- boot-architecture - lists.linaro.org

Invitation: DTE discussion @ Mon 4 May 2020 18:00 - 19:00 (CEST) (boot-architecture@lists.linaro.org)

by François Ozog

You have been invited to the following event. Title: DTE discussion This is a one off meeting unless we find a sustainable timeslot for India participants. When: Mon 4 May 2020 18:00 – 19:00 Central European Time - Paris Joining info: Join with Google Meet https://meet.google.com/oua-wrbf-ppi Join by phone +33 1 87 40 48 87 (PIN: 588964477) More phone numbers: https://tel.meet/oua-wrbf-ppi?pin=4737911870439&hs=0 Calendar: boot-architecture(a)lists.linaro.org Who: * François Ozog- organiser * boot-architecture(a)lists.linaro.org * team-ledge * dte-all Event details: https://www.google.com/calendar/event?action=VIEW&eid=NzRkanQyMXZtOWwzc2xic… Invitation from Google Calendar: https://www.google.com/calendar/ You are receiving this courtesy email at the account boot-architecture(a)lists.linaro.org because you are an attendee of this event. To stop receiving future updates for this event, decline this event. Alternatively, you can sign up for a Google Account at https://www.google.com/calendar/ and control your notification settings for your entire calendar. Forwarding this invitation could allow any recipient to send a response to the organiser and be added to the guest list, invite others regardless of their own invitation status or to modify your RSVP. Learn more at https://support.google.com/calendar/answer/37135#forwarding

5 years, 8 months

1
0
0 0

Re: DTE-8 DeviceTree lifecycle: the basics

by François Ozog

+boot architecture Le sam. 25 avr. 2020 à 19:26, François Ozog <francois.ozog(a)linaro.org> a écrit : > Hi > > I would like to start the discussion on DTE-8 as LEDGE is going to need > results soon. I'd like to keep it high level, general principles, not too > precise on implementation details. Let's take overlays and other > complications out of the discussion until we share a vision for the basics. > > When we have concluded this discussion cycle we will need to address: > - DTE-8 DeviceTree lifecycle: BL32 (BL32 may mask some devices until > given credentials...) > - DTE-8 DeviceTree lifecycle: overlays > - DTE-8 DeviceTree lifecycle: tooling > - DTE-8 DeviceTree lifecycle: chain of trust > > Is the following correct? > Is it complete on the target reduced scope? > Is the discussion series/roadmap complete, is the order right ? > > Cordially, > > François-Frédéric > > > I - Definitions > > Let's consider there are four trees used by the following entities: > - TFA which spans BL1, BL2, BL31 has a tree <TFA> which originates from > tfa.dtb > - BL32 (let's assume OP-TEE) has a tree <BL32> which originates from > bl32.dtb > - BL33 (let's assume U-Boot) has a tree <BL33> which originates from > bl33.dtb > - THING, the "thing" that is booted by BL33, has a tree <THING> which > originates from thing.dtb and manipulations from BL33. > > The THING can be a Linux kernel, a bsd kernel, grub, shim<arch>.efi, > efibootguard.efi, Xen, Hafnium or many other possibilities. > BL33 is assumed to be U-Boot but it can be EDK2, Linux Kernel, Hafnium, > Xen or other thing. > > A tree is not dtb. A tree is the result of loading a DTB with or without > manipulations. > > II - Build time assumptions > > It is assumed that TFA, BL32 and BL33 are board specific while THINGS is > board agnostic. > > As a result of this architectural decision: > - tfa.dtb, bl32.dtb and bl33.dtb can be built by the build process of the > respective entity TFA, BL32, BL33. > - thing.dtb is purely describing hardware and has no "chosen" nodes for > instance, it may contain architectural/platform/board specific > "reserved-memory". In other words, nothing that can tie it to a particular > "thing". > > All DTBs shall be derived from a single source repository. > > The bindings of a single piece of hardware, may differ depending on the > entity that needs it (there are many ways to implement that aspect, let's > not talk about implementation yet). > For instance, a display panel for BL33 can be represented as a single > small node while the same display panel can be controlled out of several > large nodes by a downstream Operating System. > > III - Lifecycle > > Out of all possible transitions, let's consider BL31->BL33 and > BL33->THING. Transitions are opportunities to pass DT information from one > entity to the other that complements the static *.dtb . For instance, > passing PSCI interface information, memory reservations, PCI IO ranges... > > III.1 BL31->BL33 > > III.1.1 nature of manipulations > typically, PSCI interface may be injected as well some memory > reservations. > > III.1.2 manipulation operational considerations > There are three possibilities for passing this information: > - BL31 manipulates the BL33 tree to add/change nodes > - BL33 asks BL31 to add/change nodes > - BL31 passes an interim tree that BL33 will merge into his. > > Current wisdom is BL31 manipulates the BL33 tree. > > III.2 BL33->THING > > III.2.1 nature of manipulations > * operational > - board information (part numbers, serial numbers...) > - memory layout (beyond the typical 4G) > - IO specifics (PCIe...) > - reserved areas for runtime services (UEFI for instance) > - os.dtb > * THING dependent elements > - chosen for "command line" or other aspects > > III.2.2 manipulation operational considerations > In the case of UEFI interface, os.dtb passed as DT artifact or a UEFI > table shall be referring to the same tree (a single tree in memory, two > access methods). > > BL33 will operate all necessary manipulations on os.dtb before passing it > to the THING. The THING (grub, efiapp, kernel) can further operate > manipulations, it is outside scope of the discussion. > > > > -- > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > T: +33.67221.6485 > francois.ozog(a)linaro.org | Skype: ffozog > > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

5 years, 8 months

4
8
0 0

[RFC] Systemd-boot and EBBR

by François Ozog

Hi, I instrumented boot on my Ubuntu 18.04 server right after systemd startup and caught an access to: /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f This led to: https://systemd.io/DISCOVERABLE_PARTITIONS/ And then: https://systemd.io/BOOT_LOADER_INTERFACE/ https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT/ My server is configured with Grub to boot (grub and kernel on a HD, root FS of NVME as grub do not have nvme driver for my card) but the udev is still checking those systemd-boot variables. >From a boot loader perspective, we have the following EFI applications: - Grub2 - EFIBootGuard (used by CIP) - Systemd-boot (used by ?) Regardless of the loader, I assume we need to ensure whatever option is selected by solution builders, they can implement it with our U-Boot reference implementation of UEFI. The Systemd boot-bless seems of high interest for rolling back UEFI update capsules of firmware... I'd be happy to get some feed back on : - the systemd-boot technology - whether we need to implement the above specs in our UEFI implementation - whether this has an influence on EBBR Cheers FF PS: other references https://manpages.debian.org/testing/systemd/systemd-boot.7.en.html https://manpages.debian.org/testing/systemd/systemd-bless-boot.service.8.en… http://man7.org/linux/man-pages/man1/bootctl.1.html -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

