Hi,
following the proposal at the last Device Tree Evolution call I'd like to
propose an agenda for Wednesday that Steve could complement (see below).
You may want to add or remove agenda items...
We need to synchronize with "kernel day" agenda as some of us need to
attend both events.
Cheers
FF
4h: DeviceTree Lead Project
-
to be defined by Steve McIntyre
4h: DependableBoot Lead Project
-
1h: status and deliverable planning for next cycle
-
EBBR specs next steps? compliance.
-
UEFI SecureBoot
-
EFI payload authentication
-
UEFI Secure variable handling
-
Linux kernel UEFI variable caching and updates (as a capsule
update)
-
Define other ‘must-have’ UEFI features (i.e DBT??)
-
firmwareTPM
-
UEFI MeasuredBoot
-
32bits UEFI support
-
Qemu EBBR
-
implications of our work on EDKII
-
1h: Robust boot "research" & PoC for next cycle
-
anti-brickable incl. TF-A: “philosophy” and hints to implement
-
UEFI watchdog: when to call UEFI exit-boot-services?
-
2h: overall boot architecture evolution
-
interdependencies between TF-A, TrustZone (SPM, OPTEE, SCPI), OS,
SCMI - many things are happening and I am not sure we understand tricky
interactions that may result in race conditions (for instance
SCMI in OPTEE
kernel and its relations with UEFI runtime services). The idea
is to try to
identify the hairiest issues that we should analyze post Connect.
-
Boot orchestration
-
"Contracts" / list all the assumptions
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Evidently I've managed to overlap the EBBR monthly with the 96Boards SC monthly meeting. Does anyone object to rescheduling the EBBR monthly to be the 1st Tuesday of each month? (starting next week).
g.
________________________________________
From: Grant Likely
Sent: 12 March 2019 11:38
To: rob.herring(a)linaro.org; Ben Eckermann; Dong Wei; perobins(a)redhat.com; ryan.harkin(a)linaro.org; Udit Kumar; wmills(a)ti.com; nicolas.dechesne(a)linaro.org; Tom Rini; Peter Robinson; Tony Wu; tom.rini(a)konsulko.com; Yang Zhang; Nicusor Penisoara; Andreas Färber; Michal Simek; David Rusling; Peter Jones; Mark Brown; Matthias Brugger; daniel.thompson(a)linaro.org
Subject: EBBR Monthly - 4th Tuesday
When: 28 May 2019 15:00-16:00.
Where: WebEx
Biweekly EBBR status call
- Online meeting: https://arm-onsite.webex.com/meet/gralik01
- Phone
- Access code: 809 053 990
- 1-408-792-6300 Call-in toll number (US/Canada)
- 1-877-668-4490 Call-in toll-free number (US/Canada)
- 44-203-478-5285 Call-in toll number (UK)
- 08-002061177 Call-in toll-free (UK)
More access numbers:
https://arm-onsite.webex.com/cmp3300/webcomponents/widget/globalcallin/glob…
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Quick poll: who would be interested in a U-Boot/EBBR plugfest event collocates with ELC-EU this year (week of 28th Oct)?
In the EBBR meetings we’ve tossed around the idea of an U-Boot/EBBR plugfest to work out compatibility issues between OS distros and upstream U-Boot SBC support. The idea is to get a number of SBCs supported by mainline U-Boot with UEFI features turned on, along with U-Boot & OS developers and hold a 1 day debug sprint to work out how many platforms can work with ‘stock’ OS images. Details to be worked out if this looks viable.
I’ve asked the LF folks if they have space on either Thursday 31st Oct or Friday 1st Nov. They are checking availability, but no commitments have been made. It would help to know if this date and location is feasible.
What do you think? Would you come to a plug fest attached to ELC-EU? Would you be interested in helping to organise? Or, is there another time & location that would work better?
Cheers,
g.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi,
I'm now working on implementing UEFI secure boot on U-boot,
in particular, adding "dbt" (timestamp-based revocation) support
as described in UEFI specification, section 32.5.1 paragraph#7.
# To be honest, the description is quite hard for me to understand.
# I've got what it means only after reading corresponding EDK2 code.
My question is: Is there any signing tool on linux, with which
we can directly "timestamp" a PE image with RFC3161-compliant timestamp?
I know that "signtool" in Microsoft's Windows SDK has this feature,
but I wonder what tool major distros use for this purpose.
(They also need to use windows for creating their own distributions?)
I don't think it is very difficult to add the feature to existing
tools like "sbsign," but it would be nice to use "proven" tools
for testing.
Thanks,
-Takahiro Akashi
I hope somebody in the kernel community is looking at making sure the piece
of memory is RO:
https://wikileaks.org/ciav7p1/cms/page_36896783.html
Anyone knows about that?
Cheers
FF
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hi All,
Monthly EBBR meeting is scheduled for today. So far I've got the
following agenda items:
- Update on Devicetree Evolution project at Linaro (System Devicetree,
separate dts repo, spec updates)
- EBBR Plugfest options and planning committee
- Policy on DTBs shipped with OS -- does EBBR need to address this
explicitly?
Email if you have any other items.
g.
________________________________________
From: Grant Likely
Sent: 12 March 2019 11:38
To: rob.herring(a)linaro.org; Ben Eckermann; Dong Wei;
perobins(a)redhat.com; ryan.harkin(a)linaro.org; Udit Kumar; wmills(a)ti.com;
nicolas.dechesne(a)linaro.org; Tom Rini; Peter Robinson; Tony Wu;
tom.rini(a)konsulko.com; Yang Zhang; daniel.thompson(a)linaro.org; Nicusor
Penisoara; Andreas Färber; Michal Simek; David Rusling; Peter Jones;
Mark Brown; Matthias Brugger
Subject: EBBR Monthly - 4th Tuesday
When: 25 June 2019 15:00-16:00.
Where: WebEx
Biweekly EBBR status call
- Online meeting: https://arm-onsite.webex.com/meet/gralik01
- Phone
- Access code: 809 053 990
- 1-408-792-6300 Call-in toll number (US/Canada)
- 1-877-668-4490 Call-in toll-free number (US/Canada)
- 44-203-478-5285 Call-in toll number (UK)
- 08-002061177 Call-in toll-free (UK)
More access numbers:
https://arm-onsite.webex.com/cmp3300/webcomponents/widget/globalcallin/glob…
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
So trying to summarize the DT side track discussion in a different thread:
(
Shall we organize a virtual design sprint before the end of the month?
I'd like to create a section from the discussion in Boot Flows documen
)
I - Current situation is:
- DT provided by Linux kernel because it was “easier” and there was no
upstream home
- ACPI is provided by firmware (to make things simple), non secure OS can
patch them in case of issues, SecureBoot prevents those patches
OS provided DT is a cool developer facility in the context of floating DT
bindings and lack of proper upstream project. But conceptually speaking, DT
is not an OS thing and is not a firmware thing: it is a board thing that
may be massaged by firmware and consumed by OS.
With EBBR we seek a clean and salable solution that make the DT as simple
as ACPI.
II - Desired DT for EBBR policy
1) "upstream" DT
1.1) who provides DT
Board vendor make a <reference DT> that describes every hardware piece,
firmware provides a DT to OS, OS may be able to validate the DT but not
override it in secureboot production. For security and boot latency
consideration, firmware may actually need two DTs: a stripped version from
<reference DT> to operate on the minimal set of devices it want to bring up
the OS (say the <firmware DT>), a pruned/adapted version from <reference
DT> , ie without devices firmware wants to control and conforms to EBBR
spec (say the <OS DT>).
1.2) upstream <reference DT>
The board reference DT> shall be valid regardless of the firmware (may be
trusted firmware, uboot, edkII, linuxBoot...) not mentioning OS! There are
many candidates but I start to think Linaro could host a DT and EBBR
companion community project: "EBBR DTs" that will contain all the
<reference DT> from every EBBR compliant board vendor.
