Hello all,
Continuing the discussions we had on securing the boot flow and OS as much as possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot. This will cover the next payload (shim/grub2/shim depending on board needs).
In order to provide better overall security for the OS we'll need to at least verify DTB (if provided externally), initramfs and kernel modules.
1. For the kernel modules we can use kernel module signing facilities [1] 2. In case someone wants to provide an external DTB, we can use FIT images to secure that. The FIT images will contain the DTB(s) we need. Those will only be used if the authentication process succeeds. This will allow us to verify DTBs without introducing any new functionality to U-Boot. 3. We need to verify initramfs as well. This can be accomplished in various ways. Packing kernel + initramfs or using dm-verity are the two obvious ones but we are open to suggestions.
This also makes the development process for LEDGE pretty clear. We'll have to add UEFI Secure Boot implementation on U-Boot *only* since the rest of the functionality can be achieved with the existing code (minor adjustments might be needed though).
What do you think?
[1] https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
Thanks /Ilias
Hi Ilias
-----Original Message----- From: boot-architecture boot-architecture-bounces@lists.linaro.org On Behalf Of Ilias Apalodimas Sent: Friday, May 24, 2019 8:59 PM To: boot-architecture@lists.linaro.org Subject: [EXT] Securing the boot flow in U-Boot
Caution: EXT Email
Hello all,
Continuing the discussions we had on securing the boot flow and OS as much as possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
I believe you are planning to support as UEFI specs [Chapter 31, UEFI spec 2.7]
This will cover the next payload (shim/grub2/shim depending on board needs).
In order to provide better overall security for the OS we'll need to at least verify DTB (if provided externally), initramfs and kernel modules.
- For the kernel modules we can use kernel module signing facilities [1]
- In case someone wants to provide an external DTB, we can use FIT images
to secure that. The FIT images will contain the DTB(s) we need. Those will only be used if the authentication process succeeds. This will allow us to verify DTBs without introducing any new functionality to U-Boot. 3. We need to verify initramfs as well. This can be accomplished in various ways. Packing kernel + initramfs or using dm-verity are the two obvious ones but we are open to suggestions.
This also makes the development process for LEDGE pretty clear. We'll have to add UEFI Secure Boot implementation on U-Boot *only* since the rest of the functionality can be achieved with the existing code (minor adjustments might be needed though).
What do you think?
Here we are talking about image signing and image validation. I am not sure, what are your plan to make keys data base (platform key, KeK and DBs) secure while writing. AFAIU, This is one of requirement of secure uefi that these secure variable should be written in MM mode.
[1] https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ker nel.org%2Fdoc%2Fhtml%2Fv4.15%2Fadmin-guide%2Fmodule- signing.html&data=02%7C01%7Cudit.kumar%40nxp.com%7C67b7f9e9588 c49dcbbd708d6e05c949a%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0 %7C636943085576955336&sdata=d76zsRb9eYBiaIWswbT1ZCEodwAatkmt LLKqqkkL65w%3D&reserved=0
Thanks /Ilias _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.lina... o.org%2Fmailman%2Flistinfo%2Fboot- architecture&data=02%7C01%7Cudit.kumar%40nxp.com%7C67b7f9e9588 c49dcbbd708d6e05c949a%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0 %7C636943085576955336&sdata=l4QbkknOMe7kzcAa9kxJvHkD%2BJHqxh R6ivV3BqwdIY4%3D&reserved=0
Hi Udit,
Continuing the discussions we had on securing the boot flow and OS as much as possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot.
I believe you are planning to support as UEFI specs [Chapter 31, UEFI spec 2.7]
Yes you are right
This will cover the next payload (shim/grub2/shim depending on board needs).
In order to provide better overall security for the OS we'll need to at least verify DTB (if provided externally), initramfs and kernel modules.
- For the kernel modules we can use kernel module signing facilities [1]
- In case someone wants to provide an external DTB, we can use FIT images
to secure that. The FIT images will contain the DTB(s) we need. Those will only be used if the authentication process succeeds. This will allow us to verify DTBs without introducing any new functionality to U-Boot. 3. We need to verify initramfs as well. This can be accomplished in various ways. Packing kernel + initramfs or using dm-verity are the two obvious ones but we are open to suggestions.
This also makes the development process for LEDGE pretty clear. We'll have to add UEFI Secure Boot implementation on U-Boot *only* since the rest of the functionality can be achieved with the existing code (minor adjustments might be needed though).
What do you think?
Here we are talking about image signing and image validation. I am not sure, what are your plan to make keys data base (platform key, KeK and DBs) secure while writing. AFAIU, This is one of requirement of secure uefi that these secure variable should be written in MM mode.
The plan on that is run stMM as an OP-TEE TA. This will allow us to run StMM + fTPM simultaneously. The current plan is to support UEFI specs on U-Boot without having secure variable storage. That one is our next step.
Thanks /Ilias
Hi Ilias
-----Original Message----- From: Ilias Apalodimas ilias.apalodimas@linaro.org Sent: Friday, May 24, 2019 9:57 PM To: Udit Kumar udit.kumar@nxp.com Cc: boot-architecture@lists.linaro.org; Varun Sethi V.Sethi@nxp.com Subject: Re: [EXT] Securing the boot flow in U-Boot
Caution: EXT Email
Hi Udit,
What do you think?
Here we are talking about image signing and image validation. I am not sure, what are your plan to make keys data base (platform key, KeK and DBs) secure while writing. AFAIU, This is one of requirement of secure uefi that these secure variable
should be written in MM mode. The plan on that is run stMM as an OP-TEE TA. This will allow us to run StMM + fTPM simultaneously. The current plan is to support UEFI specs on U-Boot without having secure variable storage. That one is our next step.
May be I am asking too early about your next step Where you see flash driver sitting, Possible options I see, 1/ In OP-TEE and StMM is making sys-call to access it 2/ in TFA (EL3) itself and stMM is making smc calls 3/ OP-TEE is doing sort of mmap to flash controller area and driver is residing in Sec-EL0 itself
Thanks /Ilias
Hi Udit,
Hi Ilias
-----Original Message----- From: Ilias Apalodimas ilias.apalodimas@linaro.org Sent: Friday, May 24, 2019 9:57 PM To: Udit Kumar udit.kumar@nxp.com Cc: boot-architecture@lists.linaro.org; Varun Sethi V.Sethi@nxp.com Subject: Re: [EXT] Securing the boot flow in U-Boot
Caution: EXT Email
Hi Udit,
What do you think?
Here we are talking about image signing and image validation. I am not sure, what are your plan to make keys data base (platform key, KeK and DBs) secure while writing. AFAIU, This is one of requirement of secure uefi that these secure variable
should be written in MM mode. The plan on that is run stMM as an OP-TEE TA. This will allow us to run StMM + fTPM simultaneously. The current plan is to support UEFI specs on U-Boot without having secure variable storage. That one is our next step.
May be I am asking too early about your next step
Indeed :) We'll try to have the UEFI secure boot spec in u-boot first, *without* storing the variables in a secure storage. Once we complete this we can start planning the secure part of the varibles.
A bit of history on this. One of the things we are going to try is split U-Boot ENV and UEFI variables. By decoupling those, storing the variables in a different storage should be straightforward (or at least a lot easier than it is today).
Where you see flash driver sitting, Possible options I see, 1/ In OP-TEE and StMM is making sys-call to access it 2/ in TFA (EL3) itself and stMM is making smc calls 3/ OP-TEE is doing sort of mmap to flash controller area and driver is residing in Sec-EL0 itself
All three sound valid. This also depends on the hardware design as well. This is too soon for us, if anyone else has any suggestions it might be a good idea to sum those up in a new thread?
Thanks /Ilias
On 27/05/2019 10:05, Ilias Apalodimas wrote:
Hi Udit,
Hi Ilias
-----Original Message----- From: Ilias Apalodimas ilias.apalodimas@linaro.org Sent: Friday, May 24, 2019 9:57 PM To: Udit Kumar udit.kumar@nxp.com Cc: boot-architecture@lists.linaro.org; Varun Sethi V.Sethi@nxp.com Subject: Re: [EXT] Securing the boot flow in U-Boot
Caution: EXT Email
Hi Udit,
What do you think?
Here we are talking about image signing and image validation. I am not sure, what are your plan to make keys data base (platform key, KeK and DBs) secure while writing. AFAIU, This is one of requirement of secure uefi that these secure variable
should be written in MM mode. The plan on that is run stMM as an OP-TEE TA. This will allow us to run StMM + fTPM simultaneously. The current plan is to support UEFI specs on U-Boot without having secure variable storage. That one is our next step.
May be I am asking too early about your next step
Indeed :) We'll try to have the UEFI secure boot spec in u-boot first, *without* storing the variables in a secure storage. Once we complete this we can start planning the secure part of the varibles.
A bit of history on this. One of the things we are going to try is split U-Boot ENV and UEFI variables. By decoupling those, storing the variables in a different storage should be straightforward (or at least a lot easier than it is today).
Where you see flash driver sitting, Possible options I see, 1/ In OP-TEE and StMM is making sys-call to access it 2/ in TFA (EL3) itself and stMM is making smc calls 3/ OP-TEE is doing sort of mmap to flash controller area and driver is residing in Sec-EL0 itself
All three sound valid. This also depends on the hardware design as well. This is too soon for us, if anyone else has any suggestions it might be a good idea to sum those up in a new thread?
On systems with normal-world mapped eMMC/UFS with RPMB: Option 1 - trusted app needs to coordinate with normal world firmware & OS - The trusted app will prepare and sign RPMB update transactions and depend on a supplicant in the normal world to perform the transaction. U-Boot will need an implementation of the optee supplicant. Linux already has one.
On systems with secure-world mapped secure storage: Option 3 - The trusted app doesn't need to coordinate with the normal world. - It can directly write to storage.
Option 2 is not an option because we don't want device drivers (ie, for secure storage devices) in EL3 TFA. It is supposed to be as small as possible.
g.
On Fri, 31 May 2019 at 17:33, Grant Likely Grant.Likely@arm.com wrote:
On 27/05/2019 10:05, Ilias Apalodimas wrote:
Hi Udit,
Hi Ilias
-----Original Message----- From: Ilias Apalodimas ilias.apalodimas@linaro.org Sent: Friday, May 24, 2019 9:57 PM To: Udit Kumar udit.kumar@nxp.com Cc: boot-architecture@lists.linaro.org; Varun Sethi V.Sethi@nxp.com Subject: Re: [EXT] Securing the boot flow in U-Boot
Caution: EXT Email
Hi Udit,
What do you think?
Here we are talking about image signing and image validation. I am not sure, what are your plan to make keys data base (platform key, KeK and DBs) secure while writing. AFAIU, This is one of requirement of secure uefi that these secure variable
should be written in MM mode. The plan on that is run stMM as an OP-TEE TA. This will allow us to run StMM + fTPM simultaneously. The current plan is to support UEFI specs on U-Boot without having secure variable storage. That one is our next step.
May be I am asking too early about your next step
Indeed :) We'll try to have the UEFI secure boot spec in u-boot first, *without* storing the variables in a secure storage. Once we complete this we can start planning the secure part of the varibles.
A bit of history on this. One of the things we are going to try is split U-Boot ENV and UEFI variables. By decoupling those, storing the variables in a different storage should be straightforward (or at least a lot easier than it is today).
Where you see flash driver sitting, Possible options I see, 1/ In OP-TEE and StMM is making sys-call to access it 2/ in TFA (EL3) itself and stMM is making smc calls 3/ OP-TEE is doing sort of mmap to flash controller area and driver is residing in Sec-EL0 itself
All three sound valid. This also depends on the hardware design as well. This is too soon for us, if anyone else has any suggestions it might be a good idea to sum those up in a new thread?
