > > > This will cover the next payload (shim/grub2/shim depending on board needs).
> > > >
> > > > In order to provide better overall security for the OS we'll need to at least
> > > > verify DTB (if provided externally), initramfs and kernel modules.
> > > >
> > > > 1. For the kernel modules we can use kernel module signing facilities [1]
> > > > 2. In case someone wants to provide an external DTB, we can use FIT images
> > > > to secure that. The FIT images will contain the DTB(s) we need. Those will
> > > > only be used if the authentication process succeeds. This will allow us to
> > > > verify DTBs without introducing any new functionality to U-Boot.
> > > > 3. We need to verify initramfs as well. This can be accomplished in various ways.
> > > > Packing kernel + initramfs or using dm-verity are the two obvious ones but we
> > > > are open to suggestions.
> > >
> > > For #3, making use of FIT images should be investigated seriously that
> > > already allows for what you're asking about.
> > Sure, thanks for the heads up.
> > I had a sentence saying '#3 can deploy similar methods to #2" on my initial
> > e-mail, but removed it right before sending.
> > It makes a lot of sense to me to keep similar functionality, as long as
> > we can keep the stored keys (to verify signatures) in small numbers.
>
> Sure. One thing I want to make sure people understand is that U-Boot
> already supports a verified boot scheme including reaching out to ROM
> where applicable and has for a number of years.
I think we are exaclty on the same page here!
The tl;dr purpose of my e-mail was 'Is implementing UEFI Secure Boot for the
EFI playloads and use *existing* tools for the rest doable?'. I think the answer
is yes. If it is i don't think it makes any sense at all to implement
something new
Thanks
/Ilias
Hi,
Linaro TSC validate the creation of the Dependable Lead Project.
I started to build infrastructure to be able to capture all information we
need to be as successful as possible.
Should you think one of your JIRA cards be updated to reflect its
relationship with the newly cerated DB Jira Lead Project, please do so.
Portal (documentation, meeting notes):
https://collaborate.linaro.org/display/DBS/Dependable+Boot
Kanban board:
https://projects.linaro.org/secure/RapidBoard.jspa?rapidView=257
The portal is far from complete but I preferred to share it as soon as
possible so that we can make it as useful as possible.
Cheers
FF
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hi Tom,
> > Continuing the discussions we had on securing the boot flow and OS as much as
> > possible, we came up with the following idea.
> >
> > We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
> > This will cover the next payload (shim/grub2/shim depending on board needs).
> >
> > In order to provide better overall security for the OS we'll need to at least
> > verify DTB (if provided externally), initramfs and kernel modules.
> >
> > 1. For the kernel modules we can use kernel module signing facilities [1]
> > 2. In case someone wants to provide an external DTB, we can use FIT images
> > to secure that. The FIT images will contain the DTB(s) we need. Those will
> > only be used if the authentication process succeeds. This will allow us to
> > verify DTBs without introducing any new functionality to U-Boot.
> > 3. We need to verify initramfs as well. This can be accomplished in various ways.
> > Packing kernel + initramfs or using dm-verity are the two obvious ones but we
> > are open to suggestions.
>
> For #3, making use of FIT images should be investigated seriously that
> already allows for what you're asking about.
Sure, thanks for the heads up.
I had a sentence saying '#3 can deploy similar methods to #2" on my initial
e-mail, but removed it right before sending.
It makes a lot of sense to me to keep similar functionality, as long as
we can keep the stored keys (to verify signatures) in small numbers.
>
> --
> Tom
Thanks
/Ilias
Introducing a chosen node, rng-seed, which is an entropy that can be
passed to kernel called very early to increase initial device
randomness. Bootloader should provide this entropy and the value is
read from /chosen/rng-seed in DT.
Signed-off-by: Hsin-Yi Wang <hsinyi(a)chromium.org>
---
change log:
v1->v2:
* call function in early_init_dt_scan_chosen
* will add doc to devicetree-org/dt-schema on github if this is accepted
---
Documentation/devicetree/bindings/chosen.txt | 14 ++++++++++++++
drivers/of/fdt.c | 11 +++++++++++
2 files changed, 25 insertions(+)
diff --git a/Documentation/devicetree/bindings/chosen.txt b/Documentation/devicetree/bindings/chosen.txt
index 45e79172a646..fef5c82672dc 100644
--- a/Documentation/devicetree/bindings/chosen.txt
+++ b/Documentation/devicetree/bindings/chosen.txt
@@ -28,6 +28,20 @@ mode) when EFI_RNG_PROTOCOL is supported, it will be overwritten by
the Linux EFI stub (which will populate the property itself, using
EFI_RNG_PROTOCOL).