(Other boards can continue the mess, it is irrelevant EBBR, and us.
SecureBoot, MeasuredBoot implementations will assume EBBR compliance)
2) who sign what with what key
If we think of the following use case: Silicon Vendor provides a chip, a
board vendor provides a board, ABB builds a controller, Caterpillar creates
a mining truck with the controller, Rio Tinto operates the trck.
One possible (just designed to show case the need of various keysets) trust
chain is:
- Board key db is loaded with a board vendor, ABB and caterpillar certs.
- Trusted firmware: ABB doesn't want to deal with this, so the Board
vendor provides and signs trusted firmware, with key_tf.
- untrusted firmware: ABB selects the <firmware DT> and <OS DT> signs
both DTs and firmware with key_firmware. Trusted Firmware will validate the
signatures as key DB is loaded with ABB cert.
- grub and the OS: Caterpillar signs them with key_os (What is signed
and how it is verified is still a big discussion topic and the origin of
the sidetrack on DT)
- applications: Rio Tinto insurance company may be given the authority
to sign hosted OPTEE applications with a different key.
3) OS payload signing and verification: was the original topic of the
discussion and shall continue in the other thread.
4) operational considerations
In non SecureBoot environment, DT can be patched by OS (same as ACPI).
OS may decide to verify validaty of provided DT (mechanism yet to be
defined)
"dtb=" kernel command line parameter is still possible in non secure boot
but forbiden in secureBoot.
Le mer. 5 juin 2019 à 08:35, Tom Rini <trini(a)konsulko.com> a écrit :
> On Wed, Jun 05, 2019 at 08:29:37AM +0200, Ard Biesheuvel wrote:
> > On Wed, 5 Jun 2019 at 00:34, Tom Rini <trini(a)konsulko.com> wrote:
> > >
> > > On Tue, Jun 04, 2019 at 06:14:16PM -0400, Francois Ozog wrote:
> > > > Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit :
> > > >
> > ...
> > > > I think it may be good to validate but not provide. There is no Linux
> > > > provided ACPI table right ? So I get the point to validate a DT.
> > >
> > > There's "Linux provided" ACPI tables when someone has to decompile,
> > > fixup and re-compile their DSDT files.
> > >
> > > Or perhaps a better way to think of it is that yes, there's "Linux
> > > provided ACPI tables" when vendors are developing their hardware and
> > > correcting their ACPI tables. Same thing with DT, by and large (as
> > > overlays and secure boot are a can of worms to worry about later).
> >
> > Secure boot enabled Linux does not permit this model. Side loading of
> > DSDTs/SSDTs is disabled by the hardening patchset that all the distros
> > carry for secure boot enabled kernels.
>
> That sounds a little broken then. It should be doable so long as the
> files are signed appropriately. It's also rarer because the ACPI tables
> are functionally validated before they're put into production. That's
> largely the case here, except when we're talking about updating them for
> new support or just like the case above, fixing a problem with them.
>
> --
> Tom
>
Hi
I was tasked to come back to Linaro TSC with an answer on Linaro and kernel
lockdown for UEFI SecureBoot, hence the call for feed back.
So I did some research... The kernel lockdown does not seem to be a full
consensus yet:
https://news.ycombinator.com/item?id=16761827
I agree with Linus
<https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1654795.html>:
we should distinguish UEFI SecureBoot and how to achieve a highly secured
Operating System runtime environment.
1) UEFI SecureBoot: boot chain trust
My understanding is that UEFI SecureBoot ensures that the booted UEFI
payload is trusted.
Should the UEFI payload (a Linux OS) not be that secure it is irrelevant to
the UEFI SecureBoot itself.
2) Trustable Linux system
A trustable Linux system is UEFI SecureBoot loaded and make addition
precautions to avoid attacks and attacks to the boot chain.
If we think of a highly secured Linux, the kernel lockdown is certainly
highly desirable but just as many other aspects:
- iommu must be enabled to protect against DMA attacks
- sysfs needs to be cleaned (access rights are not tight enough)
- debugfs need to be banned (problem: some production control operations
are wrongly in debugfs)
-SE Linux
- IMA
- ...
In my view, we shall not mix the goal and the means to achieve the goal....
For instance, kernel lock down prevents iopl system call which prevents UIO
and UIO enabled DPDK drivers.
A vendor may evaluate that the security level achieved without kernel
lockdown is in line with its objectives to achieve a trustable Linux
system: loadable modules disabled by the kernel, kernel embedded initramfs,
IMA...
As a result, UEFI SecureBoot to secure the boot chain combined with
selected Linux hardening can achieve a Trustable Linux System.
As per LEDGE both are highly important I would say that 1) does not need
2) to be complete.
The way to achieve 2) is project dependent.
The LEDGE RP will need kernel lockdown because we will allow loadable
modules.
SoC vendors deriving a product out of LEDGE RP, may take different
provisions as per customer projects, in particular, they may derive a
version without lockdown but still trustable.
There is an additional twists to this.
UEFI SecureBoot does not mandate Microsoft signed keys.
But if you use Microsoft keys, I was warned that Microsoft may revoke
certificates for non locked down systems.
This warning illustrate the absolute need for independence related to UEFI
SecureBoot: I can't imagine a system in Europe (particularly in
military) prevented to boot because Microsoft revoked a certificate!!!
Cheers
FF
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
EBBR reqfers to chapter 2.6 "Requirements" of the UEFI spec if no
special exceptions are provided.
The UEFI spec requires to support HII resources in the LoadImage() boot
service. If an image contains a HII resource it has to install the
EFI_HII_PACKAGE_LIST_PROTOCOL on the image handle. But chapter 2.6 does
not generally require support for HII protocols.
It would be helpful to clarify if supporting HII resources in the
LoadImage() boot service is required to be EBBR compliant. I would
prefer EBBR not to require this as it adds a lot of complexity to the
firmware.
The UEFI spec further requires supporting loading images via the
EFI_LOAD_FILE_PROTOCOL and the EFI_LOAD_FILE2_PROTOCOL. This might also
be a candidate for skipping in the EBBR.
Best regards
Heinrich Schuchardt
I introduced the discussion topic to LEDGE Steering Committee today.
Linaro will focus on the use case where the DT is provided by the firmware.
Other use cases may be considered at a later stage.
On Thu, 6 Jun 2019 at 11:10, Tom Rini <trini(a)konsulko.com> wrote:
> On Thu, Jun 06, 2019 at 09:08:25AM +0200, Ard Biesheuvel wrote:
> > On Wed, 5 Jun 2019 at 21:28, Tom Rini <trini(a)konsulko.com> wrote:
> > >
> > > On Wed, Jun 05, 2019 at 08:30:12PM +0200, Ard Biesheuvel wrote:
> > > > On Wed, 5 Jun 2019 at 19:30, Tom Rini <trini(a)konsulko.com> wrote:
> > > > >
> > > > > On Wed, Jun 05, 2019 at 06:14:08PM +0100, Mark Brown wrote:
> > > > > > On Wed, Jun 05, 2019 at 02:16:11PM +0200, Ard Biesheuvel wrote:
> > > > > >
> > > > > > > The idea of EBBR is to move away from a vertically integrated
> model,
> > > > > > > and permit systems or appliances to use packaged OSes in the
> field,
> > > > > > > similar to how this is being done on servers today. The idea
> that it
> > > > > > > is required for, say, company X shipping product Yrev0, to
> upstream a
> > > > > > > new rev of the DT in order to tweak their board and ship
> product Yrev1
> > > > > > > is simply ridiculous. It doesn't scale, and we shouldn't care
> - the DT
> > > > > > > bindings is what we care about, and if it adheres to those, the
> > > > > > > platform can provide any DT it wants, and there is no reason
> the
> > > > > > > kernel devs should ever need to look at it.
> > > > > >
> > > > > > I don't think anyone is particularly suggesting that (at least
> not in
> > > > > > the portions of the thread I read properly, I have to confess I
> was
> > > > > > skimming a bunch of it)?
