On Wed, May 8, 2019 at 10:06 AM Hsin-Yi Wang <hsinyi(a)chromium.org> wrote:
>
> On Wed, May 8, 2019 at 10:04 PM Rob Herring <robh+dt(a)kernel.org> wrote:
> >
> > On Tue, May 7, 2019 at 11:08 PM Hsin-Yi Wang <hsinyi(a)chromium.org> wrote:
> > >
> > > On Wed, May 8, 2019 at 3:47 AM Rob Herring <robh+dt(a)kernel.org> wrote:
> > > >
> > > > +boot-architecture list as there was some discussion about this IIRC.
> > > >
> > > > On Mon, May 6, 2019 at 11:54 PM Hsin-Yi Wang <hsinyi(a)chromium.org> wrote:
> > > > >
> > > > > Introducing a chosen node, rng-seed, which is an 64 bytes entropy
> > > > > that can be passed to kernel called very early to increase device
> > > > > randomness. Bootloader should provide this entropy and the value is
> > > > > read from /chosen/rng-seed in DT.
> > > > >
> > > > > Signed-off-by: Hsin-Yi Wang <hsinyi(a)chromium.org>
> > > > >
> > > > > ---
> > > > > Documentation/devicetree/bindings/chosen.txt | 14 +++++++++
> > > >
> > > > Actually, this file has been converted to json-schema and lives
> > > > here[1]. I need to remove this one (or leave it with a reference to
> > > > the new one).
> > > >
> > > > > arch/arm64/kernel/setup.c | 2 ++
> > > > > drivers/of/fdt.c | 33 ++++++++++++++++++++
> > > > > include/linux/of_fdt.h | 1 +
> > > > > 4 files changed, 50 insertions(+)
> > > > >
> > > > > diff --git a/Documentation/devicetree/bindings/chosen.txt b/Documentation/devicetree/bindings/chosen.txt
> > > > > index 45e79172a646..bfd360691650 100644
> > > > > --- a/Documentation/devicetree/bindings/chosen.txt
> > > > > +++ b/Documentation/devicetree/bindings/chosen.txt
> > > > > @@ -28,6 +28,20 @@ mode) when EFI_RNG_PROTOCOL is supported, it will be overwritten by
> > > > > the Linux EFI stub (which will populate the property itself, using
> > > > > EFI_RNG_PROTOCOL).
> > > > >
> > > > > +rng-seed
> > > > > +-----------
> > > > > +
> > > > > +This property served as an entropy to add device randomness. It is parsed
> > > > > +as a 64 byte value, e.g.
> > > >
> > > > Why only 64-bytes?
> > > We can also not specify size and read what bootloader can provide.
> > > >
> > > > > +
> > > > > +/ {
> > > > > + chosen {
> > > > > + rng-seed = <0x31951b3c 0xc9fab3a5 0xffdf1660 ...>
> > > > > + };
> > > > > +};
> > > > > +
> > > > > +This random value should be provided by bootloader.
> > > > > +
> > > > > stdout-path
> > > > > -----------
> > > > >
> > > > > diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
> > > > > index 413d566405d1..ade4261516dd 100644
> > > > > --- a/arch/arm64/kernel/setup.c
> > > > > +++ b/arch/arm64/kernel/setup.c
> > > > > @@ -292,6 +292,8 @@ void __init setup_arch(char **cmdline_p)
> > > > > early_fixmap_init();
> > > > > early_ioremap_init();
> > > > >
> > > > > + early_init_dt_rng_seed(__fdt_pointer);
> > > > > +
> > > >
> > > > I'm trying to reduce or eliminate all these early_init_dt_* calls.
> > > >
> > > > Why is this arch specific and why can't this be done after
> > > > unflattening? It doesn't look like add_device_randomness() needs
> > > > anything early.
> > > Currently unflattening is called after setup_machine_fdt(), which
> > > called fixmap_remap_fdt() //__fixmap_remap_fdt(dt_phys, &size,
> > > PAGE_KERNEL_RO), and we can't modify DT after that since it's read
> > > only. But we need to clear (eg. write 0 to it) the rng-seed after
> > > reading from DT.
> >
> > Why do you need to clear it? That wasn't necessary for kaslr-seed.
> I think it's for security purpose. If we know the random seed, it's
> more likely we can predict randomness.
> Currently on arm64, kaslr-seed will be wiped out (in
> arch/arm64/kernel/kaslr.c#get_kaslr_seed(), it's set to 0) so we can't
> read from sysfs (eg. /sys/firmware/devicetree/.../kaslr-seed)
> I'm not sure on other arch if it will be wiped out.
The difference is if I have the kaslr seed, I can calculate the kernel
base address.