On systems with normal-world mapped eMMC/UFS with RPMB: Option 1
- trusted app needs to coordinate with normal world firmware & OS
- The trusted app will prepare and sign RPMB update transactions and
depend on a supplicant in the normal world to perform the transaction. U-Boot will need an implementation of the optee supplicant.
Just an update, U-Boot already have optee supplicant support for RPMB storage access. Have a look here [1].
[1] https://github.com/u-boot/u-boot/blob/master/drivers/tee/optee/rpmb.c
-Sumit
Linux already has one.
On systems with secure-world mapped secure storage: Option 3
- The trusted app doesn't need to coordinate with the normal world.
- It can directly write to storage.
Option 2 is not an option because we don't want device drivers (ie, for secure storage devices) in EL3 TFA. It is supposed to be as small as possible.
g. _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
On 31/05/2019 13:20, Sumit Garg wrote:
On Fri, 31 May 2019 at 17:33, Grant Likely Grant.Likely@arm.com wrote:
On 27/05/2019 10:05, Ilias Apalodimas wrote:
Hi Udit,
Hi Ilias
-----Original Message----- From: Ilias Apalodimas ilias.apalodimas@linaro.org Sent: Friday, May 24, 2019 9:57 PM To: Udit Kumar udit.kumar@nxp.com Cc: boot-architecture@lists.linaro.org; Varun Sethi V.Sethi@nxp.com Subject: Re: [EXT] Securing the boot flow in U-Boot
Caution: EXT Email
Hi Udit,
> > What do you think?
Here we are talking about image signing and image validation. I am not sure, what are your plan to make keys data base (platform key, KeK and DBs) secure while writing. AFAIU, This is one of requirement of secure uefi that these secure variable
should be written in MM mode. The plan on that is run stMM as an OP-TEE TA. This will allow us to run StMM + fTPM simultaneously. The current plan is to support UEFI specs on U-Boot without having secure variable storage. That one is our next step.
May be I am asking too early about your next step
Indeed :) We'll try to have the UEFI secure boot spec in u-boot first, *without* storing the variables in a secure storage. Once we complete this we can start planning the secure part of the varibles.
A bit of history on this. One of the things we are going to try is split U-Boot ENV and UEFI variables. By decoupling those, storing the variables in a different storage should be straightforward (or at least a lot easier than it is today).
Where you see flash driver sitting, Possible options I see, 1/ In OP-TEE and StMM is making sys-call to access it 2/ in TFA (EL3) itself and stMM is making smc calls 3/ OP-TEE is doing sort of mmap to flash controller area and driver is residing in Sec-EL0 itself
All three sound valid. This also depends on the hardware design as well. This is too soon for us, if anyone else has any suggestions it might be a good idea to sum those up in a new thread?
On systems with normal-world mapped eMMC/UFS with RPMB: Option 1
- trusted app needs to coordinate with normal world firmware & OS
- The trusted app will prepare and sign RPMB update transactions and
depend on a supplicant in the normal world to perform the transaction. U-Boot will need an implementation of the optee supplicant.
Just an update, U-Boot already have optee supplicant support for RPMB storage access. Have a look here [1].
[1] https://github.com/u-boot/u-boot/blob/master/drivers/tee/optee/rpmb.c
Even better! Thanks!
g.
Hi Grant,
On Fri, May 31, 2019 at 12:03:42PM +0000, Grant Likely wrote:
On 27/05/2019 10:05, Ilias Apalodimas wrote:
Hi Udit,
Hi Ilias
-----Original Message----- From: Ilias Apalodimas ilias.apalodimas@linaro.org Sent: Friday, May 24, 2019 9:57 PM To: Udit Kumar udit.kumar@nxp.com Cc: boot-architecture@lists.linaro.org; Varun Sethi V.Sethi@nxp.com Subject: Re: [EXT] Securing the boot flow in U-Boot
Caution: EXT Email
Hi Udit,
What do you think?
Here we are talking about image signing and image validation. I am not sure, what are your plan to make keys data base (platform key, KeK and DBs) secure while writing. AFAIU, This is one of requirement of secure uefi that these secure variable
should be written in MM mode. The plan on that is run stMM as an OP-TEE TA. This will allow us to run StMM + fTPM simultaneously. The current plan is to support UEFI specs on U-Boot without having secure variable storage. That one is our next step.
May be I am asking too early about your next step
Indeed :) We'll try to have the UEFI secure boot spec in u-boot first, *without* storing the variables in a secure storage. Once we complete this we can start planning the secure part of the varibles.
A bit of history on this. One of the things we are going to try is split U-Boot ENV and UEFI variables. By decoupling those, storing the variables in a different storage should be straightforward (or at least a lot easier than it is today).
Where you see flash driver sitting, Possible options I see, 1/ In OP-TEE and StMM is making sys-call to access it 2/ in TFA (EL3) itself and stMM is making smc calls 3/ OP-TEE is doing sort of mmap to flash controller area and driver is residing in Sec-EL0 itself
All three sound valid. This also depends on the hardware design as well. This is too soon for us, if anyone else has any suggestions it might be a good idea to sum those up in a new thread?
On systems with normal-world mapped eMMC/UFS with RPMB: Option 1
- trusted app needs to coordinate with normal world firmware & OS
- The trusted app will prepare and sign RPMB update transactions and
depend on a supplicant in the normal world to perform the transaction. U-Boot will need an implementation of the optee supplicant. Linux already has one.
We've in fact upstreamed support for an OP-TEE "supplicant" (with RPMB support) to U-Boot not that long ago. So we can tick this one off from the todo list. How to enable RPMB with OP-TEE in U-Boot can be seen section 4 here: https://github.com/u-boot/u-boot/blob/master/doc/README.avb2
On systems with secure-world mapped secure storage: Option 3
- The trusted app doesn't need to coordinate with the normal world.
- It can directly write to storage.
Option 2 is not an option because we don't want device drivers (ie, for secure storage devices) in EL3 TFA. It is supposed to be as small as possible.
g. _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
On 24/05/2019 16:28, Ilias Apalodimas wrote:
Hello all,
Continuing the discussions we had on securing the boot flow and OS as much as possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot. This will cover the next payload (shim/grub2/shim depending on board needs).
In order to provide better overall security for the OS we'll need to at least verify DTB (if provided externally), initramfs and kernel modules.
- For the kernel modules we can use kernel module signing facilities [1 > 2. In case someone wants to provide an external DTB, we can use FIT
images
to secure that. The FIT images will contain the DTB(s) we need. Those will only be used if the authentication process succeeds. This will allow us to verify DTBs without introducing any new functionality to U-Boot.
The trouble with this scenario is it uses a different authentication scheme from the OS boot. OS boot would verify against the Secure boot DB/DBX variables, but the FIT image containing a new DTB uses an entirely different authentication path, and the platform needs a way to break into the boot flow early (before UEFI Boot Device Selection) to perform the custom DTB load step before choosing the kernel to boot. That might be too early to know which .dtb needs to be loaded.
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader (possibly the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this scenario, U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the os loader can use load_image to authenticate and retrieve the data without actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel.
Option 2: Put a PE/COFF wrapper around the dtb The wrapper can be really simple. Little more than the following code: { bootservices.allocate_pages(EFI_ALLOCATE_MAX_ADDRESS, EFI_RUNTIME_SERVICES_DATA, 1, &dtb_addr); memcpy() bootservices.install_configuration_table(dtb_guid, dtb_addr); }
This allows the DTB to be managed separately from the kernel (which may or may not be desired; depending on use-case), and it uses the same authentication scheme as for the OS loader. It would would on both Tianocore and U-Boot UEFI implementations. The dtb toolchain could be modified to use a stock wrapper. The same technique could even be used to load and apply dtb overlays. Downside is the wrapper would be architecture dependent
I think option 1 is pretty close to the approach used by stub, and I suspect it fits better into the deployment scenarios that would want to ship a DTB with the kernel. I would go down that path.
In either case, I'm now leaning toward the opinion that calling install_configuration_table() to change the dtb is the right thing to do. The DTB still gets exposed to the kernel in the same way, and it provides the option of firmware applying updates (ie. kernel command line) to the new dtb at ExitBootServices() time. It also acknowledges that the DTB used to boot the kernel isn't always the DTB used internally by U-Boot.
- We need to verify initramfs as well. This can be accomplished in various ways.
Packing kernel + initramfs or using dm-verity are the two obvious ones but we are open to suggestions.
Signing initrd images is pretty important I think the same options apply. What is currently being done in the x86 distro space?
This also makes the development process for LEDGE pretty clear. We'll have to add UEFI Secure Boot implementation on U-Boot *only* since the rest of the functionality can be achieved with the existing code (minor adjustments might be needed though).
What do you think?
[1] https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
Thanks /Ilias _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
Can we just register the OS loader as a UEFI protocol (say LoadGrubImage, LoadLinuxImage, LoadAndroidImage), which would do everything needed to check the broader environment? This becomes usable with both EDKII and U-Boot?
LoadImage is used by <firmware> to securely load shim<arch>.efi LoadGrubImage is used by shim<arch>.efi to securely load grub<arch>.efi (check modules, config...) LoadLinuxImage is used by grub<arch>.efi to securely load Linux environment
If the protocols are not present, then a simple LoadImage is used.
Cheers
FF
On Fri, 31 May 2019 at 13:52, Grant Likely Grant.Likely@arm.com wrote:
On 24/05/2019 16:28, Ilias Apalodimas wrote:
Hello all,
Continuing the discussions we had on securing the boot flow and OS as
much as
possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in
U-Boot.
This will cover the next payload (shim/grub2/shim depending on board
needs).
In order to provide better overall security for the OS we'll need to at
least
verify DTB (if provided externally), initramfs and kernel modules.
- For the kernel modules we can use kernel module signing facilities [1
- In case someone wants to provide an external DTB, we can use FIT
images
to secure that. The FIT images will contain the DTB(s) we need. Those
will
only be used if the authentication process succeeds. This will allow us
to
verify DTBs without introducing any new functionality to U-Boot.
The trouble with this scenario is it uses a different authentication scheme from the OS boot. OS boot would verify against the Secure boot DB/DBX variables, but the FIT image containing a new DTB uses an entirely different authentication path, and the platform needs a way to break into the boot flow early (before UEFI Boot Device Selection) to perform the custom DTB load step before choosing the kernel to boot. That might be too early to know which .dtb needs to be loaded.
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader (possibly the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this scenario, U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the os loader can use load_image to authenticate and retrieve the data without actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel.
Option 2: Put a PE/COFF wrapper around the dtb The wrapper can be really simple. Little more than the following code: { bootservices.allocate_pages(EFI_ALLOCATE_MAX_ADDRESS, EFI_RUNTIME_SERVICES_DATA, 1, &dtb_addr); memcpy() bootservices.install_configuration_table(dtb_guid, dtb_addr); }
This allows the DTB to be managed separately from the kernel (which may or may not be desired; depending on use-case), and it uses the same authentication scheme as for the OS loader. It would would on both Tianocore and U-Boot UEFI implementations. The dtb toolchain could be modified to use a stock wrapper. The same technique could even be used to load and apply dtb overlays. Downside is the wrapper would be architecture dependent
I think option 1 is pretty close to the approach used by stub, and I suspect it fits better into the deployment scenarios that would want to ship a DTB with the kernel. I would go down that path.
In either case, I'm now leaning toward the opinion that calling install_configuration_table() to change the dtb is the right thing to do. The DTB still gets exposed to the kernel in the same way, and it provides the option of firmware applying updates (ie. kernel command line) to the new dtb at ExitBootServices() time. It also acknowledges that the DTB used to boot the kernel isn't always the DTB used internally by U-Boot.
- We need to verify initramfs as well. This can be accomplished in
various ways.