+rng-seed
+-----------
+
+This property served as an entropy to add device randomness. It is parsed
+as a byte array, e.g.
+
+/ {
+ chosen {
+ rng-seed = <0x31 0x95 0x1b 0x3c 0xc9 0xfa 0xb3 ...>;
+ };
+};
+
+This random value should be provided by bootloader.
+
stdout-path
-----------
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index de893c9616a1..96ea5eba9dd5 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -24,6 +24,7 @@
#include <linux/debugfs.h>
#include <linux/serial_core.h>
#include <linux/sysfs.h>
+#include <linux/random.h>
#include <asm/setup.h> /* for COMMAND_LINE_SIZE */
#include <asm/page.h>
@@ -1079,6 +1080,7 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
{
int l;
const char *p;
+ const void *rng_seed;
pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);
@@ -1113,6 +1115,15 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
pr_debug("Command line is: %s\n", (char*)data);
+ rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
+ if (!rng_seed || l == 0)
+ return 1;
+
+ /* try to clear seed so it won't be found. */
+ fdt_nop_property(initial_boot_params, node, "rng-seed");
+
+ add_device_randomness(rng_seed, l);
+
/* break now */
return 1;
}
--
2.20.1
On Wed, May 8, 2019 at 10:06 AM Hsin-Yi Wang <hsinyi(a)chromium.org> wrote:
>
> On Wed, May 8, 2019 at 10:04 PM Rob Herring <robh+dt(a)kernel.org> wrote:
> >
> > On Tue, May 7, 2019 at 11:08 PM Hsin-Yi Wang <hsinyi(a)chromium.org> wrote:
> > >
> > > On Wed, May 8, 2019 at 3:47 AM Rob Herring <robh+dt(a)kernel.org> wrote:
> > > >
> > > > +boot-architecture list as there was some discussion about this IIRC.
> > > >
> > > > On Mon, May 6, 2019 at 11:54 PM Hsin-Yi Wang <hsinyi(a)chromium.org> wrote:
> > > > >
> > > > > Introducing a chosen node, rng-seed, which is an 64 bytes entropy
> > > > > that can be passed to kernel called very early to increase device
> > > > > randomness. Bootloader should provide this entropy and the value is
> > > > > read from /chosen/rng-seed in DT.
> > > > >
> > > > > Signed-off-by: Hsin-Yi Wang <hsinyi(a)chromium.org>
> > > > >
> > > > > ---
> > > > > Documentation/devicetree/bindings/chosen.txt | 14 +++++++++
> > > >
> > > > Actually, this file has been converted to json-schema and lives
> > > > here[1]. I need to remove this one (or leave it with a reference to
> > > > the new one).
> > > >
> > > > > arch/arm64/kernel/setup.c | 2 ++
> > > > > drivers/of/fdt.c | 33 ++++++++++++++++++++
> > > > > include/linux/of_fdt.h | 1 +
> > > > > 4 files changed, 50 insertions(+)
> > > > >
> > > > > diff --git a/Documentation/devicetree/bindings/chosen.txt b/Documentation/devicetree/bindings/chosen.txt
> > > > > index 45e79172a646..bfd360691650 100644
> > > > > --- a/Documentation/devicetree/bindings/chosen.txt
> > > > > +++ b/Documentation/devicetree/bindings/chosen.txt
> > > > > @@ -28,6 +28,20 @@ mode) when EFI_RNG_PROTOCOL is supported, it will be overwritten by
> > > > > the Linux EFI stub (which will populate the property itself, using
> > > > > EFI_RNG_PROTOCOL).
> > > > >
> > > > > +rng-seed
> > > > > +-----------
> > > > > +
> > > > > +This property served as an entropy to add device randomness. It is parsed
> > > > > +as a 64 byte value, e.g.
> > > >
> > > > Why only 64-bytes?
> > > We can also not specify size and read what bootloader can provide.
> > > >
> > > > > +
> > > > > +/ {
> > > > > + chosen {
> > > > > + rng-seed = <0x31951b3c 0xc9fab3a5 0xffdf1660 ...>
> > > > > + };
> > > > > +};
> > > > > +
> > > > > +This random value should be provided by bootloader.
