- boot-architecture - lists.linaro.org

by Ard Biesheuvel

On Wed, 5 Jun 2019 at 14:59, Tom Rini <trini(a)konsulko.com> wrote: > > On Wed, Jun 05, 2019 at 09:17:04AM +0100, Graeme Gregory wrote: > > On Wed, 5 Jun 2019 at 07:36, Ard Biesheuvel <ard.biesheuvel(a)linaro.org> > > wrote: > > > > > On Wed, 5 Jun 2019 at 00:41, Tom Rini <trini(a)konsulko.com> wrote: > > > > > > > ... > > > > > > > It depends on what you mean by "OS provided". The DTS files come from > > > > the Linux Kernel sources, full stop. > > > > > > That is the mistake we should try to fix. > > > > > > We have DT bindings, which define the contract between the OS on one > > > side, and the platform on the other side. This means it is the > > > platform's job to present a DT description that adheres to those > > > [stable] bindings. > > > > > > Today's development model of developing DT bindings in lockstep with > > > the drivers, and then bundling DT files with the OS is completely > > > unsustainable, since it doesn't scale, and it demonstrably results in > > > DT bindings that get modified without any regard for devices that are > > > already in the field (MacchiatoBin is a good example). > > > > > > So it doesn't really matter where the kernel *sources* come from, as > > > long as the platform provides its own DT, which does not change just > > > because the kernel changes. > > > > > > It is already defined how the platform provides this DT on a UEFI > > > system, i.e., via a configuration table with a known GUID. How the > > > firmware popiulates this memory is an implementation detail: if it > > > wants to load it from a signed file in the file system, that is fine, > > > as long as it is not the OS providing this file to the firmware. > > > > > > > > I agree, people seem to be conflating where DT is stored in source control > > over where it should be supplied to OS. > > > > Just because the DT is in linux kernel git does not mean you can't build it > > into the u-boot for your board. > > > > In fact I bet u-boot maintainer would love patches for updates ;-) > > Right. But there's also confusion about where the DTB is to be found. > Whereas ACPI is "burned in" the DTB (generally) is not and will not be. > It will be loaded from storage, so in the context of this overall > thread, figuring out how to verify the signature on the DTB is a main > use case. > There is no confusion at all. On a UEFI/EBBR system, the DT shall be provided to the OS via a config table using the established GUID. How the firmware achieves that is left unspecified. The fact that it may be loaded from storage does not make it part of the packaged OS, it is still a component of the platform. But based on this discussion, I will argue going forward that - the firmware must not rely on the OS to put DT images under known names into known locations in the file system, - the firmware provides this DT regardless of which keys are loaded into the uefi secure boot keyring, IOW, if i choose to put only the RedHat certificate in db because that is all i care about, I don't want to end up with a bricked system because the DT was loaded via the secure boot stack and was signed with the Microsoft keyring. Btw, the fact that Authenticode/PE-COFF does not permit multiple signatures does not make things any easier.

6 years, 3 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Ard Biesheuvel

On Wed, 5 Jun 2019 at 13:14, Mark Brown <broonie(a)kernel.org> wrote: > > On Wed, Jun 05, 2019 at 11:18:44AM +0100, Steve McIntyre wrote: > > > Nod. We're *way* past the time where this should have stopped. How on > > earth do we get to common DT useful for all bootloaders, OSes (etc.) > > if people still consider the bundled, changing sources in the Linux > > tree to be canonical? > > It's a chicken and egg situation - for the platforms where nobody is > actually shipping systems with a separate device tree it's easy for > people to miss accidental incompatibilities without noticing, or decide > that deliberate incompatibilites won't be noticed. If there's users > making noise that's a lot harder to do. Pushing on EBBR is going to > help there, and it'd really help if there were more hardware built with > separate boot storage :/ > > Some of the platforms *are* doing a good job of not needlessly churning > their device trees (they're just not very noticable since things just > work and they make no noise), and even without people worrying about > separately distributed DTs widely adopted in tree bindings are doing a > lot for stability due to the number of places that would need updates > for incompatibilites (and also avoiding the DMI quirk tables ACPI relies > on which is nice). I am not disagreeing with any of this. But it is helpful to keep in mind that, in the context what we are trying to achieve, the requirement/expectation that a DT lives on git.kernel.org and gets packaged and shipped by the distro makes no sense at all. The idea of EBBR is to move away from a vertically integrated model, and permit systems or appliances to use packaged OSes in the field, similar to how this is being done on servers today. The idea that it is required for, say, company X shipping product Yrev0, to upstream a new rev of the DT in order to tweak their board and ship product Yrev1 is simply ridiculous. It doesn't scale, and we shouldn't care - the DT bindings is what we care about, and if it adheres to those, the platform can provide any DT it wants, and there is no reason the kernel devs should ever need to look at it. For development, things are obviously different, I understand that. Shipping DTs for devboards makes sense, especially while the DT bindings are not set in stone yet. But imposing this model for production is unsustainable.

6 years, 3 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Ard Biesheuvel

On Wed, 5 Jun 2019 at 00:41, Tom Rini <trini(a)konsulko.com> wrote: > ... > It depends on what you mean by "OS provided". The DTS files come from > the Linux Kernel sources, full stop. That is the mistake we should try to fix. We have DT bindings, which define the contract between the OS on one side, and the platform on the other side. This means it is the platform's job to present a DT description that adheres to those [stable] bindings. Today's development model of developing DT bindings in lockstep with the drivers, and then bundling DT files with the OS is completely unsustainable, since it doesn't scale, and it demonstrably results in DT bindings that get modified without any regard for devices that are already in the field (MacchiatoBin is a good example). So it doesn't really matter where the kernel *sources* come from, as long as the platform provides its own DT, which does not change just because the kernel changes. It is already defined how the platform provides this DT on a UEFI system, i.e., via a configuration table with a known GUID. How the firmware popiulates this memory is an implementation detail: if it wants to load it from a signed file in the file system, that is fine, as long as it is not the OS providing this file to the firmware. > That doesn't mean they're embedded > within the kernel image. They're usually going to be pulled from the > filesystem. > > -- > Tom

6 years, 3 months

3
2
0 0

Re: Securing the boot flow in U-Boot

by Ard Biesheuvel

On Wed, 5 Jun 2019 at 00:34, Tom Rini <trini(a)konsulko.com> wrote: > > On Tue, Jun 04, 2019 at 06:14:16PM -0400, Francois Ozog wrote: > > Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit : > > ... > > I think it may be good to validate but not provide. There is no Linux > > provided ACPI table right ? So I get the point to validate a DT. > > There's "Linux provided" ACPI tables when someone has to decompile, > fixup and re-compile their DSDT files. > > Or perhaps a better way to think of it is that yes, there's "Linux > provided ACPI tables" when vendors are developing their hardware and > correcting their ACPI tables. Same thing with DT, by and large (as > overlays and secure boot are a can of worms to worry about later). Secure boot enabled Linux does not permit this model. Side loading of DSDTs/SSDTs is disabled by the hardening patchset that all the distros carry for secure boot enabled kernels.

