- boot-architecture - lists.linaro.org

[DTE] May 1"th meeting notes and other meetings

by François Ozog

Hi, please find the meeting notes: https://docs.google.com/document/d/1bz3BfVlXvvHO-kKC0Y1N2SGqPjlxe5eu3dM8sKU… As a reminder: there will be two calls per month: - 2nd wednesday 2pm UTC - 4th wednesday 2pm UTC 2pm UTC currently corresponds to 7am PST / 4pm CET. Call to be added to your agendas if you did not received it by mail: Device Tree Evolution forum calls. - 2nd Wednesday of the month prime focus: system device tree and RTOS tools. - 4th Wednesday of the month prime focus: device tree life cycle, overlays, authentication and unified repository Those calls are public. Participants are advised they should not introduce topics that relate to confidential matters. https://zoom.us/j/97895025968?pwd=N0JWWFBqY0Npdi9RY2JIOFc1ZzI0UT09 join by phone: https://zoom.us/u/asu8Yfroy meeting ID: 978 9502 5968 Password: 270935 Cordially, François-Frédéric

5 years, 11 months

1
0
0 0

[EBBR PATCH] Add EFI GUID for device tree blob

by Grant Likely

None of the relevent specs (EFI, DT, EBBR) specify the GUID for passing a DTB. Add it to the EBBR document so it is documented somewhere relevant. Fixes: #45 Cc: Andrei Warkentin <awarkentin(a)vmware.com> Cc: Francois Ozog <francois.ozog(a)linaro.org> Signed-off-by: Grant Likely <grant.likely(a)arm.com> --- source/chapter2-uefi.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst index f6a5802..cf2f652 100644 --- a/source/chapter2-uefi.rst +++ b/source/chapter2-uefi.rst @@ -86,6 +86,16 @@ tables. - An Advanced Configuration and Power Interface [ACPI]_ table, or - a Devicetree [DTSPEC]_ system description +A Devicetree system description MUST be provided in Flattened Devicetree (DTB) +format version 17 or higher. +The following GUID must be used in the EFT system table to identify the DTB. + +.. code-block:: c + + #define EFI_DTB_GUID \ + EFI_GUID(0xb1b621d5, 0xf19c, 0x41a5, \ + 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0) + As stated above, EBBR systems must not provide both ACPI and Devicetree tables at the same time. Systems that support both interfaces must provide a configuration -- 2.20.1 IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

5 years, 11 months

7
42
0 0

DT Evolution forum calls

by François Ozog

Hi, As per the results of the poll (https://docs.google.com/spreadsheets/d/1WdsXgUoS3naL_-5eap1e_Sd9t0PM60s0Ljs…), there will be two calls per month: - 2nd wednesday 2pm UTC - 4th wednesday 2pm UTC 2pm UTC currently corresponds to 7am PST / 4pm CET. Call to be added to your agendas if you did not received it by mail: Device Tree Evolution forum calls. - 2nd Wednesday of the month prime focus: system device tree and RTOS tools. - 4th Wednesday of the month prime focus: device tree life cycle, overlays, authentication and unified repository Those calls are public. Participants are advised they should not introduce topics that relate to confidential matters. https://zoom.us/j/97895025968?pwd=N0JWWFBqY0Npdi9RY2JIOFc1ZzI0UT09 join by phone: https://zoom.us/u/asu8Yfroy meeting ID: 978 9502 5968 Password: 270935 Cordially, François-Frédéric Ozog, Linaro

5 years, 11 months

1
0
0 0

[PATCH v2 1/2] Update spec to address UEFI 2.8 Errata A

by Grant Likely

UEFI 2.8 Errata A changed RuntimeServiceSupported value to be passed via an EFI_RT_PROPERTIES_TABLE instead of via a runtime variable. This is a breaking change and we should do a new EBBR release in short order to keep EBBR up to date with what is in UEFI. However, real world impact is minimal. U-Boot has already converted to the new method, and Linux only ever implemented the EFI_RT_PROPERTIES_TABLE method. Cc: Andrei Warkentin <awarkentin(a)vmware.com> Cc: Francois Ozog <francois.ozog(a)linaro.org> Cc: Ard Biesheuvel <ardb(a)kernel.org> Signed-off-by: Grant Likely <grant.likely(a)arm.com> --- source/chapter2-uefi.rst | 7 ++++--- source/references.rst | 6 +++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst index 82b1a42..c42691b 100644 --- a/source/chapter2-uefi.rst +++ b/source/chapter2-uefi.rst @@ -9,7 +9,7 @@ platforms. UEFI Version ============ -This document uses version 2.8 of the UEFI specification [UEFI]_. +This document uses version 2.8 Errata A of the UEFI specification [UEFI]_. UEFI Compliance =============== @@ -111,7 +111,7 @@ during both boot services and runtime services. However, it isn't always practical for all EFI_RUNTIME_SERVICES functions to be callable during runtime services due to hardware limitations. If any EFI_RUNTIME_SERVICES functions are only available during boot services -then firmware shall provide the global `RuntimeServicesSupported` variable to +then firmware shall provide the `EFI_RT_PROPERTIES_TABLE` to indicate which functions are available during runtime services. Functions that are not available during runtime services shall return EFI_UNSUPPORTED. @@ -202,7 +202,8 @@ If a platform does not implement modifying non-volatile variables with SetVariable() after ExitBootServices(), then firmware shall return EFI_UNSUPPORTED for any call to SetVariable(), and must advertise that SetVariable() isn't available during runtime services -via the `RuntimeServicesSupported` variable as defined in [UEFI]_ § 8.1. +via the `RuntimeServicesSupported` value in the `EFI_RT_PROPERTIES_TABLE` +as defined in [UEFI]_ § 4.6. EFI applications can read `RuntimeServicesSupported` to determine if calls to SetVariable() need to be performed before calling ExitBootServices(). diff --git a/source/references.rst b/source/references.rst index d901bb1..1eb0509 100644 --- a/source/references.rst +++ b/source/references.rst @@ -20,6 +20,6 @@ <https://static.docs.arm.com/den0044/b/DEN0044B_Server_Base_Boot_Requirement…>`_ 8 March 2016, `Arm Limited <http://arm.com>`_ -.. [UEFI] `Unified Extensable Firmware Interface Specification v2.8 - <http://www.uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf>`_, - March 2019, `UEFI Forum <http://www.uefi.org>`_ +.. [UEFI] `Unified Extensable Firmware Interface Specification v2.8 Errata A + <https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf>`_, + February 2020, `UEFI Forum <http://www.uefi.org>`_ -- 2.20.1