> > > > >
> > > > > Just so we're all on the same page, we do understand that someone
> > > > > somewhere is providing Yrev0.dtb and Yrev1.dtb, yes? Or are we
> > > > > expecting someone to be run-time fixing up Yboard.dtb for rev0 vs
> rev1
> > > > > vs .. ?
> > > >
> > > > Let me put it like this: company X is not interested in having to
> > > > engage with the distros to get Yrev1.dtb into the OS, nor do they
> want
> > > > to be forced to start from an official DTB and apply deltas to make
> it
> > > > correct. You ship a board with some description of the board that the
> > > > OS can understand - this is how the OS identifies which hardware it
> > > > runs on: the DT description.
> > >
> > > Where does this description that's coming with the board come from?
> > > That _matters_ if you want to have any idea what will be able to use
> it.
> >
> > From the platform, not from the OS. How the firmware achieves that is
> > left unspecified by EBBR, it only mandates that it is passed to the OS
> > via a config table.
>
> But it's part of the OS.
>
> > > > > > > For development, things are obviously different, I understand
> that.
> > > > > > > Shipping DTs for devboards makes sense, especially while the DT
> > > > > > > bindings are not set in stone yet. But imposing this model for
> > > > > > > production is unsustainable.
> > > > > >
> > > > > > I don't think I've particularly seen anyone trying to do that for
> > > > > > anything other than devboards, like Tom says people with actual
> products
> > > > > > usually don't even consider it. It's more that there is this
> devboard
> > > > > > case where the DTs are currently in kernel and a lot of the
> people
> > > > > > hacking on things are using devboards if only for want of
> anything else
> > > > > > so they naturally end up caring about that case.
> > > > >
> > > > > Keep in mind that the in-kernel dev board ones _are_ important as
> that's
> > > > > what you start your custom platform from, 9 times out of 10. It's
> quite
> > > > > often the case of "OK, $vendor gave us schematics for EVB, lets
> cut what
> > > > > we don't need and tweak" with a matching set of cuts and tweaks to
> the
> > > > > dts for the EVB. In the case of carrier+SOM it's just adding to,
> if
> > > > > using the stock carrier, or again adapting things for the custom
> > > > > carrier.
> > > >
> > > > Of course. But how is this relevant? I am not saying DTs have to be
> > > > truly original works, just that the OS should not be the one
> providing
> > > > it.
> > >
> > > Because we've been talking about where the device tree comes from, and
> I
> > > keep trying to point out that we are no where near a proven record of
> > > "DTB is always valid and functional with the Linux Kernel from here
> > > on out". There's not the tooling nor review to enforce that and
> there's
> > > a few examples every year (of just in-tree device trees, not custom end
> > > products) where it gets broken.
> >
> > So now, you are saying companies should only ship products with
> > devices trees that have been reviewed by the kernel community?
>
> No, but I am saying that intentions and reality disagree on "DTB + any
> kernel that supports those bindings" always resulting in "Everything
> continues to function as expected".
>
> > This makes no sense to me whatsoever: the DT *bindings* are the
> > contract that we have with the platforms. If someone ships a DT that
> > adheres to the bindings, we are on the hook to fix it. If someone
> > ships a broken DT, it is their problem and they are fix it in their OS
> > fork, or they issue a firmware update that fixes it.
>
> I'm saying the DT binding contracts get broken, have a track record of
> getting broken and will continue to be broken. The DTB is part of the
> OS.
>
> > > > > But maybe it's just me that's confused about what "shipping" means
> in
> > > > > this context. Almost no one bothers "shipping" the DTS files for a
> > > > > custom product to mainline Linux as no one is supposed to be
> running
> > > > > anything other than the provided software on the custom device and
> so it
> > > > > goes where ever it goes for that products needs and support plans.
> > > > > Rarely does a board, devboard or finished end-user product, ship
> with a
> > > > > DTB file stored stand-alone in a flash chip, that is intended as
> the
> > > > > final forever DTB. It's just another part of
> > > > > firmware-by-which-I-mean-the-whole-software-stack.
> > > >
> > > > Who said anything about the DT being stored in a flash chip? I
> already
> > > > explained more than once that it is up to the firmware to decide
> *how*
> > > > it stores the DT, and the filesystem is fine if it does not care
> about
> > > > security or if it implements some form of authentication.
> > >
> > > It's been stated I believe in other parts of this thread or perhaps I'm
> > > just thinking of the many other times people have talked about hardware
> > > shipping a device tree. If the hardware is shipping the DTB to use,
> > > it's often stored someplace other than normal storage so that it's not
> > > overwritten by accident. Similar to ACPI tables :)
> > >
> > > > The point is that we are trying to move from this custom device model
> > > > to a model where you can run a generic distro, without having to put
> > > > the burden on the OS vendor to bundle a DT for every platform that it
> > > > will ever run on, which is especially tricky if those platforms do
> not
> > > > exist yet.
> > >
> > > So we are, or are not trying to come up with recommendations for
> > > shipping a DTB file for hardware?
> >
> > I'm not sure i understand the question, but EBBR is not just a
> > recommendation. If you want to claim EBBR compliance, your platform
> > should be able to boot an OS that comes without bundled DTB images.
>
> No, that's not right. You are either OS+ACPI or OS+DTB. In the case of
> ACPI, other specifications deal with that. In the case of DTB there is
> not a specification that deals with these expectations, so EBBR needs to
> say something.
>
> > > > > Which is why my whole point here has been that the DTB needs to be
> > > > > treated and signature checked just like any other part of what's
> being
> > > > > loaded (kernel, initrd, grub and grub.conf OR systemd-boot and
> > > > > systemd-boot.conf, etc, etc).
> > > > >
> > > >
> > > > Again, I am not arguing that the DT should be linked into the
> firmware
> > > > executable, I am only saying that UEFI secure boot is not appropriate
> > > > for authenticating it (and that the OS should not be providing it)
> > >
> > > Are you just saying "the DT exists in the config table GUID, it is
> good"
> > > and ignoring the question of how the DT is put into the config table
> and
> > > any sort of "it is good" test?
> >
> > So now we are policing the DT as well, and checking whether it is
> > 'good' or not? The platform knows best how to describe the hardware,
> > so it is the hardware that provides the DT period. If a crappy product
> > provides a crappy DT, then you will get a crappy experience, just as
> > you might expect.
>
> I don't know why this keeps coming up. In this context, which is
> "secure boot", good means "we have done some form of cryptographic
> validation that this blob has been signed".
>
> > > Finally, is UEFI secure boot appropriate for authentication of the
> > > initrd? The bootloader config files?
> >
> > No. initrd is a file system interpreted by the Linux kernel, and we
> > already have ways to authenticate that (unless you build it into the
> > kernel image, in which case you get it for free)
>
> How are you seeing the initrd being authenticated, if not via the UEFI
> secure boot hooks?
>
> > bootloader config files are an implementation detail of the
> > bootloader, and the same reasoning applies: UEFI secure boot
> > authenticates the OS to the platform, not the other way around. If the
> > firmware wants to sign its config files, it can, and it might even
> > reuse some of the crypto code that UEFI secure boot uses. But it is
> > not part of UEFI secure boot.
>
> I disagree.
>
> --
> Tom
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
[ Snipping again ]
On Thu, Jun 06, 2019 at 11:10:07AM -0400, Tom Rini wrote:
>On Thu, Jun 06, 2019 at 09:08:25AM +0200, Ard Biesheuvel wrote:
>> On Wed, 5 Jun 2019 at 21:28, Tom Rini <trini(a)konsulko.com> wrote:
>> >
>> > Where does this description that's coming with the board come from?
>> > That _matters_ if you want to have any idea what will be able to use it.
>>
>> From the platform, not from the OS. How the firmware achieves that is
>> left unspecified by EBBR, it only mandates that it is passed to the OS
>> via a config table.
