Hi
back in April we had a workshop on firmware sustainability. Since then a
number of discussions related concerns on closed source components in TF-A
and U-Boot communities. We are also approaching a technical maturity level
on SystemReady that it looks timely to revisit this aspect.
Would it be a good move to adopt the Open System Firmware check list
<https://www.opencompute.org/wiki/Open_System_Firmware/Checklist> as part
of SystemReady?
*NOTE1: believe SystemReady is at right level as it addresses compliance
of platforms. EBBR is a technical recipe to make it work for a particular
environment (like SBBR) and so not the best place to deal with
redistribution license of binary blobs and other platform owernship
aspects.*
*NOTE2/ Adoption could come in different forms: referring to it, crafting a
similar one for SystemReady scope, any other smart ways of doing it.*
Cheers
FF
--
François-Frédéric Ozog | *Director Business Development*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hi Tom
Le lun. 25 oct. 2021 à 18:59, Tom Rini <trini(a)konsulko.com> a écrit :
> On Mon, Oct 25, 2021 at 05:41:44PM +0100, Daniel Thompson wrote:
> > On Mon, Oct 25, 2021 at 03:59:49PM +0200, Heinrich Schuchardt wrote:
> > > On 10/25/21 15:32, Daniel Thompson wrote:
> > > > On Mon, Oct 25, 2021 at 01:51:34PM +0200, Heinrich Schuchardt wrote:
> > > > > On 10/25/21 12:43, François Ozog wrote:
> > > > > > Hi
> > > > > >
> > > > > > back in April we had a workshop on firmware sustainability.
> Since then a
> > > > > > number of discussions related concerns on closed source
> components in TF-A
> > > > > > and U-Boot communities. We are also approaching a technical
> maturity level
> > > > >
> > > > > U-Boot is licenced under GPL. You must not include any code which
> is not
> > > > > licensed under GPL or a compatible license (cf.
> > > > > https://www.gnu.org/licenses/license-list.html) into U-Boot. This
> > > > > disqualifies any closed source component but also open source
> which is not
> > > > > GPL compatible like OpenSSL.
> > > > >
> > > > > The BSD-3 license of TF-A is compatible with GPL.
> > > > >
> > > > > For closed source TF-A components distributed with U-Boot the
> following GPL
> > > > > exception *MIGHT* apply in some cases:
> > > > >
> > > > > "However, as a special exception, the source code distributed need
> not
> > > > > include anything that is normally distributed (in either source or
> binary
> > > > > form) with the major components (compiler, kernel, and so on) of
> the
> > > > > operating system on which the executable runs, unless that
> component itself
> > > > > accompanies the executable."
> > > >
> > > > The GNU GPLv2 "mere aggregation" language must also be mentioned when
> > > > looking at the license effects here.
> > > >
> > > > If TF-A and u-boot were merely aggregated together on the same
> storage
> > > > media then the license of one would not influence the licensing of
> > > > the other.
> > > >
> > > > I am doubtful that one component being responsible for copying the
> other
> > > > into memory would change this.
> > >
> > > Think of U-Boot's UEFI variables managed by an OP-TEE module
> (Standalone
> > > MM), or U-Boot (or Linux) invoking PSCI. These are not cases of mere
> > > aggregation but come close to the operating system case. But TF-A is
> not an
> > > operating system.
> >
> > This is very much an example of "each case turns on its own facts".
> >
> > PSCI is a generic protocol. It is based on traps. Its primary purpose is
> > to decouple components that run at different trust levels. TF-A is not
> > the only implementation. U-boot is not the only client.
> >
> > Such facts make it unlikely that TF-A would become a derived work of
> > u-boot simply because u-boot gets PSCI services from TF-A.
> >
> > To be clear I agree there are definitely circumstances that could lead
> > an OP-TEE TA, OP-TEE itself or TF-A being combined with u-boot (rather
> > than aggregated alongside). A OP-TEE TA to assist with variable storage
> > could certainly reach this level, especially if it's interfaces were
> > specifically designed to match the u-boot driver model (although this
> > still may not impact TF-A).
>
> So, this might be an unpopular opinion here, but perhaps the Canonical
> or Linaro lawyers could chime in with some non-binding thoughts?
> Engineers arguing about the law tends to not be productive.
i agree. From my standpoint, there are products on the market that assemble
firmware components such as TF-A , U-Boot and OP-TEE in various ways : so
lawyers have done their job and it is possible.
My question is: can we further characterize the distributed firmware with
regards to parameters described in the checklist?
If there are binary components in the mix, how much a platform owner (in
the checklist sense) can rebuild the open source portion, include the
binaries and redistribute the result?
>
>
> --
> Tom
>
--
François-Frédéric Ozog | *Director Business Development*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
All,
We have our DT evo call today one hour earlier than normal.
2 PM UTC / 3PM UK / 10 AM US East (NY)
(in 48 min as I write this.)
Today we will talk about DTB life cycle in firmware at run time.
We might get an update from Simon of DTB signatures.
