Dear all,
in the DTE meetings we have been discussing how we should add signatures to device-trees.
Due to the way libfdt adds properties, the sanest place to add metadata is before the memory reservation block. I have tested this with the U-Boot->GRUB->Linux boot sequence.
See my slides at
https://github.com/xypron/dte/blob/master/DTE%20-%20Adding%20Metadata.pdf
and the test program I used
https://github.com/xypron/dte/blob/master/src/add_metadata_area.c
In the next DTE meetings we could discuss drafting a specification change for this.
Best regards
Heinrich
Hi Heinrich,
On Sun, May 02, 2021 at 07:55:09PM +0200, Heinrich Schuchardt wrote:
> Dear all,
> in the DTE meetings we have been discussing how we should add signatures to device-trees.
> Due to the way libfdt adds properties, the sanest place to add metadata is before the memory reservation block. I have tested this with the U-Boot->GRUB->Linux boot sequence.
> See my slides at
> https://github.com/xypron/dte/blob/master/DTE%20-%20Adding%20Metadata.pdf
> and the test program I used
> https://github.com/xypron/dte/blob/master/src/add_metadata_area.c
Thanks for putting together the proposal. I've read the slides and the program, so I think I understand what you're trying to do (creating a gap 'DELTA' to make room for some meta data). However, just so I understand this correctly, can you please elaborate a bit on what the meta data would look like? And give an example of how it would be used? Are signatures supposed to be verified the first time the DTB is being brought into memory? Or is it meant to be a more dynamic approach? (I believe it's the former you're proposing.)
Related, I've been involved in a PoC with a student where he did DT-verification of (sub-)nodes in the Linux kernel [1]. The PoC was based on the ideas from U-Boot's FIT signature verification. It has some rough corners (and would need a bit more tooling), but it captures the overall idea. I think that is a bit different to what you're proposing (this is probably more related to what I refer to when saying a more dynamic approach).
[1] https://github.com/marianomarciello/Device_Tree_Verification/blob/e0b2fc989a...
> In the next DTE meetings we could discuss drafting a specification change for this.
I'm interested in this.
// Regards Joakim
On 5/3/21 11:05 AM, Joakim Bech wrote:
> Hi Heinrich,
> On Sun, May 02, 2021 at 07:55:09PM +0200, Heinrich Schuchardt wrote:
> > Dear all,
> > in the DTE meetings we have been discussing how we should add signatures to device-trees.
> > Due to the way libfdt adds properties, the sanest place to add metadata is before the memory reservation block. I have tested this with the U-Boot->GRUB->Linux boot sequence.
> > See my slides at
> > https://github.com/xypron/dte/blob/master/DTE%20-%20Adding%20Metadata.pdf
> > and the test program I used
> > https://github.com/xypron/dte/blob/master/src/add_metadata_area.c
> Thanks for putting together the proposal. I've read the slides and the program, so I think I understand what you're trying to do (creating a gap 'DELTA' to make room for some meta data). However, just so I understand this correctly, can you please elaborate a bit on what the meta data would look like? And give an example of how it would be used? Are signatures supposed to be verified the first time the DTB is being brought into memory? Or is it meant to be a more dynamic approach? (I believe it's the former you're proposing.)
My idea is that the dtb will be verified when it is loaded from file, similar to what UEFI's LoadImage() does.
Instead of adding an extra section for metadata we could also add a special node with the signature, e.g.
    dtbsignatures {
        signatures1 {
            #address-cells = <0>;
            #size-cells = <64>;
            signature@0 {
                compatible = "foo_bar_signature";
                hashalg = "foo";
                signalg = "bar";
                reg = <0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
                       0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
                       0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
                       0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0>;
            };
        };
    };
To create the signature you would
* add a zeroed-out node with space for the signature
* calculate the signature
* update the node with the value of the signature
When checking you would likewise zero out the signature and then recalculate the signed hash.
This way we would only have to define a new node and not have any changes to the device-tree format.
Best regards
Heinrich
> Related, I've been involved in a PoC with a student where he did DT-verification of (sub-)nodes in the Linux kernel [1]. The PoC was based on the ideas from U-Boot's FIT signature verification. It has some rough corners (and would need a bit more tooling), but it captures the overall idea. I think that is a bit different to what you're proposing (this is probably more related to what I refer to when saying a more dynamic approach).
> [1] https://github.com/marianomarciello/Device_Tree_Verification/blob/e0b2fc989a...
> > In the next DTE meetings we could discuss drafting a specification change for this.
> I'm interested in this.
> // Regards Joakim
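The zero-then-hash procedure Heinrich describes, worked through in Python as an added illustration (not his code, the DTE test program, or anything from the thread). It builds a minimal flattened DTB inline with a root node and a simplified `dtbsignatures` node whose `signature` property starts zero-filled; HMAC-SHA256 with a constructed key stands in for the real hashalg/signalg pair, and the builder hands back the field's offset (a real verifier would locate the node by walking the structure block before zeroing it).

```python
import hashlib
import hmac
import struct

FDT_MAGIC, FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_END = 0xD00DFEED, 1, 2, 3, 9
HDR_LEN = 40
SIG_LEN = 32  # HMAC-SHA256 stands in for the real signature (constructed assumption)

def _pad4(b):
    return b + b"\0" * (-len(b) % 4)

def build_dtb(props):
    """Minimal flat DTB: root node with string props plus a dtbsignatures node
    holding a zero-filled 'signature'. Returns (blob, offset of that value)."""
    strings = bytearray()
    def prop(name, value):
        name_off = len(strings)
        strings.extend(name.encode() + b"\0")
        return struct.pack(">III", FDT_PROP, len(value), name_off) + _pad4(value)
    body = struct.pack(">I", FDT_BEGIN_NODE) + _pad4(b"\0")  # root node, empty name
    for k, v in props.items():
        body += prop(k, v.encode() + b"\0")
    body += struct.pack(">I", FDT_BEGIN_NODE) + _pad4(b"dtbsignatures\0")
    body += prop("hashalg", b"sha256\0") + prop("signalg", b"hmac\0")
    sig_off = len(body) + 12  # value starts right after the 12-byte FDT_PROP header
    body += prop("signature", b"\0" * SIG_LEN)
    body += struct.pack(">III", FDT_END_NODE, FDT_END_NODE, FDT_END)
    rsvmap = struct.pack(">QQ", 0, 0)  # empty memory reservation block
    off_struct = HDR_LEN + len(rsvmap)
    off_strings = off_struct + len(body)
    hdr = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                      off_strings, HDR_LEN, 17, 16, 0, len(strings), len(body))
    return bytes(hdr + rsvmap + body + strings), off_struct + sig_off

def _zeroed(blob, sig_off):
    return blob[:sig_off] + b"\0" * SIG_LEN + blob[sig_off + SIG_LEN:]

def sign_dtb(blob, sig_off, key):
    """Zero the signature field, MAC the whole blob (header and rsvmap
    included), then write the MAC into the field."""
    mac = hmac.new(key, _zeroed(blob, sig_off), hashlib.sha256).digest()
    return blob[:sig_off] + mac + blob[sig_off + SIG_LEN:]

def verify_dtb(blob, sig_off, key):
    """Same zero-then-hash step as signing, compared in constant time."""
    if sig_off + SIG_LEN > len(blob):
        return False
    mac = hmac.new(key, _zeroed(blob, sig_off), hashlib.sha256).digest()
    return hmac.compare_digest(mac, blob[sig_off:sig_off + SIG_LEN])
```

Because the MAC covers the entire blob with only the signature bytes zeroed, any change to the header, reservation map, structure or strings block fails verification, and re-signing an already signed blob yields the same bytes.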
boot-architecture@lists.linaro.org