Hi,
Yet another security issue surfaced yesterday, see this blog post about it
https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
When I was reading it I cannot avoid seeing similarities to what I've tried
to raise in the DT(E)
discussions. I.e., firmware run-time exploits running after signatures have
been verified successfully
(slide 27, 28 [1]) can be devastating and therefore I've tried to suggest
that each component
verifies the DTB that it gets from the previous firmware component (slide
29, 30 [1]), alternatively
and probably better ... doing something like a measured boot (including
DTB's) where you compute
a running hash spanning across all firmware (+configuration) being loaded.
Some quotes from the blog post:
> Almost all signed versions of GRUB2 are vulnerable, meaning virtually
> every Linux distribution is affected.
We don't want to read something similar about DTS/DTB in the future.
> Additionally, as we will show in this blog post, a vulnerability in the
boot
> process that enables arbitrary code execution can allow attackers to
control
> the boot process and operating system, even when secure boot signatures
are verified.
Confirm my concerns.
> In the course of Eclypsium’s analysis, we have identified a buffer
overflow vulnerability
> in the way that GRUB2 parses content from the GRUB2 config file
(grub.cfg).
> Of note: The GRUB2 config file is a text file and typically is not signed
like other files
> and executables. This vulnerability enables arbitrary code execution
within GRUB2 and
> thus control over the booting of the operating system. As a result, an
attacker could
> modify the contents of the GRUB2 configuration file to ensure that attack
code is run
> before the operating system is loaded. In this way, attackers gain
persistence on the device.
Replace "GRUB2" with "DT" and "grub.cfg" with "*.dts/dtb" in the quote
above and
we have another potential future quote about DT security issues.
A solid, useable and robust solution for problems like this might be
complex to realize, but I
think it's worth continuing to look into what can be done, since it seems
risky to continue loading
and running "DT code" like we're doing in many places today (and it's not
only DT that is
subject to this, regular firmware suffers with the same kind of issues).
I.e., I'm going to
raise this again in future DT(E) calls.
[1]
https://docs.google.com/presentation/d/1CvKBBZ33ggzyhP2ub8iZ410I_KGrFjHftZL…
<https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/>
Regards,
Joakim
Attendees
François-Frédéric Ozog (Linaro)
Frank Rowand
Simon Glass (Google)
Ilias Apalodimas (Linaro)
Atish Patra (Western Digital)
Mark Brown (Arm)
Heinrich Schuchardt
CVS
Arnd Bergmann
Rob Herring (Arm)
Loic Pallardy (ST)
Poonam (NXP)
Ruchika
Loic Pallardy (ST)
Don Harbin(linaro)
Presentation
SLIDE 2
Francois: if we want authentication, we can’t do fix up
Simon: what is fix up? Can’t change DT or ok to change it?
Francois: can orchestrate transition, [edit as typing notes: changing
is not OK because you can’t identify the scope of change; adding a new
node may be acceptable - because scope is easy to frame]
Simon: code doing the fixup is signed , so it may be a signal that the
changes are OK; don’t know how to pass that to Linux. In principle you
should rely on signed code to make changes
Francois: [rephrasing at note editing] two trust models
1) implicit - trust because generating/updating code is signed
2) explicit - trust because you can check signature of the DT
Heinrich: if the DT comes from file system, it should be signed; for
DT embedded in signed code: no need to have a signature; signature for
things from file but not from memory [at writing notes, I understand
this as a DT fragment generated by FT-A in memory does not need to be
signed]
SLIDE 3
Francois: cold-plug by U-Boot, hotplug by OS
Francois: Board DTB + cape DTBo + cape_on_board DTBo (pin muxing
config, irq config…)
Frank: Device removal triggers DT correspond node(s) removal? If so,
then we should limiting a single device per overlay
Francois: yes. It is also connected to device assignment. There should
be a way to identify all nodes of a device in DT to actually simplify
device assignment (to be discussed later in the deck)
SLIDE 4
Lets use a special config DTBo (chosen…)
Let’s get the parameters out of DT in local OS config (or worst case,
in that config DTBo)
Rob: problem with systems with loadable modules
Arnd: can be passed on command line
Rob: Greg KH say: don’t add module parameters
Arnd: device specific parameters should be done via sysfs/ioctl;
driver wide parameters could be as module parameters or boot command
line
Frank or it could be a “chosen”
[editig time] Francois: for Linux, can we organize module parameters
in modules.d are parsed when modules are statically linked?