Thanks,
Bill
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
Yep I see your info. Thanks for the bug report :)
-- Bill
On 10/5/21 12:02 PM, Simon Glass wrote:
> OK that worked, I think.
>
> - Simon
>
> On Mon, 4 Oct 2021 at 19:19, Bill Mills <bill.mills(a)linaro.org> wrote:
>>
>> Sorry wrong link.
>> Please try this one:
>> https://doodle.com/meeting/participate/id/mepQEZNa
>>
>> On 10/4/21 6:19 PM, Bill Mills wrote:
>>> All,
>>>
>>> If you normally attend the Devicetree evolution call,
>>> Please fill out this poll:
>>> https://doodle.com/meeting/organize/id/mepQEZNa
>>>
>>> Thanks,
>>> Bill
>>>
>>> --
>>> Bill Mills
>>> Principal Technical Consultant, Linaro
>>> +1-240-643-0836
>>> TZ: US Eastern
>>> Work Schedule: Tues/Wed/Thur
>>
>> --
>> Bill Mills
>> Principal Technical Consultant, Linaro
>> +1-240-643-0836
>> TZ: US Eastern
>> Work Schedule: Tues/Wed/Thur
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
All,
If you normally attend the Devicetree evolution call,
Please fill out this poll:
https://doodle.com/meeting/organize/id/mepQEZNa
Thanks,
Bill
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
All,
I have recordings and automated transcripts of all the meetings in 2021.
So far I have not made these public.
*** Is there any objection to making them public? ***
I don't imagine many people will go back and look but it is sometimes
nice to know that you could.
Please let me know if you have any concern. I will take no action until
next week.
Thanks,
Bill
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
All,
Today we discussed Simon's slides [1] about DTB signatures.
Simmons points (as I understand them)
* U-boot has used signatures in FIT format for years
* The technique used for FIT is actually generic to any DTB
* Such a signed DTB could still be passed to kernel
* even an old one like 4.4
* Suggest we adopt this for signing individual DTBs
Discussion:
* General interest in idea, no strong objections
* multiple people want to see the worked example to know for sure
* Which nodes do we want to sign?
* Should we sign in a way that allows the kernel to recheck
the signature?
* would require we exclude from hashing anything that will get fixed
up by u-boot at run time, such as mac addrs and chosen
* If u-boot applies any non-trivial DTBO's, the kernel won't be able
to check the result, is it worth the effort for the simple case?
* If we really want the kernel to verify, we should pass on a set of
dtbs: a base and set of overlays, one overlay would be the fixup
data. kernel could check each dtb and then verify that fixup data
only touches the stuff that it should
* Joakim worked with a student to do things very similar to what Simon
is talking about. see [2]
Other comments:
* verifying 10 rsa signatures on 10 hashes is more expensive than
verifying 1 rsa signature of 10 strong hashes. (RSA signatures on the
actual data itself would be VERY expensive.)
* We should be careful about boot time in all these discussions.
* If all the DTB data is internal to u-boot, just use FIT and have
one signature for all the various hashes.
* Is it OK to use the "exploded" rsa public key data in all cases?
* Is the exploded for faster or just less code?
* Can we supply the plan/std pub key AND the exploded version?
* implementations that care about speed and code size can use the
exploded ver, while things that need to standard key structure
can use that. We would need a offline tool to verify both.
* UEFI secure boot will have public keys installed.
Can we explode the key on install for internal storage?
Actions:
* Simon to work up an example of signing just one dtb
We also introduced the topics of DT lifecycle at firmware level:
A) Source level lifecycle, keeping things in sync
A1) Golden source repo
A2: Golden source for platforms that opt-in
A3) auto checker but manual fixup
A4) remove DT from sub projects and rely on B2 model
Pretty sure this is a NOPE!
A5) do nothing and trust platforms maintainers to do the right
thing (despite evidence that many are not currently).
B) runtime life-cycle
B1) each component has its own DTB
B2) DTB is only present in "first" firmware and is
passed along from there
B3) mixture of B1 & B2 at different firmware stages
Actions:
* Bill to make slides so we can discuss properly on Oct 18.
[1]
https://drive.google.com/file/d/1PA5aQ2rISOrdNbqElfIWXaSrCG28Rqx4/view?usp=…
[2]
https://github.com/marianomarciello/Device_Tree_Verification/tree/e0b2fc989…
Thanks,
Bill
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
Hello,
We have our DT evo call in just a bit.
Today I would like to talk about DT lifecycle and flow "with in" firmware.
Up till this point we have focused on firmware to "OS layer" hand off.
That topic is not done but I think we need to start exploring the flow
within firmware as people seem to have very different views.
We need to figure out what models are valid (2 seems plenty) and how we
can talk about them.
I don't have slides today but we can start the discussion.
Thanks,
Bill
--
Bill Mills
Principal Technical Consultant, Linaro
+1-240-643-0836
TZ: US Eastern
Work Schedule: Tues/Wed/Thur