>
>But it's part of the OS.
And this is is the crux of the argument. The DT is *not* part of the
OS, it's a description of the *hardware* that *any* OS (or bootloader, or
whatever) should be able to use. That's the whole point.
...
>> > Because we've been talking about where the device tree comes from, and I
>> > keep trying to point out that we are no where near a proven record of
>> > "DTB is always valid and functional with the Linux Kernel from here
>> > on out". There's not the tooling nor review to enforce that and there's
>> > a few examples every year (of just in-tree device trees, not custom end
>> > products) where it gets broken.
>>
>> So now, you are saying companies should only ship products with
>> devices trees that have been reviewed by the kernel community?
>
>No, but I am saying that intentions and reality disagree on "DTB + any
>kernel that supports those bindings" always resulting in "Everything
>continues to function as expected".
>
>> This makes no sense to me whatsoever: the DT *bindings* are the
>> contract that we have with the platforms. If someone ships a DT that
>> adheres to the bindings, we are on the hook to fix it. If someone
>> ships a broken DT, it is their problem and they are fix it in their OS
>> fork, or they issue a firmware update that fixes it.
>
>I'm saying the DT binding contracts get broken, have a track record of
>getting broken and will continue to be broken. The DTB is part of the
>OS.
Contracts will continue to be broken as long as people think there is
the flexibility to break them. It's never going to improve like this!
Including the DT with the kernel was only ever intended to be a
short-term bootstrap solution until vendors caught up and started
shipping working DTBs in their firmware.
Cheers,
--
Steve McIntyre steve.mcintyre(a)linaro.org
<http://www.linaro.org/> Linaro.org | Open source software for ARM SoCs
On Wed, 5 Jun 2019 at 21:28, Tom Rini <trini(a)konsulko.com> wrote:
>
> On Wed, Jun 05, 2019 at 08:30:12PM +0200, Ard Biesheuvel wrote:
> > On Wed, 5 Jun 2019 at 19:30, Tom Rini <trini(a)konsulko.com> wrote:
> > >
> > > On Wed, Jun 05, 2019 at 06:14:08PM +0100, Mark Brown wrote:
> > > > On Wed, Jun 05, 2019 at 02:16:11PM +0200, Ard Biesheuvel wrote:
> > > >
> > > > > The idea of EBBR is to move away from a vertically integrated model,
> > > > > and permit systems or appliances to use packaged OSes in the field,
> > > > > similar to how this is being done on servers today. The idea that it
> > > > > is required for, say, company X shipping product Yrev0, to upstream a
> > > > > new rev of the DT in order to tweak their board and ship product Yrev1
> > > > > is simply ridiculous. It doesn't scale, and we shouldn't care - the DT
> > > > > bindings is what we care about, and if it adheres to those, the
> > > > > platform can provide any DT it wants, and there is no reason the
> > > > > kernel devs should ever need to look at it.
> > > >
> > > > I don't think anyone is particularly suggesting that (at least not in
> > > > the portions of the thread I read properly, I have to confess I was
> > > > skimming a bunch of it)?
> > >
> > > Just so we're all on the same page, we do understand that someone
> > > somewhere is providing Yrev0.dtb and Yrev1.dtb, yes? Or are we
> > > expecting someone to be run-time fixing up Yboard.dtb for rev0 vs rev1
> > > vs .. ?
> >
> > Let me put it like this: company X is not interested in having to
> > engage with the distros to get Yrev1.dtb into the OS, nor do they want
> > to be forced to start from an official DTB and apply deltas to make it
> > correct. You ship a board with some description of the board that the
> > OS can understand - this is how the OS identifies which hardware it
> > runs on: the DT description.
>
> Where does this description that's coming with the board come from?
> That _matters_ if you want to have any idea what will be able to use it.
>
>From the platform, not from the OS. How the firmware achieves that is
left unspecified by EBBR, it only mandates that it is passed to the OS
via a config table.
> > > > > For development, things are obviously different, I understand that.
> > > > > Shipping DTs for devboards makes sense, especially while the DT
> > > > > bindings are not set in stone yet. But imposing this model for
> > > > > production is unsustainable.
> > > >
> > > > I don't think I've particularly seen anyone trying to do that for
> > > > anything other than devboards, like Tom says people with actual products
> > > > usually don't even consider it. It's more that there is this devboard
> > > > case where the DTs are currently in kernel and a lot of the people
> > > > hacking on things are using devboards if only for want of anything else
> > > > so they naturally end up caring about that case.
> > >
> > > Keep in mind that the in-kernel dev board ones _are_ important as that's
> > > what you start your custom platform from, 9 times out of 10. It's quite
> > > often the case of "OK, $vendor gave us schematics for EVB, lets cut what
> > > we don't need and tweak" with a matching set of cuts and tweaks to the
> > > dts for the EVB. In the case of carrier+SOM it's just adding to, if
> > > using the stock carrier, or again adapting things for the custom
> > > carrier.
> >
> > Of course. But how is this relevant? I am not saying DTs have to be
> > truly original works, just that the OS should not be the one providing
> > it.
>
> Because we've been talking about where the device tree comes from, and I
> keep trying to point out that we are no where near a proven record of
> "DTB is always valid and functional with the Linux Kernel from here
> on out". There's not the tooling nor review to enforce that and there's
> a few examples every year (of just in-tree device trees, not custom end
> products) where it gets broken.
>
So now, you are saying companies should only ship products with
devices trees that have been reviewed by the kernel community?
This makes no sense to me whatsoever: the DT *bindings* are the
contract that we have with the platforms. If someone ships a DT that
adheres to the bindings, we are on the hook to fix it. If someone
ships a broken DT, it is their problem and they are fix it in their OS
fork, or they issue a firmware update that fixes it.
> > > But maybe it's just me that's confused about what "shipping" means in
> > > this context. Almost no one bothers "shipping" the DTS files for a
> > > custom product to mainline Linux as no one is supposed to be running
> > > anything other than the provided software on the custom device and so it
> > > goes where ever it goes for that products needs and support plans.
> > > Rarely does a board, devboard or finished end-user product, ship with a
> > > DTB file stored stand-alone in a flash chip, that is intended as the
> > > final forever DTB. It's just another part of
> > > firmware-by-which-I-mean-the-whole-software-stack.
> >
> > Who said anything about the DT being stored in a flash chip? I already
> > explained more than once that it is up to the firmware to decide *how*
> > it stores the DT, and the filesystem is fine if it does not care about
> > security or if it implements some form of authentication.
>
> It's been stated I believe in other parts of this thread or perhaps I'm
> just thinking of the many other times people have talked about hardware
> shipping a device tree. If the hardware is shipping the DTB to use,
> it's often stored someplace other than normal storage so that it's not
> overwritten by accident. Similar to ACPI tables :)
>
> > The point is that we are trying to move from this custom device model
> > to a model where you can run a generic distro, without having to put
> > the burden on the OS vendor to bundle a DT for every platform that it
> > will ever run on, which is especially tricky if those platforms do not
> > exist yet.
>
> So we are, or are not trying to come up with recommendations for
> shipping a DTB file for hardware?
>
I'm not sure i understand the question, but EBBR is not just a
recommendation. If you want to claim EBBR compliance, your platform
should be able to boot an OS that comes without bundled DTB images.
> > > Which is why my whole point here has been that the DTB needs to be
> > > treated and signature checked just like any other part of what's being
> > > loaded (kernel, initrd, grub and grub.conf OR systemd-boot and
> > > systemd-boot.conf, etc, etc).
> > >
> >
> > Again, I am not arguing that the DT should be linked into the firmware
> > executable, I am only saying that UEFI secure boot is not appropriate
> > for authenticating it (and that the OS should not be providing it)
>
> Are you just saying "the DT exists in the config table GUID, it is good"
> and ignoring the question of how the DT is put into the config table and
> any sort of "it is good" test?