In your case, you are feeding an RNG which continually has entropy
added to it. I can't see that knowing one piece of the entropy data is
a security hole. It looks more like you've just copied what what done
for kaslr-seed.
> > Why not change the mapping to RW? It would be nice if this worked on
> > more than one arch.
Still wondering on this question. Mapping it R/W would mean rng-seed
could be handled later and completely out of the arch code and so
could the zeroing of the kaslr-seed. Also, we generally assume the FDT
is modifiable for any fixups. This happens on arm32 and powerpc, but I
guess we haven't needed that yet on arm64.
Rob
Hello Francois, Jan, Christian, and all
Sorry for the late reply, I was waiting for the administrator of the Boot Architecture mailing list to accept my subscription request, but it seems it will take a bit more time. I will send this reply and hope it will not be blocked. I have also added the u-boot mailing list to Cc, as Tom suggested (although I'm not a member), the CIP mailing list, Jan Kiszka (one of the main developers of Efibootguard) and Christian (an expert in software updates).
Background: during the last Linaro connect in Bangkok I was told that Linaro Edge (LEDGE) were working on a secure software update mechanism based on UEFI capsules that would flash firmware updates from a UEFI application, instead of using a Linux agent such as SWUpdate. Then, I had an online meeting with Francois, director of LEDGE. I explained to Francois that in CIP we are using the Linux agent approach right now, and we are also considering the use of a UEFI application (Efibootguard) to arm a watchdog and deal with the state-machine variables (installed, testing, ok, failed..) needed for A/B software updates. Efibootguard sounds like an excellent place to collaborate with Linaro (particularly on the watchdog drivers front) because it does not strictly depend on where the firmware is flashed (UEFI capsule or Linux agent).
> On Fri, Apr 19, 2019 at 12:48:51PM +0200, Francois Ozog wrote:
> > Hi Daniel,
> >
> > We will be conducting a UEFI gap analysis to support EFIBootGuard in U-Boot.
> >
> > As we are working on UEFI SecureBoot implementation in U-Boot, how do
> > you expect the boot process to be secured? Would U-Boot UEFI
> > SecureBoot verify EFIBootGuard signature and in turn EFIBootGuard will
> > check either grub or Linux signature?
> >
> > Please elaborate on your vision of a secured boot process.
Efibootguard is composed of two parts.
- A UEFI application that can arm a watchdog and decide what environment (kernel, boot args, etc.) to use next depending on a set of variables (update status, highest revision, etc.) stored in FAT16 partitions.
- A Linux application that can read and set those variables from Linux (similar to u-boot's fw_setenv). This functionality is also available in the form of a library.
As far as I know, there is no concept of "Secure Booting" in Efibootguard at the moment. Adding signature checks before booting into the selected kernel would be a possible solution.
Thanks,
Daniel
Hi all,
This started as an internal discussion for U-Booa and SSL which quickly span
out of control, so the mailing list is a better suited place for this discussion.
Akashi-san had an interesting idea. Since we will try to implement StandaloneMM
as an OP-TEE TA, why not add payload authentication capabilities on it.
Since it's already doing variable authentication on the secure side, the needed
changes would be minimal (at least that's what i think, please correct me if i
am wrong), since most of the code should already be there.
This means that the payload authentication will be moved to the secure world.
Although doing the authentication in secure world won't offer any security
enhancements, the common code across firmware implementations is probably nice
to have.
The obvious drawback is that you limit the payload authentication capabilities,
since running StMM will become obligatory for image that.
Thanks
/Ilias
Hi Bill and Peter,
[cc'ing boot-architecture to trawl for additional volunteers]
As discussed during EBBR monthly call today, we should have an EBBR
plugfest at ELC and/or ELC-E this year with the goal of working out
compatibility issues between platforms+firmware and OS images (distro
images, OpenEmbedded, Buildroot, Yocto builds, etc).
My initial thought is to run a full day event that is part hacking
sprint and part plugfest. We could ask participants to either bring a
platform (SBC with firmware installed) or an OS images and then set up a
test matrix for each OS to test on each board. After an initial set of
attempts the rest of the day could be a hacking sprint to solve problems
and squash bugs.
I'm only going to be at ELC this year (Aug 21-23rd in San Diego). I
might be able to get the LF to provide a co-located room Tuesday the 20th.
ELC-E will be in late October. If we do this at both events, then
someone will need to take the lead on organizing the European version.
Thoughts?
g.
As discussed at Linaro Connect BKK19 in early April, the
arm.ebbr-discuss mailing list isn't very functional because it doesn't
have a public archive and non-Arm folks cannot subscribe themselves.