6 years, 3 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Francois Ozog

Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit : > On Tue, Jun 04, 2019 at 10:25:23AM -0400, Francois Ozog wrote: > > On Tue, 4 Jun 2019 at 10:17, Heinrich Schuchardt <xypron.glpk(a)gmx.de> > wrote: > > > > > > > > > > > On 6/4/19 3:55 PM, Francois Ozog wrote: > > > > On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel < > ard.biesheuvel(a)linaro.org> > > > > wrote: > > > > > > > >> > > > >> > > > >> On Tue, 4 Jun 2019 at 15:44, Francois Ozog < > francois.ozog(a)linaro.org> > > > >> wrote: > > > >> > > > >>> Hi Ard, > > > >>> > > > >>> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel < > > > ard.biesheuvel(a)linaro.org> > > > >>> wrote: > > > >>> > > > >>>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas > > > >>>> <ilias.apalodimas(a)linaro.org> wrote: > > > >>>>> > > > >>>>> Hi Grant, > > > >>>>>> I see two ways to handle this that fits with the Secure Boot > > > >>>>>> authentication path: > > > >>>>>> > > > >>>>>> Option 1: Leave it to the OS loader > > > >>>>>> We could simply say that if the OS wants to replace the DTB, > then it > > > >>>>>> should take care of authentication itself within the OS loader > > > >>>> (possibly > > > >>>>>> the in-kernel UEFI stub) and install a replacement DTB in the > > > >>>>>> configuration table before calling exit boot services. In this > > > >>>> scenario, > > > >>>>>> U-Boot doesn't authenticate the DTB at all. > > > >>>>>> > > > >>>>>> In fact, Option 1 is pretty close to what is required for the > > > initrd. > > > >>>>>> > > > >>>>>> I wonder if it is possible to wrap the DTB with a PE/COFF so > that > > > >>>> the os > > > >>>>>> loader can use load_image to authenticate and retrieve the data > > > >>>> without > > > >>>>>> actually executing the image. That would allow for the DTB & > initrd > > > >>>> to > > > >>>>>> be authenticated in the same way as the kernel. > > > >>>>> I asked around on this prior to the email, but i think it boils > down > > > to > > > >>>>> "UEFI is intended to authenticate bootable images for the > platform", > > > >>>> so i doubt > > > >>>>> this will be allowed. > > > >>>>> > > > >>>> > > > >>>> The point I raised when we discussed this is that UEFI is an > interface > > > >>>> between the firmware and the OS, and it is up to the firmware to > > > >>>> *provide* the DT not the other way around. > > > >>>> > > > >>>> Whether the firmware reuses some of the existing machinery if it > > > >>>> chooses to load the DT it provides from an arbitrary file on the > file > > > >>>> system is an implementation detail, and shouldn't be part of how > we > > > >>>> design the interface. The more we standardize this and the more we > > > >>>> make it similar to how the OS loader is authenticated, the more > likely > > > >>>> it becomes that it will be relied upon for DTs that are bundled > with > > > >>>> the OS, which is a practice we are trying very hard to move away > from. > > > >>>> > > > >>> > > > >>> I have the impression that OS provided DT is a bad solution to a > real > > > >>> problem: > > > >>> There should be a Firmware hardware environment (what to > initialize, > > > >>> use...) and a OS hardware environment. > > > >>> Both should be signed, and controlled by the firmware. > > > >>> So I would try to find a way to supply firmware with two DTs, or > more > > > >>> likely one DT and one OS overlay (if overlays can remove some > > > hardware). > > > >>> > > > >>> > > > >> > > > >> If the OS provides a DT to itself, what is the point of pretending > that > > > it > > > >> has been authenticated to the firmware? > > > >> > > > > Agreed, that is stupid! I mispresented my idea: I talk about two DTs > > > > controlled by hardware/Firmware provider. OS shall be a consumer > only. > > > > > > > > > > > > > > In a perfect world firmware would provide the authoritative source of > > > the device tree. The current situation has device trees developed in > the > > > context of Linux and U-Boot picking them up. U-Boot is lagging far > > > behind Linux. Whenever I wanted to change a device tree in U-Boot I was > > > told to first get that change into Linux. I see no commitment to change > > > this process. > > > > > > Device-trees are provided by U-Boot to Linux as UEFI configuration > > > tables. If a device-tree is malicious it may lead to the destruction of > > > hardware. So whatever U-Boot provides as a device-tree to Linux should > > > be validated. > > > > > In a perfect world, U-Boot shall lead and we should work towards that if > > not in place. There is no sch a thing as a Linux validated ACPI table, so > > why for DT? > > There _is_ such a thing as a validated ACPI table and functionally ACPI > tables on x86 are validated with Windows. This is no different. > I think it may be good to validate but not provide. There is no Linux provided ACPI table right ? So I get the point to validate a DT. > > -- > Tom > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 3 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Francois Ozog