5 years, 11 months

1
1
0 0

[PATCH] Update spec to address UEFI 2.8 Errata A

by Grant Likely

UEFI 2.8 Errata A changed RuntimeServiceSupported value to be passed via an EFI_RT_PROPERTIES_TABLE instead of via a runtime variable. This is a breaking change and we should do a new EBBR release in short order to keep EBBR up to date with what is in UEFI. Unsure what the overall impact will be. U-Boot implements the variable method which will need to be changed to a table. It is unclear if any OSes depend heavily on it being implemented. Cc: Andrei Warkentin <awarkentin(a)vmware.com> Cc: Francois Ozog <francois.ozog(a)linaro.org> Cc: Ard Biesheuvel <ardb(a)kernel.org> Signed-off-by: Grant Likely <grant.likely(a)arm.com> --- source/chapter2-uefi.rst | 7 ++++--- source/references.rst | 6 +++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst index fe03ae3..b622abe 100644 --- a/source/chapter2-uefi.rst +++ b/source/chapter2-uefi.rst @@ -9,7 +9,7 @@ platforms. UEFI Version ============ -This document uses version 2.8 of the UEFI specification [UEFI]_. +This document uses version 2.8 Errata A of the UEFI specification [UEFI]_. UEFI Compliance =============== @@ -111,7 +111,7 @@ during both boot services and runtime services. However, it isn't always practical for all EFI_RUNTIME_SERVICES functions to be callable during runtime services due to hardware limitations. If any EFI_RUNTIME_SERVICES functions are only available during boot services -then firmware shall provide the global `RuntimeServicesSupported` variable to +then firmware shall provide the `EFI_RT_PROPERTIES_TABLE` to indicate which functions are available during runtime services. Functions that are not available during runtime services shall return EFI_UNSUPPORTED. @@ -202,7 +202,8 @@ If a platform does not implement modifying non-volatile variables with SetVariable() after ExitBootServices(), then firmware shall return EFI_UNSUPPORTED for any call to SetVariable(), and must advertise that SetVariable() isn't available during runtime services -via the `RuntimeServicesSupported` variable as defined in [UEFI]_ § 8.1. +via the `RuntimeServicesSupported` value in the `EFI_RT_PROPERTIES_TABLE` +as defined in [UEFI]_ § 4.6. EFI applications can read `RuntimeServicesSupported` to determine if calls to SetVariable() need to be performed before calling ExitBootServices(). diff --git a/source/references.rst b/source/references.rst index d901bb1..1eb0509 100644 --- a/source/references.rst +++ b/source/references.rst @@ -20,6 +20,6 @@ <https://static.docs.arm.com/den0044/b/DEN0044B_Server_Base_Boot_Requirement…>`_ 8 March 2016, `Arm Limited <http://arm.com>`_ -.. [UEFI] `Unified Extensable Firmware Interface Specification v2.8 - <http://www.uefi.org/sites/default/files/resources/UEFI_Spec_2_8_final.pdf>`_, - March 2019, `UEFI Forum <http://www.uefi.org>`_ +.. [UEFI] `Unified Extensable Firmware Interface Specification v2.8 Errata A + <https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf>`_, + February 2020, `UEFI Forum <http://www.uefi.org>`_ -- 2.20.1

5 years, 11 months

2
2
0 0

[PATCH] trivial: Fix typo in chater 3 title

by Grant Likely

Fixes: #42 Signed-off-by: Grant Likely <grant.likely(a)arm.com> --- source/chapter3-secureworld.rst | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/source/chapter3-secureworld.rst b/source/chapter3-secureworld.rst index 4e9fa61..9c51bca 100644 --- a/source/chapter3-secureworld.rst +++ b/source/chapter3-secureworld.rst @@ -1,8 +1,8 @@ .. SPDX-License-Identifier: CC-BY-SA-4.0 -****************************** -Priviledged or Secure Firmware -****************************** +***************************** +Privileged or Secure Firmware +***************************** AArch32 Multiprocessor Startup Protocol ======================================= -- 2.20.1

5 years, 11 months

2
3
0 0

DTE call meeting notes

by François Ozog

Hi, Thank you for your participation in yesterday's call. Here are meeting notes that you can update <https://docs.google.com/document/d/13TwImAK9bta5_qY2PAFplO6pypd0hpNQNkpkI_W…>as you see fit (I think the permissions associated with this new link are correct). Survey was answered by 12 participants while there were 27 people on the call. I would be more comfortable to select a time with more responses. Cordially, François-Frédéric -- François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

5 years, 11 months

1
0
0 0

DTE discussion agenda

by François Ozog

Hi, Here is the agenda for today's call <http://meet.google.com/oua-wrbf-ppi>: - DTE activities for the next cycle and overall organization - Regular meeting setup (survey <https://www.surveymonkey.com/r/F72TLPF>) - System Device Tree status and roadmap (JIRA?) this topic depends on presence of SDT stakeholders - Device Tree specification: its role in the future and short term - Device Tree lifecycle (what happens to a DT from TFA to OS): a presentation and a discussion Cheers FF

5 years, 11 months

1
0
0 0

DTE weekly

by François Ozog

Hi, I am taking over Steve to drive Device Tree Evolution project except the System Device Tree which will continue to evolve under the leadership of Nathalie and Stefano. To discuss: - lifecycle (how TFA, OP-TEE, U-Boot and Operating Systems deal with DT and pass information between them) - overlays - unified repo - summary of System DT activities I'd like to set up a weekly call starting next week. Please state the best timeslot in this poll: https://www.doodle.com/poll/k57zhwa4q9caivgy (the poll proposes the timeslot to be repeated). By next week, Joakim, Ilias and myself will have prepared some content to launch/continue debate. Cordially, François-Frédéric -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