>
So now we are policing the DT as well, and checking whether it is
'good' or not? The platform knows best how to describe the hardware,
so it is the hardware that provides the DT period. If a crappy product
provides a crappy DT, then you will get a crappy experience, just as
you might expect.
> Finally, is UEFI secure boot appropriate for authentication of the
> initrd? The bootloader config files?
>
No. initrd is a file system interpreted by the Linux kernel, and we
already have ways to authenticate that (unless you build it into the
kernel image, in which case you get it for free)
bootloader config files are an implementation detail of the
bootloader, and the same reasoning applies: UEFI secure boot
authenticates the OS to the platform, not the other way around. If the
firmware wants to sign its config files, it can, and it might even
reuse some of the crypto code that UEFI secure boot uses. But it is
not part of UEFI secure boot.
On Wed, 5 Jun 2019 at 19:30, Tom Rini <trini(a)konsulko.com> wrote:
>
> On Wed, Jun 05, 2019 at 06:14:08PM +0100, Mark Brown wrote:
> > On Wed, Jun 05, 2019 at 02:16:11PM +0200, Ard Biesheuvel wrote:
> >
> > > The idea of EBBR is to move away from a vertically integrated model,
> > > and permit systems or appliances to use packaged OSes in the field,
> > > similar to how this is being done on servers today. The idea that it
> > > is required for, say, company X shipping product Yrev0, to upstream a
> > > new rev of the DT in order to tweak their board and ship product Yrev1
> > > is simply ridiculous. It doesn't scale, and we shouldn't care - the DT
> > > bindings is what we care about, and if it adheres to those, the
> > > platform can provide any DT it wants, and there is no reason the
> > > kernel devs should ever need to look at it.
> >
> > I don't think anyone is particularly suggesting that (at least not in
> > the portions of the thread I read properly, I have to confess I was
> > skimming a bunch of it)?
>
> Just so we're all on the same page, we do understand that someone
> somewhere is providing Yrev0.dtb and Yrev1.dtb, yes? Or are we
> expecting someone to be run-time fixing up Yboard.dtb for rev0 vs rev1
> vs .. ?
>
Let me put it like this: company X is not interested in having to
engage with the distros to get Yrev1.dtb into the OS, nor do they want
to be forced to start from an official DTB and apply deltas to make it
correct. You ship a board with some description of the board that the
OS can understand - this is how the OS identifies which hardware it
runs on: the DT description.
> > > For development, things are obviously different, I understand that.
> > > Shipping DTs for devboards makes sense, especially while the DT
> > > bindings are not set in stone yet. But imposing this model for
> > > production is unsustainable.
> >
> > I don't think I've particularly seen anyone trying to do that for
> > anything other than devboards, like Tom says people with actual products
> > usually don't even consider it. It's more that there is this devboard
> > case where the DTs are currently in kernel and a lot of the people
> > hacking on things are using devboards if only for want of anything else
> > so they naturally end up caring about that case.
>
> Keep in mind that the in-kernel dev board ones _are_ important as that's
> what you start your custom platform from, 9 times out of 10. It's quite
> often the case of "OK, $vendor gave us schematics for EVB, lets cut what
> we don't need and tweak" with a matching set of cuts and tweaks to the
> dts for the EVB. In the case of carrier+SOM it's just adding to, if
> using the stock carrier, or again adapting things for the custom
> carrier.
>
Of course. But how is this relevant? I am not saying DTs have to be
truly original works, just that the OS should not be the one providing
it.
> But maybe it's just me that's confused about what "shipping" means in
> this context. Almost no one bothers "shipping" the DTS files for a
> custom product to mainline Linux as no one is supposed to be running
> anything other than the provided software on the custom device and so it
> goes where ever it goes for that products needs and support plans.
> Rarely does a board, devboard or finished end-user product, ship with a
> DTB file stored stand-alone in a flash chip, that is intended as the
> final forever DTB. It's just another part of
> firmware-by-which-I-mean-the-whole-software-stack.
>
Who said anything about the DT being stored in a flash chip? I already
explained more than once that it is up to the firmware to decide *how*
it stores the DT, and the filesystem is fine if it does not care about
security or if it implements some form of authentication.
The point is that we are trying to move from this custom device model
to a model where you can run a generic distro, without having to put
the burden on the OS vendor to bundle a DT for every platform that it
will ever run on, which is especially tricky if those platforms do not
exist yet.
> Which is why my whole point here has been that the DTB needs to be
> treated and signature checked just like any other part of what's being
> loaded (kernel, initrd, grub and grub.conf OR systemd-boot and
> systemd-boot.conf, etc, etc).
>
Again, I am not arguing that the DT should be linked into the firmware
executable, I am only saying that UEFI secure boot is not appropriate
for authenticating it (and that the OS should not be providing it)
On Wed, 5 Jun 2019 at 14:59, Tom Rini <trini(a)konsulko.com> wrote:
>
> On Wed, Jun 05, 2019 at 09:17:04AM +0100, Graeme Gregory wrote:
> > On Wed, 5 Jun 2019 at 07:36, Ard Biesheuvel <ard.biesheuvel(a)linaro.org>
> > wrote:
> >
> > > On Wed, 5 Jun 2019 at 00:41, Tom Rini <trini(a)konsulko.com> wrote:
> > > >
> > > ...
> > >
> > > > It depends on what you mean by "OS provided". The DTS files come from
> > > > the Linux Kernel sources, full stop.
> > >
> > > That is the mistake we should try to fix.
> > >
> > > We have DT bindings, which define the contract between the OS on one
> > > side, and the platform on the other side. This means it is the
> > > platform's job to present a DT description that adheres to those
> > > [stable] bindings.
> > >
> > > Today's development model of developing DT bindings in lockstep with
> > > the drivers, and then bundling DT files with the OS is completely
> > > unsustainable, since it doesn't scale, and it demonstrably results in
> > > DT bindings that get modified without any regard for devices that are
> > > already in the field (MacchiatoBin is a good example).
> > >
> > > So it doesn't really matter where the kernel *sources* come from, as
> > > long as the platform provides its own DT, which does not change just
> > > because the kernel changes.
> > >
> > > It is already defined how the platform provides this DT on a UEFI
> > > system, i.e., via a configuration table with a known GUID. How the
> > > firmware popiulates this memory is an implementation detail: if it
> > > wants to load it from a signed file in the file system, that is fine,
> > > as long as it is not the OS providing this file to the firmware.
> > >
> > >
> > I agree, people seem to be conflating where DT is stored in source control
> > over where it should be supplied to OS.
> >
> > Just because the DT is in linux kernel git does not mean you can't build it
> > into the u-boot for your board.
> >
> > In fact I bet u-boot maintainer would love patches for updates ;-)
>
> Right. But there's also confusion about where the DTB is to be found.
> Whereas ACPI is "burned in" the DTB (generally) is not and will not be.
> It will be loaded from storage, so in the context of this overall
> thread, figuring out how to verify the signature on the DTB is a main
> use case.
>
There is no confusion at all. On a UEFI/EBBR system, the DT shall be
provided to the OS via a config table using the established GUID. How
the firmware achieves that is left unspecified. The fact that it may
be loaded from storage does not make it part of the packaged OS, it is
still a component of the platform.
But based on this discussion, I will argue going forward that
- the firmware must not rely on the OS to put DT images under known
names into known locations in the file system,
- the firmware provides this DT regardless of which keys are loaded
into the uefi secure boot keyring, IOW, if i choose to put only the
RedHat certificate in db because that is all i care about, I don't
want to end up with a bricked system because the DT was loaded via the
secure boot stack and was signed with the Microsoft keyring.
Btw, the fact that Authenticode/PE-COFF does not permit multiple
signatures does not make things any easier.