5 years, 9 months

4
3
0 0

Re: RFC: EBBR specification update

by Heinrich Schuchardt

On 3/11/20 3:20 PM, Francois Ozog wrote: > > > On Wed, 11 Mar 2020 at 13:42, Francois Ozog <francois.ozog(a)linaro.org > <mailto:francois.ozog@linaro.org>> wrote: > > > > On Wed, 11 Mar 2020 at 12:45, Daniel Thompson > <daniel.thompson(a)linaro.org <mailto:daniel.thompson@linaro.org>> wrote: > > On Wed, Mar 11, 2020 at 11:20:17AM +0100, Francois Ozog wrote: > > On Wed, 11 Mar 2020 at 07:48, Heinrich Schuchardt > <xypron.glpk(a)gmx.de <mailto:xypron.glpk@gmx.de>> wrote: > > > On 3/11/20 12:04 AM, Heinrich Schuchardt wrote: > > > > On 3/10/20 7:37 PM, Francois Ozog wrote: > > > >> Le mar. 10 mars 2020 à 18:37, Daniel Thompson > > > >> <daniel.thompson(a)linaro.org > <mailto:daniel.thompson@linaro.org>> a écrit : > > > >>> On Tue, Mar 10, 2020 at 05:35:40PM +0100, Francois Ozog > wrote: > > > >>>> This is driven by the BL2 which is platform specific > and I am not sure > > > >>>> we can have any influence. > > > >>>> The flashimage.bin in a number of system consists of a > (blob) FIP that > > > >>>> has BL2, SCP stuff, BL31, BL32, BL33. > > > >>>> Ilias upstream U-Boot patches to change from "ADR" to > "ADRL" because > > > >>>> the code grew too much. > > > >>> > > > >>> I'm not quite sure I understand the concern here. > > > >>> > > > >>> Are you still working on systems where the boot ROM > mandates using MBR > > > >>> partitioning and attempting to put secure boot on it? > If so perhaps we > > > >>> could simply discontinue MBR support for systems with > secure boot! > > > >>> > > > >> > > > >> Well..... we want Products on the market to benefit from > EBBR compliance > > > >> rather than two years from now. So MBR is inevitable. > And is not that a > > > >> pain ;-) Of course its not as clean as we would like but > “sales first”! > > > > > > > > A typical problem is that a SoC has an entry address > within the first 17 > > > > KiB, e.g. the Allwinner CPUs want a firmware entry point > at 0x2000. If I > > > > correctly understand the UEFI standard, one might use > PartitionEntryLBA > > > > to place the GPT Partition Entry Array behind the > firmware in this case. > > > > > > > > > > In the expert mode of gdisk there is command 'j' for moving > the GPT > > > Partition Entry Array to an arbitrary sector. This will > protect the area > > > between the GPT header and the GPT Partition Entry Array > from being used > > > for a partition. The same can be done with parameter -j of > sgdisk. > > > > > > Furthermore gdisk supports creating a hybrid MBR. This > allow to have > > > GUID partition table and a MBR partion table at the same > time where the > > > MBR partition table mirrors up to three GPT partitions and > the fourth > > > MBR partition is used to protect the GUID partition table. > > > > > > So requiring GPT and having boards only supporting booting > from an MBR > > > partition (like the Raspberry) seems not to be exclusive. > > > > > > > That sounds like a great solution! > > The last time we discussed this there was *very* strong opposition > during meetings to hybrid partitioning and IIRC language was > added to > the spec to prohibit it. > > Hybrid partitioning is a problem because it imposes to difficult > to meet > constraints on partitioning tools provided by the operating system. > > In other words if we permit hybrid partitioning in order that > boot code > can find the firmware then the operating system would inherit a > duty to > not to screw up the firmware loading when it modifies the partition > tables. It is hard to express how the OS should go about that. > > Hence the current approach where we accept that MBR partitioning > offers an inferior feature set to GPT. > > > We have the following cases: > > - FW compatible with GPT (I mean firmware can be searched based on > GUID partition) > Ok > > - FW that uses offsets and can be positioned at LBA >= 33 > Ok > Need to define a protective partition > > - FW that uses offsets and can be positioned such that space between > LBA-2 and LBA-33 is used. > Ok in theory as the header states where the partition entries > location is specified in a GPT_HEADER "Starting LBA of array of > partition entries". > Linux kernel properly loads the partition entries if we push them > after 16MB. > > read_lba <https://elixir.bootlin.com/linux/latest/ident/read_lba>(state, le64_to_cpu > <https://elixir.bootlin.com/linux/latest/ident/le64_to_cpu>(gpt->partition_entry_lba) > > But I bet 2 is hardcoded in many tools... > > If I had done my homework properly, I would have seen that > U-Boot CONFIG_EFI_PARTITION_ENTRIES_OFF is just configuring that... CONFIG_EFI_PARTITION_ENTRIES_OFF is only relevant if you use U-Boot to create a GUID partition table. When reading a GPT U-Boot correctly considers the current value of PartitionEntryLBA. Best regards Heinrich > So there is some experience in playing with that.... I'd be happy to > read ;-) > > - FW that supposes LBA-1 (macchiatobin the firmware blob that > contain TF-A must be here) > > In theory OK as Linux will detect bad signature and use the > alternate GPT > > good_pgpt = is_gpt_valid > <https://elixir.bootlin.com/linux/latest/ident/is_gpt_valid>(state, GPT_PRIMARY_PARTITION_TABLE_LBA > <https://elixir.bootlin.com/linux/latest/ident/GPT_PRIMARY_PARTITION_TABLE_L…>, > &pgpt, &pptes); > if (good_pgpt) > good_agpt = is_gpt_valid > <https://elixir.bootlin.com/linux/latest/ident/is_gpt_valid>(state, > le64_to_cpu > <https://elixir.bootlin.com/linux/latest/ident/le64_to_cpu>(pgpt->alternate_lba), > &agpt, &aptes); > if (!good_agpt && force_gpt <https://elixir.bootlin.com/linux/latest/ident/force_gpt>) > good_agpt = is_gpt_valid > <https://elixir.bootlin.com/linux/latest/ident/is_gpt_valid>(state, lastlba, &agpt, &aptes); > > We loose the protective nature of GPT but it sounds like it will be > working. > > That said, we could enhance the EFI specification so that: > - we have a firmware protective partition > - the start LBA of the "GPT protective partition (0xEE)" is used to > define the GPT header placement instead of 1. > image.png > > Daniel. > > > > -- > > François-Frédéric Ozog | /Director Linaro Edge & Fog Computing Group/ > T: +33.67221.6485 > francois.ozog(a)linaro.org <mailto:francois.ozog@linaro.org> > | Skype: ffozog > > > > > -- > > François-Frédéric Ozog | /Director Linaro Edge & Fog Computing Group/ > T: +33.67221.6485 > francois.ozog(a)linaro.org <mailto:francois.ozog@linaro.org> | Skype: ffozog > >

5 years, 9 months

1
0
0 0

Re: RFC: EBBR specification update

by Francois Ozog

Le mar. 10 mars 2020 à 18:46, Mark Brown <broonie(a)kernel.org> a écrit : > On Tue, Mar 10, 2020 at 05:37:29PM +0000, Daniel Thompson wrote: > > On Tue, Mar 10, 2020 at 05:35:40PM +0100, Francois Ozog wrote: > > > > Thanks Leif for the links. I tend to like the ETSI one because it is > > > somewhat complete on necessary english grammar stuff. > > > But I am flexible, important we state explicitly the reference > > > document and we use the language constructs. > > > Does ETSI offer us "features" that are missing from RFC 2119. > > > Personally I would favour RFC 2119 simply because it is so much better > > known than the ETSI drafting rules. > > > If you cite RFC 2119 and I don't have to go and read anything... and > > even if I did it is super concise and quick to read. > > > Cite ETSI drafting rules, clause 3 and I have to put in a lot more > > effort. > > The RFC 2119 usage of "MUST" is also a more standard English usage (in > that people are more likely to be familiar with it) than the ETSI SHALL > so there's a bit of a comprehensibility win. RFC2119 sold on my side ;-) > > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

5 years, 10 months

1
0
0 0

FYI: Intel Vulnerability Serious But Unlikely, Experts Say

by Francois Ozog

Well, if you think IIot and Edge, you have physical access and the system is thus vulnerable.... https://www.sdxcentral.com/articles/news/intel-vulnerability-serious-but-un… Cheers FF PS: Intel CSME is an auxiliary micro-controller much like the SCP but with the capability to access the whole DRAM and having some TrustZone style role. -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

5 years, 10 months

1
0
0 0

Dynamic acpi

by Francois Ozog

just in case: [PATCH 000/108] RFC: dm: Add programatic generation of ACP https://lists.denx.de/pipermail/u-boot/2020-January/397886.html May be some ideas fir DT overlays... FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