5 years, 11 months

2
3
0 0

Invitation: DTE discussion @ Mon 4 May 2020 18:00 - 19:00 (CEST) (boot-architecture@lists.linaro.org)

by François Ozog

You have been invited to the following event. Title: DTE discussion This is a one off meeting unless we find a sustainable timeslot for India participants. When: Mon 4 May 2020 18:00 – 19:00 Central European Time - Paris Joining info: Join with Google Meet https://meet.google.com/oua-wrbf-ppi Join by phone +33 1 87 40 48 87 (PIN: 588964477) More phone numbers: https://tel.meet/oua-wrbf-ppi?pin=4737911870439&hs=0 Calendar: boot-architecture(a)lists.linaro.org Who: * François Ozog- organiser * boot-architecture(a)lists.linaro.org * team-ledge * dte-all Event details: https://www.google.com/calendar/event?action=VIEW&eid=NzRkanQyMXZtOWwzc2xic… Invitation from Google Calendar: https://www.google.com/calendar/ You are receiving this courtesy email at the account boot-architecture(a)lists.linaro.org because you are an attendee of this event. To stop receiving future updates for this event, decline this event. Alternatively, you can sign up for a Google Account at https://www.google.com/calendar/ and control your notification settings for your entire calendar. Forwarding this invitation could allow any recipient to send a response to the organiser and be added to the guest list, invite others regardless of their own invitation status or to modify your RSVP. Learn more at https://support.google.com/calendar/answer/37135#forwarding

5 years, 11 months

1
0
0 0

Re: DTE-8 DeviceTree lifecycle: the basics

by François Ozog

+boot architecture Le sam. 25 avr. 2020 à 19:26, François Ozog <francois.ozog(a)linaro.org> a écrit : > Hi > > I would like to start the discussion on DTE-8 as LEDGE is going to need > results soon. I'd like to keep it high level, general principles, not too > precise on implementation details. Let's take overlays and other > complications out of the discussion until we share a vision for the basics. > > When we have concluded this discussion cycle we will need to address: > - DTE-8 DeviceTree lifecycle: BL32 (BL32 may mask some devices until > given credentials...) > - DTE-8 DeviceTree lifecycle: overlays > - DTE-8 DeviceTree lifecycle: tooling > - DTE-8 DeviceTree lifecycle: chain of trust > > Is the following correct? > Is it complete on the target reduced scope? > Is the discussion series/roadmap complete, is the order right ? > > Cordially, > > François-Frédéric > > > I - Definitions > > Let's consider there are four trees used by the following entities: > - TFA which spans BL1, BL2, BL31 has a tree <TFA> which originates from > tfa.dtb > - BL32 (let's assume OP-TEE) has a tree <BL32> which originates from > bl32.dtb > - BL33 (let's assume U-Boot) has a tree <BL33> which originates from > bl33.dtb > - THING, the "thing" that is booted by BL33, has a tree <THING> which > originates from thing.dtb and manipulations from BL33. > > The THING can be a Linux kernel, a bsd kernel, grub, shim<arch>.efi, > efibootguard.efi, Xen, Hafnium or many other possibilities. > BL33 is assumed to be U-Boot but it can be EDK2, Linux Kernel, Hafnium, > Xen or other thing. > > A tree is not dtb. A tree is the result of loading a DTB with or without > manipulations. > > II - Build time assumptions > > It is assumed that TFA, BL32 and BL33 are board specific while THINGS is > board agnostic. > > As a result of this architectural decision: > - tfa.dtb, bl32.dtb and bl33.dtb can be built by the build process of the > respective entity TFA, BL32, BL33. > - thing.dtb is purely describing hardware and has no "chosen" nodes for > instance, it may contain architectural/platform/board specific > "reserved-memory". In other words, nothing that can tie it to a particular > "thing". > > All DTBs shall be derived from a single source repository. > > The bindings of a single piece of hardware, may differ depending on the > entity that needs it (there are many ways to implement that aspect, let's > not talk about implementation yet). > For instance, a display panel for BL33 can be represented as a single > small node while the same display panel can be controlled out of several > large nodes by a downstream Operating System. > > III - Lifecycle > > Out of all possible transitions, let's consider BL31->BL33 and > BL33->THING. Transitions are opportunities to pass DT information from one > entity to the other that complements the static *.dtb . For instance, > passing PSCI interface information, memory reservations, PCI IO ranges... > > III.1 BL31->BL33 > > III.1.1 nature of manipulations > typically, PSCI interface may be injected as well some memory > reservations. > > III.1.2 manipulation operational considerations > There are three possibilities for passing this information: > - BL31 manipulates the BL33 tree to add/change nodes > - BL33 asks BL31 to add/change nodes > - BL31 passes an interim tree that BL33 will merge into his. > > Current wisdom is BL31 manipulates the BL33 tree. > > III.2 BL33->THING > > III.2.1 nature of manipulations > * operational > - board information (part numbers, serial numbers...) > - memory layout (beyond the typical 4G) > - IO specifics (PCIe...) > - reserved areas for runtime services (UEFI for instance) > - os.dtb > * THING dependent elements > - chosen for "command line" or other aspects > > III.2.2 manipulation operational considerations > In the case of UEFI interface, os.dtb passed as DT artifact or a UEFI > table shall be referring to the same tree (a single tree in memory, two > access methods). > > BL33 will operate all necessary manipulations on os.dtb before passing it > to the THING. The THING (grub, efiapp, kernel) can further operate > manipulations, it is outside scope of the discussion. > > > > -- > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > T: +33.67221.6485 > francois.ozog(a)linaro.org | Skype: ffozog > > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

5 years, 11 months

4
8
0 0

[RFC] Systemd-boot and EBBR

by François Ozog

Hi, I instrumented boot on my Ubuntu 18.04 server right after systemd startup and caught an access to: /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f This led to: https://systemd.io/DISCOVERABLE_PARTITIONS/ And then: https://systemd.io/BOOT_LOADER_INTERFACE/ https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT/ My server is configured with Grub to boot (grub and kernel on a HD, root FS of NVME as grub do not have nvme driver for my card) but the udev is still checking those systemd-boot variables. >From a boot loader perspective, we have the following EFI applications: - Grub2 - EFIBootGuard (used by CIP) - Systemd-boot (used by ?) Regardless of the loader, I assume we need to ensure whatever option is selected by solution builders, they can implement it with our U-Boot reference implementation of UEFI. The Systemd boot-bless seems of high interest for rolling back UEFI update capsules of firmware... I'd be happy to get some feed back on : - the systemd-boot technology - whether we need to implement the above specs in our UEFI implementation - whether this has an influence on EBBR Cheers FF PS: other references https://manpages.debian.org/testing/systemd/systemd-boot.7.en.html https://manpages.debian.org/testing/systemd/systemd-bless-boot.service.8.en… http://man7.org/linux/man-pages/man1/bootctl.1.html -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years