Packing kernel + initramfs or using dm-verity are the two obvious ones
but we
are open to suggestions.
Signing initrd images is pretty important I think the same options apply. What is currently being done in the x86 distro space?
This also makes the development process for LEDGE pretty clear. We'll
have to
add UEFI Secure Boot implementation on U-Boot *only* since the rest of
the
functionality can be achieved with the existing code (minor adjustments
might be
needed though).
What do you think?
[1]
https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
Thanks /Ilias _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
On 31/05/2019 13:12, Francois Ozog wrote:
Can we just register the OS loader as a UEFI protocol (say LoadGrubImage, LoadLinuxImage, LoadAndroidImage), which would do everything needed to check the broader environment? This becomes usable with both EDKII and U-Boot?
If the protocol (or an evolution of it) is proposed to be included in the UEFI spec, then I agree. However, if it remains a shim-only thing, then it should be left as part of Shim.
g.
LoadImage is used by <firmware> to securely load shim<arch>.efi LoadGrubImage is used by shim<arch>.efi to securely load grub<arch>.efi (check modules, config...) LoadLinuxImage is used by grub<arch>.efi to securely load Linux environment
If the protocols are not present, then a simple LoadImage is used.
Cheers
FF
On Fri, 31 May 2019 at 13:52, Grant Likely <Grant.Likely@arm.com mailto:Grant.Likely@arm.com> wrote:
On 24/05/2019 16:28, Ilias Apalodimas wrote: > Hello all, > > Continuing the discussions we had on securing the boot flow and OS as much as > possible, we came up with the following idea. > > We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot. > This will cover the next payload (shim/grub2/shim depending on board needs). > > In order to provide better overall security for the OS we'll need to at least > verify DTB (if provided externally), initramfs and kernel modules. > > 1. For the kernel modules we can use kernel module signing facilities [1 > 2. In case someone wants to provide an external DTB, we can use FIT images > to secure that. The FIT images will contain the DTB(s) we need. Those will > only be used if the authentication process succeeds. This will allow us to > verify DTBs without introducing any new functionality to U-Boot. The trouble with this scenario is it uses a different authentication scheme from the OS boot. OS boot would verify against the Secure boot DB/DBX variables, but the FIT image containing a new DTB uses an entirely different authentication path, and the platform needs a way to break into the boot flow early (before UEFI Boot Device Selection) to perform the custom DTB load step before choosing the kernel to boot. That might be too early to know which .dtb needs to be loaded. I see two ways to handle this that fits with the Secure Boot authentication path: Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader (possibly the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this scenario, U-Boot doesn't authenticate the DTB at all. In fact, Option 1 is pretty close to what is required for the initrd. I wonder if it is possible to wrap the DTB with a PE/COFF so that the os loader can use load_image to authenticate and retrieve the data without actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel. Option 2: Put a PE/COFF wrapper around the dtb The wrapper can be really simple. Little more than the following code: { bootservices.allocate_pages(EFI_ALLOCATE_MAX_ADDRESS, EFI_RUNTIME_SERVICES_DATA, 1, &dtb_addr); memcpy() bootservices.install_configuration_table(dtb_guid, dtb_addr); } This allows the DTB to be managed separately from the kernel (which may or may not be desired; depending on use-case), and it uses the same authentication scheme as for the OS loader. It would would on both Tianocore and U-Boot UEFI implementations. The dtb toolchain could be modified to use a stock wrapper. The same technique could even be used to load and apply dtb overlays. Downside is the wrapper would be architecture dependent I think option 1 is pretty close to the approach used by stub, and I suspect it fits better into the deployment scenarios that would want to ship a DTB with the kernel. I would go down that path. In either case, I'm now leaning toward the opinion that calling install_configuration_table() to change the dtb is the right thing to do. The DTB still gets exposed to the kernel in the same way, and it provides the option of firmware applying updates (ie. kernel command line) to the new dtb at ExitBootServices() time. It also acknowledges that the DTB used to boot the kernel isn't always the DTB used internally by U-Boot. > 3. We need to verify initramfs as well. This can be accomplished in various ways. > Packing kernel + initramfs or using dm-verity are the two obvious ones but we > are open to suggestions. Signing initrd images is pretty important I think the same options apply. What is currently being done in the x86 distro space? > > This also makes the development process for LEDGE pretty clear. We'll have to > add UEFI Secure Boot implementation on U-Boot *only* since the rest of the > functionality can be achieved with the existing code (minor adjustments might be > needed though). > > What do you think? > > [1] https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html > > > Thanks > /Ilias > _______________________________________________ > boot-architecture mailing list > boot-architecture@lists.linaro.org <mailto:boot-architecture@lists.linaro.org> > https://lists.linaro.org/mailman/listinfo/boot-architecture > _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org <mailto:boot-architecture@lists.linaro.org> https://lists.linaro.org/mailman/listinfo/boot-architecture-- François-Frédéric Ozog | /Director Linaro Edge & Fog Computing Group/ T: +33.67221.6485 francois.ozog@linaro.org mailto:francois.ozog@linaro.org | Skype: ffozog
On 5/31/19 2:12 PM, Francois Ozog wrote:
Can we just register the OS loader as a UEFI protocol (say LoadGrubImage, LoadLinuxImage, LoadAndroidImage), which would do everything needed to check the broader environment? This becomes usable with both EDKII and U-Boot?
LoadImage is used by <firmware> to securely load shim<arch>.efi LoadGrubImage is used by shim<arch>.efi to securely load grub<arch>.efi (check modules, config...) LoadLinuxImage is used by grub<arch>.efi to securely load Linux environment
If the protocols are not present, then a simple LoadImage is used.
What is the reasoning for your suggestion? I cannot see what you are missing in LoadImage().
With secure boot enabled LoadImage() will check the signature of any EFI binary including GRUB, Linux, and Shim.
It is the task of the loaded application to verify any modules it loads afterwards. This functionality already exists, e.g. once the Linux Kernel is loaded it uses UEFI variables db and dbx to update the system keyring against which the modules are checked.
The UEFI spec should be OS agnostic so having GRUB or Linux specific protocols implemented in U-Boot or EDK II makes no sense to me.
Best regards
Heinrich
Cheers
FF
On Fri, 31 May 2019 at 13:52, Grant Likely Grant.Likely@arm.com wrote:
On 24/05/2019 16:28, Ilias Apalodimas wrote:
Hello all,
Continuing the discussions we had on securing the boot flow and OS as
much as
possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in
U-Boot.
This will cover the next payload (shim/grub2/shim depending on board
needs).
In order to provide better overall security for the OS we'll need to at
least
verify DTB (if provided externally), initramfs and kernel modules.
- For the kernel modules we can use kernel module signing facilities [1
- In case someone wants to provide an external DTB, we can use FIT
images
to secure that. The FIT images will contain the DTB(s) we need. Those
will
only be used if the authentication process succeeds. This will allow us
to
verify DTBs without introducing any new functionality to U-Boot.
The trouble with this scenario is it uses a different authentication scheme from the OS boot. OS boot would verify against the Secure boot DB/DBX variables, but the FIT image containing a new DTB uses an entirely different authentication path, and the platform needs a way to break into the boot flow early (before UEFI Boot Device Selection) to perform the custom DTB load step before choosing the kernel to boot. That might be too early to know which .dtb needs to be loaded.
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader (possibly the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this scenario, U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the os loader can use load_image to authenticate and retrieve the data without actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel.
Option 2: Put a PE/COFF wrapper around the dtb The wrapper can be really simple. Little more than the following code: { bootservices.allocate_pages(EFI_ALLOCATE_MAX_ADDRESS, EFI_RUNTIME_SERVICES_DATA, 1, &dtb_addr); memcpy() bootservices.install_configuration_table(dtb_guid, dtb_addr); }
This allows the DTB to be managed separately from the kernel (which may or may not be desired; depending on use-case), and it uses the same authentication scheme as for the OS loader. It would would on both Tianocore and U-Boot UEFI implementations. The dtb toolchain could be modified to use a stock wrapper. The same technique could even be used to load and apply dtb overlays. Downside is the wrapper would be architecture dependent
I think option 1 is pretty close to the approach used by stub, and I suspect it fits better into the deployment scenarios that would want to ship a DTB with the kernel. I would go down that path.
In either case, I'm now leaning toward the opinion that calling install_configuration_table() to change the dtb is the right thing to do. The DTB still gets exposed to the kernel in the same way, and it provides the option of firmware applying updates (ie. kernel command line) to the new dtb at ExitBootServices() time. It also acknowledges that the DTB used to boot the kernel isn't always the DTB used internally by U-Boot.
- We need to verify initramfs as well. This can be accomplished in
various ways.
Packing kernel + initramfs or using dm-verity are the two obvious ones
but we
are open to suggestions.
Signing initrd images is pretty important I think the same options apply. What is currently being done in the x86 distro space?
This also makes the development process for LEDGE pretty clear. We'll
have to
add UEFI Secure Boot implementation on U-Boot *only* since the rest of
the
functionality can be achieved with the existing code (minor adjustments
might be
needed though).
What do you think?
[1]
https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html
Thanks /Ilias _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
Hi Grant,
On 24/05/2019 16:28, Ilias Apalodimas wrote:
Hello all,
Continuing the discussions we had on securing the boot flow and OS as much as possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot. This will cover the next payload (shim/grub2/shim depending on board needs).
In order to provide better overall security for the OS we'll need to at least verify DTB (if provided externally), initramfs and kernel modules.
- For the kernel modules we can use kernel module signing facilities [1 > 2. In case someone wants to provide an external DTB, we can use FIT
images
to secure that. The FIT images will contain the DTB(s) we need. Those will only be used if the authentication process succeeds. This will allow us to verify DTBs without introducing any new functionality to U-Boot.
The trouble with this scenario is it uses a different authentication scheme from the OS boot. OS boot would verify against the Secure boot DB/DBX variables, but the FIT image containing a new DTB uses an entirely different authentication path, and the platform needs a way to break into the boot flow early (before UEFI Boot Device Selection) to perform the custom DTB load step before choosing the kernel to boot. That might be too early to know which .dtb needs to be loaded.
This is exactly the reason i mentioned this on my first mail.
"This also makes the development process for LEDGE pretty clear. We'll have to add UEFI Secure Boot implementation on U-Boot *only* since the rest of the functionality can be achieved with the existing code (minor adjustments might be needed though)". s/minor adjustments/Your option #2/
I was wondering how hard/acceptable is to do option #2
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader (possibly the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this scenario, U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the os loader can use load_image to authenticate and retrieve the data without actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel.
Option 2: Put a PE/COFF wrapper around the dtb The wrapper can be really simple. Little more than the following code: { bootservices.allocate_pages(EFI_ALLOCATE_MAX_ADDRESS, EFI_RUNTIME_SERVICES_DATA, 1, &dtb_addr); memcpy() bootservices.install_configuration_table(dtb_guid, dtb_addr); }
This allows the DTB to be managed separately from the kernel (which may or may not be desired; depending on use-case), and it uses the same authentication scheme as for the OS loader. It would would on both Tianocore and U-Boot UEFI implementations. The dtb toolchain could be modified to use a stock wrapper. The same technique could even be used to load and apply dtb overlays. Downside is the wrapper would be architecture dependent
I think option 1 is pretty close to the approach used by stub, and I suspect it fits better into the deployment scenarios that would want to ship a DTB with the kernel. I would go down that path.
In either case, I'm now leaning toward the opinion that calling install_configuration_table() to change the dtb is the right thing to do. The DTB still gets exposed to the kernel in the same way, and it provides the option of firmware applying updates (ie. kernel command line) to the new dtb at ExitBootServices() time. It also acknowledges that the DTB used to boot the kernel isn't always the DTB used internally by U-Boot.