5 years, 11 months

1
0
0 0

Sense of soc bus? (was: [PATCH] base: soc: Export soc_device_to_device() helper)

by Andreas Färber

Am 12.11.19 um 08:29 schrieb Uwe Kleine-König: > On Tue, Nov 12, 2019 at 06:23:47AM +0100, Greg Kroah-Hartman wrote: >> On Mon, Nov 11, 2019 at 09:10:41PM +0100, Andreas Färber wrote: >>> Am 11.11.19 um 07:40 schrieb Greg Kroah-Hartman: >>>> On Mon, Nov 11, 2019 at 06:42:05AM +0100, Andreas Färber wrote: >>>>> Am 11.11.19 um 06:27 schrieb Greg Kroah-Hartman: >>>>>> On Mon, Nov 11, 2019 at 05:56:09AM +0100, Andreas Färber wrote: >>>>>>> Use of soc_device_to_device() in driver modules causes a build failure. >>>>>>> Given that the helper is nicely documented in include/linux/sys_soc.h, >>>>>>> let's export it as GPL symbol. >>>>>> >>>>>> I thought we were fixing the soc drivers to not need this. What >>>>>> happened to that effort? I thought I had patches in my tree (or >>>>>> someone's tree) that did some of this work already, such that this >>>>>> symbol isn't needed anymore. >>>>> >>>>> I do still see this function used in next-20191108 in drivers/soc/. >>>>> >>>>> I'll be happy to adjust my RFC driver if someone points me to how! >>>> >>>> Look at c31e73121f4c ("base: soc: Handle custom soc information sysfs >>>> entries") for how you can just use the default attributes for the soc to >>>> create the needed sysfs files, instead of having to do it "by hand" >>>> which is racy and incorrect. >>> >>> Unrelated. >>> >>>>> Given the current struct layout, a type cast might work (but ugly). >>>>> Or if we stay with my current RFC driver design, we could use the >>>>> platform_device instead of the soc_device (which would clutter the >>>>> screen more than "soc soc0:") or resort to pr_info() w/o device. >>>> >>>> Ick, no, don't cast blindly. What do you need the pointer for? Is this >>>> for in-tree code? >>> >>> No, an RFC patchset: https://patchwork.kernel.org/cover/11224261/ >>> >>> As I indicated above, I used it for a dev_info(), which I can easily >>> avoid by using pr_info() instead: >>> >>> diff --git a/drivers/soc/realtek/chip.c b/drivers/soc/realtek/chip.c >>> index e5078c6731fd..f9380e831659 100644 >>> --- a/drivers/soc/realtek/chip.c >>> +++ b/drivers/soc/realtek/chip.c >>> @@ -178,8 +178,7 @@ static int rtd_soc_probe(struct platform_device *pdev) >>> >>> platform_set_drvdata(pdev, soc_dev); >>> >>> - dev_info(soc_device_to_device(soc_dev), >>> - "%s %s (0x%08x) rev %s (0x%08x) detected\n", >>> + pr_info("%s %s (0x%08x) rev %s (0x%08x) detected\n", >>> soc_dev_attr->family, soc_dev_attr->soc_id, chip_id, >>> soc_dev_attr->revision, chip_rev); >> >> First off, the driver should not be spitting out noise for when all goes >> well like this :) > > I didn't follow the discussion closely, but I think I want to object > here a bit. While I agree that each driver emitting some stuff to the > log buffer is hardly helpful, seeing the exact SoC details is indeed > useful at times. With my Debian kernel team member hat on, I'd say > keep this information. This way the SoC details make it into kernel bug > reports without effort on our side. Seconded. For example, RTD1295 will support LSADC only from revision B00 on (and it's not the first time I'm seeing such things in the industry). So if a user complains, it will be helpful to see that information. Referencing your Amlogic review, with all due respect for its authors, the common framework here just lets that information evaporate into the deeps of sysfs. People who know can check /sys/bus/soc/devices/soc0, but ordinary users will at most upload dmesg output to a Bugzilla ticket. And it was precisely info-level boot output from the Amlogic GX driver that made me aware of this common framework and inspired me to later contribute such a driver elsewhere myself. That's not a bad effect. ;) So if anything, we should standardize that output and move it into soc_device_register(): "<family> <soc_id> [rev <revision>] detected" with suitable NULL checks? (what I did above for Realtek, minus hex) The info level seems correct to me - it allows people to use a different log_level if they only care about warnings or errors on the console; it's not debug info for that driver, except in my case the accompanying hex numbers that I'd be happy to drop in favor of standardization. Another aspect here is that the overall amount of soc_device_register() users is just an estimated one third above the analysis shared before. In particular server platforms, be it arm64 or x86_64, that potentially have more than one SoC integrated in a multi-socket configuration, don't feed into this soc bus at all! Therefore my comment that dev_info()-printed "soc soc0:" is kind of useless if there's only one SoC on those boards. I'm not aware of any tool or a more common file aggregating this information, certainly not /proc/cpuinfo and I'm not aware of any special "lssoc" tool either. And if there's no ACPI/DMI driver feeding support-relevant information into this framework to be generally useful, I don't expect the big distros to spend time on improving its usability. So if we move info output into base/soc.c, we could continue using dev_info() with "soc"-grep'able prefix in the hopes that someday we'll have more than one soc device on the bus and will need to distinguish; otherwise yes, pr_info() would change the output format for Amlogic (and so would a harmonization of the text), but does anyone really care in practice? Tools shouldn't be relying on its output format, and humans will understand equally either way. Finally, arch/arm seems unique in that it has the machine_desc mechanism that allows individual SoCs to force creating their soc_device early and using it as parent for further DT-created platform_devices. With arm64 we've lost that ability, and nios2 is not using it either. A bad side effect (with SUSE hat on) is that this parent design pattern does not allow to build such drivers as modules, which means that distro configs using arm's multi-platform, e.g., CONFIG_ARCH_MULTI_V7 will get unnecessary code creep as new platforms get added over time (beyond the basic clk, pinctrl, tty and maybe timer). Even if it were possible to call into a driver module that early, using it as parent would seem to imply that all the references by its children would not allow to unload the module, which I'd consider a flawed design for such an "optional" read-once driver. If we want the device hierarchy to have a soc root then most DT based platforms will have a /soc DT node anyway (although no device_type = "soc") that we probably could have a device registered for in common code rather than each SoC platform handling that differently? That might then make soc_register_device() not the creator of the device (if pre-existent) but the supplier of data to that core device, which should then allow to unload the data provider with just the sysfs data disappearing until re-inserted (speeding up the develop-and-test cycle on say not-so-resource-constrained platforms). On the other hand, one might argue that such information should just be parsed by EBBR-conformant bootloaders and be passed to the kernel via standard UEFI interfaces and DMI tables. But I'm not aware of Barebox having implemented any of that yet, and even for U-Boot (e.g., Realtek based consumer devices...) not everyone has the GPL sources or tools to update their bootloader. So, having the kernel we control gather information relevant to kernel developers does make some sense to me. Thoughts? Regards, Andreas P.S. Sorry that a seemingly trivial one-line 0-day fix derailed into this fundamental use case discussion. arch/arm/mach-ep93xx/core.c: soc_dev = soc_device_register(soc_dev_attr); arch/arm/mach-imx/cpu.c: soc_dev = soc_device_register(soc_dev_attr); arch/arm/mach-mvebu/mvebu-soc-id.c: soc_dev = soc_device_register(soc_dev_attr); arch/arm/mach-mxs/mach-mxs.c: soc_dev = soc_device_register(soc_dev_attr); arch/arm/mach-omap2/id.c: soc_dev = soc_device_register(soc_dev_attr); arch/arm/mach-tegra/tegra.c: struct device *parent = tegra_soc_device_register(); arch/arm/mach-zynq/common.c: soc_dev = soc_device_register(soc_dev_attr); arch/nios2/platform/platform.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/amlogic/meson-gx-socinfo.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/amlogic/meson-mx-socinfo.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/atmel/soc.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/bcm/brcmstb/common.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/fsl/guts.c: soc_dev = soc_device_register(&soc_dev_attr); drivers/soc/imx/soc-imx-scu.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/imx/soc-imx8.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/qcom/socinfo.c: qs->soc_dev = soc_device_register(&qs->attr); drivers/soc/realtek/chip.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/renesas/renesas-soc.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/samsung/exynos-chipid.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/tegra/fuse/fuse-tegra.c: dev = soc_device_register(attr); drivers/soc/ux500/ux500-soc-id.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/versatile/soc-integrator.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/versatile/soc-realview.c: soc_dev = soc_device_register(soc_dev_attr); -- SUSE Software Solutions Germany GmbH Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Felix Imendörffer HRB 36809 (AG Nürnberg)