Let’s not use DT when we can avoid (OP-TEE bus to discover TAs)
SLIDE 5
Francois: wherever we choose, we shall ensure backward compatibility
SLIDE 6
DTB=base board + 1 DTBo per device
Statically merge DTB + DTBos at compile time and keep metadata about
the merge in a section of the new DT file format.
SLIDE 7
Arnd/Simon: Right now the Android boot loader merges DTB/DTBos and
passes one DTB to the kernel
Simon: ChromeOS has a FIT image with multiple DTs, it selects one to pass to OS
Arnd/Ilias: FIT is only understood by U-Boot
Francois: wherever we choose, we shall ensure backward compatibility
Arnd: It’s simpler to have a single DTB for the kernel
Early kernel is not really powerful
There are security advantages in signed DTBos
Francois: I think the key question is decide on a model. Allow
bootloaders to change the DTB and rely on signed DTBos?
Simon: is either or ? [explicit vs implicit trust models], what is the
threat model?
Francois: yes, I think so.
Heinrich: problem is wrong voltage in DT results in destroying the board
Arnd: steal sensitive data
Ilias: DoS can become a problem
Ilias: signing per device (key mgmt complexity) ? or per device model
(can compromise all devices of a model)?
Francois: Who signs what is also a fundamental concept, because there
might be different signing authorities
Loic: That’s the current case wit ST devices
Arnd: There’s 3 options here:
Kernel with embedded DTB, if the kernel signature is checked, the DTB
does not need to be checked
The bootloader loads the kernel from a disk
Nothing is checked
Checking one of those makes no sense
Simon: we have to be careful in not tying ourselves in a knot. There
is *no* bidirectional root of trust. The model is that trust is built
starting from the root of trust, the next level implicitly trusts the
level that loaded it.
Mark Brown: DT is used with EDK2
Loic: there is no direct boot from U-Boot to kernel, it is vouched by OP-TEE.
security of co-processors requires the same model
Hardware firewall (device and memory) can be leveraged to ensure full security
DTE Project information portal:
https://collaborate.linaro.org/display/DTE/DTE+Progress+Updates
Security presentation: (listed in the portal, but copied here for
simple access):
https://docs.google.com/presentation/d/1CvKBBZ33ggzyhP2ub8iZ410I_KGrFjHftZL…
Hi,
I think we have gathered enough knowledge in the Technical Report to
try architecting DT evolution technologies.
To that end, I'll kick start discussion with:
https://docs.google.com/presentation/d/1jACxdO-3fDzSk5MEMUEmAu0iMjtp9Td7Xbb…
Everyone has commenter capabilities in the document, so please use it.
I am sure most of the proposals cannot be "decided on" during the
call. But I'd like to come to a conclusion on one topic: whether or
not fix ups are allowed. If we introduce signature of any form with
DTB, then I believe fixups are not possible anymore.
Cheers
--
FF
Hi all,
The notes from today's call can be found on the OpenAMP Wiki at https://github.com/OpenAMP/open-amp/wiki/System-DT-Meeting-Notes-2020#2020J…
The action items are:
* Stefano to share slides
* Xilinx and ST to discuss interconnect binding, considering that it could be expanded beyond QoS, and review Rob's earlier feedback to Benjamin on pin control
* Stefano to check if configuration interface assumes that IDs are global
* Stefano to work with Bruce to prototype something w/ Lopper to generate a bus firewall configuration table
* Stefano to present openamp-remoteproc binding for System DT at next call
@ Stefano, Loic, Rob, Ilias, Tomas (and anyone else who spoke, if I missed you): Please check if there are any errors or important omissions in what I captured for your parts. You can make corrections directly in the wiki page.