Thanks /Ilias
On 5/31/19 4:47 PM, Ilias Apalodimas wrote:
Hi Grant,
On 24/05/2019 16:28, Ilias Apalodimas wrote:
Hello all,
Continuing the discussions we had on securing the boot flow and OS as much as possible, we came up with the following idea.
We are currently sorting out what's needed to add UEFI Secure Boot in U-Boot. This will cover the next payload (shim/grub2/shim depending on board needs).
In order to provide better overall security for the OS we'll need to at least verify DTB (if provided externally), initramfs and kernel modules.
- For the kernel modules we can use kernel module signing facilities [1 > 2. In case someone wants to provide an external DTB, we can use FIT
images
to secure that. The FIT images will contain the DTB(s) we need. Those will only be used if the authentication process succeeds. This will allow us to verify DTBs without introducing any new functionality to U-Boot.
The trouble with this scenario is it uses a different authentication scheme from the OS boot. OS boot would verify against the Secure boot DB/DBX variables, but the FIT image containing a new DTB uses an entirely different authentication path, and the platform needs a way to break into the boot flow early (before UEFI Boot Device Selection) to perform the custom DTB load step before choosing the kernel to boot. That might be too early to know which .dtb needs to be loaded.
This is exactly the reason i mentioned this on my first mail.
"This also makes the development process for LEDGE pretty clear. We'll have to add UEFI Secure Boot implementation on U-Boot *only* since the rest of the functionality can be achieved with the existing code (minor adjustments might be needed though)". s/minor adjustments/Your option #2/
I was wondering how hard/acceptable is to do option #2
I think option 2 is quite easy to implement:
In U-Boot we already have a tool file2include which we can use to convert the FDT into an include. Now we only have to build the EFI binary from a C file with the include. Building an EFI binary is easy with gnu-efi. Last step is to sign the EFI binary with sbsign. The essential point is that the C file will be constant, only the generated include will change.
The good thing about option 2 is its compatibility with any UEFI implementation and not just U-Boot.
I think an operating system should not have to worry about the firmware I am using. E.g. on the MACCHIATObin either of U-Boot or EDK II can be used.
In U-Boot updates to the device tree are not done at ExitBootServices() but when invoking bootefi.
Updating the device tree may result in a larger device tree so it cannot be done in place. Instead we have to install a copy. The problem about updating in ExitBootServices() is that we do not know if the EFI application calling it holds a pointer to the device tree across the call.
bootefi replaces any device tree with its own device tree if not called with a device tree argument. We will have to change this when going with option 2.
Best regards
Heinrich
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader (possibly the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this scenario, U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the os loader can use load_image to authenticate and retrieve the data without actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel.
Option 2: Put a PE/COFF wrapper around the dtb The wrapper can be really simple. Little more than the following code: { bootservices.allocate_pages(EFI_ALLOCATE_MAX_ADDRESS, EFI_RUNTIME_SERVICES_DATA, 1, &dtb_addr); memcpy() bootservices.install_configuration_table(dtb_guid, dtb_addr); }
This allows the DTB to be managed separately from the kernel (which may or may not be desired; depending on use-case), and it uses the same authentication scheme as for the OS loader. It would would on both Tianocore and U-Boot UEFI implementations. The dtb toolchain could be modified to use a stock wrapper. The same technique could even be used to load and apply dtb overlays. Downside is the wrapper would be architecture dependent
I think option 1 is pretty close to the approach used by stub, and I suspect it fits better into the deployment scenarios that would want to ship a DTB with the kernel. I would go down that path.
In either case, I'm now leaning toward the opinion that calling install_configuration_table() to change the dtb is the right thing to do. The DTB still gets exposed to the kernel in the same way, and it provides the option of firmware applying updates (ie. kernel command line) to the new dtb at ExitBootServices() time. It also acknowledges that the DTB used to boot the kernel isn't always the DTB used internally by U-Boot.
Thanks /Ilias _______________________________________________ boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
Hi Grant,
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader (possibly the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this scenario, U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the os loader can use load_image to authenticate and retrieve the data without actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel.
I asked around on this prior to the email, but i think it boils down to "UEFI is intended to authenticate bootable images for the platform", so i doubt this will be allowed.
Thanks /Ilias
On Fri, 31 May 2019 at 19:25, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Grant,
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader (possibly the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this scenario, U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the os loader can use load_image to authenticate and retrieve the data without actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel.
I asked around on this prior to the email, but i think it boils down to "UEFI is intended to authenticate bootable images for the platform", so i doubt this will be allowed.
The point I raised when we discussed this is that UEFI is an interface between the firmware and the OS, and it is up to the firmware to *provide* the DT not the other way around.
Whether the firmware reuses some of the existing machinery if it chooses to load the DT it provides from an arbitrary file on the file system is an implementation detail, and shouldn't be part of how we design the interface. The more we standardize this and the more we make it similar to how the OS loader is authenticated, the more likely it becomes that it will be relied upon for DTs that are bundled with the OS, which is a practice we are trying very hard to move away from.
Hi Ard,
On Fri, 31 May 2019 at 13:35, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Fri, 31 May 2019 at 19:25, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Grant,
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader
(possibly
the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this
scenario,
U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the
os
loader can use load_image to authenticate and retrieve the data without actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel.
I asked around on this prior to the email, but i think it boils down to "UEFI is intended to authenticate bootable images for the platform", so
i doubt
this will be allowed.
The point I raised when we discussed this is that UEFI is an interface between the firmware and the OS, and it is up to the firmware to *provide* the DT not the other way around.
Whether the firmware reuses some of the existing machinery if it chooses to load the DT it provides from an arbitrary file on the file system is an implementation detail, and shouldn't be part of how we design the interface. The more we standardize this and the more we make it similar to how the OS loader is authenticated, the more likely it becomes that it will be relied upon for DTs that are bundled with the OS, which is a practice we are trying very hard to move away from.
I have the impression that OS provided DT is a bad solution to a real problem: There should be a Firmware hardware environment (what to initialize, use...) and a OS hardware environment. Both should be signed, and controlled by the firmware. So I would try to find a way to supply firmware with two DTs, or more likely one DT and one OS overlay (if overlays can remove some hardware).
boot-architecture mailing list boot-architecture@lists.linaro.org https://lists.linaro.org/mailman/listinfo/boot-architecture
On Tue, 4 Jun 2019 at 15:44, Francois Ozog francois.ozog@linaro.org wrote:
Hi Ard,
On Fri, 31 May 2019 at 13:35, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Fri, 31 May 2019 at 19:25, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Grant,
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader
(possibly
the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this
scenario,
U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the
os
loader can use load_image to authenticate and retrieve the data
without
actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel.
I asked around on this prior to the email, but i think it boils down to "UEFI is intended to authenticate bootable images for the platform", so
i doubt
this will be allowed.
The point I raised when we discussed this is that UEFI is an interface between the firmware and the OS, and it is up to the firmware to *provide* the DT not the other way around.
Whether the firmware reuses some of the existing machinery if it chooses to load the DT it provides from an arbitrary file on the file system is an implementation detail, and shouldn't be part of how we design the interface. The more we standardize this and the more we make it similar to how the OS loader is authenticated, the more likely it becomes that it will be relied upon for DTs that are bundled with the OS, which is a practice we are trying very hard to move away from.
I have the impression that OS provided DT is a bad solution to a real problem: There should be a Firmware hardware environment (what to initialize, use...) and a OS hardware environment. Both should be signed, and controlled by the firmware. So I would try to find a way to supply firmware with two DTs, or more likely one DT and one OS overlay (if overlays can remove some hardware).
If the OS provides a DT to itself, what is the point of pretending that it has been authenticated to the firmware?
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 15:44, Francois Ozog francois.ozog@linaro.org wrote:
Hi Ard,
On Fri, 31 May 2019 at 13:35, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Fri, 31 May 2019 at 19:25, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Grant,
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader
(possibly
the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this
scenario,
U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that
the os
loader can use load_image to authenticate and retrieve the data
without
actually executing the image. That would allow for the DTB & initrd
to
be authenticated in the same way as the kernel.
I asked around on this prior to the email, but i think it boils down to "UEFI is intended to authenticate bootable images for the platform",
so i doubt
this will be allowed.
The point I raised when we discussed this is that UEFI is an interface between the firmware and the OS, and it is up to the firmware to *provide* the DT not the other way around.
Whether the firmware reuses some of the existing machinery if it chooses to load the DT it provides from an arbitrary file on the file system is an implementation detail, and shouldn't be part of how we design the interface. The more we standardize this and the more we make it similar to how the OS loader is authenticated, the more likely it becomes that it will be relied upon for DTs that are bundled with the OS, which is a practice we are trying very hard to move away from.
I have the impression that OS provided DT is a bad solution to a real problem: There should be a Firmware hardware environment (what to initialize, use...) and a OS hardware environment. Both should be signed, and controlled by the firmware. So I would try to find a way to supply firmware with two DTs, or more likely one DT and one OS overlay (if overlays can remove some hardware).
If the OS provides a DT to itself, what is the point of pretending that it has been authenticated to the firmware?
Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer only.
On Tue, 4 Jun 2019 at 15:55, Francois Ozog francois.ozog@linaro.org wrote:
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 15:44, Francois Ozog francois.ozog@linaro.org wrote:
Hi Ard,
On Fri, 31 May 2019 at 13:35, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Fri, 31 May 2019 at 19:25, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Grant,
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader
(possibly
the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this
scenario,
U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the
initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that
the os
loader can use load_image to authenticate and retrieve the data
without
actually executing the image. That would allow for the DTB & initrd
to
be authenticated in the same way as the kernel.
I asked around on this prior to the email, but i think it boils down
to
"UEFI is intended to authenticate bootable images for the platform",
so i doubt
this will be allowed.
The point I raised when we discussed this is that UEFI is an interface between the firmware and the OS, and it is up to the firmware to *provide* the DT not the other way around.
Whether the firmware reuses some of the existing machinery if it chooses to load the DT it provides from an arbitrary file on the file system is an implementation detail, and shouldn't be part of how we design the interface. The more we standardize this and the more we make it similar to how the OS loader is authenticated, the more likely it becomes that it will be relied upon for DTs that are bundled with the OS, which is a practice we are trying very hard to move away from.
I have the impression that OS provided DT is a bad solution to a real problem: There should be a Firmware hardware environment (what to initialize, use...) and a OS hardware environment. Both should be signed, and controlled by the firmware. So I would try to find a way to supply firmware with two DTs, or more likely one DT and one OS overlay (if overlays can remove some hardware).
If the OS provides a DT to itself, what is the point of pretending that it has been authenticated to the firmware?
Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer only.
But my point remains the same. If we are accommodating a model where the DT is shipped with the OS, the OS can deal with authenticating the DTB files. If the firmware provides the DT, it is a firmware implementation detail how and where it keeps the DTB files internally, as long as it uses the official way (i.e., via a UEFI config table) to expose the DT to the OS.
Rolling all of this into secure boot support (which deals with authenticating OS components/loaders to the firmware) is something we should avoid.
On Tue, 4 Jun 2019 at 10:00, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 15:55, Francois Ozog francois.ozog@linaro.org wrote:
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 15:44, Francois Ozog francois.ozog@linaro.org wrote:
Hi Ard,
On Fri, 31 May 2019 at 13:35, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Fri, 31 May 2019 at 19:25, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Grant, > I see two ways to handle this that fits with the Secure Boot > authentication path: > > Option 1: Leave it to the OS loader > We could simply say that if the OS wants to replace the DTB, then
it
> should take care of authentication itself within the OS loader
(possibly
> the in-kernel UEFI stub) and install a replacement DTB in the > configuration table before calling exit boot services. In this
scenario,
> U-Boot doesn't authenticate the DTB at all. > > In fact, Option 1 is pretty close to what is required for the
initrd.