6 years, 1 month

5
8
0 0

Boot Sprint proposal for Wednesday @SAN19

by Francois Ozog

Hi, following the proposal at the last Device Tree Evolution call I'd like to propose an agenda for Wednesday that Steve could complement (see below). You may want to add or remove agenda items... We need to synchronize with "kernel day" agenda as some of us need to attend both events. Cheers FF 4h: DeviceTree Lead Project - to be defined by Steve McIntyre 4h: DependableBoot Lead Project - 1h: status and deliverable planning for next cycle - EBBR specs next steps? compliance. - UEFI SecureBoot - EFI payload authentication - UEFI Secure variable handling - Linux kernel UEFI variable caching and updates (as a capsule update) - Define other ‘must-have’ UEFI features (i.e DBT??) - firmwareTPM - UEFI MeasuredBoot - 32bits UEFI support - Qemu EBBR - implications of our work on EDKII - 1h: Robust boot "research" & PoC for next cycle - anti-brickable incl. TF-A: “philosophy” and hints to implement - UEFI watchdog: when to call UEFI exit-boot-services? - 2h: overall boot architecture evolution - interdependencies between TF-A, TrustZone (SPM, OPTEE, SCPI), OS, SCMI - many things are happening and I am not sure we understand tricky interactions that may result in race conditions (for instance SCMI in OPTEE kernel and its relations with UEFI runtime services). The idea is to try to identify the hairiest issues that we should analyze post Connect. - Boot orchestration - "Contracts" / list all the assumptions -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 4 months

1
0
0 0

Re: EBBR Monthly - 4th Tuesday

by Grant Likely

Evidently I've managed to overlap the EBBR monthly with the 96Boards SC monthly meeting. Does anyone object to rescheduling the EBBR monthly to be the 1st Tuesday of each month? (starting next week). g. ________________________________________ From: Grant Likely Sent: 12 March 2019 11:38 To: rob.herring(a)linaro.org; Ben Eckermann; Dong Wei; perobins(a)redhat.com; ryan.harkin(a)linaro.org; Udit Kumar; wmills(a)ti.com; nicolas.dechesne(a)linaro.org; Tom Rini; Peter Robinson; Tony Wu; tom.rini(a)konsulko.com; Yang Zhang; Nicusor Penisoara; Andreas Färber; Michal Simek; David Rusling; Peter Jones; Mark Brown; Matthias Brugger; daniel.thompson(a)linaro.org Subject: EBBR Monthly - 4th Tuesday When: 28 May 2019 15:00-16:00. Where: WebEx Biweekly EBBR status call - Online meeting: https://arm-onsite.webex.com/meet/gralik01 - Phone - Access code: 809 053 990 - 1-408-792-6300 Call-in toll number (US/Canada) - 1-877-668-4490 Call-in toll-free number (US/Canada) - 44-203-478-5285 Call-in toll number (UK) - 08-002061177 Call-in toll-free (UK) More access numbers: https://arm-onsite.webex.com/cmp3300/webcomponents/widget/globalcallin/glob… IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years, 4 months

2
5
0 0

U-Boot/EBBR plugfest at ELC-EU?

by Grant Likely

Quick poll: who would be interested in a U-Boot/EBBR plugfest event collocates with ELC-EU this year (week of 28th Oct)? In the EBBR meetings we’ve tossed around the idea of an U-Boot/EBBR plugfest to work out compatibility issues between OS distros and upstream U-Boot SBC support. The idea is to get a number of SBCs supported by mainline U-Boot with UEFI features turned on, along with U-Boot & OS developers and hold a 1 day debug sprint to work out how many platforms can work with ‘stock’ OS images. Details to be worked out if this looks viable. I’ve asked the LF folks if they have space on either Thursday 31st Oct or Friday 1st Nov. They are checking availability, but no commitments have been made. It would help to know if this date and location is feasible. What do you think? Would you come to a plug fest attached to ELC-EU? Would you be interested in helping to organise? Or, is there another time & location that would work better? Cheers, g. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years, 4 months

11
20
0 0

signing tool on linux?

by AKASHI Takahiro

Hi, I'm now working on implementing UEFI secure boot on U-boot, in particular, adding "dbt" (timestamp-based revocation) support as described in UEFI specification, section 32.5.1 paragraph#7. # To be honest, the description is quite hard for me to understand. # I've got what it means only after reading corresponding EDK2 code. My question is: Is there any signing tool on linux, with which we can directly "timestamp" a PE image with RFC3161-compliant timestamp? I know that "signtool" in Microsoft's Windows SDK has this feature, but I wonder what tool major distros use for this purpose. (They also need to use windows for creating their own distributions?) I don't think it is very difficult to add the feature to existing tools like "sbsign," but it would be nice to use "proven" tools for testing. Thanks, -Takahiro Akashi

6 years, 6 months

3
8
0 0

hooking UEFI boot services

by Francois Ozog

I hope somebody in the kernel community is looking at making sure the piece of memory is RO: https://wikileaks.org/ciav7p1/cms/page_36896783.html Anyone knows about that? Cheers FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 6 months

2
1
0 0

Re: EBBR Monthly - 4th Tuesday

by Grant Likely

Hi All, Monthly EBBR meeting is scheduled for today. So far I've got the following agenda items: - Update on Devicetree Evolution project at Linaro (System Devicetree, separate dts repo, spec updates) - EBBR Plugfest options and planning committee - Policy on DTBs shipped with OS -- does EBBR need to address this explicitly? Email if you have any other items. g. ________________________________________ From: Grant Likely Sent: 12 March 2019 11:38 To: rob.herring(a)linaro.org; Ben Eckermann; Dong Wei; perobins(a)redhat.com; ryan.harkin(a)linaro.org; Udit Kumar; wmills(a)ti.com; nicolas.dechesne(a)linaro.org; Tom Rini; Peter Robinson; Tony Wu; tom.rini(a)konsulko.com; Yang Zhang; daniel.thompson(a)linaro.org; Nicusor Penisoara; Andreas Färber; Michal Simek; David Rusling; Peter Jones; Mark Brown; Matthias Brugger Subject: EBBR Monthly - 4th Tuesday When: 25 June 2019 15:00-16:00. Where: WebEx Biweekly EBBR status call - Online meeting: https://arm-onsite.webex.com/meet/gralik01 - Phone - Access code: 809 053 990 - 1-408-792-6300 Call-in toll number (US/Canada) - 1-877-668-4490 Call-in toll-free number (US/Canada) - 44-203-478-5285 Call-in toll number (UK) - 08-002061177 Call-in toll-free (UK) More access numbers: https://arm-onsite.webex.com/cmp3300/webcomponents/widget/globalcallin/glob… IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years, 6 months

4
3
0 0

DT and EBBR, was: Securing the boot flow in U-Boot

by Francois Ozog

So trying to summarize the DT side track discussion in a different thread: ( Shall we organize a virtual design sprint before the end of the month? I'd like to create a section from the discussion in Boot Flows documen ) I - Current situation is: - DT provided by Linux kernel because it was “easier” and there was no upstream home - ACPI is provided by firmware (to make things simple), non secure OS can patch them in case of issues, SecureBoot prevents those patches OS provided DT is a cool developer facility in the context of floating DT bindings and lack of proper upstream project. But conceptually speaking, DT is not an OS thing and is not a firmware thing: it is a board thing that may be massaged by firmware and consumed by OS. With EBBR we seek a clean and salable solution that make the DT as simple as ACPI. II - Desired DT for EBBR policy 1) "upstream" DT 1.1) who provides DT Board vendor make a <reference DT> that describes every hardware piece, firmware provides a DT to OS, OS may be able to validate the DT but not override it in secureboot production. For security and boot latency consideration, firmware may actually need two DTs: a stripped version from <reference DT> to operate on the minimal set of devices it want to bring up the OS (say the <firmware DT>), a pruned/adapted version from <reference DT> , ie without devices firmware wants to control and conforms to EBBR spec (say the <OS DT>). 1.2) upstream <reference DT> The board reference DT> shall be valid regardless of the firmware (may be trusted firmware, uboot, edkII, linuxBoot...) not mentioning OS! There are many candidates but I start to think Linaro could host a DT and EBBR companion community project: "EBBR DTs" that will contain all the <reference DT> from every EBBR compliant board vendor. (Other boards can continue the mess, it is irrelevant EBBR, and us. SecureBoot, MeasuredBoot implementations will assume EBBR compliance) 2) who sign what with what key If we think of the following use case: Silicon Vendor provides a chip, a board vendor provides a board, ABB builds a controller, Caterpillar creates a mining truck with the controller, Rio Tinto operates the trck. One possible (just designed to show case the need of various keysets) trust chain is: - Board key db is loaded with a board vendor, ABB and caterpillar certs. - Trusted firmware: ABB doesn't want to deal with this, so the Board vendor provides and signs trusted firmware, with key_tf. - untrusted firmware: ABB selects the <firmware DT> and <OS DT> signs both DTs and firmware with key_firmware. Trusted Firmware will validate the signatures as key DB is loaded with ABB cert. - grub and the OS: Caterpillar signs them with key_os (What is signed and how it is verified is still a big discussion topic and the origin of the sidetrack on DT) - applications: Rio Tinto insurance company may be given the authority to sign hosted OPTEE applications with a different key. 3) OS payload signing and verification: was the original topic of the discussion and shall continue in the other thread. 4) operational considerations In non SecureBoot environment, DT can be patched by OS (same as ACPI). OS may decide to verify validaty of provided DT (mechanism yet to be defined) "dtb=" kernel command line parameter is still possible in non secure boot but forbiden in secureBoot. Le mer. 5 juin 2019 à 08:35, Tom Rini <trini(a)konsulko.com> a écrit : > On Wed, Jun 05, 2019 at 08:29:37AM +0200, Ard Biesheuvel wrote: > > On Wed, 5 Jun 2019 at 00:34, Tom Rini <trini(a)konsulko.com> wrote: > > > > > > On Tue, Jun 04, 2019 at 06:14:16PM -0400, Francois Ozog wrote: > > > > Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit : > > > > > > ... > > > > I think it may be good to validate but not provide. There is no Linux > > > > provided ACPI table right ? So I get the point to validate a DT. > > > > > > There's "Linux provided" ACPI tables when someone has to decompile, > > > fixup and re-compile their DSDT files. > > > > > > Or perhaps a better way to think of it is that yes, there's "Linux > > > provided ACPI tables" when vendors are developing their hardware and > > > correcting their ACPI tables. Same thing with DT, by and large (as > > > overlays and secure boot are a can of worms to worry about later). > > > > Secure boot enabled Linux does not permit this model. Side loading of > > DSDTs/SSDTs is disabled by the hardening patchset that all the distros > > carry for secure boot enabled kernels. > > That sounds a little broken then. It should be doable so long as the > files are signed appropriately. It's also rarer because the ACPI tables > are functionally validated before they're put into production. That's > largely the case here, except when we're talking about updating them for > new support or just like the case above, fixing a problem with them. > > -- > Tom >

