It has been a long time since there has been a regular EBBR review
meeting, and with the amount of activity that has happened in the last
year I think it is time to start meeting again. I'd like to start
talking about content for EBBR v1.0+.
A biweekly cadence seems about right to me, but we can discuss when we
start meetings again. Would Monday, 31 Aug at 16:00BST, 08:00PST work?
Email me privately if you want me to send you a calendar invite.
Discussion topics:
- EBBR testing progress
- EBBR Scope -- doing a better job to describe the purpose of EBBR
- Tightening requirements as U-Boot implementation matures (make fewer
things optional)
- Security requirements - Secure boot and secure capsule update
- issue review
- Signing requirements on dtbs and variables
Send me an email if you want to add to the agenda, or add an issue to
the github page:
https://github.com/arm-software/ebbr/issues
g.
----
Time: Every second Monday starting 31 Aug at 16:00BST, 08:00PST
Join Zoom Meeting
https://armltd.zoom.us/j/92081365511?pwd=SFZpRitXUEp3Zy9GM0h3UUZ1b1pnUT09
Meeting ID: 920 8136 5511
Password: 490324
One tap mobile
+14086380968,,92081365511#,,#,490324# US (San Jose)
+16465189805,,92081365511#,,#,490324# US (New York)
Dial by your location
+1 408 638 0968 US (San Jose)
+1 646 518 9805 US (New York)
+1 346 248 7799 US (Houston)
Meeting ID: 920 8136 5511
Password: 490324
Find your local number: https://armltd.zoom.us/u/adYiWaDyys
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
Hi,
I just updated the technical report
<https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…>
with a section on "Trusting DT" that is the result of my analysis of the
discussion we had (not what I presented).
Please comment, correct, update...
Cordially,
FF
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
Hi all,
The OpenAMP-remoteproc working group is looking forward to discuss OpenAMP bindings with the System DT working group & all others interested in System DT.
Best regards,
Nathalie C. Chan King Choy
Program Manager focused on Open Source & Community
Meeting number (access code): 145 853 2028
Meeting password: NgTwf4r8R$3
Monday, August 31, 2020
8:00 am | (UTC-07:00) Pacific Time (US & Canada) | 1 hr
Join meeting<https://xilinx.webex.com/xilinx/j.php?MTID=mcd4ad9bca009dfef38671c26d5a1d301>
Canada toll free 1-844-426-4405
France toll free 0800-912-485
India toll free 000-800-040-1016
Sweden toll free 020-033-6721
UK toll free 08000315372
United States Toll Free 1-844-621-3956
Global call-in numbers<https://xilinx.webex.com/xilinx/globalcallin.php?MTID=m370fae0984a8792a3592…> | Toll-free calling restrictions<https://www.webex.com/pdf/tollfree_restrictions.pdf>
Hi All,
We are interested in adopting EBBR as the boot specification for the
embedded RISC-V platforms.
We firmly believe that EBBR is a very well defined specification for
boot requirement and there
is no need for reinventing the wheel for RISC-V. Hence, this is a
thread to discuss all the requirements
for adding RISC-V to EBBR. Here is my current understanding. Please
correct me if I am wrong.
Logistic Requirement:
1. As per the contribution guidelines[1], patches should be sent to
boot-architecture(a)lists.linaro.org.
and the specification will be hosted under "ARM-software" Github.
I am hoping that introducing RISC-V
related changes are okay with the current maintainers.
2. The specification is licensed under Creative Commons. The RISC-V
related changes will refer to
some of the RISC-V specifications as well. AFAIK, there shouldn't
be an issue with that.
3. It should be okay to add other copyrights in addition to "Arm
Limited and Contributors".
Technical Requirement:
1. Software status:
a. UEFI support for RISC-V Linux kernel is already available in
the mailing list[2]. The targeted upstream
merge is the 5.10 merge window.
b. U-Boot already supports UEFI for RISC-V.
c. EDK2 upstreaming is currently under progress [3] as well.
Is it okay to start sending patches for EBBR RISC-V related changes
now or do we need to wait for EDK2 and Linux
kernel patches to be available upstream ?
2. RISC-V related sections in EBBR
a. UEFI:
Currently, RISC-V doesn't support a EFI_RESET_SYSTEM boot
service as firmware doesn't have a standard way
to reset the system. There is a proposal to add a system reset
function to Supervisor Binary Specification(SBI) which
can be mapped to EFI_RESET_SYSTEM by the firmware. Apart from
that, I believe RISC-V supports all UEFI boot and
run time services mandated by EBBR. Is it a blocker for RISC-V
EBBR compatibility?
b. RISC-V Multiprocessor Startup Protocol: This section will
contain the details of booting protocol for RISC-V and mandatory
RISC-V specifications that need to be implemented.
c. Firmware Storage: AFAIK, RISC-V platforms are already
compatible with this.