I'm shutting down the arm.ebbr-discuss mailing list. From this date all
EBBR discussion will be held on the boot-architecture(a)linaro.org mailing
list.
g.
Hi all,
The EBBR monthly meeting is later today. We're in the quiet period after
releasing EBBR v1.0 and are unlikely to add new content immediately.
Instead, we'll use the monthly meeting to track and discuss progress on
Secure Boot with U-Boot, TF-A, and OP-TEE, as well as other desired EBBR
features. As those features mature, we'll add language to EBBR to match.
Dial in details below.
g.
---
There is a monthly conference call to discuss EBBR topics on the 4th
Tuesday of the month at 15:00 UTC/BST, 7:00 PST/PDT, 23:00/22:00 CST
(following UTC/BST daylight savings time shifts). Anyone is welcome to join.
Online meeting: https://arm-onsite.webex.com/meet/gralik01
Phone
1-408-792-6300 Call-in toll number (US/Canada)
1-877-668-4490 Call-in toll-free number (US/Canada)
44-203-478-5285 Call-in toll number (UK)
08-002061177 Call-in toll-free (UK)
More access numbers: webex-global-numbers
Access code: 809 053 990
On Fri Apr 19 10:48:51 UTC 2019
François Ozog <francois.ozog(a)linaro.org> wrote
> We will be conducting a UEFI gap analysis to support EFIBootGuard in
> U-Boot.
>
> As we are working on UEFI SecureBoot implementation in U-Boot, how do
> you expect the boot process to be secured? Would U-Boot UEFI
> SecureBoot verify EFIBootGuard signature and in turn EFIBootGuard will
> check either grub or Linux signature?
>
> Please elaborate on your vision of a secured boot process.
The UEFI spec is quite clear about this:
An implementation of SecureBoot will check the signature of any EFI
binary before starting it. StartImage() will return
EFI_SECURITY_VIOLATION when trying to start an image that is neither
correctly signed nor whose hash is known.
As we use StartImage() for starting any image the signature of
EFIBootGuard would be checked first and then any of the child
applications it starts.
You will not be able to start GRUB or the Linux kernel if their
signature are not added to U-Boot's key database.
Of cause you could implement inside EFIBootGuard your own mechanism to
start a loaded image without calling StartImage(). In this case U-Boot
cannot protect you from invalid images.
Best regards
Heinrich
Hi Daniel,
We will be conducting a UEFI gap analysis to support EFIBootGuard in U-Boot.
As we are working on UEFI SecureBoot implementation in U-Boot, how do
you expect the boot process to be secured? Would U-Boot UEFI
SecureBoot verify EFIBootGuard signature and in turn EFIBootGuard will
check either grub or Linux signature?
Please elaborate on your vision of a secured boot process.
Cheers
FF
PS: you may want to subscribe to the boot-architecture mailing list in Linaro.
Hi,
I suggest we move the discussion to
https://lists.linaro.org/mailman/listinfo/boot-architecture
I am sending the subscription link to BKK19 boot sprint attendees.
Cheers
FF
On Thu, 11 Apr 2019 at 10:31, Francois Ozog <francois.ozog(a)linaro.org>
wrote:
>
>
> On Thu, 11 Apr 2019 at 10:23, AKASHI, Takahiro <takahiro.akashi(a)linaro.org>
> wrote:
>
>> On Thu, 11 Apr 2019 at 16:49, Joakim Bech <joakim.bech(a)linaro.org> wrote:
>> >
>> > Hi,
>> >
>> > @Takahiro, thanks for teaching me what is right and wrong :)
>>
>> No, no. Everything is right, but some are only suitable for a specific
>> relationship :)
>>
>> > @Ilias, @FF, replies inline below.
>> >
>> > On Thu, 11 Apr 2019 at 09:22, Francois Ozog <francois.ozog(a)linaro.org>
>> wrote:
>> >>
>> >>
>> >>
>> >> On Thu, 11 Apr 2019 at 08:51, Ilias Apalodimas <
>> ilias.apalodimas(a)linaro.org> wrote:
>> >>>
>> >>> Hi Akashi-san,
>> >>>
>> >>> > > I'm just drafting a new card for running the Standalone MM
>> >>> > > as Trusted Application in OP-TEE. The use case as I understand
>> >>> > > it is to call this TA from U-Boot environment (and when Linux is
>> >>> > > up and running).
>> >>> >
>> >>> > I heard the almost same thing from Francois.
>> >>> > I don't mind how the service will be implemented in secure world.
>> What I'd
>> >>> > like to do here is to add an interface for communicating with
>> secure world
>> >>> > on U-Boot side (normal world).