6 years, 6 months

4
4
0 0

[RFC]: Kernel lockdown & secureboot

by Francois Ozog

Hi I was tasked to come back to Linaro TSC with an answer on Linaro and kernel lockdown for UEFI SecureBoot, hence the call for feed back. So I did some research... The kernel lockdown does not seem to be a full consensus yet: https://news.ycombinator.com/item?id=16761827 I agree with Linus <https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1654795.html>: we should distinguish UEFI SecureBoot and how to achieve a highly secured Operating System runtime environment. 1) UEFI SecureBoot: boot chain trust My understanding is that UEFI SecureBoot ensures that the booted UEFI payload is trusted. Should the UEFI payload (a Linux OS) not be that secure it is irrelevant to the UEFI SecureBoot itself. 2) Trustable Linux system A trustable Linux system is UEFI SecureBoot loaded and make addition precautions to avoid attacks and attacks to the boot chain. If we think of a highly secured Linux, the kernel lockdown is certainly highly desirable but just as many other aspects: - iommu must be enabled to protect against DMA attacks - sysfs needs to be cleaned (access rights are not tight enough) - debugfs need to be banned (problem: some production control operations are wrongly in debugfs) -SE Linux - IMA - ... In my view, we shall not mix the goal and the means to achieve the goal.... For instance, kernel lock down prevents iopl system call which prevents UIO and UIO enabled DPDK drivers. A vendor may evaluate that the security level achieved without kernel lockdown is in line with its objectives to achieve a trustable Linux system: loadable modules disabled by the kernel, kernel embedded initramfs, IMA... As a result, UEFI SecureBoot to secure the boot chain combined with selected Linux hardening can achieve a Trustable Linux System. As per LEDGE both are highly important I would say that 1) does not need 2) to be complete. The way to achieve 2) is project dependent. The LEDGE RP will need kernel lockdown because we will allow loadable modules. SoC vendors deriving a product out of LEDGE RP, may take different provisions as per customer projects, in particular, they may derive a version without lockdown but still trustable. There is an additional twists to this. UEFI SecureBoot does not mandate Microsoft signed keys. But if you use Microsoft keys, I was warned that Microsoft may revoke certificates for non locked down systems. This warning illustrate the absolute need for independence related to UEFI SecureBoot: I can't imagine a system in Europe (particularly in military) prevented to boot because Microsoft revoked a certificate!!! Cheers FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 6 months

5
5
0 0

EBBR: support for HII resources in LoadImage

by Heinrich Schuchardt

EBBR reqfers to chapter 2.6 "Requirements" of the UEFI spec if no special exceptions are provided. The UEFI spec requires to support HII resources in the LoadImage() boot service. If an image contains a HII resource it has to install the EFI_HII_PACKAGE_LIST_PROTOCOL on the image handle. But chapter 2.6 does not generally require support for HII protocols. It would be helpful to clarify if supporting HII resources in the LoadImage() boot service is required to be EBBR compliant. I would prefer EBBR not to require this as it adds a lot of complexity to the firmware. The UEFI spec further requires supporting loading images via the EFI_LOAD_FILE_PROTOCOL and the EFI_LOAD_FILE2_PROTOCOL. This might also be a candidate for skipping in the EBBR. Best regards Heinrich Schuchardt