4
3
0 0

Re: RFC: EBBR specification update

by Heinrich Schuchardt

On 3/11/20 3:20 PM, Francois Ozog wrote: > > > On Wed, 11 Mar 2020 at 13:42, Francois Ozog <francois.ozog(a)linaro.org > <mailto:francois.ozog@linaro.org>> wrote: > > > > On Wed, 11 Mar 2020 at 12:45, Daniel Thompson > <daniel.thompson(a)linaro.org <mailto:daniel.thompson@linaro.org>> wrote: > > On Wed, Mar 11, 2020 at 11:20:17AM +0100, Francois Ozog wrote: > > On Wed, 11 Mar 2020 at 07:48, Heinrich Schuchardt > <xypron.glpk(a)gmx.de <mailto:xypron.glpk@gmx.de>> wrote: > > > On 3/11/20 12:04 AM, Heinrich Schuchardt wrote: > > > > On 3/10/20 7:37 PM, Francois Ozog wrote: > > > >> Le mar. 10 mars 2020 à 18:37, Daniel Thompson > > > >> <daniel.thompson(a)linaro.org > <mailto:daniel.thompson@linaro.org>> a écrit : > > > >>> On Tue, Mar 10, 2020 at 05:35:40PM +0100, Francois Ozog > wrote: > > > >>>> This is driven by the BL2 which is platform specific > and I am not sure > > > >>>> we can have any influence. > > > >>>> The flashimage.bin in a number of system consists of a > (blob) FIP that > > > >>>> has BL2, SCP stuff, BL31, BL32, BL33. > > > >>>> Ilias upstream U-Boot patches to change from "ADR" to > "ADRL" because > > > >>>> the code grew too much. > > > >>> > > > >>> I'm not quite sure I understand the concern here. > > > >>> > > > >>> Are you still working on systems where the boot ROM > mandates using MBR > > > >>> partitioning and attempting to put secure boot on it? > If so perhaps we > > > >>> could simply discontinue MBR support for systems with > secure boot! > > > >>> > > > >> > > > >> Well..... we want Products on the market to benefit from > EBBR compliance > > > >> rather than two years from now. So MBR is inevitable. > And is not that a > > > >> pain ;-) Of course its not as clean as we would like but > “sales first”! > > > > > > > > A typical problem is that a SoC has an entry address > within the first 17 > > > > KiB, e.g. the Allwinner CPUs want a firmware entry point > at 0x2000. If I > > > > correctly understand the UEFI standard, one might use > PartitionEntryLBA > > > > to place the GPT Partition Entry Array behind the > firmware in this case. > > > > > > > > > > In the expert mode of gdisk there is command 'j' for moving > the GPT > > > Partition Entry Array to an arbitrary sector. This will > protect the area > > > between the GPT header and the GPT Partition Entry Array > from being used > > > for a partition. The same can be done with parameter -j of > sgdisk. > > > > > > Furthermore gdisk supports creating a hybrid MBR. This > allow to have > > > GUID partition table and a MBR partion table at the same > time where the > > > MBR partition table mirrors up to three GPT partitions and > the fourth > > > MBR partition is used to protect the GUID partition table. > > > > > > So requiring GPT and having boards only supporting booting > from an MBR > > > partition (like the Raspberry) seems not to be exclusive. > > > > > > > That sounds like a great solution! > > The last time we discussed this there was *very* strong opposition > during meetings to hybrid partitioning and IIRC language was > added to > the spec to prohibit it. > > Hybrid partitioning is a problem because it imposes to difficult > to meet > constraints on partitioning tools provided by the operating system. > > In other words if we permit hybrid partitioning in order that > boot code > can find the firmware then the operating system would inherit a > duty to > not to screw up the firmware loading when it modifies the partition > tables. It is hard to express how the OS should go about that. > > Hence the current approach where we accept that MBR partitioning > offers an inferior feature set to GPT. > > > We have the following cases: > > - FW compatible with GPT (I mean firmware can be searched based on > GUID partition) > Ok > > - FW that uses offsets and can be positioned at LBA >= 33 > Ok > Need to define a protective partition > > - FW that uses offsets and can be positioned such that space between > LBA-2 and LBA-33 is used. > Ok in theory as the header states where the partition entries > location is specified in a GPT_HEADER "Starting LBA of array of > partition entries". > Linux kernel properly loads the partition entries if we push them > after 16MB. > > read_lba <https://elixir.bootlin.com/linux/latest/ident/read_lba>(state, le64_to_cpu > <https://elixir.bootlin.com/linux/latest/ident/le64_to_cpu>(gpt->partition_entry_lba) > > But I bet 2 is hardcoded in many tools... > > If I had done my homework properly, I would have seen that > U-Boot CONFIG_EFI_PARTITION_ENTRIES_OFF is just configuring that... CONFIG_EFI_PARTITION_ENTRIES_OFF is only relevant if you use U-Boot to create a GUID partition table. When reading a GPT U-Boot correctly considers the current value of PartitionEntryLBA. Best regards Heinrich > So there is some experience in playing with that.... I'd be happy to > read ;-) > > - FW that supposes LBA-1 (macchiatobin the firmware blob that > contain TF-A must be here) > > In theory OK as Linux will detect bad signature and use the > alternate GPT > > good_pgpt = is_gpt_valid > <https://elixir.bootlin.com/linux/latest/ident/is_gpt_valid>(state, GPT_PRIMARY_PARTITION_TABLE_LBA > <https://elixir.bootlin.com/linux/latest/ident/GPT_PRIMARY_PARTITION_TABLE_L…>, > &pgpt, &pptes); > if (good_pgpt) > good_agpt = is_gpt_valid > <https://elixir.bootlin.com/linux/latest/ident/is_gpt_valid>(state, > le64_to_cpu > <https://elixir.bootlin.com/linux/latest/ident/le64_to_cpu>(pgpt->alternate_lba), > &agpt, &aptes); > if (!good_agpt && force_gpt <https://elixir.bootlin.com/linux/latest/ident/force_gpt>) > good_agpt = is_gpt_valid > <https://elixir.bootlin.com/linux/latest/ident/is_gpt_valid>(state, lastlba, &agpt, &aptes); > > We loose the protective nature of GPT but it sounds like it will be > working. > > That said, we could enhance the EFI specification so that: > - we have a firmware protective partition > - the start LBA of the "GPT protective partition (0xEE)" is used to > define the GPT header placement instead of 1. > image.png > > Daniel. > > > > -- > > François-Frédéric Ozog | /Director Linaro Edge & Fog Computing Group/ > T: +33.67221.6485 > francois.ozog(a)linaro.org <mailto:francois.ozog@linaro.org> > | Skype: ffozog > > > > > -- > > François-Frédéric Ozog | /Director Linaro Edge & Fog Computing Group/ > T: +33.67221.6485 > francois.ozog(a)linaro.org <mailto:francois.ozog@linaro.org> | Skype: ffozog > >