On Wed, 5 Jun 2019 at 13:14, Mark Brown <broonie(a)kernel.org> wrote:
>
> On Wed, Jun 05, 2019 at 11:18:44AM +0100, Steve McIntyre wrote:
>
> > Nod. We're *way* past the time where this should have stopped. How on
> > earth do we get to common DT useful for all bootloaders, OSes (etc.)
> > if people still consider the bundled, changing sources in the Linux
> > tree to be canonical?
>
> It's a chicken and egg situation - for the platforms where nobody is
> actually shipping systems with a separate device tree it's easy for
> people to miss accidental incompatibilities without noticing, or decide
> that deliberate incompatibilites won't be noticed. If there's users
> making noise that's a lot harder to do. Pushing on EBBR is going to
> help there, and it'd really help if there were more hardware built with
> separate boot storage :/
>
> Some of the platforms *are* doing a good job of not needlessly churning
> their device trees (they're just not very noticable since things just
> work and they make no noise), and even without people worrying about
> separately distributed DTs widely adopted in tree bindings are doing a
> lot for stability due to the number of places that would need updates
> for incompatibilites (and also avoiding the DMI quirk tables ACPI relies
> on which is nice).
I am not disagreeing with any of this. But it is helpful to keep in
mind that, in the context what we are trying to achieve, the
requirement/expectation that a DT lives on git.kernel.org and gets
packaged and shipped by the distro makes no sense at all.
The idea of EBBR is to move away from a vertically integrated model,
and permit systems or appliances to use packaged OSes in the field,
similar to how this is being done on servers today. The idea that it
is required for, say, company X shipping product Yrev0, to upstream a
new rev of the DT in order to tweak their board and ship product Yrev1
is simply ridiculous. It doesn't scale, and we shouldn't care - the DT
bindings is what we care about, and if it adheres to those, the
platform can provide any DT it wants, and there is no reason the
kernel devs should ever need to look at it.
For development, things are obviously different, I understand that.
Shipping DTs for devboards makes sense, especially while the DT
bindings are not set in stone yet. But imposing this model for
production is unsustainable.
On Wed, 5 Jun 2019 at 00:41, Tom Rini <trini(a)konsulko.com> wrote:
>
...
> It depends on what you mean by "OS provided". The DTS files come from
> the Linux Kernel sources, full stop.
That is the mistake we should try to fix.
We have DT bindings, which define the contract between the OS on one
side, and the platform on the other side. This means it is the
platform's job to present a DT description that adheres to those
[stable] bindings.
Today's development model of developing DT bindings in lockstep with
the drivers, and then bundling DT files with the OS is completely
unsustainable, since it doesn't scale, and it demonstrably results in
DT bindings that get modified without any regard for devices that are
already in the field (MacchiatoBin is a good example).
So it doesn't really matter where the kernel *sources* come from, as
long as the platform provides its own DT, which does not change just
because the kernel changes.
It is already defined how the platform provides this DT on a UEFI
system, i.e., via a configuration table with a known GUID. How the
firmware popiulates this memory is an implementation detail: if it
wants to load it from a signed file in the file system, that is fine,
as long as it is not the OS providing this file to the firmware.
> That doesn't mean they're embedded
> within the kernel image. They're usually going to be pulled from the
> filesystem.
>
> --
> Tom
On Wed, 5 Jun 2019 at 00:34, Tom Rini <trini(a)konsulko.com> wrote:
>
> On Tue, Jun 04, 2019 at 06:14:16PM -0400, Francois Ozog wrote:
> > Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit :
> >
...
> > I think it may be good to validate but not provide. There is no Linux
> > provided ACPI table right ? So I get the point to validate a DT.
>
> There's "Linux provided" ACPI tables when someone has to decompile,
> fixup and re-compile their DSDT files.
>
> Or perhaps a better way to think of it is that yes, there's "Linux
> provided ACPI tables" when vendors are developing their hardware and
> correcting their ACPI tables. Same thing with DT, by and large (as
> overlays and secure boot are a can of worms to worry about later).
Secure boot enabled Linux does not permit this model. Side loading of
DSDTs/SSDTs is disabled by the hardening patchset that all the distros
carry for secure boot enabled kernels.
Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit :
> On Tue, Jun 04, 2019 at 10:25:23AM -0400, Francois Ozog wrote:
> > On Tue, 4 Jun 2019 at 10:17, Heinrich Schuchardt <xypron.glpk(a)gmx.de>
> wrote:
> >
> > >
> > >
> > > On 6/4/19 3:55 PM, Francois Ozog wrote:
> > > > On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel <
> ard.biesheuvel(a)linaro.org>
> > > > wrote:
> > > >
> > > >>
> > > >>
> > > >> On Tue, 4 Jun 2019 at 15:44, Francois Ozog <
> francois.ozog(a)linaro.org>
> > > >> wrote:
> > > >>
> > > >>> Hi Ard,
> > > >>>
> > > >>> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
> > > ard.biesheuvel(a)linaro.org>
> > > >>> wrote:
> > > >>>
> > > >>>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas
> > > >>>> <ilias.apalodimas(a)linaro.org> wrote:
> > > >>>>>
> > > >>>>> Hi Grant,
> > > >>>>>> I see two ways to handle this that fits with the Secure Boot
> > > >>>>>> authentication path:
> > > >>>>>>
> > > >>>>>> Option 1: Leave it to the OS loader
> > > >>>>>> We could simply say that if the OS wants to replace the DTB,
> then it
> > > >>>>>> should take care of authentication itself within the OS loader
> > > >>>> (possibly
> > > >>>>>> the in-kernel UEFI stub) and install a replacement DTB in the
> > > >>>>>> configuration table before calling exit boot services. In this
> > > >>>> scenario,
> > > >>>>>> U-Boot doesn't authenticate the DTB at all.
> > > >>>>>>
> > > >>>>>> In fact, Option 1 is pretty close to what is required for the
> > > initrd.
> > > >>>>>>
> > > >>>>>> I wonder if it is possible to wrap the DTB with a PE/COFF so
> that
> > > >>>> the os
> > > >>>>>> loader can use load_image to authenticate and retrieve the data
> > > >>>> without
> > > >>>>>> actually executing the image. That would allow for the DTB &
> initrd
> > > >>>> to
> > > >>>>>> be authenticated in the same way as the kernel.
> > > >>>>> I asked around on this prior to the email, but i think it boils
> down
> > > to
> > > >>>>> "UEFI is intended to authenticate bootable images for the
> platform",
> > > >>>> so i doubt
> > > >>>>> this will be allowed.
> > > >>>>>
> > > >>>>
> > > >>>> The point I raised when we discussed this is that UEFI is an
> interface
> > > >>>> between the firmware and the OS, and it is up to the firmware to
> > > >>>> *provide* the DT not the other way around.
> > > >>>>
> > > >>>> Whether the firmware reuses some of the existing machinery if it
> > > >>>> chooses to load the DT it provides from an arbitrary file on the
> file
> > > >>>> system is an implementation detail, and shouldn't be part of how
> we
> > > >>>> design the interface. The more we standardize this and the more we
> > > >>>> make it similar to how the OS loader is authenticated, the more
> likely
> > > >>>> it becomes that it will be relied upon for DTs that are bundled
> with
> > > >>>> the OS, which is a practice we are trying very hard to move away
> from.
> > > >>>>
> > > >>>
> > > >>> I have the impression that OS provided DT is a bad solution to a
> real
> > > >>> problem:
> > > >>> There should be a Firmware hardware environment (what to
> initialize,
> > > >>> use...) and a OS hardware environment.
> > > >>> Both should be signed, and controlled by the firmware.
> > > >>> So I would try to find a way to supply firmware with two DTs, or
> more
> > > >>> likely one DT and one OS overlay (if overlays can remove some
> > > hardware).
> > > >>>
> > > >>>
> > > >>
> > > >> If the OS provides a DT to itself, what is the point of pretending
> that
> > > it
> > > >> has been authenticated to the firmware?