6 years, 6 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Francois Ozog

I introduced the discussion topic to LEDGE Steering Committee today. Linaro will focus on the use case where the DT is provided by the firmware. Other use cases may be considered at a later stage. On Thu, 6 Jun 2019 at 11:10, Tom Rini <trini(a)konsulko.com> wrote: > On Thu, Jun 06, 2019 at 09:08:25AM +0200, Ard Biesheuvel wrote: > > On Wed, 5 Jun 2019 at 21:28, Tom Rini <trini(a)konsulko.com> wrote: > > > > > > On Wed, Jun 05, 2019 at 08:30:12PM +0200, Ard Biesheuvel wrote: > > > > On Wed, 5 Jun 2019 at 19:30, Tom Rini <trini(a)konsulko.com> wrote: > > > > > > > > > > On Wed, Jun 05, 2019 at 06:14:08PM +0100, Mark Brown wrote: > > > > > > On Wed, Jun 05, 2019 at 02:16:11PM +0200, Ard Biesheuvel wrote: > > > > > > > > > > > > > The idea of EBBR is to move away from a vertically integrated > model, > > > > > > > and permit systems or appliances to use packaged OSes in the > field, > > > > > > > similar to how this is being done on servers today. The idea > that it > > > > > > > is required for, say, company X shipping product Yrev0, to > upstream a > > > > > > > new rev of the DT in order to tweak their board and ship > product Yrev1 > > > > > > > is simply ridiculous. It doesn't scale, and we shouldn't care > - the DT > > > > > > > bindings is what we care about, and if it adheres to those, the > > > > > > > platform can provide any DT it wants, and there is no reason > the > > > > > > > kernel devs should ever need to look at it. > > > > > > > > > > > > I don't think anyone is particularly suggesting that (at least > not in > > > > > > the portions of the thread I read properly, I have to confess I > was > > > > > > skimming a bunch of it)? > > > > > > > > > > Just so we're all on the same page, we do understand that someone > > > > > somewhere is providing Yrev0.dtb and Yrev1.dtb, yes? Or are we > > > > > expecting someone to be run-time fixing up Yboard.dtb for rev0 vs > rev1 > > > > > vs .. ? > > > > > > > > Let me put it like this: company X is not interested in having to > > > > engage with the distros to get Yrev1.dtb into the OS, nor do they > want > > > > to be forced to start from an official DTB and apply deltas to make > it > > > > correct. You ship a board with some description of the board that the > > > > OS can understand - this is how the OS identifies which hardware it > > > > runs on: the DT description. > > > > > > Where does this description that's coming with the board come from? > > > That _matters_ if you want to have any idea what will be able to use > it. > > > > From the platform, not from the OS. How the firmware achieves that is > > left unspecified by EBBR, it only mandates that it is passed to the OS > > via a config table. > > But it's part of the OS. > > > > > > > > For development, things are obviously different, I understand > that. > > > > > > > Shipping DTs for devboards makes sense, especially while the DT > > > > > > > bindings are not set in stone yet. But imposing this model for > > > > > > > production is unsustainable. > > > > > > > > > > > > I don't think I've particularly seen anyone trying to do that for > > > > > > anything other than devboards, like Tom says people with actual > products > > > > > > usually don't even consider it. It's more that there is this > devboard > > > > > > case where the DTs are currently in kernel and a lot of the > people > > > > > > hacking on things are using devboards if only for want of > anything else > > > > > > so they naturally end up caring about that case. > > > > > > > > > > Keep in mind that the in-kernel dev board ones _are_ important as > that's > > > > > what you start your custom platform from, 9 times out of 10. It's > quite > > > > > often the case of "OK, $vendor gave us schematics for EVB, lets > cut what > > > > > we don't need and tweak" with a matching set of cuts and tweaks to > the > > > > > dts for the EVB. In the case of carrier+SOM it's just adding to, > if > > > > > using the stock carrier, or again adapting things for the custom > > > > > carrier. > > > > > > > > Of course. But how is this relevant? I am not saying DTs have to be > > > > truly original works, just that the OS should not be the one > providing > > > > it. > > > > > > Because we've been talking about where the device tree comes from, and > I > > > keep trying to point out that we are no where near a proven record of > > > "DTB is always valid and functional with the Linux Kernel from here > > > on out". There's not the tooling nor review to enforce that and > there's > > > a few examples every year (of just in-tree device trees, not custom end > > > products) where it gets broken. > > > > So now, you are saying companies should only ship products with > > devices trees that have been reviewed by the kernel community? > > No, but I am saying that intentions and reality disagree on "DTB + any > kernel that supports those bindings" always resulting in "Everything > continues to function as expected". > > > This makes no sense to me whatsoever: the DT *bindings* are the > > contract that we have with the platforms. If someone ships a DT that > > adheres to the bindings, we are on the hook to fix it. If someone > > ships a broken DT, it is their problem and they are fix it in their OS > > fork, or they issue a firmware update that fixes it. > > I'm saying the DT binding contracts get broken, have a track record of > getting broken and will continue to be broken. The DTB is part of the > OS. > > > > > > But maybe it's just me that's confused about what "shipping" means > in > > > > > this context. Almost no one bothers "shipping" the DTS files for a > > > > > custom product to mainline Linux as no one is supposed to be > running > > > > > anything other than the provided software on the custom device and > so it > > > > > goes where ever it goes for that products needs and support plans. > > > > > Rarely does a board, devboard or finished end-user product, ship > with a > > > > > DTB file stored stand-alone in a flash chip, that is intended as > the > > > > > final forever DTB. It's just another part of > > > > > firmware-by-which-I-mean-the-whole-software-stack. > > > > > > > > Who said anything about the DT being stored in a flash chip? I > already > > > > explained more than once that it is up to the firmware to decide > *how* > > > > it stores the DT, and the filesystem is fine if it does not care > about > > > > security or if it implements some form of authentication. > > > > > > It's been stated I believe in other parts of this thread or perhaps I'm > > > just thinking of the many other times people have talked about hardware > > > shipping a device tree. If the hardware is shipping the DTB to use, > > > it's often stored someplace other than normal storage so that it's not > > > overwritten by accident. Similar to ACPI tables :) > > > > > > > The point is that we are trying to move from this custom device model > > > > to a model where you can run a generic distro, without having to put > > > > the burden on the OS vendor to bundle a DT for every platform that it > > > > will ever run on, which is especially tricky if those platforms do > not > > > > exist yet. > > > > > > So we are, or are not trying to come up with recommendations for > > > shipping a DTB file for hardware? > > > > I'm not sure i understand the question, but EBBR is not just a > > recommendation. If you want to claim EBBR compliance, your platform > > should be able to boot an OS that comes without bundled DTB images. > > No, that's not right. You are either OS+ACPI or OS+DTB. In the case of > ACPI, other specifications deal with that. In the case of DTB there is > not a specification that deals with these expectations, so EBBR needs to > say something. > > > > > > Which is why my whole point here has been that the DTB needs to be > > > > > treated and signature checked just like any other part of what's > being > > > > > loaded (kernel, initrd, grub and grub.conf OR systemd-boot and > > > > > systemd-boot.conf, etc, etc). > > > > > > > > > > > > > Again, I am not arguing that the DT should be linked into the > firmware > > > > executable, I am only saying that UEFI secure boot is not appropriate > > > > for authenticating it (and that the OS should not be providing it) > > > > > > Are you just saying "the DT exists in the config table GUID, it is > good" > > > and ignoring the question of how the DT is put into the config table > and > > > any sort of "it is good" test? > > > > So now we are policing the DT as well, and checking whether it is > > 'good' or not? The platform knows best how to describe the hardware, > > so it is the hardware that provides the DT period. If a crappy product > > provides a crappy DT, then you will get a crappy experience, just as > > you might expect. > > I don't know why this keeps coming up. In this context, which is > "secure boot", good means "we have done some form of cryptographic > validation that this blob has been signed". > > > > Finally, is UEFI secure boot appropriate for authentication of the > > > initrd? The bootloader config files? > > > > No. initrd is a file system interpreted by the Linux kernel, and we > > already have ways to authenticate that (unless you build it into the > > kernel image, in which case you get it for free) > > How are you seeing the initrd being authenticated, if not via the UEFI > secure boot hooks? > > > bootloader config files are an implementation detail of the > > bootloader, and the same reasoning applies: UEFI secure boot > > authenticates the OS to the platform, not the other way around. If the > > firmware wants to sign its config files, it can, and it might even > > reuse some of the crypto code that UEFI secure boot uses. But it is > > not part of UEFI secure boot. > > I disagree. > > -- > Tom > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 7 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Steve McIntyre

[ Snipping again ] On Thu, Jun 06, 2019 at 11:10:07AM -0400, Tom Rini wrote: >On Thu, Jun 06, 2019 at 09:08:25AM +0200, Ard Biesheuvel wrote: >> On Wed, 5 Jun 2019 at 21:28, Tom Rini <trini(a)konsulko.com> wrote: >> > >> > Where does this description that's coming with the board come from? >> > That _matters_ if you want to have any idea what will be able to use it. >> >> From the platform, not from the OS. How the firmware achieves that is >> left unspecified by EBBR, it only mandates that it is passed to the OS >> via a config table. > >But it's part of the OS. And this is is the crux of the argument. The DT is *not* part of the OS, it's a description of the *hardware* that *any* OS (or bootloader, or whatever) should be able to use. That's the whole point. ... >> > Because we've been talking about where the device tree comes from, and I >> > keep trying to point out that we are no where near a proven record of >> > "DTB is always valid and functional with the Linux Kernel from here >> > on out". There's not the tooling nor review to enforce that and there's >> > a few examples every year (of just in-tree device trees, not custom end >> > products) where it gets broken. >> >> So now, you are saying companies should only ship products with >> devices trees that have been reviewed by the kernel community? > >No, but I am saying that intentions and reality disagree on "DTB + any >kernel that supports those bindings" always resulting in "Everything >continues to function as expected". > >> This makes no sense to me whatsoever: the DT *bindings* are the >> contract that we have with the platforms. If someone ships a DT that >> adheres to the bindings, we are on the hook to fix it. If someone >> ships a broken DT, it is their problem and they are fix it in their OS >> fork, or they issue a firmware update that fixes it. > >I'm saying the DT binding contracts get broken, have a track record of >getting broken and will continue to be broken. The DTB is part of the >OS. Contracts will continue to be broken as long as people think there is the flexibility to break them. It's never going to improve like this! Including the DT with the kernel was only ever intended to be a short-term bootstrap solution until vendors caught up and started shipping working DTBs in their firmware. Cheers, -- Steve McIntyre steve.mcintyre(a)linaro.org <http://www.linaro.org/> Linaro.org | Open source software for ARM SoCs