Le mar. 4 juin 2019 à 17:27, Tom Rini <trini(a)konsulko.com> a écrit : > On Tue, Jun 04, 2019 at 10:21:54AM -0400, Francois Ozog wrote: > > On Tue, 4 Jun 2019 at 10:00, Ard Biesheuvel <ard.biesheuvel(a)linaro.org> > > wrote: > > > > > > > > > > > On Tue, 4 Jun 2019 at 15:55, Francois Ozog <francois.ozog(a)linaro.org> > > > wrote: > > > > > >> > > >> > > >> On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel < > ard.biesheuvel(a)linaro.org> > > >> wrote: > > >> > > >>> > > >>> > > >>> On Tue, 4 Jun 2019 at 15:44, Francois Ozog <francois.ozog(a)linaro.org > > > > >>> wrote: > > >>> > > >>>> Hi Ard, > > >>>> > > >>>> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel < > ard.biesheuvel(a)linaro.org> > > >>>> wrote: > > >>>> > > >>>>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas > > >>>>> <ilias.apalodimas(a)linaro.org> wrote: > > >>>>> > > > >>>>> > Hi Grant, > > >>>>> > > I see two ways to handle this that fits with the Secure Boot > > >>>>> > > authentication path: > > >>>>> > > > > >>>>> > > Option 1: Leave it to the OS loader > > >>>>> > > We could simply say that if the OS wants to replace the DTB, > then > > >>>>> it > > >>>>> > > should take care of authentication itself within the OS loader > > >>>>> (possibly > > >>>>> > > the in-kernel UEFI stub) and install a replacement DTB in the > > >>>>> > > configuration table before calling exit boot services. In this > > >>>>> scenario, > > >>>>> > > U-Boot doesn't authenticate the DTB at all. > > >>>>> > > > > >>>>> > > In fact, Option 1 is pretty close to what is required for the > > >>>>> initrd. > > >>>>> > > > > >>>>> > > I wonder if it is possible to wrap the DTB with a PE/COFF so > that > > >>>>> the os > > >>>>> > > loader can use load_image to authenticate and retrieve the data > > >>>>> without > > >>>>> > > actually executing the image. That would allow for the DTB & > > >>>>> initrd to > > >>>>> > > be authenticated in the same way as the kernel. > > >>>>> > I asked around on this prior to the email, but i think it boils > down > > >>>>> to > > >>>>> > "UEFI is intended to authenticate bootable images for the > platform", > > >>>>> so i doubt > > >>>>> > this will be allowed. > > >>>>> > > > >>>>> > > >>>>> The point I raised when we discussed this is that UEFI is an > interface > > >>>>> between the firmware and the OS, and it is up to the firmware to > > >>>>> *provide* the DT not the other way around. > > >>>>> > > >>>>> Whether the firmware reuses some of the existing machinery if it > > >>>>> chooses to load the DT it provides from an arbitrary file on the > file > > >>>>> system is an implementation detail, and shouldn't be part of how we > > >>>>> design the interface. The more we standardize this and the more we > > >>>>> make it similar to how the OS loader is authenticated, the more > likely > > >>>>> it becomes that it will be relied upon for DTs that are bundled > with > > >>>>> the OS, which is a practice we are trying very hard to move away > from. > > >>>>> > > >>>> > > >>>> I have the impression that OS provided DT is a bad solution to a > real > > >>>> problem: > > >>>> There should be a Firmware hardware environment (what to initialize, > > >>>> use...) and a OS hardware environment. > > >>>> Both should be signed, and controlled by the firmware. > > >>>> So I would try to find a way to supply firmware with two DTs, or > more > > >>>> likely one DT and one OS overlay (if overlays can remove some > hardware). > > >>>> > > >>>> > > >>> > > >>> If the OS provides a DT to itself, what is the point of pretending > that > > >>> it has been authenticated to the firmware? > > >>> > > >> Agreed, that is stupid! I mispresented my idea: I talk about two DTs > > >> controlled by hardware/Firmware provider. OS shall be a consumer only. > > >> > > >> > > >> > > > But my point remains the same. If we are accommodating a model where > the > > > DT is shipped with the OS, the OS can deal with authenticating the DTB > > > files. If the firmware provides the DT, it is a firmware implementation > > > detail how and where it keeps the DTB files internally, as long as it > uses > > > the official way (i.e., via a UEFI config table) to expose the DT to > the OS. > > > > > > Rolling all of this into secure boot support (which deals with > > > authenticating OS components/loaders to the firmware) is something we > > > should avoid. > > > > > Agreed. There is no such a thing as an OS provided ACPI table.... yet we > > allow that for DT... strange isn't it? > > I think we're getting a bit side tracked. And, depending on what you > want to call people having to fixup and recompile DSDT to fix issues... > :) > > The Linux Kernel happens to be the (generally) authoritative source of > DT files, rather than the hardware manufacturer. > To me it looks like walking on the head. I don’t see any OS providing an ACPI table. I think I understand why it happened. But to me it looks like a wrong solution to a real use case: firmware hardware execution environnement is different (probably smaller) than os execution environment. I think this is more about EBBR and it’s compliance. What shall be the right policy ? And then we refine EBBR. > > > So as a reference platform we can say that an OS provided DT is NOT part > of > > the picture. Yet if a vendor still wants to do it, it will be able to. We > > just don't care. > > > > Now, in the context of standard OTA across SoCs, what shall be > standardized > > to support the two DTs (for firmware execution and for OS execution). Are > > we considering UBoot firmware as a "blob" that embeds those two DTs? > Might > > be good enough. > > The common case is NOT going to be that the DT is provided embedded > within the hardware, please keep that in mind. > EBBR says: “Similarly, devices retained by firmware (i.e., not discoverable by the OS) shall not be accessed by the OS.” so an OS provided DT is a recipe for failure. > > -- > Tom > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 3 months

1
0
0 0

Securing the boot flow in U-Boot

by Ilias Apalodimas

Hello all, Continuing the discussions we had on securing the boot flow and OS as much as possible, we came up with the following idea. We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot. This will cover the next payload (shim/grub2/shim depending on board needs). In order to provide better overall security for the OS we'll need to at least verify DTB (if provided externally), initramfs and kernel modules. 1. For the kernel modules we can use kernel module signing facilities [1] 2. In case someone wants to provide an external DTB, we can use FIT images to secure that. The FIT images will contain the DTB(s) we need. Those will only be used if the authentication process succeeds. This will allow us to verify DTBs without introducing any new functionality to U-Boot. 3. We need to verify initramfs as well. This can be accomplished in various ways. Packing kernel + initramfs or using dm-verity are the two obvious ones but we are open to suggestions. This also makes the development process for LEDGE pretty clear. We'll have to add UEFI Secure Boot implementation on U-Boot *only* since the rest of the functionality can be achieved with the existing code (minor adjustments might be needed though). What do you think? [1] https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html Thanks /Ilias

6 years, 3 months

9
34
0 0

Re: Securing the boot flow in U-Boot

by Ilias Apalodimas

Hi Tom, On Fri, May 31, 2019 at 11:05:20AM -0400, Tom Rini wrote: > On Fri, May 31, 2019 at 02:40:32PM +0100, Steve McIntyre wrote: > > On Tue, May 28, 2019 at 02:04:23PM +0300, Ilias Apalodimas wrote: > > >> > > > >> > The tl;dr purpose of my e-mail was 'Is implementing UEFI Secure Boot for the > > >> > EFI playloads > > >> > > >> I think that you'd better explain why you stick to *UEFI* secure boot. > > > > > >The main reason is distro support. Since distros use a number of different ways > > >of booting up on arm boards, using UEFI is the obvious way to unify that (and > > >alrady supported on some) regardless of the bootloader. UEFI secure boot > > >provides a common approach to security instead of 'per bootloader' solutions > > > > Yup, absolutely (says the Debian EFI team lead) ... > > The other things we need to keep in mind is that (based on my own > experience implementing UEFI secure boot on an x8664 platform), we are > not looking at a case of "make an existing solution function on other > architectures" but rather "there's some good concepts here and an > implementation waiting to be figured out". We agree here. From Grant's proposal's #1 and #2, i'd prefer seeing something similar to #2 implemented. I'd prefer having the option to authenticate DTB/initramfs from the 'main bootloader', than delegating that to some EFI payload, mostly for fragmentation reasons Thanks /Ilias

6 years, 3 months

3
2
0 0

Re: Securing the boot flow in U-Boot

by Ilias Apalodimas

Hi Tom, > > > > > > Continuing the discussions we had on securing the boot flow and OS as much as > > > > possible, we came up with the following idea. > > > > > > > > We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot. > > > > This will cover the next payload (shim/grub2/shim depending on board needs). > > > > > > > > In order to provide better overall security for the OS we'll need to at least > > > > verify DTB (if provided externally), initramfs and kernel modules. > > > > > > > > 1. For the kernel modules we can use kernel module signing facilities [1] > > > > 2. In case someone wants to provide an external DTB, we can use FIT images > > > > to secure that. The FIT images will contain the DTB(s) we need. Those will > > > > only be used if the authentication process succeeds. This will allow us to > > > > verify DTBs without introducing any new functionality to U-Boot. > > > > 3. We need to verify initramfs as well. This can be accomplished in various ways. > > > > Packing kernel + initramfs or using dm-verity are the two obvious ones but we > > > > are open to suggestions. > > > > > > For #3, making use of FIT images should be investigated seriously that > > > already allows for what you're asking about. > > Sure, thanks for the heads up. > > I had a sentence saying '#3 can deploy similar methods to #2" on my initial > > e-mail, but removed it right before sending. > > It makes a lot of sense to me to keep similar functionality, as long as > > we can keep the stored keys (to verify signatures) in small numbers. > > Sure. One thing I want to make sure people understand is that U-Boot > already supports a verified boot scheme including reaching out to ROM > where applicable and has for a number of years. I think we are exaclty on the same page here! The tl;dr purpose of my e-mail was 'Is implementing UEFI Secure Boot for the EFI playloads and use *existing* tools for the rest doable?'. I think the answer is yes. If it is i don't think it makes any sense at all to implement something new Thanks /Ilias