Please let me know if I missed something or oversimplified any
requirement. We want to make RISC-V compatible with EBBR
sooner than later and ready work on any missing pieces if any.
[1] https://github.com/ARM-software/ebbr/blob/master/CONTRIBUTING.rst
[2] https://lkml.org/lkml/2020/8/19/1252
[3] https://edk2.groups.io/g/devel/message/63831?p=,,,20,0,0,0::Created,,RISC-V…
[4] https://lists.riscv.org/g/tech-unixplatformspec/message/49?p=,,,20,0,0,0::r…
--
Regards,
Atish
Hi,
Yet another security issue surfaced yesterday, see this blog post about it
https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
When I was reading it I cannot avoid seeing similarities to what I've tried
to raise in the DT(E)
discussions. I.e., firmware run-time exploits running after signatures have
been verified successfully
(slide 27, 28 [1]) can be devastating and therefore I've tried to suggest
that each component
verifies the DTB that it gets from the previous firmware component (slide
29, 30 [1]), alternatively
and probably better ... doing something like a measured boot (including
DTB's) where you compute
a running hash spanning across all firmware (+configuration) being loaded.
Some quotes from the blog post:
> Almost all signed versions of GRUB2 are vulnerable, meaning virtually
> every Linux distribution is affected.
We don't want to read something similar about DTS/DTB in the future.
> Additionally, as we will show in this blog post, a vulnerability in the
boot
> process that enables arbitrary code execution can allow attackers to
control
> the boot process and operating system, even when secure boot signatures
are verified.
Confirm my concerns.
> In the course of Eclypsium’s analysis, we have identified a buffer
overflow vulnerability
> in the way that GRUB2 parses content from the GRUB2 config file
(grub.cfg).
> Of note: The GRUB2 config file is a text file and typically is not signed
like other files
> and executables. This vulnerability enables arbitrary code execution
within GRUB2 and
> thus control over the booting of the operating system. As a result, an
attacker could
> modify the contents of the GRUB2 configuration file to ensure that attack
code is run
> before the operating system is loaded. In this way, attackers gain
persistence on the device.
Replace "GRUB2" with "DT" and "grub.cfg" with "*.dts/dtb" in the quote
above and
we have another potential future quote about DT security issues.
A solid, useable and robust solution for problems like this might be
complex to realize, but I
think it's worth continuing to look into what can be done, since it seems
risky to continue loading
and running "DT code" like we're doing in many places today (and it's not
only DT that is
subject to this, regular firmware suffers with the same kind of issues).
I.e., I'm going to
raise this again in future DT(E) calls.
[1]
https://docs.google.com/presentation/d/1CvKBBZ33ggzyhP2ub8iZ410I_KGrFjHftZL…
<https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/>
Regards,
Joakim
Attendees
François-Frédéric Ozog (Linaro)
Frank Rowand
Simon Glass (Google)
Ilias Apalodimas (Linaro)
Atish Patra (Western Digital)
Mark Brown (Arm)
Heinrich Schuchardt
CVS
Arnd Bergmann
Rob Herring (Arm)
Loic Pallardy (ST)
Poonam (NXP)
Ruchika
Loic Pallardy (ST)
Don Harbin(linaro)
Presentation
SLIDE 2
Francois: if we want authentication, we can’t do fix up
Simon: what is fix up? Can’t change DT or ok to change it?
Francois: can orchestrate transition, [edit as typing notes: changing
is not OK because you can’t identify the scope of change; adding a new
node may be acceptable - because scope is easy to frame]
Simon: code doing the fixup is signed , so it may be a signal that the
changes are OK; don’t know how to pass that to Linux. In principle you
should rely on signed code to make changes
Francois: [rephrasing at note editing] two trust models
1) implicit - trust because generating/updating code is signed
2) explicit - trust because you can check signature of the DT
Heinrich: if the DT comes from file system, it should be signed; for
DT embedded in signed code: no need to have a signature; signature for
things from file but not from memory [at writing notes, I understand
this as a DT fragment generated by FT-A in memory does not need to be
signed]
SLIDE 3
Francois: cold-plug by U-Boot, hotplug by OS
Francois: Board DTB + cape DTBo + cape_on_board DTBo (pin muxing
config, irq config…)
Frank: Device removal triggers DT correspond node(s) removal? If so,
then we should limiting a single device per overlay
Francois: yes. It is also connected to device assignment. There should
be a way to identify all nodes of a device in DT to actually simplify
device assignment (to be discussed later in the deck)
SLIDE 4
Lets use a special config DTBo (chosen…)
Let’s get the parameters out of DT in local OS config (or worst case,
in that config DTBo)
Rob: problem with systems with loadable modules
Arnd: can be passed on command line
Rob: Greg KH say: don’t add module parameters
Arnd: device specific parameters should be done via sysfs/ioctl;
driver wide parameters could be as module parameters or boot command
line
Frank or it could be a “chosen”
[editig time] Francois: for Linux, can we organize module parameters
in modules.d are parsed when modules are statically linked?