> > I wonder if it is possible to wrap the DTB with a PE/COFF so that
the os
> loader can use load_image to authenticate and retrieve the data
without
> actually executing the image. That would allow for the DTB &
initrd to
> be authenticated in the same way as the kernel. I asked around on this prior to the email, but i think it boils down
to
"UEFI is intended to authenticate bootable images for the platform",
so i doubt
this will be allowed.
The point I raised when we discussed this is that UEFI is an interface between the firmware and the OS, and it is up to the firmware to *provide* the DT not the other way around.
Whether the firmware reuses some of the existing machinery if it chooses to load the DT it provides from an arbitrary file on the file system is an implementation detail, and shouldn't be part of how we design the interface. The more we standardize this and the more we make it similar to how the OS loader is authenticated, the more likely it becomes that it will be relied upon for DTs that are bundled with the OS, which is a practice we are trying very hard to move away from.
I have the impression that OS provided DT is a bad solution to a real problem: There should be a Firmware hardware environment (what to initialize, use...) and a OS hardware environment. Both should be signed, and controlled by the firmware. So I would try to find a way to supply firmware with two DTs, or more likely one DT and one OS overlay (if overlays can remove some hardware).
If the OS provides a DT to itself, what is the point of pretending that it has been authenticated to the firmware?
Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer only.
But my point remains the same. If we are accommodating a model where the DT is shipped with the OS, the OS can deal with authenticating the DTB files. If the firmware provides the DT, it is a firmware implementation detail how and where it keeps the DTB files internally, as long as it uses the official way (i.e., via a UEFI config table) to expose the DT to the OS.
Rolling all of this into secure boot support (which deals with authenticating OS components/loaders to the firmware) is something we should avoid.
Agreed. There is no such a thing as an OS provided ACPI table.... yet we
allow that for DT... strange isn't it? So as a reference platform we can say that an OS provided DT is NOT part of the picture. Yet if a vendor still wants to do it, it will be able to. We just don't care.
Now, in the context of standard OTA across SoCs, what shall be standardized to support the two DTs (for firmware execution and for OS execution). Are we considering UBoot firmware as a "blob" that embeds those two DTs? Might be good enough.
On 6/4/19 3:55 PM, Francois Ozog wrote:
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 15:44, Francois Ozog francois.ozog@linaro.org wrote:
Hi Ard,
On Fri, 31 May 2019 at 13:35, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Fri, 31 May 2019 at 19:25, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Grant,
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader
(possibly
the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this
scenario,
U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that
the os
loader can use load_image to authenticate and retrieve the data
without
actually executing the image. That would allow for the DTB & initrd
to
be authenticated in the same way as the kernel.
I asked around on this prior to the email, but i think it boils down to "UEFI is intended to authenticate bootable images for the platform",
so i doubt
this will be allowed.
The point I raised when we discussed this is that UEFI is an interface between the firmware and the OS, and it is up to the firmware to *provide* the DT not the other way around.
Whether the firmware reuses some of the existing machinery if it chooses to load the DT it provides from an arbitrary file on the file system is an implementation detail, and shouldn't be part of how we design the interface. The more we standardize this and the more we make it similar to how the OS loader is authenticated, the more likely it becomes that it will be relied upon for DTs that are bundled with the OS, which is a practice we are trying very hard to move away from.
I have the impression that OS provided DT is a bad solution to a real problem: There should be a Firmware hardware environment (what to initialize, use...) and a OS hardware environment. Both should be signed, and controlled by the firmware. So I would try to find a way to supply firmware with two DTs, or more likely one DT and one OS overlay (if overlays can remove some hardware).
If the OS provides a DT to itself, what is the point of pretending that it has been authenticated to the firmware?
Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer only.
In a perfect world firmware would provide the authoritative source of the device tree. The current situation has device trees developed in the context of Linux and U-Boot picking them up. U-Boot is lagging far behind Linux. Whenever I wanted to change a device tree in U-Boot I was told to first get that change into Linux. I see no commitment to change this process.
Device-trees are provided by U-Boot to Linux as UEFI configuration tables. If a device-tree is malicious it may lead to the destruction of hardware. So whatever U-Boot provides as a device-tree to Linux should be validated.
Best regards
Heinrich
On Tue, 4 Jun 2019 at 16:17, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 3:55 PM, Francois Ozog wrote:
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 15:44, Francois Ozog francois.ozog@linaro.org wrote:
Hi Ard,
On Fri, 31 May 2019 at 13:35, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Fri, 31 May 2019 at 19:25, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Grant, > I see two ways to handle this that fits with the Secure Boot > authentication path: > > Option 1: Leave it to the OS loader > We could simply say that if the OS wants to replace the DTB, then it > should take care of authentication itself within the OS loader
(possibly
> the in-kernel UEFI stub) and install a replacement DTB in the > configuration table before calling exit boot services. In this
scenario,
> U-Boot doesn't authenticate the DTB at all. > > In fact, Option 1 is pretty close to what is required for the initrd. > > I wonder if it is possible to wrap the DTB with a PE/COFF so that
the os
> loader can use load_image to authenticate and retrieve the data
without
> actually executing the image. That would allow for the DTB & initrd
to
> be authenticated in the same way as the kernel. I asked around on this prior to the email, but i think it boils down to "UEFI is intended to authenticate bootable images for the platform",
so i doubt
this will be allowed.
The point I raised when we discussed this is that UEFI is an interface between the firmware and the OS, and it is up to the firmware to *provide* the DT not the other way around.
Whether the firmware reuses some of the existing machinery if it chooses to load the DT it provides from an arbitrary file on the file system is an implementation detail, and shouldn't be part of how we design the interface. The more we standardize this and the more we make it similar to how the OS loader is authenticated, the more likely it becomes that it will be relied upon for DTs that are bundled with the OS, which is a practice we are trying very hard to move away from.
I have the impression that OS provided DT is a bad solution to a real problem: There should be a Firmware hardware environment (what to initialize, use...) and a OS hardware environment. Both should be signed, and controlled by the firmware. So I would try to find a way to supply firmware with two DTs, or more likely one DT and one OS overlay (if overlays can remove some hardware).
If the OS provides a DT to itself, what is the point of pretending that it has been authenticated to the firmware?
Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer only.
In a perfect world firmware would provide the authoritative source of the device tree. The current situation has device trees developed in the context of Linux and U-Boot picking them up. U-Boot is lagging far behind Linux. Whenever I wanted to change a device tree in U-Boot I was told to first get that change into Linux. I see no commitment to change this process.
Device-trees are provided by U-Boot to Linux as UEFI configuration tables. If a device-tree is malicious it may lead to the destruction of hardware. So whatever U-Boot provides as a device-tree to Linux should be validated.
Of course. But that does not mean it should be the job of UEFI secure boot to do so.
On 6/4/19 4:20 PM, Ard Biesheuvel wrote:
On Tue, 4 Jun 2019 at 16:17, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 3:55 PM, Francois Ozog wrote:
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 15:44, Francois Ozog francois.ozog@linaro.org wrote:
Hi Ard,
On Fri, 31 May 2019 at 13:35, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Fri, 31 May 2019 at 19:25, Ilias Apalodimas ilias.apalodimas@linaro.org wrote: > > Hi Grant, >> I see two ways to handle this that fits with the Secure Boot >> authentication path: >> >> Option 1: Leave it to the OS loader >> We could simply say that if the OS wants to replace the DTB, then it >> should take care of authentication itself within the OS loader (possibly >> the in-kernel UEFI stub) and install a replacement DTB in the >> configuration table before calling exit boot services. In this scenario, >> U-Boot doesn't authenticate the DTB at all. >> >> In fact, Option 1 is pretty close to what is required for the initrd. >> >> I wonder if it is possible to wrap the DTB with a PE/COFF so that the os >> loader can use load_image to authenticate and retrieve the data without >> actually executing the image. That would allow for the DTB & initrd to >> be authenticated in the same way as the kernel. > I asked around on this prior to the email, but i think it boils down to > "UEFI is intended to authenticate bootable images for the platform", so i doubt > this will be allowed. >
The point I raised when we discussed this is that UEFI is an interface between the firmware and the OS, and it is up to the firmware to *provide* the DT not the other way around.
Whether the firmware reuses some of the existing machinery if it chooses to load the DT it provides from an arbitrary file on the file system is an implementation detail, and shouldn't be part of how we design the interface. The more we standardize this and the more we make it similar to how the OS loader is authenticated, the more likely it becomes that it will be relied upon for DTs that are bundled with the OS, which is a practice we are trying very hard to move away from.
I have the impression that OS provided DT is a bad solution to a real problem: There should be a Firmware hardware environment (what to initialize, use...) and a OS hardware environment. Both should be signed, and controlled by the firmware. So I would try to find a way to supply firmware with two DTs, or more likely one DT and one OS overlay (if overlays can remove some hardware).
If the OS provides a DT to itself, what is the point of pretending that it has been authenticated to the firmware?
Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer only.
In a perfect world firmware would provide the authoritative source of the device tree. The current situation has device trees developed in the context of Linux and U-Boot picking them up. U-Boot is lagging far behind Linux. Whenever I wanted to change a device tree in U-Boot I was told to first get that change into Linux. I see no commitment to change this process.
Device-trees are provided by U-Boot to Linux as UEFI configuration tables. If a device-tree is malicious it may lead to the destruction of hardware. So whatever U-Boot provides as a device-tree to Linux should be validated.
Of course. But that does not mean it should be the job of UEFI secure boot to do so.
For me validating the device-tree means that U-Boot checks a signature added to the device-tree. It is just the same type ofprocess as the one we will do in UEFI secure boot when loading an application like GRUB or Linux.
Verification of the device tree is a necessary part of secure booting. But as it is not in the UEFI spec up to now you may be inclined not to call it "UEFI" secure boot.
Best regards
Heinrich
On Tue, 4 Jun 2019 at 16:29, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 4:20 PM, Ard Biesheuvel wrote:
On Tue, 4 Jun 2019 at 16:17, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 3:55 PM, Francois Ozog wrote:
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 15:44, Francois Ozog francois.ozog@linaro.org wrote:
Hi Ard,
On Fri, 31 May 2019 at 13:35, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas > ilias.apalodimas@linaro.org wrote: >> >> Hi Grant, >>> I see two ways to handle this that fits with the Secure Boot >>> authentication path: >>> >>> Option 1: Leave it to the OS loader >>> We could simply say that if the OS wants to replace the DTB, then it >>> should take care of authentication itself within the OS loader > (possibly >>> the in-kernel UEFI stub) and install a replacement DTB in the >>> configuration table before calling exit boot services. In this > scenario, >>> U-Boot doesn't authenticate the DTB at all. >>> >>> In fact, Option 1 is pretty close to what is required for the initrd. >>> >>> I wonder if it is possible to wrap the DTB with a PE/COFF so that > the os >>> loader can use load_image to authenticate and retrieve the data > without >>> actually executing the image. That would allow for the DTB & initrd > to >>> be authenticated in the same way as the kernel. >> I asked around on this prior to the email, but i think it boils down to >> "UEFI is intended to authenticate bootable images for the platform", > so i doubt >> this will be allowed. >> > > The point I raised when we discussed this is that UEFI is an interface > between the firmware and the OS, and it is up to the firmware to > *provide* the DT not the other way around. > > Whether the firmware reuses some of the existing machinery if it > chooses to load the DT it provides from an arbitrary file on the file > system is an implementation detail, and shouldn't be part of how we > design the interface. The more we standardize this and the more we > make it similar to how the OS loader is authenticated, the more likely > it becomes that it will be relied upon for DTs that are bundled with > the OS, which is a practice we are trying very hard to move away from. >
I have the impression that OS provided DT is a bad solution to a real problem: There should be a Firmware hardware environment (what to initialize, use...) and a OS hardware environment. Both should be signed, and controlled by the firmware. So I would try to find a way to supply firmware with two DTs, or more likely one DT and one OS overlay (if overlays can remove some hardware).
