Hi Ilias,
On 26 Apr 2019, at 06:56, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi all,
This started as an internal discussion for U-Booa and SSL which quickly span out of control, so the mailing list is a better suited place for this discussion.
Akashi-san had an interesting idea. Since we will try to implement StandaloneMM as an OP-TEE TA, why not add payload authentication capabilities on it. Since it's already doing variable authentication on the secure side, the needed changes would be minimal (at least that's what i think, please correct me if i am wrong), since most of the code should already be there.
This means that the payload authentication will be moved to the secure world. Although doing the authentication in secure world won't offer any security enhancements, the common code across firmware implementations is probably nice to have.
So, as discussed on the private thread, I do not think this is a good idea. The main reasons to use StandaloneMM are to protect secrets (private keys) or to protect storage against unauthorised writes (protect against reset or rollback). When it come to firmware image updates and secure variable changes, using StandaloneMM makes sense.
However, image authentication doesn’t involve access to any secrets. Nor does it change any secure variables. Moving image authentication into the secure world increases complexity without any additional security benefit, and it precludes any secure boot implementations when StandaloneMM is not available.
I’d rather see Secure Boot image authentication implemented generically for all u-boot platforms, even when secure world variable updates are not available.
g.
The obvious drawback is that you limit the payload authentication capabilities, since running StMM will become obligatory for image that.
Thanks /Ilias _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.