6 years, 1 month

1
0
0 0

Re: RFC: EBBR specification update

by Francois Ozog

Le mar. 10 mars 2020 à 18:46, Mark Brown <broonie(a)kernel.org> a écrit : > On Tue, Mar 10, 2020 at 05:37:29PM +0000, Daniel Thompson wrote: > > On Tue, Mar 10, 2020 at 05:35:40PM +0100, Francois Ozog wrote: > > > > Thanks Leif for the links. I tend to like the ETSI one because it is > > > somewhat complete on necessary english grammar stuff. > > > But I am flexible, important we state explicitly the reference > > > document and we use the language constructs. > > > Does ETSI offer us "features" that are missing from RFC 2119. > > > Personally I would favour RFC 2119 simply because it is so much better > > known than the ETSI drafting rules. > > > If you cite RFC 2119 and I don't have to go and read anything... and > > even if I did it is super concise and quick to read. > > > Cite ETSI drafting rules, clause 3 and I have to put in a lot more > > effort. > > The RFC 2119 usage of "MUST" is also a more standard English usage (in > that people are more likely to be familiar with it) than the ETSI SHALL > so there's a bit of a comprehensibility win. RFC2119 sold on my side ;-) > > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 1 month

1
0
0 0

FYI: Intel Vulnerability Serious But Unlikely, Experts Say

by Francois Ozog

Well, if you think IIot and Edge, you have physical access and the system is thus vulnerable.... https://www.sdxcentral.com/articles/news/intel-vulnerability-serious-but-un… Cheers FF PS: Intel CSME is an auxiliary micro-controller much like the SCP but with the capability to access the whole DRAM and having some TrustZone style role. -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 1 month

1
0
0 0

Dynamic acpi

by Francois Ozog

just in case: [PATCH 000/108] RFC: dm: Add programatic generation of ACP https://lists.denx.de/pipermail/u-boot/2020-January/397886.html May be some ideas fir DT overlays... FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 2 months

1
0
0 0

Sense of soc bus? (was: [PATCH] base: soc: Export soc_device_to_device() helper)

