On Wed, 5 Jun 2019 at 14:59, Tom Rini <trini(a)konsulko.com> wrote:
>
> On Wed, Jun 05, 2019 at 09:17:04AM +0100, Graeme Gregory wrote:
> > On Wed, 5 Jun 2019 at 07:36, Ard Biesheuvel <ard.biesheuvel(a)linaro.org>
> > wrote:
> >
> > > On Wed, 5 Jun 2019 at 00:41, Tom Rini <trini(a)konsulko.com> wrote:
> > > >
> > > ...
> > >
> > > > It depends on what you mean by "OS provided". The DTS files come from
> > > > the Linux Kernel sources, full stop.
> > >
> > > That is the mistake we should try to fix.
> > >
> > > We have DT bindings, which define the contract between the OS on one
> > > side, and the platform on the other side. This means it is the
> > > platform's job to present a DT description that adheres to those
> > > [stable] bindings.
> > >
> > > Today's development model of developing DT bindings in lockstep with
> > > the drivers, and then bundling DT files with the OS is completely
> > > unsustainable, since it doesn't scale, and it demonstrably results in
> > > DT bindings that get modified without any regard for devices that are
> > > already in the field (MacchiatoBin is a good example).
> > >
> > > So it doesn't really matter where the kernel *sources* come from, as
> > > long as the platform provides its own DT, which does not change just
> > > because the kernel changes.
> > >
> > > It is already defined how the platform provides this DT on a UEFI
> > > system, i.e., via a configuration table with a known GUID. How the
> > > firmware popiulates this memory is an implementation detail: if it
> > > wants to load it from a signed file in the file system, that is fine,
> > > as long as it is not the OS providing this file to the firmware.
> > >
> > >
> > I agree, people seem to be conflating where DT is stored in source control
> > over where it should be supplied to OS.
> >
> > Just because the DT is in linux kernel git does not mean you can't build it
> > into the u-boot for your board.
> >
> > In fact I bet u-boot maintainer would love patches for updates ;-)
>
> Right. But there's also confusion about where the DTB is to be found.
> Whereas ACPI is "burned in" the DTB (generally) is not and will not be.
> It will be loaded from storage, so in the context of this overall
> thread, figuring out how to verify the signature on the DTB is a main
> use case.
>
There is no confusion at all. On a UEFI/EBBR system, the DT shall be
provided to the OS via a config table using the established GUID. How
the firmware achieves that is left unspecified. The fact that it may
be loaded from storage does not make it part of the packaged OS, it is
still a component of the platform.
But based on this discussion, I will argue going forward that
- the firmware must not rely on the OS to put DT images under known
names into known locations in the file system,
- the firmware provides this DT regardless of which keys are loaded
into the uefi secure boot keyring, IOW, if i choose to put only the
RedHat certificate in db because that is all i care about, I don't
want to end up with a bricked system because the DT was loaded via the
secure boot stack and was signed with the Microsoft keyring.
Btw, the fact that Authenticode/PE-COFF does not permit multiple
signatures does not make things any easier.
On Wed, 5 Jun 2019 at 13:14, Mark Brown <broonie(a)kernel.org> wrote:
>
> On Wed, Jun 05, 2019 at 11:18:44AM +0100, Steve McIntyre wrote:
>
> > Nod. We're *way* past the time where this should have stopped. How on
> > earth do we get to common DT useful for all bootloaders, OSes (etc.)
> > if people still consider the bundled, changing sources in the Linux
> > tree to be canonical?
>
> It's a chicken and egg situation - for the platforms where nobody is
> actually shipping systems with a separate device tree it's easy for
> people to miss accidental incompatibilities without noticing, or decide
> that deliberate incompatibilites won't be noticed. If there's users
> making noise that's a lot harder to do. Pushing on EBBR is going to
> help there, and it'd really help if there were more hardware built with
> separate boot storage :/
>
> Some of the platforms *are* doing a good job of not needlessly churning
> their device trees (they're just not very noticable since things just
> work and they make no noise), and even without people worrying about
> separately distributed DTs widely adopted in tree bindings are doing a
> lot for stability due to the number of places that would need updates
> for incompatibilites (and also avoiding the DMI quirk tables ACPI relies
> on which is nice).