6 years, 3 months

3
3
0 0

Dependable Boot lead project setup

by Francois Ozog

Hi, Linaro TSC validate the creation of the Dependable Lead Project. I started to build infrastructure to be able to capture all information we need to be as successful as possible. Should you think one of your JIRA cards be updated to reflect its relationship with the newly cerated DB Jira Lead Project, please do so. Portal (documentation, meeting notes): https://collaborate.linaro.org/display/DBS/Dependable+Boot Kanban board: https://projects.linaro.org/secure/RapidBoard.jspa?rapidView=257 The portal is far from complete but I preferred to share it as soon as possible so that we can make it as useful as possible. Cheers FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 3 months

1
0
0 0

Re: Securing the boot flow in U-Boot

by Ilias Apalodimas

Hi Tom, > > Continuing the discussions we had on securing the boot flow and OS as much as > > possible, we came up with the following idea. > > > > We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot. > > This will cover the next payload (shim/grub2/shim depending on board needs). > > > > In order to provide better overall security for the OS we'll need to at least > > verify DTB (if provided externally), initramfs and kernel modules. > > > > 1. For the kernel modules we can use kernel module signing facilities [1] > > 2. In case someone wants to provide an external DTB, we can use FIT images > > to secure that. The FIT images will contain the DTB(s) we need. Those will > > only be used if the authentication process succeeds. This will allow us to > > verify DTBs without introducing any new functionality to U-Boot. > > 3. We need to verify initramfs as well. This can be accomplished in various ways. > > Packing kernel + initramfs or using dm-verity are the two obvious ones but we > > are open to suggestions. > > For #3, making use of FIT images should be investigated seriously that > already allows for what you're asking about. Sure, thanks for the heads up. I had a sentence saying '#3 can deploy similar methods to #2" on my initial e-mail, but removed it right before sending. It makes a lot of sense to me to keep similar functionality, as long as we can keep the stored keys (to verify signatures) in small numbers. > > -- > Tom Thanks /Ilias

6 years, 3 months

1
0
0 0

[PATCH v2 1/2] fdt: add support for rng-seed

by Hsin-Yi Wang

Introducing a chosen node, rng-seed, which is an entropy that can be passed to kernel called very early to increase initial device randomness. Bootloader should provide this entropy and the value is read from /chosen/rng-seed in DT. Signed-off-by: Hsin-Yi Wang <hsinyi(a)chromium.org> --- change log: v1->v2: * call function in early_init_dt_scan_chosen * will add doc to devicetree-org/dt-schema on github if this is accepted --- Documentation/devicetree/bindings/chosen.txt | 14 ++++++++++++++ drivers/of/fdt.c | 11 +++++++++++ 2 files changed, 25 insertions(+) diff --git a/Documentation/devicetree/bindings/chosen.txt b/Documentation/devicetree/bindings/chosen.txt index 45e79172a646..fef5c82672dc 100644 --- a/Documentation/devicetree/bindings/chosen.txt +++ b/Documentation/devicetree/bindings/chosen.txt @@ -28,6 +28,20 @@ mode) when EFI_RNG_PROTOCOL is supported, it will be overwritten by the Linux EFI stub (which will populate the property itself, using EFI_RNG_PROTOCOL). +rng-seed +----------- + +This property served as an entropy to add device randomness. It is parsed +as a byte array, e.g. + +/ { + chosen { + rng-seed = <0x31 0x95 0x1b 0x3c 0xc9 0xfa 0xb3 ...>; + }; +}; + +This random value should be provided by bootloader. + stdout-path ----------- diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c index de893c9616a1..96ea5eba9dd5 100644 --- a/drivers/of/fdt.c +++ b/drivers/of/fdt.c @@ -24,6 +24,7 @@ #include <linux/debugfs.h> #include <linux/serial_core.h> #include <linux/sysfs.h> +#include <linux/random.h> #include <asm/setup.h> /* for COMMAND_LINE_SIZE */ #include <asm/page.h> @@ -1079,6 +1080,7 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname, { int l; const char *p; + const void *rng_seed; pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname); @@ -1113,6 +1115,15 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname, pr_debug("Command line is: %s\n", (char*)data); + rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l); + if (!rng_seed || l == 0) + return 1; + + /* try to clear seed so it won't be found. */ + fdt_nop_property(initial_boot_params, node, "rng-seed"); + + add_device_randomness(rng_seed, l); + /* break now */ return 1; } -- 2.20.1

6 years, 4 months

5
13
0 0

Re: [PATCH] arm64: add support for rng-seed

by Rob Herring

On Wed, May 8, 2019 at 10:06 AM Hsin-Yi Wang <hsinyi(a)chromium.org> wrote: > > On Wed, May 8, 2019 at 10:04 PM Rob Herring <robh+dt(a)kernel.org> wrote: > > > > On Tue, May 7, 2019 at 11:08 PM Hsin-Yi Wang <hsinyi(a)chromium.org> wrote: > > > > > > On Wed, May 8, 2019 at 3:47 AM Rob Herring <robh+dt(a)kernel.org> wrote: > > > > > > > > +boot-architecture list as there was some discussion about this IIRC. > > > > > > > > On Mon, May 6, 2019 at 11:54 PM Hsin-Yi Wang <hsinyi(a)chromium.org> wrote: > > > > > > > > > > Introducing a chosen node, rng-seed, which is an 64 bytes entropy > > > > > that can be passed to kernel called very early to increase device > > > > > randomness. Bootloader should provide this entropy and the value is > > > > > read from /chosen/rng-seed in DT. > > > > > > > > > > Signed-off-by: Hsin-Yi Wang <hsinyi(a)chromium.org> > > > > > > > > > > --- > > > > > Documentation/devicetree/bindings/chosen.txt | 14 +++++++++ > > > > > > > > Actually, this file has been converted to json-schema and lives > > > > here[1]. I need to remove this one (or leave it with a reference to > > > > the new one). > > > > > > > > > arch/arm64/kernel/setup.c | 2 ++ > > > > > drivers/of/fdt.c | 33 ++++++++++++++++++++ > > > > > include/linux/of_fdt.h | 1 + > > > > > 4 files changed, 50 insertions(+) > > > > > > > > > > diff --git a/Documentation/devicetree/bindings/chosen.txt b/Documentation/devicetree/bindings/chosen.txt > > > > > index 45e79172a646..bfd360691650 100644 > > > > > --- a/Documentation/devicetree/bindings/chosen.txt > > > > > +++ b/Documentation/devicetree/bindings/chosen.txt > > > > > @@ -28,6 +28,20 @@ mode) when EFI_RNG_PROTOCOL is supported, it will be overwritten by > > > > > the Linux EFI stub (which will populate the property itself, using > > > > > EFI_RNG_PROTOCOL). > > > > > > > > > > +rng-seed > > > > > +----------- > > > > > + > > > > > +This property served as an entropy to add device randomness. It is parsed > > > > > +as a 64 byte value, e.g. > > > > > > > > Why only 64-bytes? > > > We can also not specify size and read what bootloader can provide. > > > > > > > > > + > > > > > +/ { > > > > > + chosen { > > > > > + rng-seed = <0x31951b3c 0xc9fab3a5 0xffdf1660 ...> > > > > > + }; > > > > > +}; > > > > > + > > > > > +This random value should be provided by bootloader. > > > > > + > > > > > stdout-path > > > > > ----------- > > > > > > > > > > diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c > > > > > index 413d566405d1..ade4261516dd 100644 > > > > > --- a/arch/arm64/kernel/setup.c > > > > > +++ b/arch/arm64/kernel/setup.c > > > > > @@ -292,6 +292,8 @@ void __init setup_arch(char **cmdline_p) > > > > > early_fixmap_init(); > > > > > early_ioremap_init(); > > > > > > > > > > + early_init_dt_rng_seed(__fdt_pointer); > > > > > + > > > > > > > > I'm trying to reduce or eliminate all these early_init_dt_* calls. > > > > > > > > Why is this arch specific and why can't this be done after > > > > unflattening? It doesn't look like add_device_randomness() needs > > > > anything early. > > > Currently unflattening is called after setup_machine_fdt(), which > > > called fixmap_remap_fdt() //__fixmap_remap_fdt(dt_phys, &size, > > > PAGE_KERNEL_RO), and we can't modify DT after that since it's read > > > only. But we need to clear (eg. write 0 to it) the rng-seed after > > > reading from DT. > > > > Why do you need to clear it? That wasn't necessary for kaslr-seed. > I think it's for security purpose. If we know the random seed, it's > more likely we can predict randomness. > Currently on arm64, kaslr-seed will be wiped out (in > arch/arm64/kernel/kaslr.c#get_kaslr_seed(), it's set to 0) so we can't > read from sysfs (eg. /sys/firmware/devicetree/.../kaslr-seed) > I'm not sure on other arch if it will be wiped out. The difference is if I have the kaslr seed, I can calculate the kernel base address. In your case, you are feeding an RNG which continually has entropy added to it. I can't see that knowing one piece of the entropy data is a security hole. It looks more like you've just copied what what done for kaslr-seed. > > Why not change the mapping to RW? It would be nice if this worked on > > more than one arch. Still wondering on this question. Mapping it R/W would mean rng-seed could be handled later and completely out of the arch code and so could the zeroing of the kaslr-seed. Also, we generally assume the FDT is modifiable for any fixups. This happens on arm32 and powerpc, but I guess we haven't needed that yet on arm64. Rob