by Andreas Färber

Am 12.11.19 um 08:29 schrieb Uwe Kleine-König: > On Tue, Nov 12, 2019 at 06:23:47AM +0100, Greg Kroah-Hartman wrote: >> On Mon, Nov 11, 2019 at 09:10:41PM +0100, Andreas Färber wrote: >>> Am 11.11.19 um 07:40 schrieb Greg Kroah-Hartman: >>>> On Mon, Nov 11, 2019 at 06:42:05AM +0100, Andreas Färber wrote: >>>>> Am 11.11.19 um 06:27 schrieb Greg Kroah-Hartman: >>>>>> On Mon, Nov 11, 2019 at 05:56:09AM +0100, Andreas Färber wrote: >>>>>>> Use of soc_device_to_device() in driver modules causes a build failure. >>>>>>> Given that the helper is nicely documented in include/linux/sys_soc.h, >>>>>>> let's export it as GPL symbol. >>>>>> >>>>>> I thought we were fixing the soc drivers to not need this. What >>>>>> happened to that effort? I thought I had patches in my tree (or >>>>>> someone's tree) that did some of this work already, such that this >>>>>> symbol isn't needed anymore. >>>>> >>>>> I do still see this function used in next-20191108 in drivers/soc/. >>>>> >>>>> I'll be happy to adjust my RFC driver if someone points me to how! >>>> >>>> Look at c31e73121f4c ("base: soc: Handle custom soc information sysfs >>>> entries") for how you can just use the default attributes for the soc to >>>> create the needed sysfs files, instead of having to do it "by hand" >>>> which is racy and incorrect. >>> >>> Unrelated. >>> >>>>> Given the current struct layout, a type cast might work (but ugly). >>>>> Or if we stay with my current RFC driver design, we could use the >>>>> platform_device instead of the soc_device (which would clutter the >>>>> screen more than "soc soc0:") or resort to pr_info() w/o device. >>>> >>>> Ick, no, don't cast blindly. What do you need the pointer for? Is this >>>> for in-tree code? >>> >>> No, an RFC patchset: https://patchwork.kernel.org/cover/11224261/ >>> >>> As I indicated above, I used it for a dev_info(), which I can easily >>> avoid by using pr_info() instead: >>> >>> diff --git a/drivers/soc/realtek/chip.c b/drivers/soc/realtek/chip.c >>> index e5078c6731fd..f9380e831659 100644 >>> --- a/drivers/soc/realtek/chip.c >>> +++ b/drivers/soc/realtek/chip.c >>> @@ -178,8 +178,7 @@ static int rtd_soc_probe(struct platform_device *pdev) >>> >>> platform_set_drvdata(pdev, soc_dev); >>> >>> - dev_info(soc_device_to_device(soc_dev), >>> - "%s %s (0x%08x) rev %s (0x%08x) detected\n", >>> + pr_info("%s %s (0x%08x) rev %s (0x%08x) detected\n", >>> soc_dev_attr->family, soc_dev_attr->soc_id, chip_id, >>> soc_dev_attr->revision, chip_rev); >> >> First off, the driver should not be spitting out noise for when all goes >> well like this :) > > I didn't follow the discussion closely, but I think I want to object > here a bit. While I agree that each driver emitting some stuff to the > log buffer is hardly helpful, seeing the exact SoC details is indeed > useful at times. With my Debian kernel team member hat on, I'd say > keep this information. This way the SoC details make it into kernel bug > reports without effort on our side. Seconded. For example, RTD1295 will support LSADC only from revision B00 on (and it's not the first time I'm seeing such things in the industry). So if a user complains, it will be helpful to see that information. Referencing your Amlogic review, with all due respect for its authors, the common framework here just lets that information evaporate into the deeps of sysfs. People who know can check /sys/bus/soc/devices/soc0, but ordinary users will at most upload dmesg output to a Bugzilla ticket. And it was precisely info-level boot output from the Amlogic GX driver that made me aware of this common framework and inspired me to later contribute such a driver elsewhere myself. That's not a bad effect. ;) So if anything, we should standardize that output and move it into soc_device_register(): "<family> <soc_id> [rev <revision>] detected" with suitable NULL checks? (what I did above for Realtek, minus hex) The info level seems correct to me - it allows people to use a different log_level if they only care about warnings or errors on the console; it's not debug info for that driver, except in my case the accompanying hex numbers that I'd be happy to drop in favor of standardization. Another aspect here is that the overall amount of soc_device_register() users is just an estimated one third above the analysis shared before. In particular server platforms, be it arm64 or x86_64, that potentially have more than one SoC integrated in a multi-socket configuration, don't feed into this soc bus at all! Therefore my comment that dev_info()-printed "soc soc0:" is kind of useless if there's only one SoC on those boards. I'm not aware of any tool or a more common file aggregating this information, certainly not /proc/cpuinfo and I'm not aware of any special "lssoc" tool either. And if there's no ACPI/DMI driver feeding support-relevant information into this framework to be generally useful, I don't expect the big distros to spend time on improving its usability. So if we move info output into base/soc.c, we could continue using dev_info() with "soc"-grep'able prefix in the hopes that someday we'll have more than one soc device on the bus and will need to distinguish; otherwise yes, pr_info() would change the output format for Amlogic (and so would a harmonization of the text), but does anyone really care in practice? Tools shouldn't be relying on its output format, and humans will understand equally either way. Finally, arch/arm seems unique in that it has the machine_desc mechanism that allows individual SoCs to force creating their soc_device early and using it as parent for further DT-created platform_devices. With arm64 we've lost that ability, and nios2 is not using it either. A bad side effect (with SUSE hat on) is that this parent design pattern does not allow to build such drivers as modules, which means that distro configs using arm's multi-platform, e.g., CONFIG_ARCH_MULTI_V7 will get unnecessary code creep as new platforms get added over time (beyond the basic clk, pinctrl, tty and maybe timer). Even if it were possible to call into a driver module that early, using it as parent would seem to imply that all the references by its children would not allow to unload the module, which I'd consider a flawed design for such an "optional" read-once driver. If we want the device hierarchy to have a soc root then most DT based platforms will have a /soc DT node anyway (although no device_type = "soc") that we probably could have a device registered for in common code rather than each SoC platform handling that differently? That might then make soc_register_device() not the creator of the device (if pre-existent) but the supplier of data to that core device, which should then allow to unload the data provider with just the sysfs data disappearing until re-inserted (speeding up the develop-and-test cycle on say not-so-resource-constrained platforms). On the other hand, one might argue that such information should just be parsed by EBBR-conformant bootloaders and be passed to the kernel via standard UEFI interfaces and DMI tables. But I'm not aware of Barebox having implemented any of that yet, and even for U-Boot (e.g., Realtek based consumer devices...) not everyone has the GPL sources or tools to update their bootloader. So, having the kernel we control gather information relevant to kernel developers does make some sense to me. Thoughts? Regards, Andreas P.S. Sorry that a seemingly trivial one-line 0-day fix derailed into this fundamental use case discussion. arch/arm/mach-ep93xx/core.c: soc_dev = soc_device_register(soc_dev_attr); arch/arm/mach-imx/cpu.c: soc_dev = soc_device_register(soc_dev_attr); arch/arm/mach-mvebu/mvebu-soc-id.c: soc_dev = soc_device_register(soc_dev_attr); arch/arm/mach-mxs/mach-mxs.c: soc_dev = soc_device_register(soc_dev_attr); arch/arm/mach-omap2/id.c: soc_dev = soc_device_register(soc_dev_attr); arch/arm/mach-tegra/tegra.c: struct device *parent = tegra_soc_device_register(); arch/arm/mach-zynq/common.c: soc_dev = soc_device_register(soc_dev_attr); arch/nios2/platform/platform.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/amlogic/meson-gx-socinfo.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/amlogic/meson-mx-socinfo.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/atmel/soc.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/bcm/brcmstb/common.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/fsl/guts.c: soc_dev = soc_device_register(&soc_dev_attr); drivers/soc/imx/soc-imx-scu.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/imx/soc-imx8.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/qcom/socinfo.c: qs->soc_dev = soc_device_register(&qs->attr); drivers/soc/realtek/chip.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/renesas/renesas-soc.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/samsung/exynos-chipid.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/tegra/fuse/fuse-tegra.c: dev = soc_device_register(attr); drivers/soc/ux500/ux500-soc-id.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/versatile/soc-integrator.c: soc_dev = soc_device_register(soc_dev_attr); drivers/soc/versatile/soc-realview.c: soc_dev = soc_device_register(soc_dev_attr); -- SUSE Software Solutions Germany GmbH Maxfeldstr. 5, 90409 Nürnberg, Germany GF: Felix Imendörffer HRB 36809 (AG Nürnberg)

6 years, 5 months

5
8
0 0

Boot Sprint proposal for Wednesday @SAN19

by Francois Ozog

Hi, following the proposal at the last Device Tree Evolution call I'd like to propose an agenda for Wednesday that Steve could complement (see below). You may want to add or remove agenda items... We need to synchronize with "kernel day" agenda as some of us need to attend both events. Cheers FF 4h: DeviceTree Lead Project - to be defined by Steve McIntyre 4h: DependableBoot Lead Project - 1h: status and deliverable planning for next cycle - EBBR specs next steps? compliance. - UEFI SecureBoot - EFI payload authentication - UEFI Secure variable handling - Linux kernel UEFI variable caching and updates (as a capsule update) - Define other ‘must-have’ UEFI features (i.e DBT??) - firmwareTPM - UEFI MeasuredBoot - 32bits UEFI support - Qemu EBBR - implications of our work on EDKII - 1h: Robust boot "research" & PoC for next cycle - anti-brickable incl. TF-A: “philosophy” and hints to implement - UEFI watchdog: when to call UEFI exit-boot-services? - 2h: overall boot architecture evolution - interdependencies between TF-A, TrustZone (SPM, OPTEE, SCPI), OS, SCMI - many things are happening and I am not sure we understand tricky interactions that may result in race conditions (for instance SCMI in OPTEE kernel and its relations with UEFI runtime services). The idea is to try to identify the hairiest issues that we should analyze post Connect. - Boot orchestration - "Contracts" / list all the assumptions -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 7 months

