On 6/5/19 3:55 PM, Francois Ozog wrote:
So trying to summarize the DT side track discussion in a different thread:
( Shall we organize a virtual design sprint before the end of the month? I'd like to create a section from the discussion in Boot Flows documen )
I - Current situation is:
- DT provided by Linux kernel because it was “easier” and there was no
upstream home
- ACPI is provided by firmware (to make things simple), non secure OS can
patch them in case of issues, SecureBoot prevents those patches
OS provided DT is a cool developer facility in the context of floating DT bindings and lack of proper upstream project. But conceptually speaking, DT is not an OS thing and is not a firmware thing: it is a board thing that may be massaged by firmware and consumed by OS.
With EBBR we seek a clean and salable solution that make the DT as simple as ACPI.
II - Desired DT for EBBR policy
- "upstream" DT
1.1) who provides DT Board vendor make a <reference DT> that describes every hardware piece, firmware provides a DT to OS, OS may be able to validate the DT but not override it in secureboot production. For security and boot latency consideration, firmware may actually need two DTs: a stripped version from <reference DT> to operate on the minimal set of devices it want to bring up the OS (say the <firmware DT>), a pruned/adapted version from <reference DT> , ie without devices firmware wants to control and conforms to EBBR spec (say the <OS DT>).
Can we get the Linux Foundation involved to integrate their view?
Regards
Heinrich
1.2) upstream <reference DT> The board reference DT> shall be valid regardless of the firmware (may be trusted firmware, uboot, edkII, linuxBoot...) not mentioning OS! There are many candidates but I start to think Linaro could host a DT and EBBR companion community project: "EBBR DTs" that will contain all the <reference DT> from every EBBR compliant board vendor. (Other boards can continue the mess, it is irrelevant EBBR, and us. SecureBoot, MeasuredBoot implementations will assume EBBR compliance)
- who sign what with what key
If we think of the following use case: Silicon Vendor provides a chip, a board vendor provides a board, ABB builds a controller, Caterpillar creates a mining truck with the controller, Rio Tinto operates the trck.
One possible (just designed to show case the need of various keysets) trust chain is:
- Board key db is loaded with a board vendor, ABB and caterpillar certs. - Trusted firmware: ABB doesn't want to deal with this, so the Board vendor provides and signs trusted firmware, with key_tf. - untrusted firmware: ABB selects the <firmware DT> and <OS DT> signs both DTs and firmware with key_firmware. Trusted Firmware will validate the signatures as key DB is loaded with ABB cert. - grub and the OS: Caterpillar signs them with key_os (What is signed and how it is verified is still a big discussion topic and the origin of the sidetrack on DT) - applications: Rio Tinto insurance company may be given the authority to sign hosted OPTEE applications with a different key.
- OS payload signing and verification: was the original topic of the
discussion and shall continue in the other thread.
- operational considerations
In non SecureBoot environment, DT can be patched by OS (same as ACPI). OS may decide to verify validaty of provided DT (mechanism yet to be defined) "dtb=" kernel command line parameter is still possible in non secure boot but forbiden in secureBoot.