If the OS provides a DT to itself, what is the point of pretending that it has been authenticated to the firmware?
Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer only.
In a perfect world firmware would provide the authoritative source of the device tree. The current situation has device trees developed in the context of Linux and U-Boot picking them up. U-Boot is lagging far behind Linux. Whenever I wanted to change a device tree in U-Boot I was told to first get that change into Linux. I see no commitment to change this process.
Device-trees are provided by U-Boot to Linux as UEFI configuration tables. If a device-tree is malicious it may lead to the destruction of hardware. So whatever U-Boot provides as a device-tree to Linux should be validated.
Of course. But that does not mean it should be the job of UEFI secure boot to do so.
For me validating the device-tree means that U-Boot checks a signature added to the device-tree. It is just the same type ofprocess as the one we will do in UEFI secure boot when loading an application like GRUB or Linux.
Even if we use the same algorithms to authenticate a DT as we use to authenticate parts of the OS, conflating the two is a dangerous and slippery slope. The industry today expresses a strong preference towards putting all the security eggs in a single basket, and make Microsoft the owner of all keys relating to secure boot.
This means that if we standardize secure boot as the means to authenticate DT to the firmware, this may lead to a situation where I can load a DT for a different but similar SoC into my system (given that they are all signed by Microsoft), and possibly circumvent security features since the GPIOs are not wired the same.
So now we have two classes of images, platform and OS. Do we add separate keyrings? Do we add metadata? What else do we need to add beyond what the UEFI spec defines to support this model?
Verification of the device tree is a necessary part of secure booting. But as it is not in the UEFI spec up to now you may be inclined not to call it "UEFI" secure boot.
In my opinion, we should leave it up to the platform to solve this, and not standardize it in the context of UEFI. If u-boot wants to load DT from a file and authenticate it, that is perfectly fine, but don't conflate it with authenticating the OS.
On 6/4/19 4:37 PM, Ard Biesheuvel wrote:
On Tue, 4 Jun 2019 at 16:29, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 4:20 PM, Ard Biesheuvel wrote:
On Tue, 4 Jun 2019 at 16:17, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 3:55 PM, Francois Ozog wrote:
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 15:44, Francois Ozog francois.ozog@linaro.org wrote:
> Hi Ard, > > On Fri, 31 May 2019 at 13:35, Ard Biesheuvel ard.biesheuvel@linaro.org > wrote: > >> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas >> ilias.apalodimas@linaro.org wrote: >>> >>> Hi Grant, >>>> I see two ways to handle this that fits with the Secure Boot >>>> authentication path: >>>> >>>> Option 1: Leave it to the OS loader >>>> We could simply say that if the OS wants to replace the DTB, then it >>>> should take care of authentication itself within the OS loader >> (possibly >>>> the in-kernel UEFI stub) and install a replacement DTB in the >>>> configuration table before calling exit boot services. In this >> scenario, >>>> U-Boot doesn't authenticate the DTB at all. >>>> >>>> In fact, Option 1 is pretty close to what is required for the initrd. >>>> >>>> I wonder if it is possible to wrap the DTB with a PE/COFF so that >> the os >>>> loader can use load_image to authenticate and retrieve the data >> without >>>> actually executing the image. That would allow for the DTB & initrd >> to >>>> be authenticated in the same way as the kernel. >>> I asked around on this prior to the email, but i think it boils down to >>> "UEFI is intended to authenticate bootable images for the platform", >> so i doubt >>> this will be allowed. >>> >> >> The point I raised when we discussed this is that UEFI is an interface >> between the firmware and the OS, and it is up to the firmware to >> *provide* the DT not the other way around. >> >> Whether the firmware reuses some of the existing machinery if it >> chooses to load the DT it provides from an arbitrary file on the file >> system is an implementation detail, and shouldn't be part of how we >> design the interface. The more we standardize this and the more we >> make it similar to how the OS loader is authenticated, the more likely >> it becomes that it will be relied upon for DTs that are bundled with >> the OS, which is a practice we are trying very hard to move away from. >> > > I have the impression that OS provided DT is a bad solution to a real > problem: > There should be a Firmware hardware environment (what to initialize, > use...) and a OS hardware environment. > Both should be signed, and controlled by the firmware. > So I would try to find a way to supply firmware with two DTs, or more > likely one DT and one OS overlay (if overlays can remove some hardware). > >
If the OS provides a DT to itself, what is the point of pretending that it has been authenticated to the firmware?
Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer only.
In a perfect world firmware would provide the authoritative source of the device tree. The current situation has device trees developed in the context of Linux and U-Boot picking them up. U-Boot is lagging far behind Linux. Whenever I wanted to change a device tree in U-Boot I was told to first get that change into Linux. I see no commitment to change this process.
Device-trees are provided by U-Boot to Linux as UEFI configuration tables. If a device-tree is malicious it may lead to the destruction of hardware. So whatever U-Boot provides as a device-tree to Linux should be validated.
Of course. But that does not mean it should be the job of UEFI secure boot to do so.
For me validating the device-tree means that U-Boot checks a signature added to the device-tree. It is just the same type ofprocess as the one we will do in UEFI secure boot when loading an application like GRUB or Linux.
Even if we use the same algorithms to authenticate a DT as we use to authenticate parts of the OS, conflating the two is a dangerous and slippery slope. The industry today expresses a strong preference towards putting all the security eggs in a single basket, and make Microsoft the owner of all keys relating to secure boot.
This means that if we standardize secure boot as the means to authenticate DT to the firmware, this may lead to a situation where I can load a DT for a different but similar SoC into my system (given that they are all signed by Microsoft), and possibly circumvent security features since the GPIOs are not wired the same.
You are a making a very valid point here. A Linux distribution typically comes with dozens of device trees. Currently U-Boot uses the filename to identify which is the correct device tree. And then Linux trusts the firmware to have made the right choice.
So in a process to validate external device trees there would be some content element (e.g. the model property) needed to be checked by the firmware besides a signature.
Regards
Heinrich
So now we have two classes of images, platform and OS. Do we add separate keyrings? Do we add metadata? What else do we need to add beyond what the UEFI spec defines to support this model?
Verification of the device tree is a necessary part of secure booting. But as it is not in the UEFI spec up to now you may be inclined not to call it "UEFI" secure boot.
In my opinion, we should leave it up to the platform to solve this, and not standardize it in the context of UEFI. If u-boot wants to load DT from a file and authenticate it, that is perfectly fine, but don't conflate it with authenticating the OS.
On Tue, 4 Jun 2019 at 10:37, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 16:29, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 4:20 PM, Ard Biesheuvel wrote:
On Tue, 4 Jun 2019 at 16:17, Heinrich Schuchardt xypron.glpk@gmx.de
wrote:
On 6/4/19 3:55 PM, Francois Ozog wrote:
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel <
ard.biesheuvel@linaro.org>
wrote:
On Tue, 4 Jun 2019 at 15:44, Francois Ozog <
francois.ozog@linaro.org>
wrote:
> Hi Ard, > > On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
ard.biesheuvel@linaro.org>
> wrote: > >> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas >> ilias.apalodimas@linaro.org wrote: >>> >>> Hi Grant, >>>> I see two ways to handle this that fits with the Secure Boot >>>> authentication path: >>>> >>>> Option 1: Leave it to the OS loader >>>> We could simply say that if the OS wants to replace the DTB,
then it
>>>> should take care of authentication itself within the OS loader >> (possibly >>>> the in-kernel UEFI stub) and install a replacement DTB in the >>>> configuration table before calling exit boot services. In this >> scenario, >>>> U-Boot doesn't authenticate the DTB at all. >>>> >>>> In fact, Option 1 is pretty close to what is required for the
initrd.
>>>> >>>> I wonder if it is possible to wrap the DTB with a PE/COFF so
that
>> the os >>>> loader can use load_image to authenticate and retrieve the data >> without >>>> actually executing the image. That would allow for the DTB &
initrd
>> to >>>> be authenticated in the same way as the kernel. >>> I asked around on this prior to the email, but i think it boils
down to
>>> "UEFI is intended to authenticate bootable images for the
platform",
>> so i doubt >>> this will be allowed. >>> >> >> The point I raised when we discussed this is that UEFI is an
interface
>> between the firmware and the OS, and it is up to the firmware to >> *provide* the DT not the other way around. >> >> Whether the firmware reuses some of the existing machinery if it >> chooses to load the DT it provides from an arbitrary file on the
file
>> system is an implementation detail, and shouldn't be part of how
we
>> design the interface. The more we standardize this and the more we >> make it similar to how the OS loader is authenticated, the more
likely
>> it becomes that it will be relied upon for DTs that are bundled
with
>> the OS, which is a practice we are trying very hard to move away
from.
>> > > I have the impression that OS provided DT is a bad solution to a
real
> problem: > There should be a Firmware hardware environment (what to
initialize,
> use...) and a OS hardware environment. > Both should be signed, and controlled by the firmware. > So I would try to find a way to supply firmware with two DTs, or
more
> likely one DT and one OS overlay (if overlays can remove some
hardware).
> >
If the OS provides a DT to itself, what is the point of pretending
that it
has been authenticated to the firmware?
Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer
only.
In a perfect world firmware would provide the authoritative source of the device tree. The current situation has device trees developed in
the
context of Linux and U-Boot picking them up. U-Boot is lagging far behind Linux. Whenever I wanted to change a device tree in U-Boot I
was
told to first get that change into Linux. I see no commitment to
change
this process.
Device-trees are provided by U-Boot to Linux as UEFI configuration tables. If a device-tree is malicious it may lead to the destruction
of
hardware. So whatever U-Boot provides as a device-tree to Linux should be validated.
Of course. But that does not mean it should be the job of UEFI secure boot to do so.
For me validating the device-tree means that U-Boot checks a signature added to the device-tree. It is just the same type ofprocess as the one we will do in UEFI secure boot when loading an application like GRUB or Linux.
Even if we use the same algorithms to authenticate a DT as we use to authenticate parts of the OS, conflating the two is a dangerous and slippery slope. The industry today expresses a strong preference towards putting all the security eggs in a single basket, and make Microsoft the owner of all keys relating to secure boot.
Aren't we talking about Arm systems that do not need Microsoft keys?
This means that if we standardize secure boot as the means to
authenticate DT to the firmware, this may lead to a situation where I can load a DT for a different but similar SoC into my system (given that they are all signed by Microsoft), and possibly circumvent security features since the GPIOs are not wired the same.
So now we have two classes of images, platform and OS. Do we add separate keyrings? Do we add metadata? What else do we need to add beyond what the UEFI spec defines to support this model?
EL3 software (trustedfirmware for instance) validates untrusted firmware,
and probably DTs. Or is U-Boot a consummer of TF provided DT? Does U-Boot provide a DT to OS? I had a discussion with Loic from ST (added) that he sees multiple keys for different parts of the boot.
Verification of the device tree is a necessary part of secure booting.
But as it is not in the UEFI spec up to now you may be inclined not to call it "UEFI" secure boot.
In my opinion, we should leave it up to the platform to solve this, and not standardize it in the context of UEFI. If u-boot wants to load DT from a file and authenticate it, that is perfectly fine, but don't conflate it with authenticating the OS.