6 years, 4 months

5
6
0 0

Re: [PATCH] arm64: add support for rng-seed

by Rob Herring

+boot-architecture list as there was some discussion about this IIRC. On Mon, May 6, 2019 at 11:54 PM Hsin-Yi Wang <hsinyi(a)chromium.org> wrote: > > Introducing a chosen node, rng-seed, which is an 64 bytes entropy > that can be passed to kernel called very early to increase device > randomness. Bootloader should provide this entropy and the value is > read from /chosen/rng-seed in DT. > > Signed-off-by: Hsin-Yi Wang <hsinyi(a)chromium.org> > > --- > Documentation/devicetree/bindings/chosen.txt | 14 +++++++++ Actually, this file has been converted to json-schema and lives here[1]. I need to remove this one (or leave it with a reference to the new one). > arch/arm64/kernel/setup.c | 2 ++ > drivers/of/fdt.c | 33 ++++++++++++++++++++ > include/linux/of_fdt.h | 1 + > 4 files changed, 50 insertions(+) > > diff --git a/Documentation/devicetree/bindings/chosen.txt b/Documentation/devicetree/bindings/chosen.txt > index 45e79172a646..bfd360691650 100644 > --- a/Documentation/devicetree/bindings/chosen.txt > +++ b/Documentation/devicetree/bindings/chosen.txt > @@ -28,6 +28,20 @@ mode) when EFI_RNG_PROTOCOL is supported, it will be overwritten by > the Linux EFI stub (which will populate the property itself, using > EFI_RNG_PROTOCOL). > > +rng-seed > +----------- > + > +This property served as an entropy to add device randomness. It is parsed > +as a 64 byte value, e.g. Why only 64-bytes? > + > +/ { > + chosen { > + rng-seed = <0x31951b3c 0xc9fab3a5 0xffdf1660 ...> > + }; > +}; > + > +This random value should be provided by bootloader. > + > stdout-path > ----------- > > diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c > index 413d566405d1..ade4261516dd 100644 > --- a/arch/arm64/kernel/setup.c > +++ b/arch/arm64/kernel/setup.c > @@ -292,6 +292,8 @@ void __init setup_arch(char **cmdline_p) > early_fixmap_init(); > early_ioremap_init(); > > + early_init_dt_rng_seed(__fdt_pointer); > + I'm trying to reduce or eliminate all these early_init_dt_* calls. Why is this arch specific and why can't this be done after unflattening? It doesn't look like add_device_randomness() needs anything early. > setup_machine_fdt(__fdt_pointer); > > parse_early_param(); > diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c > index de893c9616a1..74e2c0c80b91 100644 > --- a/drivers/of/fdt.c > +++ b/drivers/of/fdt.c > @@ -22,6 +22,7 @@ > #include <linux/slab.h> > #include <linux/libfdt.h> > #include <linux/debugfs.h> > +#include <linux/random.h> > #include <linux/serial_core.h> > #include <linux/sysfs.h> > > @@ -1117,6 +1118,38 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname, > return 1; > } > > +extern void *__init __fixmap_remap_fdt(phys_addr_t dt_phys, int *size, > + pgprot_t prot); > + > +void __init early_init_dt_rng_seed(u64 dt_phys) > +{ > + void *fdt; > + int node, size, i; > + fdt64_t *prop; > + u64 rng_seed[8]; > + > + fdt = __fixmap_remap_fdt(dt_phys, &size, PAGE_KERNEL); > + if (!fdt) > + return; > + > + node = fdt_path_offset(fdt, "/chosen"); > + if (node < 0) > + return; > + > + prop = fdt_getprop_w(fdt, node, "rng-seed", &size); > + if (!prop || size != sizeof(u64) * 8) > + return; > + > + for (i = 0; i < 8; i++) { > + rng_seed[i] = fdt64_to_cpu(*(prop + i)); > + /* clear seed so it won't be found. */ > + *(prop + i) = 0; > + } > + add_device_randomness(rng_seed, size); > + > + return; > +} > + > #ifndef MIN_MEMBLOCK_ADDR > #define MIN_MEMBLOCK_ADDR __pa(PAGE_OFFSET) > #endif > diff --git a/include/linux/of_fdt.h b/include/linux/of_fdt.h > index a713e5d156d8..a4548dd6351e 100644 > --- a/include/linux/of_fdt.h > +++ b/include/linux/of_fdt.h > @@ -71,6 +71,7 @@ extern uint32_t of_get_flat_dt_phandle(unsigned long node); > > extern int early_init_dt_scan_chosen(unsigned long node, const char *uname, > int depth, void *data); > +extern void early_init_dt_rng_seed(u64 dt_phys); > extern int early_init_dt_scan_memory(unsigned long node, const char *uname, > int depth, void *data); > extern int early_init_dt_scan_chosen_stdout(void); > -- > 2.20.1 >