1
0
0 0

Re: EBBR Monthly - 4th Tuesday

by Grant Likely

Evidently I've managed to overlap the EBBR monthly with the 96Boards SC monthly meeting. Does anyone object to rescheduling the EBBR monthly to be the 1st Tuesday of each month? (starting next week). g. ________________________________________ From: Grant Likely Sent: 12 March 2019 11:38 To: rob.herring(a)linaro.org; Ben Eckermann; Dong Wei; perobins(a)redhat.com; ryan.harkin(a)linaro.org; Udit Kumar; wmills(a)ti.com; nicolas.dechesne(a)linaro.org; Tom Rini; Peter Robinson; Tony Wu; tom.rini(a)konsulko.com; Yang Zhang; Nicusor Penisoara; Andreas Färber; Michal Simek; David Rusling; Peter Jones; Mark Brown; Matthias Brugger; daniel.thompson(a)linaro.org Subject: EBBR Monthly - 4th Tuesday When: 28 May 2019 15:00-16:00. Where: WebEx Biweekly EBBR status call - Online meeting: https://arm-onsite.webex.com/meet/gralik01 - Phone - Access code: 809 053 990 - 1-408-792-6300 Call-in toll number (US/Canada) - 1-877-668-4490 Call-in toll-free number (US/Canada) - 44-203-478-5285 Call-in toll number (UK) - 08-002061177 Call-in toll-free (UK) More access numbers: https://arm-onsite.webex.com/cmp3300/webcomponents/widget/globalcallin/glob… IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years, 7 months

2
5
0 0

U-Boot/EBBR plugfest at ELC-EU?

by Grant Likely

Quick poll: who would be interested in a U-Boot/EBBR plugfest event collocates with ELC-EU this year (week of 28th Oct)? In the EBBR meetings we’ve tossed around the idea of an U-Boot/EBBR plugfest to work out compatibility issues between OS distros and upstream U-Boot SBC support. The idea is to get a number of SBCs supported by mainline U-Boot with UEFI features turned on, along with U-Boot & OS developers and hold a 1 day debug sprint to work out how many platforms can work with ‘stock’ OS images. Details to be worked out if this looks viable. I’ve asked the LF folks if they have space on either Thursday 31st Oct or Friday 1st Nov. They are checking availability, but no commitments have been made. It would help to know if this date and location is feasible. What do you think? Would you come to a plug fest attached to ELC-EU? Would you be interested in helping to organise? Or, is there another time & location that would work better? Cheers, g. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years, 8 months

11
20
0 0

signing tool on linux?

by AKASHI Takahiro

Hi, I'm now working on implementing UEFI secure boot on U-boot, in particular, adding "dbt" (timestamp-based revocation) support as described in UEFI specification, section 32.5.1 paragraph#7. # To be honest, the description is quite hard for me to understand. # I've got what it means only after reading corresponding EDK2 code. My question is: Is there any signing tool on linux, with which we can directly "timestamp" a PE image with RFC3161-compliant timestamp? I know that "signtool" in Microsoft's Windows SDK has this feature, but I wonder what tool major distros use for this purpose. (They also need to use windows for creating their own distributions?) I don't think it is very difficult to add the feature to existing tools like "sbsign," but it would be nice to use "proven" tools for testing. Thanks, -Takahiro Akashi

6 years, 9 months

3
8
0 0

hooking UEFI boot services

by Francois Ozog

I hope somebody in the kernel community is looking at making sure the piece of memory is RO: https://wikileaks.org/ciav7p1/cms/page_36896783.html Anyone knows about that? Cheers FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 9 months

2
1
0 0

Re: EBBR Monthly - 4th Tuesday

by Grant Likely

Hi All, Monthly EBBR meeting is scheduled for today. So far I've got the following agenda items: - Update on Devicetree Evolution project at Linaro (System Devicetree, separate dts repo, spec updates) - EBBR Plugfest options and planning committee - Policy on DTBs shipped with OS -- does EBBR need to address this explicitly? Email if you have any other items. g. ________________________________________ From: Grant Likely Sent: 12 March 2019 11:38 To: rob.herring(a)linaro.org; Ben Eckermann; Dong Wei; perobins(a)redhat.com; ryan.harkin(a)linaro.org; Udit Kumar; wmills(a)ti.com; nicolas.dechesne(a)linaro.org; Tom Rini; Peter Robinson; Tony Wu; tom.rini(a)konsulko.com; Yang Zhang; daniel.thompson(a)linaro.org; Nicusor Penisoara; Andreas Färber; Michal Simek; David Rusling; Peter Jones; Mark Brown; Matthias Brugger Subject: EBBR Monthly - 4th Tuesday When: 25 June 2019 15:00-16:00. Where: WebEx Biweekly EBBR status call - Online meeting: https://arm-onsite.webex.com/meet/gralik01 - Phone - Access code: 809 053 990 - 1-408-792-6300 Call-in toll number (US/Canada) - 1-877-668-4490 Call-in toll-free number (US/Canada) - 44-203-478-5285 Call-in toll number (UK) - 08-002061177 Call-in toll-free (UK) More access numbers: https://arm-onsite.webex.com/cmp3300/webcomponents/widget/globalcallin/glob… IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years, 9 months