> > > >>
> > > > Agreed, that is stupid! I mispresented my idea: I talk about two DTs
> > > > controlled by hardware/Firmware provider. OS shall be a consumer
> only.
> > > >
> > > >
> > >
> > > In a perfect world firmware would provide the authoritative source of
> > > the device tree. The current situation has device trees developed in
> the
> > > context of Linux and U-Boot picking them up. U-Boot is lagging far
> > > behind Linux. Whenever I wanted to change a device tree in U-Boot I was
> > > told to first get that change into Linux. I see no commitment to change
> > > this process.
> > >
> > > Device-trees are provided by U-Boot to Linux as UEFI configuration
> > > tables. If a device-tree is malicious it may lead to the destruction of
> > > hardware. So whatever U-Boot provides as a device-tree to Linux should
> > > be validated.
> > >
> > In a perfect world, U-Boot shall lead and we should work towards that if
> > not in place. There is no sch a thing as a Linux validated ACPI table, so
> > why for DT?
>
> There _is_ such a thing as a validated ACPI table and functionally ACPI
> tables on x86 are validated with Windows. This is no different.
>
I think it may be good to validate but not provide. There is no Linux
provided ACPI table right ? So I get the point to validate a DT.
>
> --
> Tom
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Le mar. 4 juin 2019 à 17:27, Tom Rini <trini(a)konsulko.com> a écrit :
> On Tue, Jun 04, 2019 at 10:21:54AM -0400, Francois Ozog wrote:
> > On Tue, 4 Jun 2019 at 10:00, Ard Biesheuvel <ard.biesheuvel(a)linaro.org>
> > wrote:
> >
> > >
> > >
> > > On Tue, 4 Jun 2019 at 15:55, Francois Ozog <francois.ozog(a)linaro.org>
> > > wrote:
> > >
> > >>
> > >>
> > >> On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel <
> ard.biesheuvel(a)linaro.org>
> > >> wrote:
> > >>
> > >>>
> > >>>
> > >>> On Tue, 4 Jun 2019 at 15:44, Francois Ozog <francois.ozog(a)linaro.org
> >
> > >>> wrote:
> > >>>
> > >>>> Hi Ard,
> > >>>>
> > >>>> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
> ard.biesheuvel(a)linaro.org>
> > >>>> wrote:
> > >>>>
> > >>>>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas
> > >>>>> <ilias.apalodimas(a)linaro.org> wrote:
> > >>>>> >
> > >>>>> > Hi Grant,
> > >>>>> > > I see two ways to handle this that fits with the Secure Boot
> > >>>>> > > authentication path:
> > >>>>> > >
> > >>>>> > > Option 1: Leave it to the OS loader
> > >>>>> > > We could simply say that if the OS wants to replace the DTB,
> then
> > >>>>> it
> > >>>>> > > should take care of authentication itself within the OS loader
> > >>>>> (possibly
> > >>>>> > > the in-kernel UEFI stub) and install a replacement DTB in the
> > >>>>> > > configuration table before calling exit boot services. In this
> > >>>>> scenario,
> > >>>>> > > U-Boot doesn't authenticate the DTB at all.
> > >>>>> > >
> > >>>>> > > In fact, Option 1 is pretty close to what is required for the
> > >>>>> initrd.
> > >>>>> > >
> > >>>>> > > I wonder if it is possible to wrap the DTB with a PE/COFF so
> that
> > >>>>> the os
> > >>>>> > > loader can use load_image to authenticate and retrieve the data
> > >>>>> without
> > >>>>> > > actually executing the image. That would allow for the DTB &
> > >>>>> initrd to
> > >>>>> > > be authenticated in the same way as the kernel.
> > >>>>> > I asked around on this prior to the email, but i think it boils
> down
> > >>>>> to
> > >>>>> > "UEFI is intended to authenticate bootable images for the
> platform",
> > >>>>> so i doubt
> > >>>>> > this will be allowed.
> > >>>>> >
> > >>>>>
> > >>>>> The point I raised when we discussed this is that UEFI is an
> interface
> > >>>>> between the firmware and the OS, and it is up to the firmware to
> > >>>>> *provide* the DT not the other way around.
> > >>>>>
> > >>>>> Whether the firmware reuses some of the existing machinery if it
> > >>>>> chooses to load the DT it provides from an arbitrary file on the
> file
> > >>>>> system is an implementation detail, and shouldn't be part of how we
> > >>>>> design the interface. The more we standardize this and the more we
> > >>>>> make it similar to how the OS loader is authenticated, the more
> likely
> > >>>>> it becomes that it will be relied upon for DTs that are bundled
> with
> > >>>>> the OS, which is a practice we are trying very hard to move away
> from.
> > >>>>>
> > >>>>
> > >>>> I have the impression that OS provided DT is a bad solution to a
> real
> > >>>> problem:
> > >>>> There should be a Firmware hardware environment (what to initialize,
> > >>>> use...) and a OS hardware environment.
> > >>>> Both should be signed, and controlled by the firmware.
> > >>>> So I would try to find a way to supply firmware with two DTs, or
> more
> > >>>> likely one DT and one OS overlay (if overlays can remove some
> hardware).
> > >>>>
> > >>>>
> > >>>
> > >>> If the OS provides a DT to itself, what is the point of pretending
> that
> > >>> it has been authenticated to the firmware?
> > >>>
> > >> Agreed, that is stupid! I mispresented my idea: I talk about two DTs
> > >> controlled by hardware/Firmware provider. OS shall be a consumer only.
> > >>
> > >>
> > >>
> > > But my point remains the same. If we are accommodating a model where
> the
> > > DT is shipped with the OS, the OS can deal with authenticating the DTB
> > > files. If the firmware provides the DT, it is a firmware implementation
> > > detail how and where it keeps the DTB files internally, as long as it
> uses
> > > the official way (i.e., via a UEFI config table) to expose the DT to
> the OS.
> > >
> > > Rolling all of this into secure boot support (which deals with
> > > authenticating OS components/loaders to the firmware) is something we
> > > should avoid.
> > >
> > Agreed. There is no such a thing as an OS provided ACPI table.... yet we
> > allow that for DT... strange isn't it?
>
> I think we're getting a bit side tracked. And, depending on what you
> want to call people having to fixup and recompile DSDT to fix issues...
> :)
>
> The Linux Kernel happens to be the (generally) authoritative source of
> DT files, rather than the hardware manufacturer.
>
To me it looks like walking on the head. I don’t see any OS providing an
ACPI table. I think I understand why it happened. But to me it looks like a
wrong solution to a real use case: firmware hardware execution
environnement is different (probably smaller) than os execution environment.
I think this is more about EBBR and it’s compliance. What shall be the
right policy ? And then we refine EBBR.
>
> > So as a reference platform we can say that an OS provided DT is NOT part
> of
> > the picture. Yet if a vendor still wants to do it, it will be able to. We
> > just don't care.
> >
> > Now, in the context of standard OTA across SoCs, what shall be
> standardized
> > to support the two DTs (for firmware execution and for OS execution). Are
> > we considering UBoot firmware as a "blob" that embeds those two DTs?
> Might
> > be good enough.
>
> The common case is NOT going to be that the DT is provided embedded
> within the hardware, please keep that in mind.
>
EBBR says: “Similarly, devices retained by firmware (i.e., not discoverable
by the OS) shall not be accessed by the OS.” so an OS provided DT is a
recipe for failure.
>
> --
> Tom
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hello all,
Continuing the discussions we had on securing the boot flow and OS as much as
possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
This will cover the next payload (shim/grub2/shim depending on board needs).
In order to provide better overall security for the OS we'll need to at least
verify DTB (if provided externally), initramfs and kernel modules.
1. For the kernel modules we can use kernel module signing facilities [1]
2. In case someone wants to provide an external DTB, we can use FIT images
to secure that. The FIT images will contain the DTB(s) we need. Those will
only be used if the authentication process succeeds. This will allow us to
verify DTBs without introducing any new functionality to U-Boot.