6 years, 4 months

2
3
0 0

RE: EFIBootGuard for CIP and SecureBoot

by daniel.sangorrin＠toshiba.co.jp

Hello Francois, Jan, Christian, and all Sorry for the late reply, I was waiting for the administrator of the Boot Architecture mailing list to accept my subscription request, but it seems it will take a bit more time. I will send this reply and hope it will not be blocked. I have also added the u-boot mailing list to Cc, as Tom suggested (although I'm not a member), the CIP mailing list, Jan Kiszka (one of the main developers of Efibootguard) and Christian (an expert in software updates). Background: during the last Linaro connect in Bangkok I was told that Linaro Edge (LEDGE) were working on a secure software update mechanism based on UEFI capsules that would flash firmware updates from a UEFI application, instead of using a Linux agent such as SWUpdate. Then, I had an online meeting with Francois, director of LEDGE. I explained to Francois that in CIP we are using the Linux agent approach right now, and we are also considering the use of a UEFI application (Efibootguard) to arm a watchdog and deal with the state-machine variables (installed, testing, ok, failed..) needed for A/B software updates. Efibootguard sounds like an excellent place to collaborate with Linaro (particularly on the watchdog drivers front) because it does not strictly depend on where the firmware is flashed (UEFI capsule or Linux agent). > On Fri, Apr 19, 2019 at 12:48:51PM +0200, Francois Ozog wrote: > > Hi Daniel, > > > > We will be conducting a UEFI gap analysis to support EFIBootGuard in U-Boot. > > > > As we are working on UEFI SecureBoot implementation in U-Boot, how do > > you expect the boot process to be secured? Would U-Boot UEFI > > SecureBoot verify EFIBootGuard signature and in turn EFIBootGuard will > > check either grub or Linux signature? > > > > Please elaborate on your vision of a secured boot process. Efibootguard is composed of two parts. - A UEFI application that can arm a watchdog and decide what environment (kernel, boot args, etc.) to use next depending on a set of variables (update status, highest revision, etc.) stored in FAT16 partitions. - A Linux application that can read and set those variables from Linux (similar to u-boot's fw_setenv). This functionality is also available in the form of a library. As far as I know, there is no concept of "Secure Booting" in Efibootguard at the moment. Adding signature checks before booting into the selected kernel would be a possible solution. Thanks, Daniel

6 years, 4 months

8
13
0 0

StandaloneMM discussion

by Ilias Apalodimas

Hi all, This started as an internal discussion for U-Booa and SSL which quickly span out of control, so the mailing list is a better suited place for this discussion. Akashi-san had an interesting idea. Since we will try to implement StandaloneMM as an OP-TEE TA, why not add payload authentication capabilities on it. Since it's already doing variable authentication on the secure side, the needed changes would be minimal (at least that's what i think, please correct me if i am wrong), since most of the code should already be there. This means that the payload authentication will be moved to the secure world. Although doing the authentication in secure world won't offer any security enhancements, the common code across firmware implementations is probably nice to have. The obvious drawback is that you limit the payload authentication capabilities, since running StMM will become obligatory for image that. Thanks /Ilias

6 years, 4 months

7
14
0 0

EBBR Plugfest at ELC and/or ELC-E

by Grant Likely

Hi Bill and Peter, [cc'ing boot-architecture to trawl for additional volunteers] As discussed during EBBR monthly call today, we should have an EBBR plugfest at ELC and/or ELC-E this year with the goal of working out compatibility issues between platforms+firmware and OS images (distro images, OpenEmbedded, Buildroot, Yocto builds, etc). My initial thought is to run a full day event that is part hacking sprint and part plugfest. We could ask participants to either bring a platform (SBC with firmware installed) or an OS images and then set up a test matrix for each OS to test on each board. After an initial set of attempts the rest of the day could be a hacking sprint to solve problems and squash bugs. I'm only going to be at ELC this year (Aug 21-23rd in San Diego). I might be able to get the LF to provide a co-located room Tuesday the 20th. ELC-E will be in late October. If we do this at both events, then someone will need to take the lead on organizing the European version. Thoughts? g.

6 years, 4 months

2
1
0 0

Shutting down arm.ebbr-discuss@arm.com mailing list

by Grant Likely

As discussed at Linaro Connect BKK19 in early April, the arm.ebbr-discuss mailing list isn't very functional because it doesn't have a public archive and non-Arm folks cannot subscribe themselves. I'm shutting down the arm.ebbr-discuss mailing list. From this date all EBBR discussion will be held on the boot-architecture(a)linaro.org mailing list. g.

6 years, 4 months

1
0
0 0

EBBR Monthly Meeting - 23 April 2019

by Grant Likely

Hi all, The EBBR monthly meeting is later today. We're in the quiet period after releasing EBBR v1.0 and are unlikely to add new content immediately. Instead, we'll use the monthly meeting to track and discuss progress on Secure Boot with U-Boot, TF-A, and OP-TEE, as well as other desired EBBR features. As those features mature, we'll add language to EBBR to match. Dial in details below. g. --- There is a monthly conference call to discuss EBBR topics on the 4th Tuesday of the month at 15:00 UTC/BST, 7:00 PST/PDT, 23:00/22:00 CST (following UTC/BST daylight savings time shifts). Anyone is welcome to join. Online meeting: https://arm-onsite.webex.com/meet/gralik01 Phone 1-408-792-6300 Call-in toll number (US/Canada) 1-877-668-4490 Call-in toll-free number (US/Canada) 44-203-478-5285 Call-in toll number (UK) 08-002061177 Call-in toll-free (UK) More access numbers: webex-global-numbers Access code: 809 053 990

6 years, 4 months

1
0
0 0

Re: EFIBootGuard for CIP and SecureBoot

by Heinrich Schuchardt

On Fri Apr 19 10:48:51 UTC 2019 François Ozog <francois.ozog(a)linaro.org> wrote > We will be conducting a UEFI gap analysis to support EFIBootGuard in > U-Boot. > > As we are working on UEFI SecureBoot implementation in U-Boot, how do > you expect the boot process to be secured? Would U-Boot UEFI > SecureBoot verify EFIBootGuard signature and in turn EFIBootGuard will > check either grub or Linux signature? > > Please elaborate on your vision of a secured boot process. The UEFI spec is quite clear about this: An implementation of SecureBoot will check the signature of any EFI binary before starting it. StartImage() will return EFI_SECURITY_VIOLATION when trying to start an image that is neither correctly signed nor whose hash is known. As we use StartImage() for starting any image the signature of EFIBootGuard would be checked first and then any of the child applications it starts. You will not be able to start GRUB or the Linux kernel if their signature are not added to U-Boot's key database. Of cause you could implement inside EFIBootGuard your own mechanism to start a loaded image without calling StartImage(). In this case U-Boot cannot protect you from invalid images. Best regards Heinrich

6 years, 4 months

3
2
0 0

EFIBootGuard for CIP and SecureBoot

by Francois Ozog

Hi Daniel, We will be conducting a UEFI gap analysis to support EFIBootGuard in U-Boot. As we are working on UEFI SecureBoot implementation in U-Boot, how do you expect the boot process to be secured? Would U-Boot UEFI SecureBoot verify EFIBootGuard signature and in turn EFIBootGuard will check either grub or Linux signature? Please elaborate on your vision of a secured boot process. Cheers FF PS: you may want to subscribe to the boot-architecture mailing list in Linaro.