On Tue, 4 Jun 2019 at 16:52, Francois Ozog francois.ozog@linaro.org wrote:
On Tue, 4 Jun 2019 at 10:37, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 16:29, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 4:20 PM, Ard Biesheuvel wrote:
On Tue, 4 Jun 2019 at 16:17, Heinrich Schuchardt xypron.glpk@gmx.de
wrote:
On 6/4/19 3:55 PM, Francois Ozog wrote:
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel <
ard.biesheuvel@linaro.org>
wrote:
> > > On Tue, 4 Jun 2019 at 15:44, Francois Ozog <
francois.ozog@linaro.org>
> wrote: > >> Hi Ard, >> >> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
ard.biesheuvel@linaro.org>
>> wrote: >> >>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas >>> ilias.apalodimas@linaro.org wrote: >>>> >>>> Hi Grant, >>>>> I see two ways to handle this that fits with the Secure Boot >>>>> authentication path: >>>>> >>>>> Option 1: Leave it to the OS loader >>>>> We could simply say that if the OS wants to replace the DTB,
then it
>>>>> should take care of authentication itself within the OS loader >>> (possibly >>>>> the in-kernel UEFI stub) and install a replacement DTB in the >>>>> configuration table before calling exit boot services. In this >>> scenario, >>>>> U-Boot doesn't authenticate the DTB at all. >>>>> >>>>> In fact, Option 1 is pretty close to what is required for the
initrd.
>>>>> >>>>> I wonder if it is possible to wrap the DTB with a PE/COFF so
that
>>> the os >>>>> loader can use load_image to authenticate and retrieve the data >>> without >>>>> actually executing the image. That would allow for the DTB &
initrd
>>> to >>>>> be authenticated in the same way as the kernel. >>>> I asked around on this prior to the email, but i think it boils
down to
>>>> "UEFI is intended to authenticate bootable images for the
platform",
>>> so i doubt >>>> this will be allowed. >>>> >>> >>> The point I raised when we discussed this is that UEFI is an
interface
>>> between the firmware and the OS, and it is up to the firmware to >>> *provide* the DT not the other way around. >>> >>> Whether the firmware reuses some of the existing machinery if it >>> chooses to load the DT it provides from an arbitrary file on the
file
>>> system is an implementation detail, and shouldn't be part of how
we
>>> design the interface. The more we standardize this and the more
we
>>> make it similar to how the OS loader is authenticated, the more
likely
>>> it becomes that it will be relied upon for DTs that are bundled
with
>>> the OS, which is a practice we are trying very hard to move away
from.
>>> >> >> I have the impression that OS provided DT is a bad solution to a
real
>> problem: >> There should be a Firmware hardware environment (what to
initialize,
>> use...) and a OS hardware environment. >> Both should be signed, and controlled by the firmware. >> So I would try to find a way to supply firmware with two DTs, or
more
>> likely one DT and one OS overlay (if overlays can remove some
hardware).
>> >> > > If the OS provides a DT to itself, what is the point of pretending
that it
> has been authenticated to the firmware? > Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer
only.
In a perfect world firmware would provide the authoritative source of the device tree. The current situation has device trees developed in
the
context of Linux and U-Boot picking them up. U-Boot is lagging far behind Linux. Whenever I wanted to change a device tree in U-Boot I
was
told to first get that change into Linux. I see no commitment to
change
this process.
Device-trees are provided by U-Boot to Linux as UEFI configuration tables. If a device-tree is malicious it may lead to the destruction
of
hardware. So whatever U-Boot provides as a device-tree to Linux
should
be validated.
Of course. But that does not mean it should be the job of UEFI secure boot to do so.
For me validating the device-tree means that U-Boot checks a signature added to the device-tree. It is just the same type ofprocess as the one we will do in UEFI secure boot when loading an application like GRUB or Linux.
Even if we use the same algorithms to authenticate a DT as we use to authenticate parts of the OS, conflating the two is a dangerous and slippery slope. The industry today expresses a strong preference towards putting all the security eggs in a single basket, and make Microsoft the owner of all keys relating to secure boot.
Aren't we talking about Arm systems that do not need Microsoft keys?
Yes, we are. And this is a battle I have been fighting for years, but the distros as well as the silicon vendors are only interested in Microsoft owning all the secure boot signing keys, as they do on x86.
This means that if we standardize secure boot as the means to
authenticate DT to the firmware, this may lead to a situation where I can load a DT for a different but similar SoC into my system (given that they are all signed by Microsoft), and possibly circumvent security features since the GPIOs are not wired the same.
So now we have two classes of images, platform and OS. Do we add separate keyrings? Do we add metadata? What else do we need to add beyond what the UEFI spec defines to support this model?
EL3 software (trustedfirmware for instance) validates untrusted firmware,
and probably DTs. Or is U-Boot a consummer of TF provided DT? Does U-Boot provide a DT to OS? I had a discussion with Loic from ST (added) that he sees multiple keys for different parts of the boot.
Yes, that makes sense. But the problem is that UEFI secure boot does not support this model. An image is considered valid if it authenticates against any of the keys in db. And any key in KEK can sign updates to db and dbx. And today's current practice is to include Microsoft keys in both KEK and db.
I have argued time and time again that this is entirely broken as a security model. Any db update that Microsoft has ever signed can be applied to my brand new arm64 system (unless it has been blacklisted explicitly, and my vendor has bothered to ship with an up to date dbt)
I am perfectly happen to reopen that debate as well, by the way :-)
On Tue, 4 Jun 2019 at 10:57, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 16:52, Francois Ozog francois.ozog@linaro.org wrote:
On Tue, 4 Jun 2019 at 10:37, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 16:29, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 4:20 PM, Ard Biesheuvel wrote:
On Tue, 4 Jun 2019 at 16:17, Heinrich Schuchardt xypron.glpk@gmx.de
wrote:
On 6/4/19 3:55 PM, Francois Ozog wrote: > On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel <
ard.biesheuvel@linaro.org>
> wrote: > >> >> >> On Tue, 4 Jun 2019 at 15:44, Francois Ozog <
francois.ozog@linaro.org>
>> wrote: >> >>> Hi Ard, >>> >>> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
ard.biesheuvel@linaro.org>
>>> wrote: >>> >>>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas >>>> ilias.apalodimas@linaro.org wrote: >>>>> >>>>> Hi Grant, >>>>>> I see two ways to handle this that fits with the Secure Boot >>>>>> authentication path: >>>>>> >>>>>> Option 1: Leave it to the OS loader >>>>>> We could simply say that if the OS wants to replace the DTB,
then it
>>>>>> should take care of authentication itself within the OS loader >>>> (possibly >>>>>> the in-kernel UEFI stub) and install a replacement DTB in the >>>>>> configuration table before calling exit boot services. In this >>>> scenario, >>>>>> U-Boot doesn't authenticate the DTB at all. >>>>>> >>>>>> In fact, Option 1 is pretty close to what is required for the
initrd.
>>>>>> >>>>>> I wonder if it is possible to wrap the DTB with a PE/COFF so
that
>>>> the os >>>>>> loader can use load_image to authenticate and retrieve the
data
>>>> without >>>>>> actually executing the image. That would allow for the DTB &
initrd
>>>> to >>>>>> be authenticated in the same way as the kernel. >>>>> I asked around on this prior to the email, but i think it
boils down to
>>>>> "UEFI is intended to authenticate bootable images for the
platform",
>>>> so i doubt >>>>> this will be allowed. >>>>> >>>> >>>> The point I raised when we discussed this is that UEFI is an
interface
>>>> between the firmware and the OS, and it is up to the firmware to >>>> *provide* the DT not the other way around. >>>> >>>> Whether the firmware reuses some of the existing machinery if it >>>> chooses to load the DT it provides from an arbitrary file on
the file
>>>> system is an implementation detail, and shouldn't be part of
how we
>>>> design the interface. The more we standardize this and the more
we
>>>> make it similar to how the OS loader is authenticated, the more
likely
>>>> it becomes that it will be relied upon for DTs that are bundled
with
>>>> the OS, which is a practice we are trying very hard to move
away from.
>>>> >>> >>> I have the impression that OS provided DT is a bad solution to a
real
>>> problem: >>> There should be a Firmware hardware environment (what to
initialize,
>>> use...) and a OS hardware environment. >>> Both should be signed, and controlled by the firmware. >>> So I would try to find a way to supply firmware with two DTs, or
more
>>> likely one DT and one OS overlay (if overlays can remove some
hardware).
>>> >>> >> >> If the OS provides a DT to itself, what is the point of
pretending that it
>> has been authenticated to the firmware? >> > Agreed, that is stupid! I mispresented my idea: I talk about two
DTs
> controlled by hardware/Firmware provider. OS shall be a consumer
only.
> >
In a perfect world firmware would provide the authoritative source
of
the device tree. The current situation has device trees developed
in the
context of Linux and U-Boot picking them up. U-Boot is lagging far behind Linux. Whenever I wanted to change a device tree in U-Boot I
was
told to first get that change into Linux. I see no commitment to
change
this process.
Device-trees are provided by U-Boot to Linux as UEFI configuration tables. If a device-tree is malicious it may lead to the
destruction of
hardware. So whatever U-Boot provides as a device-tree to Linux
should
be validated.
Of course. But that does not mean it should be the job of UEFI secure boot to do so.
For me validating the device-tree means that U-Boot checks a signature added to the device-tree. It is just the same type ofprocess as the one we will do in UEFI secure boot when loading an application like GRUB or Linux.
Even if we use the same algorithms to authenticate a DT as we use to authenticate parts of the OS, conflating the two is a dangerous and slippery slope. The industry today expresses a strong preference towards putting all the security eggs in a single basket, and make Microsoft the owner of all keys relating to secure boot.
Aren't we talking about Arm systems that do not need Microsoft keys?
Yes, we are. And this is a battle I have been fighting for years, but the distros as well as the silicon vendors are only interested in Microsoft owning all the secure boot signing keys, as they do on x86.
This means that if we standardize secure boot as the means to
authenticate DT to the firmware, this may lead to a situation where I can load a DT for a different but similar SoC into my system (given that they are all signed by Microsoft), and possibly circumvent security features since the GPIOs are not wired the same.
So now we have two classes of images, platform and OS. Do we add separate keyrings? Do we add metadata? What else do we need to add beyond what the UEFI spec defines to support this model?
EL3 software (trustedfirmware for instance) validates untrusted
firmware, and probably DTs. Or is U-Boot a consummer of TF provided DT? Does U-Boot provide a DT to OS? I had a discussion with Loic from ST (added) that he sees multiple keys for different parts of the boot.
Yes, that makes sense. But the problem is that UEFI secure boot does not support this model. An image is considered valid if it authenticates against any of the keys in db. And any key in KEK can sign updates to db and dbx. And today's current practice is to include Microsoft keys in both KEK and db.
I have argued time and time again that this is entirely broken as a security model. Any db update that Microsoft has ever signed can be applied to my brand new arm64 system (unless it has been blacklisted explicitly, and my vendor has bothered to ship with an up to date dbt)
I am perfectly happen to reopen that debate as well, by the way :-)
Is it correct to say that Msft could revoke selective keys and prevent the boot of selected devices? If true, in the current geopolitical context, I would assume this is not acceptable... and distros may not have the final word here as it may be regulatory costrainst or customer requirement.
[ Trimming some quoting! ]
On Tue, Jun 04, 2019 at 11:17:09AM -0400, Francois Ozog wrote:
On Tue, 4 Jun 2019 at 10:57, Ard Biesheuvel ard.biesheuvel@linaro.org
Yes, that makes sense. But the problem is that UEFI secure boot does not support this model. An image is considered valid if it authenticates against any of the keys in db. And any key in KEK can sign updates to db and dbx. And today's current practice is to include Microsoft keys in both KEK and db.
I have argued time and time again that this is entirely broken as a security model. Any db update that Microsoft has ever signed can be applied to my brand new arm64 system (unless it has been blacklisted explicitly, and my vendor has bothered to ship with an up to date dbt)
I am perfectly happen to reopen that debate as well, by the way :-)
Is it correct to say that Msft could revoke selective keys and prevent the boot of selected devices? If true, in the current geopolitical context, I would assume this is not acceptable... and distros may not have the final word here as it may be regulatory costrainst or customer requirement.