Thanks & regards,
Nathalie C. Chan King Choy
Program Manager focused on Open Source and Community
[Invitation going out to both the sytem-dt list and the boot-architecture list, based on recommendation from Francois]
Hi all,
It has been a while since our last call, because work was happening on the 4th action item below. Now, there are some updates to present.
The notes from the previous call can be found on the OpenAMP wiki at this link:
https://github.com/OpenAMP/open-amp/wiki/System-DT-Meeting-Notes-2020
Action items from the previous call:
* Nathalie sync up w/ Francois about who should be invited to System DT call (some individuals at DTE call didn't get this invitation)
* Stefano to go back & discuss w/ Xilinx XMPU expert.
* Stefano: Revisit wording of IDs
* Stefano & Tomas to sync-up with Loic & Benjamin. Target for next System DT call to discuss how the 2 proposals combine. Include description of the use cases you're giving solution for.
For info about the system-dt list, link to the archives, to unsubscribe yourself, or
for someone to subscribe themselves, visit:
https://lists.openampproject.org/mailman/listinfo/system-dt
For information about the System Device Trees effort, including a link to
the intro presentation from Linaro Connect SAN19:
https://github.com/OpenAMP/open-amp/wiki/System-Device-Trees
Best regards,
Nathalie C. Chan King Choy
Program Manager focused on Open Source and Community
===================
Nathalie Chan King Choy is inviting you to a scheduled Zoom meeting.
Topic: System DT call - July
Time: Jul 20, 2020 08:00 AM Pacific Time (US and Canada)
Join Zoom Meeting
https://us02web.zoom.us/j/89143577824
Meeting ID: 891 4357 7824
One tap mobile
+13126266799,,89143577824# US (Chicago)
+13462487799,,89143577824# US (Houston)
Dial by your location
+1 312 626 6799 US (Chicago)
+1 346 248 7799 US (Houston)
+1 646 558 8656 US (New York)
+1 669 900 9128 US (San Jose)
+1 253 215 8782 US (Tacoma)
+1 301 715 8592 US (Germantown)
+1 587 328 1099 Canada
+1 647 374 4685 Canada
+1 647 558 0588 Canada
+1 778 907 2071 Canada
+1 204 272 7920 Canada
+1 438 809 7799 Canada
+44 203 051 2874 United Kingdom
+44 203 481 5237 United Kingdom
+44 203 481 5240 United Kingdom
+44 203 901 7895 United Kingdom
+44 131 460 1196 United Kingdom
+33 1 7037 9729 France
+33 1 7095 0103 France
+33 1 7095 0350 France
+33 1 8699 5831 France
+33 1 7037 2246 France
+46 8 5050 0828 Sweden
+46 8 5050 0829 Sweden
+46 8 5052 0017 Sweden
+46 850 539 728 Sweden
+46 8 4468 2488 Sweden
+46 8 5016 3827 Sweden
Meeting ID: 891 4357 7824
Find your local number: https://us02web.zoom.us/u/k6bFgrs5K
Hi,
Here are the notes from our last meeting.
(For next calls, it would be nice people take some notes in the shared
scratch document so that we increase quality of them)
Attendees
Tom Rini
Joakim Bech (Linaro)
François-Frédéric Ozog (Linaro)
Ilias Apalodimas (Linaro)
Mark Brown (Arm)
Heinrich Schuchardt
Priyanka Jain (NXP)
Jens Wiklander (Linaro)
Arnd Bergmann
CVS
Atish Patra (Western Digital)
Grant Likely (Arm)
Etienne Carriere (ST)
====================================
I - RISC-V
Atish from Western Digital has a 4 developer team on. Focus on
standardized boot flows:
- U-Boot SPL + U-Boot.
- coreBoot + EDK2
====================================
II - Technical report github
Atul volunteered
FF: What format to use ? RST? MD? Other?
