On Wed, 5 Jun 2019 at 00:41, Tom Rini <trini(a)konsulko.com> wrote:
>
...
> It depends on what you mean by "OS provided". The DTS files come from
> the Linux Kernel sources, full stop.
That is the mistake we should try to fix.
We have DT bindings, which define the contract between the OS on one
side, and the platform on the other side. This means it is the
platform's job to present a DT description that adheres to those
[stable] bindings.
Today's development model of developing DT bindings in lockstep with
the drivers, and then bundling DT files with the OS is completely
unsustainable, since it doesn't scale, and it demonstrably results in
DT bindings that get modified without any regard for devices that are
already in the field (MacchiatoBin is a good example).
So it doesn't really matter where the kernel *sources* come from, as
long as the platform provides its own DT, which does not change just
because the kernel changes.
It is already defined how the platform provides this DT on a UEFI
system, i.e., via a configuration table with a known GUID. How the
firmware popiulates this memory is an implementation detail: if it
wants to load it from a signed file in the file system, that is fine,
as long as it is not the OS providing this file to the firmware.
> That doesn't mean they're embedded
> within the kernel image. They're usually going to be pulled from the
> filesystem.
>
> --
> Tom
On Wed, 5 Jun 2019 at 00:34, Tom Rini <trini(a)konsulko.com> wrote:
>
> On Tue, Jun 04, 2019 at 06:14:16PM -0400, Francois Ozog wrote:
> > Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit :
> >
...
> > I think it may be good to validate but not provide. There is no Linux
> > provided ACPI table right ? So I get the point to validate a DT.
>
> There's "Linux provided" ACPI tables when someone has to decompile,
> fixup and re-compile their DSDT files.
>
> Or perhaps a better way to think of it is that yes, there's "Linux
> provided ACPI tables" when vendors are developing their hardware and
> correcting their ACPI tables. Same thing with DT, by and large (as
> overlays and secure boot are a can of worms to worry about later).
Secure boot enabled Linux does not permit this model. Side loading of
DSDTs/SSDTs is disabled by the hardening patchset that all the distros
carry for secure boot enabled kernels.
Le mar. 4 juin 2019 à 17:31, Tom Rini <trini(a)konsulko.com> a écrit :
> On Tue, Jun 04, 2019 at 10:25:23AM -0400, Francois Ozog wrote:
> > On Tue, 4 Jun 2019 at 10:17, Heinrich Schuchardt <xypron.glpk(a)gmx.de>
> wrote:
> >
> > >
> > >
> > > On 6/4/19 3:55 PM, Francois Ozog wrote:
> > > > On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel <
> ard.biesheuvel(a)linaro.org>
> > > > wrote:
> > > >
> > > >>
> > > >>
> > > >> On Tue, 4 Jun 2019 at 15:44, Francois Ozog <
> francois.ozog(a)linaro.org>
> > > >> wrote:
> > > >>
> > > >>> Hi Ard,
> > > >>>
> > > >>> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
> > > ard.biesheuvel(a)linaro.org>
> > > >>> wrote:
> > > >>>
> > > >>>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas
> > > >>>> <ilias.apalodimas(a)linaro.org> wrote:
> > > >>>>>
> > > >>>>> Hi Grant,
> > > >>>>>> I see two ways to handle this that fits with the Secure Boot
> > > >>>>>> authentication path:
> > > >>>>>>
> > > >>>>>> Option 1: Leave it to the OS loader
> > > >>>>>> We could simply say that if the OS wants to replace the DTB,
> then it
> > > >>>>>> should take care of authentication itself within the OS loader
> > > >>>> (possibly
> > > >>>>>> the in-kernel UEFI stub) and install a replacement DTB in the
> > > >>>>>> configuration table before calling exit boot services. In this
> > > >>>> scenario,
> > > >>>>>> U-Boot doesn't authenticate the DTB at all.
> > > >>>>>>
> > > >>>>>> In fact, Option 1 is pretty close to what is required for the
> > > initrd.
> > > >>>>>>
> > > >>>>>> I wonder if it is possible to wrap the DTB with a PE/COFF so
> that
> > > >>>> the os
> > > >>>>>> loader can use load_image to authenticate and retrieve the data
> > > >>>> without
> > > >>>>>> actually executing the image. That would allow for the DTB &
> initrd
> > > >>>> to
> > > >>>>>> be authenticated in the same way as the kernel.