I am not disagreeing with any of this. But it is helpful to keep in
mind that, in the context what we are trying to achieve, the
requirement/expectation that a DT lives on git.kernel.org and gets
packaged and shipped by the distro makes no sense at all.
The idea of EBBR is to move away from a vertically integrated model,
and permit systems or appliances to use packaged OSes in the field,
similar to how this is being done on servers today. The idea that it
is required for, say, company X shipping product Yrev0, to upstream a
new rev of the DT in order to tweak their board and ship product Yrev1
is simply ridiculous. It doesn't scale, and we shouldn't care - the DT
bindings is what we care about, and if it adheres to those, the
platform can provide any DT it wants, and there is no reason the
kernel devs should ever need to look at it.
For development, things are obviously different, I understand that.
Shipping DTs for devboards makes sense, especially while the DT
bindings are not set in stone yet. But imposing this model for
production is unsustainable.
On Wed, 5 Jun 2019 at 00:41, Tom Rini <trini(a)konsulko.com> wrote:
>
...
> It depends on what you mean by "OS provided". The DTS files come from
> the Linux Kernel sources, full stop.
That is the mistake we should try to fix.
We have DT bindings, which define the contract between the OS on one
side, and the platform on the other side. This means it is the
platform's job to present a DT description that adheres to those
[stable] bindings.
Today's development model of developing DT bindings in lockstep with
the drivers, and then bundling DT files with the OS is completely
unsustainable, since it doesn't scale, and it demonstrably results in
DT bindings that get modified without any regard for devices that are
already in the field (MacchiatoBin is a good example).
So it doesn't really matter where the kernel *sources* come from, as
long as the platform provides its own DT, which does not change just
because the kernel changes.
It is already defined how the platform provides this DT on a UEFI
system, i.e., via a configuration table with a known GUID. How the
firmware popiulates this memory is an implementation detail: if it
wants to load it from a signed file in the file system, that is fine,
as long as it is not the OS providing this file to the firmware.
> That doesn't mean they're embedded
> within the kernel image. They're usually going to be pulled from the
> filesystem.
>
> --
> Tom
On Wed, 5 Jun 2019 at 00:34, Tom Rini <trini(a)konsulko.com> wrote:
>
> On Tue, Jun 04, 2019 at 06:14:16PM -0400, Francois Ozog wrote:
> > Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit :
> >
...
> > I think it may be good to validate but not provide. There is no Linux
> > provided ACPI table right ? So I get the point to validate a DT.
>
> There's "Linux provided" ACPI tables when someone has to decompile,
> fixup and re-compile their DSDT files.
>
> Or perhaps a better way to think of it is that yes, there's "Linux
> provided ACPI tables" when vendors are developing their hardware and
> correcting their ACPI tables. Same thing with DT, by and large (as
> overlays and secure boot are a can of worms to worry about later).
Secure boot enabled Linux does not permit this model. Side loading of
DSDTs/SSDTs is disabled by the hardening patchset that all the distros
carry for secure boot enabled kernels.
Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit :
> On Tue, Jun 04, 2019 at 10:25:23AM -0400, Francois Ozog wrote:
> > On Tue, 4 Jun 2019 at 10:17, Heinrich Schuchardt <xypron.glpk(a)gmx.de>
> wrote:
> >
> > >
> > >
> > > On 6/4/19 3:55 PM, Francois Ozog wrote:
> > > > On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel <
> ard.biesheuvel(a)linaro.org>
> > > > wrote:
> > > >
> > > >>
> > > >>
> > > >> On Tue, 4 Jun 2019 at 15:44, Francois Ozog <
> francois.ozog(a)linaro.org>
> > > >> wrote:
> > > >>
> > > >>> Hi Ard,
> > > >>>
> > > >>> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
> > > ard.biesheuvel(a)linaro.org>
> > > >>> wrote:
> > > >>>
> > > >>>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas
> > > >>>> <ilias.apalodimas(a)linaro.org> wrote:
> > > >>>>>
> > > >>>>> Hi Grant,
> > > >>>>>> I see two ways to handle this that fits with the Secure Boot
> > > >>>>>> authentication path:
> > > >>>>>>
> > > >>>>>> Option 1: Leave it to the OS loader
> > > >>>>>> We could simply say that if the OS wants to replace the DTB,
> then it
> > > >>>>>> should take care of authentication itself within the OS loader
> > > >>>> (possibly
> > > >>>>>> the in-kernel UEFI stub) and install a replacement DTB in the
> > > >>>>>> configuration table before calling exit boot services. In this
> > > >>>> scenario,
> > > >>>>>> U-Boot doesn't authenticate the DTB at all.
> > > >>>>>>
> > > >>>>>> In fact, Option 1 is pretty close to what is required for the
> > > initrd.
> > > >>>>>>
> > > >>>>>> I wonder if it is possible to wrap the DTB with a PE/COFF so
> that
> > > >>>> the os
> > > >>>>>> loader can use load_image to authenticate and retrieve the data
> > > >>>> without
> > > >>>>>> actually executing the image. That would allow for the DTB &
> initrd
> > > >>>> to
> > > >>>>>> be authenticated in the same way as the kernel.
> > > >>>>> I asked around on this prior to the email, but i think it boils
> down
> > > to
> > > >>>>> "UEFI is intended to authenticate bootable images for the
> platform",
> > > >>>> so i doubt
> > > >>>>> this will be allowed.
> > > >>>>>
> > > >>>>
> > > >>>> The point I raised when we discussed this is that UEFI is an
> interface
> > > >>>> between the firmware and the OS, and it is up to the firmware to
> > > >>>> *provide* the DT not the other way around.
> > > >>>>
> > > >>>> Whether the firmware reuses some of the existing machinery if it
> > > >>>> chooses to load the DT it provides from an arbitrary file on the
> file
> > > >>>> system is an implementation detail, and shouldn't be part of how
> we
> > > >>>> design the interface. The more we standardize this and the more we
> > > >>>> make it similar to how the OS loader is authenticated, the more
> likely
> > > >>>> it becomes that it will be relied upon for DTs that are bundled
> with
> > > >>>> the OS, which is a practice we are trying very hard to move away
> from.
> > > >>>>
> > > >>>
> > > >>> I have the impression that OS provided DT is a bad solution to a
> real
> > > >>> problem:
> > > >>> There should be a Firmware hardware environment (what to
> initialize,
> > > >>> use...) and a OS hardware environment.
> > > >>> Both should be signed, and controlled by the firmware.
> > > >>> So I would try to find a way to supply firmware with two DTs, or
> more
> > > >>> likely one DT and one OS overlay (if overlays can remove some
> > > hardware).
> > > >>>
> > > >>>
> > > >>
> > > >> If the OS provides a DT to itself, what is the point of pretending
> that
> > > it
> > > >> has been authenticated to the firmware?
> > > >>
> > > > Agreed, that is stupid! I mispresented my idea: I talk about two DTs
> > > > controlled by hardware/Firmware provider. OS shall be a consumer
> only.
> > > >
> > > >
> > >
> > > In a perfect world firmware would provide the authoritative source of
> > > the device tree. The current situation has device trees developed in
> the
> > > context of Linux and U-Boot picking them up. U-Boot is lagging far
> > > behind Linux. Whenever I wanted to change a device tree in U-Boot I was
> > > told to first get that change into Linux. I see no commitment to change
> > > this process.