Heinrich: RST and MD are rendered by github.
====================================
III - Technical report outline and content updates
A proposal to be made so that a minimal UEFI set of requirements is
defined with DT support.
Frank: Should not put DT spec in the UEFI forum
FF: this is not the goal, the goal is to get references to DT in UEFI
Need to ensure we have terminology that can be applied to all
architectures (for instance Arm+TFA+U-Boot and RISC-V+U-Boot
SPL+U-Boot).
Please make proposals for content including new sections for the use cases.
====================================
IV- Overlays presentation
Franks Presentation notes:
https://elinux.org/Frank%27s_Evolving_Overlay_Thoughtshttps://elinux.org/images/0/03/Elce_2018_dt_bof.pdfhttps://elinux.org/Device_Tree_Reference -> OverLays
Overlay made simple with DTC extensions: use a reference to define the
place in the tree where the update is to be made:
&{/path/to/node} { <overlay definition> }
Use cases:
Hot swap
Expansion slots (beaglebone)
FPGAs (load from kernel to FPGA; led by Altera/Xilinx)
Not too dynamic, in particular because there are still memory leaks
Use of “apply overlay by the bootload” helps reducing the number of
DTS/DTB files to deal with.
plugable CPU: overlay is a solution
few terms to define/standardise/clarify by frank:
Cold-swap = ? < describe the actual use-case in simple terms >
Hot-swap = ? < describe the actual use-case in simple terms >
Real hot-swap will be difficult to support.
Another use case for “hot-swap” is a developer helper to change
parameter “dynamically” to avoid a full reboot.
FF: DT event may be a wrong way to deal with dynamism: using bus
events to trigger changes seem more natural
Grant: event code is fragile, prefer pre-boot control
Hi,
I have updated the document to reflect what I heard from the remainder
of the last call. Please have a look and comment.
https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…
If you volunteer to edit content, please ask me and I'll give you edit
rights on the document.
Shall we make a github backed document? If so, any volunteer to make it happen?
Agenda for June 24th:
- DT Overlay status presentation by Frank Rowand.
- Document review and trying to close all comments.
Cordially
--
FF
Hi,
Trusted OSes such as OP-TEE or QSEE are using SMC yielding function
numbers in the 0x32000000-0x3200006F range. The SMC calling
conventions are specified in DEN0028 which has currently three
versions (see below).
To the best of my understanding, the use of this range is:
- compliant with version a
- acceptable with version b
- somewhat contradicting with version c
version a analysis:
table 6.1 states that the trusted OS standard calls should be in the
range "0x02000000-0x7FFFFFFF", so the selected range is good. Section
2.1 that defines a bit structure for function numbers for both
yielding and fast calls and the range is compatible. The range covered
by table 6.1 for Trusted OS calls is however much bigger that the bit
structure definition. As a result a 0x02000000 call is a yielding
Trusted OS call as per table 6.1 but a Yielding SiP call as per
section 2.1.
version b analysis:
table 6.2 states that the trusted OS yielding calls should be in the
range "0x02000000-0x1FFFFFFF" and that the range
"0x20000000-0x7FFFFFFF" is "reserved for future expansion of Trusted
OS Yielding Calls". So the range is acceptable but poorly selected.
There is the same inconsistency as version a when it comes to
qualifying a 0x02000000 call: table 6.2 says it is a Trusted OS
yielding call, section 2.5 says it is a yielding SiP call.
version c analysis:
section 2.5.1 now clearly states that the bit structure is only for
Fast calls. and both section 2.52 and table 6.2 state that Trusted OS
calls should be in the range "0x02000000-0x1FFFFFFF". both section
2.5.2 and 6 qualify the 0x02000000 call as a Trusted OS yielding
call.
I think that version a and b have inconsistent between chapter 2 and
6. Version c brings internal consistency but seems to be not in
alignment with best practices.
I guess there is a need to both address internal document
inconsistency and better reflect existing products.
Any thoughts?