> > > >>>>> I asked around on this prior to the email, but i think it boils
> down
> > > to
> > > >>>>> "UEFI is intended to authenticate bootable images for the
> platform",
> > > >>>> so i doubt
> > > >>>>> this will be allowed.
> > > >>>>>
> > > >>>>
> > > >>>> The point I raised when we discussed this is that UEFI is an
> interface
> > > >>>> between the firmware and the OS, and it is up to the firmware to
> > > >>>> *provide* the DT not the other way around.
> > > >>>>
> > > >>>> Whether the firmware reuses some of the existing machinery if it
> > > >>>> chooses to load the DT it provides from an arbitrary file on the
> file
> > > >>>> system is an implementation detail, and shouldn't be part of how
> we
> > > >>>> design the interface. The more we standardize this and the more we
> > > >>>> make it similar to how the OS loader is authenticated, the more
> likely
> > > >>>> it becomes that it will be relied upon for DTs that are bundled
> with
> > > >>>> the OS, which is a practice we are trying very hard to move away
> from.
> > > >>>>
> > > >>>
> > > >>> I have the impression that OS provided DT is a bad solution to a
> real
> > > >>> problem:
> > > >>> There should be a Firmware hardware environment (what to
> initialize,
> > > >>> use...) and a OS hardware environment.
> > > >>> Both should be signed, and controlled by the firmware.
> > > >>> So I would try to find a way to supply firmware with two DTs, or
> more
> > > >>> likely one DT and one OS overlay (if overlays can remove some
> > > hardware).
> > > >>>
> > > >>>
> > > >>
> > > >> If the OS provides a DT to itself, what is the point of pretending
> that
> > > it
> > > >> has been authenticated to the firmware?
> > > >>
> > > > Agreed, that is stupid! I mispresented my idea: I talk about two DTs
> > > > controlled by hardware/Firmware provider. OS shall be a consumer
> only.
> > > >
> > > >
> > >
> > > In a perfect world firmware would provide the authoritative source of
> > > the device tree. The current situation has device trees developed in
> the
> > > context of Linux and U-Boot picking them up. U-Boot is lagging far
> > > behind Linux. Whenever I wanted to change a device tree in U-Boot I was
> > > told to first get that change into Linux. I see no commitment to change
> > > this process.
> > >
> > > Device-trees are provided by U-Boot to Linux as UEFI configuration
> > > tables. If a device-tree is malicious it may lead to the destruction of
> > > hardware. So whatever U-Boot provides as a device-tree to Linux should
> > > be validated.
> > >
> > In a perfect world, U-Boot shall lead and we should work towards that if
> > not in place. There is no sch a thing as a Linux validated ACPI table, so
> > why for DT?
>
> There _is_ such a thing as a validated ACPI table and functionally ACPI
> tables on x86 are validated with Windows. This is no different.
>
I think it may be good to validate but not provide. There is no Linux
provided ACPI table right ? So I get the point to validate a DT.
>
> --
> Tom
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Le mar. 4 juin 2019 à 17:27, Tom Rini <trini(a)konsulko.com> a écrit :
> On Tue, Jun 04, 2019 at 10:21:54AM -0400, Francois Ozog wrote:
> > On Tue, 4 Jun 2019 at 10:00, Ard Biesheuvel <ard.biesheuvel(a)linaro.org>
> > wrote:
> >
> > >
> > >
> > > On Tue, 4 Jun 2019 at 15:55, Francois Ozog <francois.ozog(a)linaro.org>
> > > wrote:
> > >
> > >>
> > >>
> > >> On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel <
> ard.biesheuvel(a)linaro.org>
> > >> wrote:
> > >>
> > >>>
> > >>>
> > >>> On Tue, 4 Jun 2019 at 15:44, Francois Ozog <francois.ozog(a)linaro.org
> >
> > >>> wrote:
> > >>>
> > >>>> Hi Ard,
> > >>>>
> > >>>> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
> ard.biesheuvel(a)linaro.org>
> > >>>> wrote:
> > >>>>
> > >>>>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas
> > >>>>> <ilias.apalodimas(a)linaro.org> wrote:
> > >>>>> >
> > >>>>> > Hi Grant,
> > >>>>> > > I see two ways to handle this that fits with the Secure Boot
> > >>>>> > > authentication path:
> > >>>>> > >
> > >>>>> > > Option 1: Leave it to the OS loader
> > >>>>> > > We could simply say that if the OS wants to replace the DTB,
> then
> > >>>>> it
> > >>>>> > > should take care of authentication itself within the OS loader
> > >>>>> (possibly
> > >>>>> > > the in-kernel UEFI stub) and install a replacement DTB in the
> > >>>>> > > configuration table before calling exit boot services. In this
> > >>>>> scenario,
> > >>>>> > > U-Boot doesn't authenticate the DTB at all.