> > >
> > > Device-trees are provided by U-Boot to Linux as UEFI configuration
> > > tables. If a device-tree is malicious it may lead to the destruction of
> > > hardware. So whatever U-Boot provides as a device-tree to Linux should
> > > be validated.
> > >
> > In a perfect world, U-Boot shall lead and we should work towards that if
> > not in place. There is no sch a thing as a Linux validated ACPI table, so
> > why for DT?
>
> There _is_ such a thing as a validated ACPI table and functionally ACPI
> tables on x86 are validated with Windows. This is no different.
>
I think it may be good to validate but not provide. There is no Linux
provided ACPI table right ? So I get the point to validate a DT.
>
> --
> Tom
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Le mar. 4 juin 2019 à 17:27, Tom Rini <trini(a)konsulko.com> a écrit :
> On Tue, Jun 04, 2019 at 10:21:54AM -0400, Francois Ozog wrote:
> > On Tue, 4 Jun 2019 at 10:00, Ard Biesheuvel <ard.biesheuvel(a)linaro.org>
> > wrote:
> >
> > >
> > >
> > > On Tue, 4 Jun 2019 at 15:55, Francois Ozog <francois.ozog(a)linaro.org>
> > > wrote:
> > >
> > >>
> > >>
> > >> On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel <
> ard.biesheuvel(a)linaro.org>
> > >> wrote:
> > >>
> > >>>
> > >>>
> > >>> On Tue, 4 Jun 2019 at 15:44, Francois Ozog <francois.ozog(a)linaro.org
> >
> > >>> wrote:
> > >>>
> > >>>> Hi Ard,
> > >>>>
> > >>>> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
> ard.biesheuvel(a)linaro.org>
> > >>>> wrote:
> > >>>>
> > >>>>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas
> > >>>>> <ilias.apalodimas(a)linaro.org> wrote:
> > >>>>> >
> > >>>>> > Hi Grant,
> > >>>>> > > I see two ways to handle this that fits with the Secure Boot
> > >>>>> > > authentication path:
> > >>>>> > >
> > >>>>> > > Option 1: Leave it to the OS loader
> > >>>>> > > We could simply say that if the OS wants to replace the DTB,
> then
> > >>>>> it
> > >>>>> > > should take care of authentication itself within the OS loader
> > >>>>> (possibly
> > >>>>> > > the in-kernel UEFI stub) and install a replacement DTB in the
> > >>>>> > > configuration table before calling exit boot services. In this
> > >>>>> scenario,
> > >>>>> > > U-Boot doesn't authenticate the DTB at all.
> > >>>>> > >
> > >>>>> > > In fact, Option 1 is pretty close to what is required for the
> > >>>>> initrd.
> > >>>>> > >
> > >>>>> > > I wonder if it is possible to wrap the DTB with a PE/COFF so
> that
> > >>>>> the os
> > >>>>> > > loader can use load_image to authenticate and retrieve the data
> > >>>>> without
> > >>>>> > > actually executing the image. That would allow for the DTB &
> > >>>>> initrd to
> > >>>>> > > be authenticated in the same way as the kernel.
> > >>>>> > I asked around on this prior to the email, but i think it boils
> down
> > >>>>> to
> > >>>>> > "UEFI is intended to authenticate bootable images for the
> platform",
> > >>>>> so i doubt
> > >>>>> > this will be allowed.
> > >>>>> >
> > >>>>>
> > >>>>> The point I raised when we discussed this is that UEFI is an
> interface
> > >>>>> between the firmware and the OS, and it is up to the firmware to
> > >>>>> *provide* the DT not the other way around.
> > >>>>>
> > >>>>> Whether the firmware reuses some of the existing machinery if it
> > >>>>> chooses to load the DT it provides from an arbitrary file on the
> file
> > >>>>> system is an implementation detail, and shouldn't be part of how we
> > >>>>> design the interface. The more we standardize this and the more we
> > >>>>> make it similar to how the OS loader is authenticated, the more
> likely
> > >>>>> it becomes that it will be relied upon for DTs that are bundled
> with
> > >>>>> the OS, which is a practice we are trying very hard to move away
> from.