4
3
0 0

DT and EBBR, was: Securing the boot flow in U-Boot

by Francois Ozog

So trying to summarize the DT side track discussion in a different thread: ( Shall we organize a virtual design sprint before the end of the month? I'd like to create a section from the discussion in Boot Flows documen ) I - Current situation is: - DT provided by Linux kernel because it was “easier” and there was no upstream home - ACPI is provided by firmware (to make things simple), non secure OS can patch them in case of issues, SecureBoot prevents those patches OS provided DT is a cool developer facility in the context of floating DT bindings and lack of proper upstream project. But conceptually speaking, DT is not an OS thing and is not a firmware thing: it is a board thing that may be massaged by firmware and consumed by OS. With EBBR we seek a clean and salable solution that make the DT as simple as ACPI. II - Desired DT for EBBR policy 1) "upstream" DT 1.1) who provides DT Board vendor make a <reference DT> that describes every hardware piece, firmware provides a DT to OS, OS may be able to validate the DT but not override it in secureboot production. For security and boot latency consideration, firmware may actually need two DTs: a stripped version from <reference DT> to operate on the minimal set of devices it want to bring up the OS (say the <firmware DT>), a pruned/adapted version from <reference DT> , ie without devices firmware wants to control and conforms to EBBR spec (say the <OS DT>). 1.2) upstream <reference DT> The board reference DT> shall be valid regardless of the firmware (may be trusted firmware, uboot, edkII, linuxBoot...) not mentioning OS! There are many candidates but I start to think Linaro could host a DT and EBBR companion community project: "EBBR DTs" that will contain all the <reference DT> from every EBBR compliant board vendor. (Other boards can continue the mess, it is irrelevant EBBR, and us. SecureBoot, MeasuredBoot implementations will assume EBBR compliance) 2) who sign what with what key If we think of the following use case: Silicon Vendor provides a chip, a board vendor provides a board, ABB builds a controller, Caterpillar creates a mining truck with the controller, Rio Tinto operates the trck. One possible (just designed to show case the need of various keysets) trust chain is: - Board key db is loaded with a board vendor, ABB and caterpillar certs. - Trusted firmware: ABB doesn't want to deal with this, so the Board vendor provides and signs trusted firmware, with key_tf. - untrusted firmware: ABB selects the <firmware DT> and <OS DT> signs both DTs and firmware with key_firmware. Trusted Firmware will validate the signatures as key DB is loaded with ABB cert. - grub and the OS: Caterpillar signs them with key_os (What is signed and how it is verified is still a big discussion topic and the origin of the sidetrack on DT) - applications: Rio Tinto insurance company may be given the authority to sign hosted OPTEE applications with a different key. 3) OS payload signing and verification: was the original topic of the discussion and shall continue in the other thread. 4) operational considerations In non SecureBoot environment, DT can be patched by OS (same as ACPI). OS may decide to verify validaty of provided DT (mechanism yet to be defined) "dtb=" kernel command line parameter is still possible in non secure boot but forbiden in secureBoot. Le mer. 5 juin 2019 à 08:35, Tom Rini <trini(a)konsulko.com> a écrit : > On Wed, Jun 05, 2019 at 08:29:37AM +0200, Ard Biesheuvel wrote: > > On Wed, 5 Jun 2019 at 00:34, Tom Rini <trini(a)konsulko.com> wrote: > > > > > > On Tue, Jun 04, 2019 at 06:14:16PM -0400, Francois Ozog wrote: > > > > Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit : > > > > > > ... > > > > I think it may be good to validate but not provide. There is no Linux > > > > provided ACPI table right ? So I get the point to validate a DT. > > > > > > There's "Linux provided" ACPI tables when someone has to decompile, > > > fixup and re-compile their DSDT files. > > > > > > Or perhaps a better way to think of it is that yes, there's "Linux > > > provided ACPI tables" when vendors are developing their hardware and > > > correcting their ACPI tables. Same thing with DT, by and large (as > > > overlays and secure boot are a can of worms to worry about later). > > > > Secure boot enabled Linux does not permit this model. Side loading of > > DSDTs/SSDTs is disabled by the hardening patchset that all the distros > > carry for secure boot enabled kernels. > > That sounds a little broken then. It should be doable so long as the > files are signed appropriately. It's also rarer because the ACPI tables > are functionally validated before they're put into production. That's > largely the case here, except when we're talking about updating them for > new support or just like the case above, fixing a problem with them. > > -- > Tom >

6 years, 9 months

4
4
0 0

[RFC]: Kernel lockdown & secureboot

by Francois Ozog

Hi I was tasked to come back to Linaro TSC with an answer on Linaro and kernel lockdown for UEFI SecureBoot, hence the call for feed back. So I did some research... The kernel lockdown does not seem to be a full consensus yet: https://news.ycombinator.com/item?id=16761827 I agree with Linus <https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1654795.html>: we should distinguish UEFI SecureBoot and how to achieve a highly secured Operating System runtime environment. 1) UEFI SecureBoot: boot chain trust My understanding is that UEFI SecureBoot ensures that the booted UEFI payload is trusted. Should the UEFI payload (a Linux OS) not be that secure it is irrelevant to the UEFI SecureBoot itself. 2) Trustable Linux system A trustable Linux system is UEFI SecureBoot loaded and make addition precautions to avoid attacks and attacks to the boot chain. If we think of a highly secured Linux, the kernel lockdown is certainly highly desirable but just as many other aspects: - iommu must be enabled to protect against DMA attacks - sysfs needs to be cleaned (access rights are not tight enough) - debugfs need to be banned (problem: some production control operations are wrongly in debugfs) -SE Linux - IMA - ... In my view, we shall not mix the goal and the means to achieve the goal.... For instance, kernel lock down prevents iopl system call which prevents UIO and UIO enabled DPDK drivers. A vendor may evaluate that the security level achieved without kernel lockdown is in line with its objectives to achieve a trustable Linux system: loadable modules disabled by the kernel, kernel embedded initramfs, IMA... As a result, UEFI SecureBoot to secure the boot chain combined with selected Linux hardening can achieve a Trustable Linux System. As per LEDGE both are highly important I would say that 1) does not need 2) to be complete. The way to achieve 2) is project dependent. The LEDGE RP will need kernel lockdown because we will allow loadable modules. SoC vendors deriving a product out of LEDGE RP, may take different provisions as per customer projects, in particular, they may derive a version without lockdown but still trustable. There is an additional twists to this. UEFI SecureBoot does not mandate Microsoft signed keys. But if you use Microsoft keys, I was warned that Microsoft may revoke certificates for non locked down systems. This warning illustrate the absolute need for independence related to UEFI SecureBoot: I can't imagine a system in Europe (particularly in military) prevented to boot because Microsoft revoked a certificate!!! Cheers FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 10 months

5
5
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

boot-architecture