> > >>>>> > >
> > >>>>> > > In fact, Option 1 is pretty close to what is required for the
> > >>>>> initrd.
> > >>>>> > >
> > >>>>> > > I wonder if it is possible to wrap the DTB with a PE/COFF so
> that
> > >>>>> the os
> > >>>>> > > loader can use load_image to authenticate and retrieve the data
> > >>>>> without
> > >>>>> > > actually executing the image. That would allow for the DTB &
> > >>>>> initrd to
> > >>>>> > > be authenticated in the same way as the kernel.
> > >>>>> > I asked around on this prior to the email, but i think it boils
> down
> > >>>>> to
> > >>>>> > "UEFI is intended to authenticate bootable images for the
> platform",
> > >>>>> so i doubt
> > >>>>> > this will be allowed.
> > >>>>> >
> > >>>>>
> > >>>>> The point I raised when we discussed this is that UEFI is an
> interface
> > >>>>> between the firmware and the OS, and it is up to the firmware to
> > >>>>> *provide* the DT not the other way around.
> > >>>>>
> > >>>>> Whether the firmware reuses some of the existing machinery if it
> > >>>>> chooses to load the DT it provides from an arbitrary file on the
> file
> > >>>>> system is an implementation detail, and shouldn't be part of how we
> > >>>>> design the interface. The more we standardize this and the more we
> > >>>>> make it similar to how the OS loader is authenticated, the more
> likely
> > >>>>> it becomes that it will be relied upon for DTs that are bundled
> with
> > >>>>> the OS, which is a practice we are trying very hard to move away
> from.
> > >>>>>
> > >>>>
> > >>>> I have the impression that OS provided DT is a bad solution to a
> real
> > >>>> problem:
> > >>>> There should be a Firmware hardware environment (what to initialize,
> > >>>> use...) and a OS hardware environment.
> > >>>> Both should be signed, and controlled by the firmware.
> > >>>> So I would try to find a way to supply firmware with two DTs, or
> more
> > >>>> likely one DT and one OS overlay (if overlays can remove some
> hardware).
> > >>>>
> > >>>>
> > >>>
> > >>> If the OS provides a DT to itself, what is the point of pretending
> that
> > >>> it has been authenticated to the firmware?
> > >>>
> > >> Agreed, that is stupid! I mispresented my idea: I talk about two DTs
> > >> controlled by hardware/Firmware provider. OS shall be a consumer only.
> > >>
> > >>
> > >>
> > > But my point remains the same. If we are accommodating a model where
> the
> > > DT is shipped with the OS, the OS can deal with authenticating the DTB
> > > files. If the firmware provides the DT, it is a firmware implementation
> > > detail how and where it keeps the DTB files internally, as long as it
> uses
> > > the official way (i.e., via a UEFI config table) to expose the DT to
> the OS.
> > >
> > > Rolling all of this into secure boot support (which deals with
> > > authenticating OS components/loaders to the firmware) is something we
> > > should avoid.
> > >
> > Agreed. There is no such a thing as an OS provided ACPI table.... yet we
> > allow that for DT... strange isn't it?
>
> I think we're getting a bit side tracked. And, depending on what you
> want to call people having to fixup and recompile DSDT to fix issues...
> :)
>
> The Linux Kernel happens to be the (generally) authoritative source of
> DT files, rather than the hardware manufacturer.
>
To me it looks like walking on the head. I don’t see any OS providing an
ACPI table. I think I understand why it happened. But to me it looks like a
wrong solution to a real use case: firmware hardware execution
environnement is different (probably smaller) than os execution environment.
I think this is more about EBBR and it’s compliance. What shall be the
right policy ? And then we refine EBBR.
>
> > So as a reference platform we can say that an OS provided DT is NOT part
> of
> > the picture. Yet if a vendor still wants to do it, it will be able to. We
> > just don't care.
> >
> > Now, in the context of standard OTA across SoCs, what shall be
> standardized
> > to support the two DTs (for firmware execution and for OS execution). Are
> > we considering UBoot firmware as a "blob" that embeds those two DTs?
> Might
> > be good enough.
>
> The common case is NOT going to be that the DT is provided embedded
> within the hardware, please keep that in mind.