Let’s not use DT when we can avoid (OP-TEE bus to discover TAs)
SLIDE 5
Francois: wherever we choose, we shall ensure backward compatibility
SLIDE 6
DTB=base board + 1 DTBo per device
Statically merge DTB + DTBos at compile time and keep metadata about
the merge in a section of the new DT file format.
SLIDE 7
Arnd/Simon: Right now the Android boot loader merges DTB/DTBos and
passes one DTB to the kernel
Simon: ChromeOS has a FIT image with multiple DTs, it selects one to pass to OS
Arnd/Ilias: FIT is only understood by U-Boot
Francois: wherever we choose, we shall ensure backward compatibility
Arnd: It’s simpler to have a single DTB for the kernel
Early kernel is not really powerful
There are security advantages in signed DTBos
Francois: I think the key question is decide on a model. Allow
bootloaders to change the DTB and rely on signed DTBos?
Simon: is either or ? [explicit vs implicit trust models], what is the
threat model?
Francois: yes, I think so.
Heinrich: problem is wrong voltage in DT results in destroying the board
Arnd: steal sensitive data
Ilias: DoS can become a problem
Ilias: signing per device (key mgmt complexity) ? or per device model
(can compromise all devices of a model)?
Francois: Who signs what is also a fundamental concept, because there
might be different signing authorities
Loic: That’s the current case wit ST devices
Arnd: There’s 3 options here:
Kernel with embedded DTB, if the kernel signature is checked, the DTB
does not need to be checked
The bootloader loads the kernel from a disk
Nothing is checked
Checking one of those makes no sense
Simon: we have to be careful in not tying ourselves in a knot. There
is *no* bidirectional root of trust. The model is that trust is built
starting from the root of trust, the next level implicitly trusts the
level that loaded it.
Mark Brown: DT is used with EDK2
Loic: there is no direct boot from U-Boot to kernel, it is vouched by OP-TEE.
security of co-processors requires the same model
Hardware firewall (device and memory) can be leveraged to ensure full security
DTE Project information portal:
https://collaborate.linaro.org/display/DTE/DTE+Progress+Updates
Security presentation: (listed in the portal, but copied here for
simple access):
https://docs.google.com/presentation/d/1CvKBBZ33ggzyhP2ub8iZ410I_KGrFjHftZL…
Hi,
I think we have gathered enough knowledge in the Technical Report to
try architecting DT evolution technologies.
To that end, I'll kick start discussion with:
https://docs.google.com/presentation/d/1jACxdO-3fDzSk5MEMUEmAu0iMjtp9Td7Xbb…
Everyone has commenter capabilities in the document, so please use it.
I am sure most of the proposals cannot be "decided on" during the
call. But I'd like to come to a conclusion on one topic: whether or
not fix ups are allowed. If we introduce signature of any form with
DTB, then I believe fixups are not possible anymore.
Cheers
--
FF
Hi all,
The notes from today's call can be found on the OpenAMP Wiki at https://github.com/OpenAMP/open-amp/wiki/System-DT-Meeting-Notes-2020#2020J…
The action items are:
* Stefano to share slides
* Xilinx and ST to discuss interconnect binding, considering that it could be expanded beyond QoS, and review Rob's earlier feedback to Benjamin on pin control
* Stefano to check if configuration interface assumes that IDs are global
* Stefano to work with Bruce to prototype something w/ Lopper to generate a bus firewall configuration table
* Stefano to present openamp-remoteproc binding for System DT at next call
@ Stefano, Loic, Rob, Ilias, Tomas (and anyone else who spoke, if I missed you): Please check if there are any errors or important omissions in what I captured for your parts. You can make corrections directly in the wiki page.
Thanks & regards,
Nathalie C. Chan King Choy
Program Manager focused on Open Source and Community