> > > > > +
> > > > > stdout-path
> > > > > -----------
> > > > >
> > > > > diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
> > > > > index 413d566405d1..ade4261516dd 100644
> > > > > --- a/arch/arm64/kernel/setup.c
> > > > > +++ b/arch/arm64/kernel/setup.c
> > > > > @@ -292,6 +292,8 @@ void __init setup_arch(char **cmdline_p)
> > > > > early_fixmap_init();
> > > > > early_ioremap_init();
> > > > >
> > > > > + early_init_dt_rng_seed(__fdt_pointer);
> > > > > +
> > > >
> > > > I'm trying to reduce or eliminate all these early_init_dt_* calls.
> > > >
> > > > Why is this arch specific and why can't this be done after
> > > > unflattening? It doesn't look like add_device_randomness() needs
> > > > anything early.
> > > Currently unflattening is called after setup_machine_fdt(), which
> > > called fixmap_remap_fdt() //__fixmap_remap_fdt(dt_phys, &size,
> > > PAGE_KERNEL_RO), and we can't modify DT after that since it's read
> > > only. But we need to clear (eg. write 0 to it) the rng-seed after
> > > reading from DT.
> >
> > Why do you need to clear it? That wasn't necessary for kaslr-seed.
> I think it's for security purpose. If we know the random seed, it's
> more likely we can predict randomness.
> Currently on arm64, kaslr-seed will be wiped out (in
> arch/arm64/kernel/kaslr.c#get_kaslr_seed(), it's set to 0) so we can't
> read from sysfs (eg. /sys/firmware/devicetree/.../kaslr-seed)
> I'm not sure on other arch if it will be wiped out.
The difference is if I have the kaslr seed, I can calculate the kernel
base address.
In your case, you are feeding an RNG which continually has entropy
added to it. I can't see that knowing one piece of the entropy data is
a security hole. It looks more like you've just copied what what done
for kaslr-seed.
> > Why not change the mapping to RW? It would be nice if this worked on
> > more than one arch.
Still wondering on this question. Mapping it R/W would mean rng-seed
could be handled later and completely out of the arch code and so
could the zeroing of the kaslr-seed. Also, we generally assume the FDT
is modifiable for any fixups. This happens on arm32 and powerpc, but I
guess we haven't needed that yet on arm64.
Rob
Hello Francois, Jan, Christian, and all
Sorry for the late reply, I was waiting for the administrator of the Boot Architecture mailing list to accept my subscription request, but it seems it will take a bit more time. I will send this reply and hope it will not be blocked. I have also added the u-boot mailing list to Cc, as Tom suggested (although I'm not a member), the CIP mailing list, Jan Kiszka (one of the main developers of Efibootguard) and Christian (an expert in software updates).
Background: during the last Linaro connect in Bangkok I was told that Linaro Edge (LEDGE) were working on a secure software update mechanism based on UEFI capsules that would flash firmware updates from a UEFI application, instead of using a Linux agent such as SWUpdate. Then, I had an online meeting with Francois, director of LEDGE. I explained to Francois that in CIP we are using the Linux agent approach right now, and we are also considering the use of a UEFI application (Efibootguard) to arm a watchdog and deal with the state-machine variables (installed, testing, ok, failed..) needed for A/B software updates. Efibootguard sounds like an excellent place to collaborate with Linaro (particularly on the watchdog drivers front) because it does not strictly depend on where the firmware is flashed (UEFI capsule or Linux agent).
> On Fri, Apr 19, 2019 at 12:48:51PM +0200, Francois Ozog wrote:
> > Hi Daniel,
> >
> > We will be conducting a UEFI gap analysis to support EFIBootGuard in U-Boot.
> >
> > As we are working on UEFI SecureBoot implementation in U-Boot, how do
> > you expect the boot process to be secured? Would U-Boot UEFI
> > SecureBoot verify EFIBootGuard signature and in turn EFIBootGuard will
> > check either grub or Linux signature?
> >
> > Please elaborate on your vision of a secured boot process.
Efibootguard is composed of two parts.
- A UEFI application that can arm a watchdog and decide what environment (kernel, boot args, etc.) to use next depending on a set of variables (update status, highest revision, etc.) stored in FAT16 partitions.
- A Linux application that can read and set those variables from Linux (similar to u-boot's fw_setenv). This functionality is also available in the form of a library.
As far as I know, there is no concept of "Secure Booting" in Efibootguard at the moment. Adding signature checks before booting into the selected kernel would be a possible solution.
Thanks,
Daniel