6 years, 7 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Ard Biesheuvel

On Wed, 5 Jun 2019 at 21:28, Tom Rini <trini(a)konsulko.com> wrote: > > On Wed, Jun 05, 2019 at 08:30:12PM +0200, Ard Biesheuvel wrote: > > On Wed, 5 Jun 2019 at 19:30, Tom Rini <trini(a)konsulko.com> wrote: > > > > > > On Wed, Jun 05, 2019 at 06:14:08PM +0100, Mark Brown wrote: > > > > On Wed, Jun 05, 2019 at 02:16:11PM +0200, Ard Biesheuvel wrote: > > > > > > > > > The idea of EBBR is to move away from a vertically integrated model, > > > > > and permit systems or appliances to use packaged OSes in the field, > > > > > similar to how this is being done on servers today. The idea that it > > > > > is required for, say, company X shipping product Yrev0, to upstream a > > > > > new rev of the DT in order to tweak their board and ship product Yrev1 > > > > > is simply ridiculous. It doesn't scale, and we shouldn't care - the DT > > > > > bindings is what we care about, and if it adheres to those, the > > > > > platform can provide any DT it wants, and there is no reason the > > > > > kernel devs should ever need to look at it. > > > > > > > > I don't think anyone is particularly suggesting that (at least not in > > > > the portions of the thread I read properly, I have to confess I was > > > > skimming a bunch of it)? > > > > > > Just so we're all on the same page, we do understand that someone > > > somewhere is providing Yrev0.dtb and Yrev1.dtb, yes? Or are we > > > expecting someone to be run-time fixing up Yboard.dtb for rev0 vs rev1 > > > vs .. ? > > > > Let me put it like this: company X is not interested in having to > > engage with the distros to get Yrev1.dtb into the OS, nor do they want > > to be forced to start from an official DTB and apply deltas to make it > > correct. You ship a board with some description of the board that the > > OS can understand - this is how the OS identifies which hardware it > > runs on: the DT description. > > Where does this description that's coming with the board come from? > That _matters_ if you want to have any idea what will be able to use it. > >From the platform, not from the OS. How the firmware achieves that is left unspecified by EBBR, it only mandates that it is passed to the OS via a config table. > > > > > For development, things are obviously different, I understand that. > > > > > Shipping DTs for devboards makes sense, especially while the DT > > > > > bindings are not set in stone yet. But imposing this model for > > > > > production is unsustainable. > > > > > > > > I don't think I've particularly seen anyone trying to do that for > > > > anything other than devboards, like Tom says people with actual products > > > > usually don't even consider it. It's more that there is this devboard > > > > case where the DTs are currently in kernel and a lot of the people > > > > hacking on things are using devboards if only for want of anything else > > > > so they naturally end up caring about that case. > > > > > > Keep in mind that the in-kernel dev board ones _are_ important as that's > > > what you start your custom platform from, 9 times out of 10. It's quite > > > often the case of "OK, $vendor gave us schematics for EVB, lets cut what > > > we don't need and tweak" with a matching set of cuts and tweaks to the > > > dts for the EVB. In the case of carrier+SOM it's just adding to, if > > > using the stock carrier, or again adapting things for the custom > > > carrier. > > > > Of course. But how is this relevant? I am not saying DTs have to be > > truly original works, just that the OS should not be the one providing > > it. > > Because we've been talking about where the device tree comes from, and I > keep trying to point out that we are no where near a proven record of > "DTB is always valid and functional with the Linux Kernel from here > on out". There's not the tooling nor review to enforce that and there's > a few examples every year (of just in-tree device trees, not custom end > products) where it gets broken. > So now, you are saying companies should only ship products with devices trees that have been reviewed by the kernel community? This makes no sense to me whatsoever: the DT *bindings* are the contract that we have with the platforms. If someone ships a DT that adheres to the bindings, we are on the hook to fix it. If someone ships a broken DT, it is their problem and they are fix it in their OS fork, or they issue a firmware update that fixes it. > > > But maybe it's just me that's confused about what "shipping" means in > > > this context. Almost no one bothers "shipping" the DTS files for a > > > custom product to mainline Linux as no one is supposed to be running > > > anything other than the provided software on the custom device and so it > > > goes where ever it goes for that products needs and support plans. > > > Rarely does a board, devboard or finished end-user product, ship with a > > > DTB file stored stand-alone in a flash chip, that is intended as the > > > final forever DTB. It's just another part of > > > firmware-by-which-I-mean-the-whole-software-stack. > > > > Who said anything about the DT being stored in a flash chip? I already > > explained more than once that it is up to the firmware to decide *how* > > it stores the DT, and the filesystem is fine if it does not care about > > security or if it implements some form of authentication. > > It's been stated I believe in other parts of this thread or perhaps I'm > just thinking of the many other times people have talked about hardware > shipping a device tree. If the hardware is shipping the DTB to use, > it's often stored someplace other than normal storage so that it's not > overwritten by accident. Similar to ACPI tables :) > > > The point is that we are trying to move from this custom device model > > to a model where you can run a generic distro, without having to put > > the burden on the OS vendor to bundle a DT for every platform that it > > will ever run on, which is especially tricky if those platforms do not > > exist yet. > > So we are, or are not trying to come up with recommendations for > shipping a DTB file for hardware? > I'm not sure i understand the question, but EBBR is not just a recommendation. If you want to claim EBBR compliance, your platform should be able to boot an OS that comes without bundled DTB images. > > > Which is why my whole point here has been that the DTB needs to be > > > treated and signature checked just like any other part of what's being > > > loaded (kernel, initrd, grub and grub.conf OR systemd-boot and > > > systemd-boot.conf, etc, etc). > > > > > > > Again, I am not arguing that the DT should be linked into the firmware > > executable, I am only saying that UEFI secure boot is not appropriate > > for authenticating it (and that the OS should not be providing it) > > Are you just saying "the DT exists in the config table GUID, it is good" > and ignoring the question of how the DT is put into the config table and > any sort of "it is good" test? > So now we are policing the DT as well, and checking whether it is 'good' or not? The platform knows best how to describe the hardware, so it is the hardware that provides the DT period. If a crappy product provides a crappy DT, then you will get a crappy experience, just as you might expect. > Finally, is UEFI secure boot appropriate for authentication of the > initrd? The bootloader config files? > No. initrd is a file system interpreted by the Linux kernel, and we already have ways to authenticate that (unless you build it into the kernel image, in which case you get it for free) bootloader config files are an implementation detail of the bootloader, and the same reasoning applies: UEFI secure boot authenticates the OS to the platform, not the other way around. If the firmware wants to sign its config files, it can, and it might even reuse some of the crypto code that UEFI secure boot uses. But it is not part of UEFI secure boot.

6 years, 7 months

2
1
0 0

Re: Securing the boot flow in U-Boot

by Ard Biesheuvel

On Wed, 5 Jun 2019 at 19:30, Tom Rini <trini(a)konsulko.com> wrote: > > On Wed, Jun 05, 2019 at 06:14:08PM +0100, Mark Brown wrote: > > On Wed, Jun 05, 2019 at 02:16:11PM +0200, Ard Biesheuvel wrote: > > > > > The idea of EBBR is to move away from a vertically integrated model, > > > and permit systems or appliances to use packaged OSes in the field, > > > similar to how this is being done on servers today. The idea that it > > > is required for, say, company X shipping product Yrev0, to upstream a > > > new rev of the DT in order to tweak their board and ship product Yrev1 > > > is simply ridiculous. It doesn't scale, and we shouldn't care - the DT > > > bindings is what we care about, and if it adheres to those, the > > > platform can provide any DT it wants, and there is no reason the > > > kernel devs should ever need to look at it. > > > > I don't think anyone is particularly suggesting that (at least not in > > the portions of the thread I read properly, I have to confess I was > > skimming a bunch of it)? > > Just so we're all on the same page, we do understand that someone > somewhere is providing Yrev0.dtb and Yrev1.dtb, yes? Or are we > expecting someone to be run-time fixing up Yboard.dtb for rev0 vs rev1 > vs .. ? > Let me put it like this: company X is not interested in having to engage with the distros to get Yrev1.dtb into the OS, nor do they want to be forced to start from an official DTB and apply deltas to make it correct. You ship a board with some description of the board that the OS can understand - this is how the OS identifies which hardware it runs on: the DT description. > > > For development, things are obviously different, I understand that. > > > Shipping DTs for devboards makes sense, especially while the DT > > > bindings are not set in stone yet. But imposing this model for > > > production is unsustainable. > > > > I don't think I've particularly seen anyone trying to do that for > > anything other than devboards, like Tom says people with actual products > > usually don't even consider it. It's more that there is this devboard > > case where the DTs are currently in kernel and a lot of the people > > hacking on things are using devboards if only for want of anything else > > so they naturally end up caring about that case. > > Keep in mind that the in-kernel dev board ones _are_ important as that's > what you start your custom platform from, 9 times out of 10. It's quite > often the case of "OK, $vendor gave us schematics for EVB, lets cut what > we don't need and tweak" with a matching set of cuts and tweaks to the > dts for the EVB. In the case of carrier+SOM it's just adding to, if > using the stock carrier, or again adapting things for the custom > carrier. > Of course. But how is this relevant? I am not saying DTs have to be truly original works, just that the OS should not be the one providing it. > But maybe it's just me that's confused about what "shipping" means in > this context. Almost no one bothers "shipping" the DTS files for a > custom product to mainline Linux as no one is supposed to be running > anything other than the provided software on the custom device and so it > goes where ever it goes for that products needs and support plans. > Rarely does a board, devboard or finished end-user product, ship with a > DTB file stored stand-alone in a flash chip, that is intended as the > final forever DTB. It's just another part of > firmware-by-which-I-mean-the-whole-software-stack. > Who said anything about the DT being stored in a flash chip? I already explained more than once that it is up to the firmware to decide *how* it stores the DT, and the filesystem is fine if it does not care about security or if it implements some form of authentication. The point is that we are trying to move from this custom device model to a model where you can run a generic distro, without having to put the burden on the OS vendor to bundle a DT for every platform that it will ever run on, which is especially tricky if those platforms do not exist yet. > Which is why my whole point here has been that the DTB needs to be > treated and signature checked just like any other part of what's being > loaded (kernel, initrd, grub and grub.conf OR systemd-boot and > systemd-boot.conf, etc, etc). > Again, I am not arguing that the DT should be linked into the firmware executable, I am only saying that UEFI secure boot is not appropriate for authenticating it (and that the OS should not be providing it)