>
EBBR says: “Similarly, devices retained by firmware (i.e., not discoverable
by the OS) shall not be accessed by the OS.” so an OS provided DT is a
recipe for failure.
>
> --
> Tom
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hello all,
Continuing the discussions we had on securing the boot flow and OS as much as
possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
This will cover the next payload (shim/grub2/shim depending on board needs).
In order to provide better overall security for the OS we'll need to at least
verify DTB (if provided externally), initramfs and kernel modules.
1. For the kernel modules we can use kernel module signing facilities [1]
2. In case someone wants to provide an external DTB, we can use FIT images
to secure that. The FIT images will contain the DTB(s) we need. Those will
only be used if the authentication process succeeds. This will allow us to
verify DTBs without introducing any new functionality to U-Boot.
3. We need to verify initramfs as well. This can be accomplished in various ways.
Packing kernel + initramfs or using dm-verity are the two obvious ones but we
are open to suggestions.
This also makes the development process for LEDGE pretty clear. We'll have to
add UEFI Secure Boot implementation on U-Boot *only* since the rest of the
functionality can be achieved with the existing code (minor adjustments might be
needed though).
What do you think?
[1] https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
Thanks
/Ilias
Hi Tom,
On Fri, May 31, 2019 at 11:05:20AM -0400, Tom Rini wrote:
> On Fri, May 31, 2019 at 02:40:32PM +0100, Steve McIntyre wrote:
> > On Tue, May 28, 2019 at 02:04:23PM +0300, Ilias Apalodimas wrote:
> > >> >
> > >> > The tl;dr purpose of my e-mail was 'Is implementing UEFI Secure Boot for the
> > >> > EFI playloads
> > >>
> > >> I think that you'd better explain why you stick to *UEFI* secure boot.
> > >
> > >The main reason is distro support. Since distros use a number of different ways
> > >of booting up on arm boards, using UEFI is the obvious way to unify that (and
> > >alrady supported on some) regardless of the bootloader. UEFI secure boot
> > >provides a common approach to security instead of 'per bootloader' solutions
> >
> > Yup, absolutely (says the Debian EFI team lead) ...
>
> The other things we need to keep in mind is that (based on my own
> experience implementing UEFI secure boot on an x8664 platform), we are
> not looking at a case of "make an existing solution function on other
> architectures" but rather "there's some good concepts here and an
> implementation waiting to be figured out".
We agree here. From Grant's proposal's #1 and #2, i'd prefer seeing something
similar to #2 implemented.
I'd prefer having the option to authenticate DTB/initramfs from the 'main
bootloader', than delegating that to some EFI payload, mostly for fragmentation
reasons
Thanks
/Ilias
Hi Tom,
> >
> > > > Continuing the discussions we had on securing the boot flow and OS as much as
> > > > possible, we came up with the following idea.
> > > >
> > > > We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
> > > > This will cover the next payload (shim/grub2/shim depending on board needs).
> > > >
> > > > In order to provide better overall security for the OS we'll need to at least
> > > > verify DTB (if provided externally), initramfs and kernel modules.
> > > >
> > > > 1. For the kernel modules we can use kernel module signing facilities [1]
> > > > 2. In case someone wants to provide an external DTB, we can use FIT images
> > > > to secure that. The FIT images will contain the DTB(s) we need. Those will
> > > > only be used if the authentication process succeeds. This will allow us to
> > > > verify DTBs without introducing any new functionality to U-Boot.
> > > > 3. We need to verify initramfs as well. This can be accomplished in various ways.
> > > > Packing kernel + initramfs or using dm-verity are the two obvious ones but we
> > > > are open to suggestions.
> > >
> > > For #3, making use of FIT images should be investigated seriously that
> > > already allows for what you're asking about.
> > Sure, thanks for the heads up.
> > I had a sentence saying '#3 can deploy similar methods to #2" on my initial
> > e-mail, but removed it right before sending.
> > It makes a lot of sense to me to keep similar functionality, as long as
> > we can keep the stored keys (to verify signatures) in small numbers.
>
> Sure. One thing I want to make sure people understand is that U-Boot
> already supports a verified boot scheme including reaching out to ROM
> where applicable and has for a number of years.
I think we are exaclty on the same page here!
The tl;dr purpose of my e-mail was 'Is implementing UEFI Secure Boot for the
EFI playloads and use *existing* tools for the rest doable?'. I think the answer
is yes. If it is i don't think it makes any sense at all to implement
something new
Thanks
/Ilias
Hi,
Linaro TSC validate the creation of the Dependable Lead Project.