6 years, 5 months

1
0
0 0

Re: Standalone MM interface on U-Boot

by Francois Ozog

Hi, I suggest we move the discussion to https://lists.linaro.org/mailman/listinfo/boot-architecture I am sending the subscription link to BKK19 boot sprint attendees. Cheers FF On Thu, 11 Apr 2019 at 10:31, Francois Ozog <francois.ozog(a)linaro.org> wrote: > > > On Thu, 11 Apr 2019 at 10:23, AKASHI, Takahiro <takahiro.akashi(a)linaro.org> > wrote: > >> On Thu, 11 Apr 2019 at 16:49, Joakim Bech <joakim.bech(a)linaro.org> wrote: >> > >> > Hi, >> > >> > @Takahiro, thanks for teaching me what is right and wrong :) >> >> No, no. Everything is right, but some are only suitable for a specific >> relationship :) >> >> > @Ilias, @FF, replies inline below. >> > >> > On Thu, 11 Apr 2019 at 09:22, Francois Ozog <francois.ozog(a)linaro.org> >> wrote: >> >> >> >> >> >> >> >> On Thu, 11 Apr 2019 at 08:51, Ilias Apalodimas < >> ilias.apalodimas(a)linaro.org> wrote: >> >>> >> >>> Hi Akashi-san, >> >>> >> >>> > > I'm just drafting a new card for running the Standalone MM >> >>> > > as Trusted Application in OP-TEE. The use case as I understand >> >>> > > it is to call this TA from U-Boot environment (and when Linux is >> >>> > > up and running). >> >>> > >> >>> > I heard the almost same thing from Francois. >> >>> > I don't mind how the service will be implemented in secure world. >> What I'd >> >>> > like to do here is to add an interface for communicating with >> secure world >> >>> > on U-Boot side (normal world). >> >>> Can we try and avoid double and triple Jira epics, while still giving >> credit to >> >>> SIGs/Groups doing the work? >> >>> We already have an initiative up for u-boot relasted issues. >> >>> https://projects.linaro.org/browse/LEDGE-134 >> >>> >> >> >> >> My proposal is that EPICS related to OPTEE are owned by SWG, even if >> they are resourced by LEDGE. >> >> For instance, I can task a LEDGE assignee to do the OPTEE work under >> Joakim guidance and reporting on a SWG EPIC. >> > >> > This is inline with my thoughts. >> > >> >> >> >> LEDGE Initiative would include an EPIC link to the SWG EPIC: LEDGE can >> then track the many tasks done in KWG and SWG. >> >> Actually I proposed the creation of a lead project: dependable boot. >> >> >> >> For the time being, lets create all the Jira cards we think we need to >> address. Lets check each other iniatives to ensure we have identified all >> pieces of work. >> >> https://projects.linaro.org/browse/LEDGE-151 >> >> https://projects.linaro.org/browse/LEDGE-134 >> > >> > As we're speaking I'm drafting the work for a Standalone MM OP-TEE as >> well as the fTPM stuff: >> > https://projects.linaro.org/browse/SWG-372 (I'm going to add more >> details here after having a chat with Ard ... who is travelling to US for >> the moment). >> > https://projects.linaro.org/browse/SWG-373 >> > >> > Note that I'll more and more start creating Initiatives instead of >> Epics, since I believe the consensus after TSC voting is that our current >> Initiatives are too broad containing unrelated features. Having that said, >> beneath the Initiatives I'll split up sub-tasks as Epics. >> >> Let me make clear; I started my UEFI-related tasks almost >> independently from other groups' activities. In this sense, my >> 'initiative' is KWG-339 (I don't care much though). KWG-403 is >> a card where I want to keep my status updated. >> >> >> >> >> >> >>> >> >>> > >> >>> > Yes, I remember that we discussed lots about running Standalone MM >> as >> >>> > OP-TEE application, and what I'm asking is >> >>> > - do you have any chance to use Standalone MM service on SPM, or >> >>> > - do you want to use it solely as OP-TEE application. >> >>> For the moment all LEDGE platforms we know of are based on u-boot. >> >>> The only platform we have that not u-boot based is the SynQuacer box, >> but Ard >> >>> has already finished his StandaloneMM in SPM on that. >> >> >> >> >> >> SPM does not work with ST32MP1 which is a LEDGE 32 bit target platform >> and, AFAIK, will not work with virtualization in trustzone. >> >> So SPD is our way to go. >> > >> > Yes, and IIRC, this is why we need to make Ard's current Standalone MM >> implementation possible to run as an OP-TEE Trusted Application (basically >> SWG-372). It's even useful on Armv8 devices until we have support for >> running multiple SP's. >> >> So even for some sort of prototyping or POC, you won't use Standalone >> MM services >> in the current form and will be willing to wait for the completion of >> SWG-372? >> >> I think we can swap very easily the protocol used between u-boot and the > Standalone MM. You can surely do a first iteration with SPM version as it > exists today and you can just add the u-boot part. > This allows working in parrallel on different aspects of the > implementation. > We will focus on the SPD part. > > I heard from Ard that some assignee has finished porting Standalone MM >> services >> to qemu, and so I will be able to work on it integrating it into my >> current secure boot patch. >> >> > Sounds perfect! > > >> In addition, in my previous e-mail, I think that I raised some topic >> that we should >> discuss, image authentication as well as rolls of secure world and >> non-secure world. >> This will have impacts on my secure boot patch; in some scenario, my >> current work will >> make almost no sense. >> >> That needs proper discussion: > shall we use the boot-arch mail alias as the mailing list so that we reach > a broad community for comments? > shall we setup a weekly call ? (most attendees are europe to asia time > zones I believe) > > >> Thanks, >> -Takahiro Akashi >> >> >> >> >> >>> >> >>> Cheers >> >>> /Ilias >> > >> > >> > Regards, >> > Joakim >> > > > -- > [image: Linaro] > <https://www.linaro.org/assets/content/RGB-Linaro_Standard.png> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > T: +33.67221.6485 > francois.ozog(a)linaro.org | Skype: ffozog > > -- [image: Linaro] <https://www.linaro.org/assets/content/RGB-Linaro_Standard.png> François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