6 years, 7 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Ard Biesheuvel

On Wed, 5 Jun 2019 at 14:59, Tom Rini <trini(a)konsulko.com> wrote: > > On Wed, Jun 05, 2019 at 09:17:04AM +0100, Graeme Gregory wrote: > > On Wed, 5 Jun 2019 at 07:36, Ard Biesheuvel <ard.biesheuvel(a)linaro.org> > > wrote: > > > > > On Wed, 5 Jun 2019 at 00:41, Tom Rini <trini(a)konsulko.com> wrote: > > > > > > > ... > > > > > > > It depends on what you mean by "OS provided". The DTS files come from > > > > the Linux Kernel sources, full stop. > > > > > > That is the mistake we should try to fix. > > > > > > We have DT bindings, which define the contract between the OS on one > > > side, and the platform on the other side. This means it is the > > > platform's job to present a DT description that adheres to those > > > [stable] bindings. > > > > > > Today's development model of developing DT bindings in lockstep with > > > the drivers, and then bundling DT files with the OS is completely > > > unsustainable, since it doesn't scale, and it demonstrably results in > > > DT bindings that get modified without any regard for devices that are > > > already in the field (MacchiatoBin is a good example). > > > > > > So it doesn't really matter where the kernel *sources* come from, as > > > long as the platform provides its own DT, which does not change just > > > because the kernel changes. > > > > > > It is already defined how the platform provides this DT on a UEFI > > > system, i.e., via a configuration table with a known GUID. How the > > > firmware popiulates this memory is an implementation detail: if it > > > wants to load it from a signed file in the file system, that is fine, > > > as long as it is not the OS providing this file to the firmware. > > > > > > > > I agree, people seem to be conflating where DT is stored in source control > > over where it should be supplied to OS. > > > > Just because the DT is in linux kernel git does not mean you can't build it > > into the u-boot for your board. > > > > In fact I bet u-boot maintainer would love patches for updates ;-) > > Right. But there's also confusion about where the DTB is to be found. > Whereas ACPI is "burned in" the DTB (generally) is not and will not be. > It will be loaded from storage, so in the context of this overall > thread, figuring out how to verify the signature on the DTB is a main > use case. > There is no confusion at all. On a UEFI/EBBR system, the DT shall be provided to the OS via a config table using the established GUID. How the firmware achieves that is left unspecified. The fact that it may be loaded from storage does not make it part of the packaged OS, it is still a component of the platform. But based on this discussion, I will argue going forward that - the firmware must not rely on the OS to put DT images under known names into known locations in the file system, - the firmware provides this DT regardless of which keys are loaded into the uefi secure boot keyring, IOW, if i choose to put only the RedHat certificate in db because that is all i care about, I don't want to end up with a bricked system because the DT was loaded via the secure boot stack and was signed with the Microsoft keyring. Btw, the fact that Authenticode/PE-COFF does not permit multiple signatures does not make things any easier.

6 years, 7 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Ard Biesheuvel

On Wed, 5 Jun 2019 at 13:14, Mark Brown <broonie(a)kernel.org> wrote: > > On Wed, Jun 05, 2019 at 11:18:44AM +0100, Steve McIntyre wrote: > > > Nod. We're *way* past the time where this should have stopped. How on > > earth do we get to common DT useful for all bootloaders, OSes (etc.) > > if people still consider the bundled, changing sources in the Linux > > tree to be canonical? > > It's a chicken and egg situation - for the platforms where nobody is > actually shipping systems with a separate device tree it's easy for > people to miss accidental incompatibilities without noticing, or decide > that deliberate incompatibilites won't be noticed. If there's users > making noise that's a lot harder to do. Pushing on EBBR is going to > help there, and it'd really help if there were more hardware built with > separate boot storage :/ > > Some of the platforms *are* doing a good job of not needlessly churning > their device trees (they're just not very noticable since things just > work and they make no noise), and even without people worrying about > separately distributed DTs widely adopted in tree bindings are doing a > lot for stability due to the number of places that would need updates > for incompatibilites (and also avoiding the DMI quirk tables ACPI relies > on which is nice). I am not disagreeing with any of this. But it is helpful to keep in mind that, in the context what we are trying to achieve, the requirement/expectation that a DT lives on git.kernel.org and gets packaged and shipped by the distro makes no sense at all. The idea of EBBR is to move away from a vertically integrated model, and permit systems or appliances to use packaged OSes in the field, similar to how this is being done on servers today. The idea that it is required for, say, company X shipping product Yrev0, to upstream a new rev of the DT in order to tweak their board and ship product Yrev1 is simply ridiculous. It doesn't scale, and we shouldn't care - the DT bindings is what we care about, and if it adheres to those, the platform can provide any DT it wants, and there is no reason the kernel devs should ever need to look at it. For development, things are obviously different, I understand that. Shipping DTs for devboards makes sense, especially while the DT bindings are not set in stone yet. But imposing this model for production is unsustainable.

6 years, 7 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Ard Biesheuvel

On Wed, 5 Jun 2019 at 00:41, Tom Rini <trini(a)konsulko.com> wrote: > ... > It depends on what you mean by "OS provided". The DTS files come from > the Linux Kernel sources, full stop. That is the mistake we should try to fix. We have DT bindings, which define the contract between the OS on one side, and the platform on the other side. This means it is the platform's job to present a DT description that adheres to those [stable] bindings. Today's development model of developing DT bindings in lockstep with the drivers, and then bundling DT files with the OS is completely unsustainable, since it doesn't scale, and it demonstrably results in DT bindings that get modified without any regard for devices that are already in the field (MacchiatoBin is a good example). So it doesn't really matter where the kernel *sources* come from, as long as the platform provides its own DT, which does not change just because the kernel changes. It is already defined how the platform provides this DT on a UEFI system, i.e., via a configuration table with a known GUID. How the firmware popiulates this memory is an implementation detail: if it wants to load it from a signed file in the file system, that is fine, as long as it is not the OS providing this file to the firmware. > That doesn't mean they're embedded > within the kernel image. They're usually going to be pulled from the > filesystem. > > -- > Tom

6 years, 7 months

3
2
0 0

Re: Securing the boot flow in U-Boot

by Ard Biesheuvel

On Wed, 5 Jun 2019 at 00:34, Tom Rini <trini(a)konsulko.com> wrote: > > On Tue, Jun 04, 2019 at 06:14:16PM -0400, Francois Ozog wrote: > > Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit : > > ... > > I think it may be good to validate but not provide. There is no Linux > > provided ACPI table right ? So I get the point to validate a DT. > > There's "Linux provided" ACPI tables when someone has to decompile, > fixup and re-compile their DSDT files. > > Or perhaps a better way to think of it is that yes, there's "Linux > provided ACPI tables" when vendors are developing their hardware and > correcting their ACPI tables. Same thing with DT, by and large (as > overlays and secure boot are a can of worms to worry about later). Secure boot enabled Linux does not permit this model. Side loading of DSDTs/SSDTs is disabled by the hardening patchset that all the distros carry for secure boot enabled kernels.

6 years, 7 months

1
0
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

boot-architecture