>> >>> Can we try and avoid double and triple Jira epics, while still giving
>> credit to
>> >>> SIGs/Groups doing the work?
>> >>> We already have an initiative up for u-boot relasted issues.
>> >>> https://projects.linaro.org/browse/LEDGE-134
>> >>>
>> >>
>> >> My proposal is that EPICS related to OPTEE are owned by SWG, even if
>> they are resourced by LEDGE.
>> >> For instance, I can task a LEDGE assignee to do the OPTEE work under
>> Joakim guidance and reporting on a SWG EPIC.
>> >
>> > This is inline with my thoughts.
>> >
>> >>
>> >> LEDGE Initiative would include an EPIC link to the SWG EPIC: LEDGE can
>> then track the many tasks done in KWG and SWG.
>> >> Actually I proposed the creation of a lead project: dependable boot.
>> >>
>> >> For the time being, lets create all the Jira cards we think we need to
>> address. Lets check each other iniatives to ensure we have identified all
>> pieces of work.
>> >> https://projects.linaro.org/browse/LEDGE-151
>> >> https://projects.linaro.org/browse/LEDGE-134
>> >
>> > As we're speaking I'm drafting the work for a Standalone MM OP-TEE as
>> well as the fTPM stuff:
>> > https://projects.linaro.org/browse/SWG-372 (I'm going to add more
>> details here after having a chat with Ard ... who is travelling to US for
>> the moment).
>> > https://projects.linaro.org/browse/SWG-373
>> >
>> > Note that I'll more and more start creating Initiatives instead of
>> Epics, since I believe the consensus after TSC voting is that our current
>> Initiatives are too broad containing unrelated features. Having that said,
>> beneath the Initiatives I'll split up sub-tasks as Epics.
>>
>> Let me make clear; I started my UEFI-related tasks almost
>> independently from other groups' activities. In this sense, my
>> 'initiative' is KWG-339 (I don't care much though). KWG-403 is
>> a card where I want to keep my status updated.
>>
>> >>
>> >>
>> >>>
>> >>> >
>> >>> > Yes, I remember that we discussed lots about running Standalone MM
>> as
>> >>> > OP-TEE application, and what I'm asking is
>> >>> > - do you have any chance to use Standalone MM service on SPM, or
>> >>> > - do you want to use it solely as OP-TEE application.
>> >>> For the moment all LEDGE platforms we know of are based on u-boot.
>> >>> The only platform we have that not u-boot based is the SynQuacer box,
>> but Ard
>> >>> has already finished his StandaloneMM in SPM on that.
>> >>
>> >>
>> >> SPM does not work with ST32MP1 which is a LEDGE 32 bit target platform
>> and, AFAIK, will not work with virtualization in trustzone.
>> >> So SPD is our way to go.
>> >
>> > Yes, and IIRC, this is why we need to make Ard's current Standalone MM
>> implementation possible to run as an OP-TEE Trusted Application (basically
>> SWG-372). It's even useful on Armv8 devices until we have support for
>> running multiple SP's.
>>
>> So even for some sort of prototyping or POC, you won't use Standalone
>> MM services
>> in the current form and will be willing to wait for the completion of
>> SWG-372?
>>
>> I think we can swap very easily the protocol used between u-boot and the
> Standalone MM. You can surely do a first iteration with SPM version as it
> exists today and you can just add the u-boot part.
> This allows working in parrallel on different aspects of the
> implementation.
> We will focus on the SPD part.
>
> I heard from Ard that some assignee has finished porting Standalone MM
>> services
>> to qemu, and so I will be able to work on it integrating it into my
>> current secure boot patch.
>>
>>
> Sounds perfect!
>
>
>> In addition, in my previous e-mail, I think that I raised some topic
>> that we should
>> discuss, image authentication as well as rolls of secure world and
>> non-secure world.
>> This will have impacts on my secure boot patch; in some scenario, my
>> current work will
>> make almost no sense.
>>
>> That needs proper discussion:
> shall we use the boot-arch mail alias as the mailing list so that we reach
> a broad community for comments?
> shall we setup a weekly call ? (most attendees are europe to asia time
> zones I believe)
>
>
>> Thanks,
>> -Takahiro Akashi
>> >>
>> >>
>> >>>
>> >>> Cheers
>> >>> /Ilias
>> >
>> >
>> > Regards,
>> > Joakim
>>
>
>
> --
> [image: Linaro]
> <https://www.linaro.org/assets/content/RGB-Linaro_Standard.png>
> François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
> T: +33.67221.6485
> francois.ozog(a)linaro.org | Skype: ffozog
>
>
--
[image: Linaro]
<https://www.linaro.org/assets/content/RGB-Linaro_Standard.png>
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