I started to build infrastructure to be able to capture all information we
need to be as successful as possible.
Should you think one of your JIRA cards be updated to reflect its
relationship with the newly cerated DB Jira Lead Project, please do so.
Portal (documentation, meeting notes):
https://collaborate.linaro.org/display/DBS/Dependable+Boot
Kanban board:
https://projects.linaro.org/secure/RapidBoard.jspa?rapidView=257
The portal is far from complete but I preferred to share it as soon as
possible so that we can make it as useful as possible.
Cheers
FF
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hi Tom,
> > Continuing the discussions we had on securing the boot flow and OS as much as
> > possible, we came up with the following idea.
> >
> > We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
> > This will cover the next payload (shim/grub2/shim depending on board needs).
> >
> > In order to provide better overall security for the OS we'll need to at least
> > verify DTB (if provided externally), initramfs and kernel modules.
> >
> > 1. For the kernel modules we can use kernel module signing facilities [1]
> > 2. In case someone wants to provide an external DTB, we can use FIT images
> > to secure that. The FIT images will contain the DTB(s) we need. Those will
> > only be used if the authentication process succeeds. This will allow us to
> > verify DTBs without introducing any new functionality to U-Boot.
> > 3. We need to verify initramfs as well. This can be accomplished in various ways.
> > Packing kernel + initramfs or using dm-verity are the two obvious ones but we
> > are open to suggestions.
>
> For #3, making use of FIT images should be investigated seriously that
> already allows for what you're asking about.
Sure, thanks for the heads up.
I had a sentence saying '#3 can deploy similar methods to #2" on my initial
e-mail, but removed it right before sending.
It makes a lot of sense to me to keep similar functionality, as long as
we can keep the stored keys (to verify signatures) in small numbers.
>
> --
> Tom
Thanks
/Ilias
Introducing a chosen node, rng-seed, which is an entropy that can be
passed to kernel called very early to increase initial device
randomness. Bootloader should provide this entropy and the value is
read from /chosen/rng-seed in DT.
Signed-off-by: Hsin-Yi Wang <hsinyi(a)chromium.org>
---
change log:
v1->v2:
* call function in early_init_dt_scan_chosen
* will add doc to devicetree-org/dt-schema on github if this is accepted
---
Documentation/devicetree/bindings/chosen.txt | 14 ++++++++++++++
drivers/of/fdt.c | 11 +++++++++++
2 files changed, 25 insertions(+)
diff --git a/Documentation/devicetree/bindings/chosen.txt b/Documentation/devicetree/bindings/chosen.txt
index 45e79172a646..fef5c82672dc 100644
--- a/Documentation/devicetree/bindings/chosen.txt
+++ b/Documentation/devicetree/bindings/chosen.txt
@@ -28,6 +28,20 @@ mode) when EFI_RNG_PROTOCOL is supported, it will be overwritten by
the Linux EFI stub (which will populate the property itself, using
EFI_RNG_PROTOCOL).
+rng-seed
+-----------
+
+This property served as an entropy to add device randomness. It is parsed
+as a byte array, e.g.
+
+/ {
+ chosen {
+ rng-seed = <0x31 0x95 0x1b 0x3c 0xc9 0xfa 0xb3 ...>;
+ };
+};
+
+This random value should be provided by bootloader.
+
stdout-path
-----------
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index de893c9616a1..96ea5eba9dd5 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -24,6 +24,7 @@
#include <linux/debugfs.h>
#include <linux/serial_core.h>
#include <linux/sysfs.h>
+#include <linux/random.h>
#include <asm/setup.h> /* for COMMAND_LINE_SIZE */
#include <asm/page.h>
@@ -1079,6 +1080,7 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
{
int l;
const char *p;
+ const void *rng_seed;
pr_debug("search \"chosen\", depth: %d, uname: %s\n", depth, uname);
@@ -1113,6 +1115,15 @@ int __init early_init_dt_scan_chosen(unsigned long node, const char *uname,
pr_debug("Command line is: %s\n", (char*)data);
+ rng_seed = of_get_flat_dt_prop(node, "rng-seed", &l);
+ if (!rng_seed || l == 0)
+ return 1;
+
+ /* try to clear seed so it won't be found. */
+ fdt_nop_property(initial_boot_params, node, "rng-seed");
+
+ add_device_randomness(rng_seed, l);
+
/* break now */
return 1;
}
--
2.20.1