> > >>>>>
> > >>>>
> > >>>> I have the impression that OS provided DT is a bad solution to a
> real
> > >>>> problem:
> > >>>> There should be a Firmware hardware environment (what to initialize,
> > >>>> use...) and a OS hardware environment.
> > >>>> Both should be signed, and controlled by the firmware.
> > >>>> So I would try to find a way to supply firmware with two DTs, or
> more
> > >>>> likely one DT and one OS overlay (if overlays can remove some
> hardware).
> > >>>>
> > >>>>
> > >>>
> > >>> If the OS provides a DT to itself, what is the point of pretending
> that
> > >>> it has been authenticated to the firmware?
> > >>>
> > >> Agreed, that is stupid! I mispresented my idea: I talk about two DTs
> > >> controlled by hardware/Firmware provider. OS shall be a consumer only.
> > >>
> > >>
> > >>
> > > But my point remains the same. If we are accommodating a model where
> the
> > > DT is shipped with the OS, the OS can deal with authenticating the DTB
> > > files. If the firmware provides the DT, it is a firmware implementation
> > > detail how and where it keeps the DTB files internally, as long as it
> uses
> > > the official way (i.e., via a UEFI config table) to expose the DT to
> the OS.
> > >
> > > Rolling all of this into secure boot support (which deals with
> > > authenticating OS components/loaders to the firmware) is something we
> > > should avoid.
> > >
> > Agreed. There is no such a thing as an OS provided ACPI table.... yet we
> > allow that for DT... strange isn't it?
>
> I think we're getting a bit side tracked. And, depending on what you
> want to call people having to fixup and recompile DSDT to fix issues...
> :)
>
> The Linux Kernel happens to be the (generally) authoritative source of
> DT files, rather than the hardware manufacturer.
>
To me it looks like walking on the head. I don’t see any OS providing an
ACPI table. I think I understand why it happened. But to me it looks like a
wrong solution to a real use case: firmware hardware execution
environnement is different (probably smaller) than os execution environment.
I think this is more about EBBR and it’s compliance. What shall be the
right policy ? And then we refine EBBR.
>
> > So as a reference platform we can say that an OS provided DT is NOT part
> of
> > the picture. Yet if a vendor still wants to do it, it will be able to. We
> > just don't care.
> >
> > Now, in the context of standard OTA across SoCs, what shall be
> standardized
> > to support the two DTs (for firmware execution and for OS execution). Are
> > we considering UBoot firmware as a "blob" that embeds those two DTs?
> Might
> > be good enough.
>
> The common case is NOT going to be that the DT is provided embedded
> within the hardware, please keep that in mind.
>
EBBR says: “Similarly, devices retained by firmware (i.e., not discoverable
by the OS) shall not be accessed by the OS.” so an OS provided DT is a
recipe for failure.
>
> --
> Tom
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hello all,
Continuing the discussions we had on securing the boot flow and OS as much as
possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
This will cover the next payload (shim/grub2/shim depending on board needs).
In order to provide better overall security for the OS we'll need to at least
verify DTB (if provided externally), initramfs and kernel modules.
1. For the kernel modules we can use kernel module signing facilities [1]
2. In case someone wants to provide an external DTB, we can use FIT images
to secure that. The FIT images will contain the DTB(s) we need. Those will
only be used if the authentication process succeeds. This will allow us to
verify DTBs without introducing any new functionality to U-Boot.
3. We need to verify initramfs as well. This can be accomplished in various ways.
Packing kernel + initramfs or using dm-verity are the two obvious ones but we
are open to suggestions.
This also makes the development process for LEDGE pretty clear. We'll have to
add UEFI Secure Boot implementation on U-Boot *only* since the rest of the
functionality can be achieved with the existing code (minor adjustments might be
needed though).
What do you think?
[1] https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
Thanks
/Ilias