6 years, 5 months

1
0
0 0

Re: [Arm.ebbr-discuss] [EXT] Re: EBBR SC meeting on-site at Connect

by AKASHI Takahiro

# My apology if this kind of discussion is not appropriate in this ML. On Tue, Apr 09, 2019 at 04:20:48PM +0100, Yang Zhang wrote: > On Tue, 9 Apr 2019 at 16:18, Udit Kumar <udit.kumar(a)nxp.com> wrote: > > > Thanks for information AKASHI > > > > IMO for EBBR, we need to define subset of test-cases, which are required > > in EBBR specs. > > > > +1 Since I have been away from SCT long time, I almost forgot details of how SCT runs but at the first glance, it would be quite simple and straightforward as SCT already has a feature to run only a specific list of test cases (through TestCase.ini file). * create a list of test cases (TestCase.ini is automatically generated by SCT if we want to run all.) * check/mark only interested cases (There are always two types of tests: conformance and function.) * run SCT with this list The issue would be who maintain this list and where :) and I don't know that the 'granularity' of each test case would fit well for our subset. > > > I expect some fail in u-boot. > > Also need to find a better way to build uefi-sct > > > > +1 I used pre-built binary of SCT. -Takahiro Akashi > > > > Regards > > Udit > > > > > -----Original Message----- > > > From: AKASHI Takahiro <takahiro.akashi(a)linaro.org> > > > Sent: Tuesday, April 9, 2019 10:53 AM > > > To: Grant Likely <Grant.Likely(a)arm.com> > > > Cc: Udit Kumar <udit.kumar(a)nxp.com>; Dong Wei <Dong.Wei(a)arm.com>; Eric > > > FINCO <eric.finco(a)st.com>; Robert Oshana <robert.oshana(a)nxp.com>; Tony > > > Wu <tonywu(a)realtek.com>; boot-architecture(a)lists.linaro.org; arm.ebbr- > > > discuss <arm.ebbr-discuss(a)arm.com>; LEDGE SC <ledge-sc(a)linaro.org>; > > Varis, > > > Pekka <p-varis(a)ti.com>; nd <nd(a)arm.com> > > > Subject: [EXT] Re: EBBR SC meeting on-site at Connect > > > > > > WARNING: This email was created outside of NXP. DO NOT CLICK links or > > > attachments unless you recognize the sender and know the content is safe. > > > > > > > > > > > > On Sat, Apr 06, 2019 at 07:42:46PM +0000, Grant Likely wrote: > > > > Hi Udit, > > > > > > > > We talked about testing. We generally agreed that UEFI-SCT is > > > > important, even though it is limited. LuvOS (which includes UEFI-SCT) > > > > is a good candidate to do more complete testing, and we also talked > > > > about getting UEFI test cases into the U-Boot CI testing. > > > > > > Just FYI, it was last July that I ran UEFI SCT with U-Boot on qemu. > > > Here is a summary of the result: > > > > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.goo > > > gle.com%2Fspreadsheets%2Fd%2F17e45yojM2nLdRovx0gcgHIAmvv9b_yc9iIUjZ > > > 2LY22c%2Fedit%3Fusp%3Dsharing&data=02%7C01%7Cudit.kumar%40nxp. > > > com%7Cc5b24ae4bd26466e1a7008d6bcab1c5c%7C686ea1d3bc2b4c6fa92cd99 > > > c5c301635%7C0%7C0%7C636903840436702643&sdata=00NOqcpsKPi8DkJ > > > u8y%2F7mLqSI8qQGFSGqzBhbpo3bbE%3D&reserved=0 > > > (Please note that this is not for public review, but just informative.) > > > > > > In my experience, I saw lots of failure cases (some or most of them are > > trivial > > > and can be duplicated ones though), and running through all the test > > cases took > > > a whole week. This is partly because SCT crashes occasionally and I > > needed to > > > restart it next morning :) > > > > > > So I'm not sure that U-Boot UEFI is ready for automated testing with SCT. > > > (We made lots of improvements recently, but I have had no time to re-run > > SCT > > > these days. Give me a fast machine :) > > > > > > -Takahiro Akashi > > > > > > > Linaro LEDGE is looking at adding U-Boot testing to their backlog, but > > > > they don't have any engineering resources who can be assigned to the > > > > work right now. I'm also going to try and resource this from Arm. > > > > > > > > g. > > > > > > > > On 04/04/2019 16:08, Udit Kumar wrote: > > > > > Hi Grant > > > > > > > > > >>>- other business > > > > > > > > > > See, if you can add compliance test suits for EBBR, or subset of > > > > > UEFI-SCT is enough ? > > > > > > > > > > Regards > > > > > > > > > > Udit > > > > > > > > > > *From:* arm.ebbr-discuss-bounces(a)arm.com > > > > > <arm.ebbr-discuss-bounces(a)arm.com> *On Behalf Of *Grant Likely > > > > > *Sent:* Wednesday, April 3, 2019 12:49 PM > > > > > *To:* Dong Wei <Dong.Wei(a)arm.com>; Eric FINCO <eric.finco(a)st.com>; > > > > > Robert Oshana <robert.oshana(a)nxp.com>; Tony Wu > > > <tonywu(a)realtek.com>; > > > > > boot-architecture(a)lists.linaro.org; arm.ebbr-discuss > > > > > <arm.ebbr-discuss(a)arm.com>; LEDGE SC <ledge-sc(a)linaro.org>; Varis, > > > > > Pekka <p-varis(a)ti.com> > > > > > *Subject:* Re: [Arm.ebbr-discuss] EBBR SC meeting on-site at Connect > > > > > > > > > > Agenda for today: > > > > > > > > > > - EBBR v1.0 released (yay!) > > > > > > > > > > - goals for v1.1 or v2.0 > > > > > > > > > > - other issues > > > > > > > > > > - secure world interfaces > > > > > > > > > > - non-block storage > > > > > > > > > > - identification of protected blocks > > > > > > > > > > - other business > > > > > > > > > > --- > > > > > > > > > > Grant Likely > > > > > > > > > > Sr. Technical Director SW Engineering > > > > > > > > > > -------------------------------------------------------------------- > > > > > ---- > > > > > > > > > > *From:*Grant Likely > > > > > *Sent:* Wednesday, April 3, 2019 1:49:23 PM > > > > > *To:* Dong Wei; Eric FINCO; robert.oshana(a)nxp.com; Tony Wu; > > > > > boot-architecture(a)lists.linaro.org; arm.ebbr-discuss; LEDGE SC; > > > > > Varis, Pekka > > > > > *Subject:* Re: EBBR SC meeting on-site at Connect > > > > > > > > > > details for those who had trouble with the calendar invite: > > > > > > > > > > Room: Lotus 5-6 > > > > > > > > > > Time: 5:00pm > > > > > > > > > > Sorry for those of you who aren’t here. I’m not going to have a dial > > > > > in, but I’ll take good notes. > > > > > > > > > > g. > > > > > > > > > > > > > _______________________________________________ > > > > boot-architecture mailing list > > > > boot-architecture(a)lists.linaro.org > > > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist > > > > s.linaro.org%2Fmailman%2Flistinfo%2Fboot- > > > architecture&data=02%7C01 > > > > > > > %7Cudit.kumar%40nxp.com%7Cc5b24ae4bd26466e1a7008d6bcab1c5c%7C686 > > > ea1d3b > > > > > > > c2b4c6fa92cd99c5c301635%7C0%7C0%7C636903840436702643&sdata=F > > > Rd8%2B > > > > nzRF827ZMG1fYeDwEr90V%2BZHvIHbFiIPAhBFiQ%3D&reserved=0 > > > > _______________________________________________ > > Arm.ebbr-discuss mailing list > > Arm.ebbr-discuss(a)arm.com

6 years, 5 months

1
0
0 0

Re: EBBR SC meeting on-site at Connect

by Grant Likely

details for those who had trouble with the calendar invite: Room: Lotus 5-6 Time: 5:00pm Sorry for those of you who aren’t here. I’m not going to have a dial in, but I’ll take good notes. g. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years, 5 months

4
8
0 0

Re: [edk2] [edk2-announce] ATTN: List Transition Begins Today

by Leif Lindholm

FYI: EDK2 development mailing list changing to devel(a)edk2.groups.io This will give us some better flexibility with regards to whitelisting non-subscribers and suchlike currently not possible through 01.org. On Wed, Apr 03, 2019 at 10:59:31AM -0500, stephano wrote: > tl;dr > If you're sending emails to this list, now would be a good time to switch > over to the new list: https://edk2.groups.io/g/devel > > > We will be transitioning to Groups.io today for our devel mailing list. At > some point today, this email will begin to bounce any incoming messages. > I'll be working on getting the archive of old emails uploaded to Groups.io. > When I have a timetable for the archives I'll update the new list. > > Cheers, > Stephano > _______________________________________________ > edk2-devel mailing list > edk2-devel(a)lists.01.org > https://lists.01.org/mailman/listinfo/edk2-devel

6 years, 5 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

boot-architecture