Technically yes, but actually updating the revocation and blacklists is quite rare. It would be up to the user (or some user-enabled software) to take the updates.
Cheers,
On Tue, 4 Jun 2019 at 10:57, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 16:52, Francois Ozog francois.ozog@linaro.org wrote:
On Tue, 4 Jun 2019 at 10:37, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 16:29, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 4:20 PM, Ard Biesheuvel wrote:
On Tue, 4 Jun 2019 at 16:17, Heinrich Schuchardt xypron.glpk@gmx.de
wrote:
On 6/4/19 3:55 PM, Francois Ozog wrote: > On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel <
ard.biesheuvel@linaro.org>
> wrote: > >> >> >> On Tue, 4 Jun 2019 at 15:44, Francois Ozog <
francois.ozog@linaro.org>
>> wrote: >> >>> Hi Ard, >>> >>> On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
ard.biesheuvel@linaro.org>
>>> wrote: >>> >>>> On Fri, 31 May 2019 at 19:25, Ilias Apalodimas >>>> ilias.apalodimas@linaro.org wrote: >>>>> >>>>> Hi Grant, >>>>>> I see two ways to handle this that fits with the Secure Boot >>>>>> authentication path: >>>>>> >>>>>> Option 1: Leave it to the OS loader >>>>>> We could simply say that if the OS wants to replace the DTB,
then it
>>>>>> should take care of authentication itself within the OS loader >>>> (possibly >>>>>> the in-kernel UEFI stub) and install a replacement DTB in the >>>>>> configuration table before calling exit boot services. In this >>>> scenario, >>>>>> U-Boot doesn't authenticate the DTB at all. >>>>>> >>>>>> In fact, Option 1 is pretty close to what is required for the
initrd.
>>>>>> >>>>>> I wonder if it is possible to wrap the DTB with a PE/COFF so
that
>>>> the os >>>>>> loader can use load_image to authenticate and retrieve the
data
>>>> without >>>>>> actually executing the image. That would allow for the DTB &
initrd
>>>> to >>>>>> be authenticated in the same way as the kernel. >>>>> I asked around on this prior to the email, but i think it
boils down to
>>>>> "UEFI is intended to authenticate bootable images for the
platform",
>>>> so i doubt >>>>> this will be allowed. >>>>> >>>> >>>> The point I raised when we discussed this is that UEFI is an
interface
>>>> between the firmware and the OS, and it is up to the firmware to >>>> *provide* the DT not the other way around. >>>> >>>> Whether the firmware reuses some of the existing machinery if it >>>> chooses to load the DT it provides from an arbitrary file on
the file
>>>> system is an implementation detail, and shouldn't be part of
how we
>>>> design the interface. The more we standardize this and the more
we
>>>> make it similar to how the OS loader is authenticated, the more
likely
>>>> it becomes that it will be relied upon for DTs that are bundled
with
>>>> the OS, which is a practice we are trying very hard to move
away from.
>>>> >>> >>> I have the impression that OS provided DT is a bad solution to a
real
>>> problem: >>> There should be a Firmware hardware environment (what to
initialize,
>>> use...) and a OS hardware environment. >>> Both should be signed, and controlled by the firmware. >>> So I would try to find a way to supply firmware with two DTs, or
more
>>> likely one DT and one OS overlay (if overlays can remove some
hardware).
>>> >>> >> >> If the OS provides a DT to itself, what is the point of
pretending that it
>> has been authenticated to the firmware? >> > Agreed, that is stupid! I mispresented my idea: I talk about two
DTs
> controlled by hardware/Firmware provider. OS shall be a consumer
only.
> >
In a perfect world firmware would provide the authoritative source
of
the device tree. The current situation has device trees developed
in the
context of Linux and U-Boot picking them up. U-Boot is lagging far behind Linux. Whenever I wanted to change a device tree in U-Boot I
was
told to first get that change into Linux. I see no commitment to
change
this process.
Device-trees are provided by U-Boot to Linux as UEFI configuration tables. If a device-tree is malicious it may lead to the
destruction of
hardware. So whatever U-Boot provides as a device-tree to Linux
should
be validated.
Of course. But that does not mean it should be the job of UEFI secure boot to do so.
For me validating the device-tree means that U-Boot checks a signature added to the device-tree. It is just the same type ofprocess as the one we will do in UEFI secure boot when loading an application like GRUB or Linux.
Even if we use the same algorithms to authenticate a DT as we use to authenticate parts of the OS, conflating the two is a dangerous and slippery slope. The industry today expresses a strong preference towards putting all the security eggs in a single basket, and make Microsoft the owner of all keys relating to secure boot.
Aren't we talking about Arm systems that do not need Microsoft keys?
Yes, we are. And this is a battle I have been fighting for years, but the distros as well as the silicon vendors are only interested in Microsoft owning all the secure boot signing keys, as they do on x86.
This means that if we standardize secure boot as the means to
authenticate DT to the firmware, this may lead to a situation where I can load a DT for a different but similar SoC into my system (given that they are all signed by Microsoft), and possibly circumvent security features since the GPIOs are not wired the same.
So now we have two classes of images, platform and OS. Do we add separate keyrings? Do we add metadata? What else do we need to add beyond what the UEFI spec defines to support this model?
EL3 software (trustedfirmware for instance) validates untrusted
firmware, and probably DTs. Or is U-Boot a consummer of TF provided DT? Does U-Boot provide a DT to OS? I had a discussion with Loic from ST (added) that he sees multiple keys for different parts of the boot.
Yes, that makes sense. But the problem is that UEFI secure boot does not support this model. An image is considered valid if it authenticates against any of the keys in db. And any key in KEK can sign updates to db and dbx. And today's current practice is to include Microsoft keys in both KEK and db.
Only shim<arch>.efi is Microsoft signed. So we shold be clear to sign
SecureBoot without Shim, booting directly grub<arch>.efi for instance.
I have argued time and time again that this is entirely broken as a security model. Any db update that Microsoft has ever signed can be applied to my brand new arm64 system (unless it has been blacklisted explicitly, and my vendor has bothered to ship with an up to date dbt)
I am perfectly happen to reopen that debate as well, by the way :-)
On Tue, 4 Jun 2019 at 18:38, Francois Ozog francois.ozog@linaro.org wrote:
On Tue, 4 Jun 2019 at 10:57, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
Yes, that makes sense. But the problem is that UEFI secure boot does not support this model. An image is considered valid if it authenticates against any of the keys in db. And any key in KEK can sign updates to db and dbx. And today's current practice is to include Microsoft keys in both KEK and db.
Only shim<arch>.efi is Microsoft signed. So we shold be clear to sign
SecureBoot without Shim, booting directly grub<arch>.efi for instance.
Unfortunately, the way things work today, secureboot-enabled GRUB can only run in combination with shim, since it explicitly attaches to a protocol exposed by shim. So even on a system where the installer can see that the required certificates (i.e., redhat's signing certificate) are present in the firmware's keyring, it still needs to install shim in order to be able to run GRUB.
This is on my list of things to get fixed, and I have already discussed a possible solution with Peter Jones (RH) but neither of us currently have the bandwidth to sit down and do the work.
On Tue, 4 Jun 2019 at 10:17, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
On 6/4/19 3:55 PM, Francois Ozog wrote:
On Tue, 4 Jun 2019 at 09:49, Ard Biesheuvel ard.biesheuvel@linaro.org wrote:
On Tue, 4 Jun 2019 at 15:44, Francois Ozog francois.ozog@linaro.org wrote:
Hi Ard,
On Fri, 31 May 2019 at 13:35, Ard Biesheuvel <
ard.biesheuvel@linaro.org>
wrote:
On Fri, 31 May 2019 at 19:25, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Grant, > I see two ways to handle this that fits with the Secure Boot > authentication path: > > Option 1: Leave it to the OS loader > We could simply say that if the OS wants to replace the DTB, then it > should take care of authentication itself within the OS loader
(possibly
> the in-kernel UEFI stub) and install a replacement DTB in the > configuration table before calling exit boot services. In this
scenario,
> U-Boot doesn't authenticate the DTB at all. > > In fact, Option 1 is pretty close to what is required for the
initrd.
> > I wonder if it is possible to wrap the DTB with a PE/COFF so that
the os
> loader can use load_image to authenticate and retrieve the data
without
> actually executing the image. That would allow for the DTB & initrd
to
> be authenticated in the same way as the kernel. I asked around on this prior to the email, but i think it boils down
to
"UEFI is intended to authenticate bootable images for the platform",
so i doubt
this will be allowed.
The point I raised when we discussed this is that UEFI is an interface between the firmware and the OS, and it is up to the firmware to *provide* the DT not the other way around.
Whether the firmware reuses some of the existing machinery if it chooses to load the DT it provides from an arbitrary file on the file system is an implementation detail, and shouldn't be part of how we design the interface. The more we standardize this and the more we make it similar to how the OS loader is authenticated, the more likely it becomes that it will be relied upon for DTs that are bundled with the OS, which is a practice we are trying very hard to move away from.
I have the impression that OS provided DT is a bad solution to a real problem: There should be a Firmware hardware environment (what to initialize, use...) and a OS hardware environment. Both should be signed, and controlled by the firmware. So I would try to find a way to supply firmware with two DTs, or more likely one DT and one OS overlay (if overlays can remove some
hardware).
If the OS provides a DT to itself, what is the point of pretending that
it
has been authenticated to the firmware?
Agreed, that is stupid! I mispresented my idea: I talk about two DTs controlled by hardware/Firmware provider. OS shall be a consumer only.
In a perfect world firmware would provide the authoritative source of the device tree. The current situation has device trees developed in the context of Linux and U-Boot picking them up. U-Boot is lagging far behind Linux. Whenever I wanted to change a device tree in U-Boot I was told to first get that change into Linux. I see no commitment to change this process.
Device-trees are provided by U-Boot to Linux as UEFI configuration tables. If a device-tree is malicious it may lead to the destruction of hardware. So whatever U-Boot provides as a device-tree to Linux should be validated.
In a perfect world, U-Boot shall lead and we should work towards that if
not in place. There is no sch a thing as a Linux validated ACPI table, so why for DT? Logically, it makes no sense to me, the firmware is hardware dependent/aware and shall be the authority. OS just a user. Worse, if an OS does not comply it shall be considered as a security breach.
Best regards
Heinrich
On 5/31/19 7:16 PM, Ilias Apalodimas wrote:
Hi Grant,
I see two ways to handle this that fits with the Secure Boot authentication path:
Option 1: Leave it to the OS loader We could simply say that if the OS wants to replace the DTB, then it should take care of authentication itself within the OS loader (possibly the in-kernel UEFI stub) and install a replacement DTB in the configuration table before calling exit boot services. In this scenario, U-Boot doesn't authenticate the DTB at all.
In fact, Option 1 is pretty close to what is required for the initrd.
I wonder if it is possible to wrap the DTB with a PE/COFF so that the os loader can use load_image to authenticate and retrieve the data without actually executing the image. That would allow for the DTB & initrd to be authenticated in the same way as the kernel.
I asked around on this prior to the email, but i think it boils down to "UEFI is intended to authenticate bootable images for the platform", so i doubt this will be allowed.
What makes you think so? Also drivers are authenticated according to the UEFI spec.
Best regards
Heinrich
boot-architecture@lists.linaro.org
-
Ard Biesheuvel -
Francois Ozog -
Grant Likely -
Heinrich Schuchardt -
Ilias Apalodimas -
Joakim Bech -
Steve McIntyre -
Sumit Garg -
Udit Kumar