-FF
version a:
https://drive.google.com/file/d/1OclQZk0o28n5ZUIYeTuFICbLiGWzOvxH/view?usp=…
version b: https://static.docs.arm.com/den0028/b/ARM_DEN0028B_SMC_Calling_Convention.p…
version c:
https://static.docs.arm.com/den0028/c/Q1-ARM-DEN-0028_SMC_Calling_Conventio…
Hello Francois,
in our last meeting you suggested to investigate deeper what meaning
modularization in device trees could mean.
One example I have seen is the definition of memory mappings for PCIe.
If for you example you look in the device tree of the Raspberry Pi 4 you
can find that there is an entry:
pcie@7d500000 {
ranges = <
0x2000000 0x00 0xf8000000 0x06 0x00 0x00 0x4000000>;
};
The ranges property defines the mapping
MEM 0x600000000..0x603ffffff -> 0xf8000000
and thereby the address and size of the memory windows used for
communication.
On some boards e.g. the MacchitoBin you have multiple platform devices
each with its own ranges definitions. Here are the values in May 2019:
pcie@f2600000 {
ranges = <
0x81000000 0x0 0xf9000000 0x0 0xf9000000 0x0 0x10000
0x82000000 0x0 0xf6000000 0x0 0xf6000000 0x0 0xf00000>;
}
pcie@f2620000 {
ranges = <
0x81000000 0x0 0xf9010000 0x0 0xf9010000 0x0 0x10000
0x82000000 0x0 0xf7000000 0x0 0xf7000000 0x0 0xf00000>;
}
pcie@f2640000 {
ranges = <
0x81000000 0x0 0xf9020000 0x0 0xf9020000 0x0 0x10000
0x82000000 0x0 0xf8000000 0x0 0xf8000000 0x0 0xf00000>;
}
On my MacchitoBin the GPU card was not usable because the memory window
was too small to create the required BARs. Changing the window size and
location solved the problem, commit d3446b266a8c ("arm64: dts: marvell:
mcbin: enlarge PCI memory window").
The problem with the current way in qhich PCI devices are declared is
that they do not indicate requirements and capabilities and let the
software figure out a good mapping. But instead fixed mappings are
hard-coded into the device-tree.
So for me this would be one element of DT modularization:
The description of a device should provide capabilities and requirements
and avoid fixed software settings.
Best regards
Heinrich
Address comments from Heinrich Schuchardt:
- Typo fixes
- Be specific to say "Devicetree Blob"
- Add comment on rationale for choosing EfiACPIReclaimMemory for DTB
Cc: Heinrich Schuchardt <xypron.glpk(a)gmx.de>
Signed-off-by: Grant Likely <grant.likely(a)arm.com>
---
source/chapter2-uefi.rst | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst
index c9c0101..066fefb 100644
--- a/source/chapter2-uefi.rst
+++ b/source/chapter2-uefi.rst
@@ -81,9 +81,9 @@ A UEFI system that complies with this specification may provide the additional
tables via the EFI Configuration Table.
Compliant systems are required to provide one, but not both, of the following
-tables.
+tables:
-- An Advanced Configuration and Power Interface [ACPI]_ table, or
+- an Advanced Configuration and Power Interface [ACPI]_ table, or
- a Devicetree [DTSPEC]_ system description
EBBR systems must not provide both ACPI and Devicetree
@@ -96,11 +96,13 @@ Devicetree
^^^^^^^^^^
If firmware provides a Devicetree system description then it must be provided
-in Flattened Devicetree (DTB) format version 17 or higher as described in
+in Flattened Devicetree Blob (DTB) format version 17 or higher as described in
[DTSPEC]_ § 5.1.
The following GUID must be used in the EFI system table ([UEFI]_ § 4)
to identify the DTB.
The DTB must be contained in memory of type EfiACPIReclaimMemory.
+EfiACPIReclaimMemory was chosen to match the recommendation for ACPI
+tables which fulfill the same task as the DTB.
.. code-block:: c
--
2.20.1