3. We need to verify initramfs as well. This can be accomplished in various ways.
Packing kernel + initramfs or using dm-verity are the two obvious ones but we
are open to suggestions.
This also makes the development process for LEDGE pretty clear. We'll have to
add UEFI Secure Boot implementation on U-Boot *only* since the rest of the
functionality can be achieved with the existing code (minor adjustments might be
needed though).
What do you think?
[1] https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
Thanks
/Ilias
Hi Tom,
On Fri, May 31, 2019 at 11:05:20AM -0400, Tom Rini wrote:
> On Fri, May 31, 2019 at 02:40:32PM +0100, Steve McIntyre wrote:
> > On Tue, May 28, 2019 at 02:04:23PM +0300, Ilias Apalodimas wrote:
> > >> >
> > >> > The tl;dr purpose of my e-mail was 'Is implementing UEFI Secure Boot for the
> > >> > EFI playloads
> > >>
> > >> I think that you'd better explain why you stick to *UEFI* secure boot.
> > >
> > >The main reason is distro support. Since distros use a number of different ways
> > >of booting up on arm boards, using UEFI is the obvious way to unify that (and
> > >alrady supported on some) regardless of the bootloader. UEFI secure boot
> > >provides a common approach to security instead of 'per bootloader' solutions
> >
> > Yup, absolutely (says the Debian EFI team lead) ...
>
> The other things we need to keep in mind is that (based on my own
> experience implementing UEFI secure boot on an x8664 platform), we are
> not looking at a case of "make an existing solution function on other
> architectures" but rather "there's some good concepts here and an
> implementation waiting to be figured out".
We agree here. From Grant's proposal's #1 and #2, i'd prefer seeing something
similar to #2 implemented.
I'd prefer having the option to authenticate DTB/initramfs from the 'main
bootloader', than delegating that to some EFI payload, mostly for fragmentation
reasons
Thanks
/Ilias
Hi Tom,
> >
> > > > Continuing the discussions we had on securing the boot flow and OS as much as
> > > > possible, we came up with the following idea.
> > > >
> > > > We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
> > > > This will cover the next payload (shim/grub2/shim depending on board needs).
> > > >
> > > > In order to provide better overall security for the OS we'll need to at least
> > > > verify DTB (if provided externally), initramfs and kernel modules.
> > > >
> > > > 1. For the kernel modules we can use kernel module signing facilities [1]
> > > > 2. In case someone wants to provide an external DTB, we can use FIT images
> > > > to secure that. The FIT images will contain the DTB(s) we need. Those will
> > > > only be used if the authentication process succeeds. This will allow us to
> > > > verify DTBs without introducing any new functionality to U-Boot.
> > > > 3. We need to verify initramfs as well. This can be accomplished in various ways.
> > > > Packing kernel + initramfs or using dm-verity are the two obvious ones but we
> > > > are open to suggestions.
> > >
> > > For #3, making use of FIT images should be investigated seriously that
> > > already allows for what you're asking about.
> > Sure, thanks for the heads up.
> > I had a sentence saying '#3 can deploy similar methods to #2" on my initial
> > e-mail, but removed it right before sending.
> > It makes a lot of sense to me to keep similar functionality, as long as
> > we can keep the stored keys (to verify signatures) in small numbers.
>
> Sure. One thing I want to make sure people understand is that U-Boot
> already supports a verified boot scheme including reaching out to ROM
> where applicable and has for a number of years.
I think we are exaclty on the same page here!
The tl;dr purpose of my e-mail was 'Is implementing UEFI Secure Boot for the
EFI playloads and use *existing* tools for the rest doable?'. I think the answer
is yes. If it is i don't think it makes any sense at all to implement
something new
Thanks
/Ilias
Hi,
Linaro TSC validate the creation of the Dependable Lead Project.
I started to build infrastructure to be able to capture all information we
need to be as successful as possible.
Should you think one of your JIRA cards be updated to reflect its
relationship with the newly cerated DB Jira Lead Project, please do so.
Portal (documentation, meeting notes):
https://collaborate.linaro.org/display/DBS/Dependable+Boot
Kanban board:
https://projects.linaro.org/secure/RapidBoard.jspa?rapidView=257
The portal is far from complete but I preferred to share it as soon as
possible so that we can make it as useful as possible.
Cheers
FF
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hi Tom,
> > Continuing the discussions we had on securing the boot flow and OS as much as
> > possible, we came up with the following idea.
> >
> > We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
> > This will cover the next payload (shim/grub2/shim depending on board needs).
> >
> > In order to provide better overall security for the OS we'll need to at least
> > verify DTB (if provided externally), initramfs and kernel modules.
> >
> > 1. For the kernel modules we can use kernel module signing facilities [1]
> > 2. In case someone wants to provide an external DTB, we can use FIT images
> > to secure that. The FIT images will contain the DTB(s) we need. Those will
> > only be used if the authentication process succeeds. This will allow us to
> > verify DTBs without introducing any new functionality to U-Boot.
> > 3. We need to verify initramfs as well. This can be accomplished in various ways.
> > Packing kernel + initramfs or using dm-verity are the two obvious ones but we
> > are open to suggestions.
>
> For #3, making use of FIT images should be investigated seriously that
> already allows for what you're asking about.
Sure, thanks for the heads up.
I had a sentence saying '#3 can deploy similar methods to #2" on my initial
e-mail, but removed it right before sending.
It makes a lot of sense to me to keep similar functionality, as long as
we can keep the stored keys (to verify signatures) in small numbers.
>
> --
> Tom
Thanks
/Ilias
Introducing a chosen node, rng-seed, which is an entropy that can be
passed to kernel called very early to increase initial device
randomness. Bootloader should provide this entropy and the value is
read from /chosen/rng-seed in DT.
Signed-off-by: Hsin-Yi Wang <hsinyi(a)chromium.org>
---
change log:
v1->v2:
* call function in early_init_dt_scan_chosen
* will add doc to devicetree-org/dt-schema on github if this is accepted
---
Documentation/devicetree/bindings/chosen.txt | 14 ++++++++++++++
drivers/of/fdt.c | 11 +++++++++++
2 files changed, 25 insertions(+)
diff --git a/Documentation/devicetree/bindings/chosen.txt b/Documentation/devicetree/bindings/chosen.txt
index 45e79172a646..fef5c82672dc 100644
--- a/Documentation/devicetree/bindings/chosen.txt
+++ b/Documentation/devicetree/bindings/chosen.txt
@@ -28,6 +28,20 @@ mode) when EFI_RNG_PROTOCOL is supported, it will be overwritten by
the Linux EFI stub (which will populate the property itself, using
EFI_RNG_PROTOCOL).
+rng-seed
+-----------
+
+This property served as an entropy to add device randomness. It is parsed
+as a byte array, e.g.
+
+/ {
+ chosen {
+ rng-seed = <0x31 0x95 0x1b 0x3c 0xc9 0xfa 0xb3 ...>;
+ };
+};
+
+This random value should be provided by bootloader.
+
stdout-path
-----------
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index de893c9616a1..96ea5eba9dd5 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -24,6 +24,7 @@
#include <linux/debugfs.h>
#include <linux/serial_core.h>
#include <linux/sysfs.h>
+#include <linux/random.h>
#include <asm/setup.h> /* for COMMAND_LINE_SIZE */
#include <asm/page.h>
@@ -1079,6 +1080,7 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
{
int l;
const char *p;
+ const void *rng_seed;
pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);
@@ -1113,6 +1115,15 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
pr_debug("Command line is: %s\n", (char*)data);
+ rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
+ if (!rng_seed || l == 0)
+ return 1;
+
+ /* try to clear seed so it won't be found. */
+ fdt_nop_property(initial_boot_params, node, "rng-seed");
+
+ add_device_randomness(rng_seed, l);
+
/* break now */
return 1;
}
--
2.20.1
