EFI File renaming

EFI File renaming

[Traut Manuel LCPF-CH]

Hi,

systemd-boot counting logic requires [0] to be implemented.

Is anybody already working on this?

If not we plan to add the functionality in fs/fs.c and fs/fat - correct?

Cheers
Manuel

[0] https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971

Re: EFI File renaming

[Ilias Apalodimas]

Hello Manuel,

On Tue, 12 Nov 2024 at 15:21, Traut Manuel LCPF-CH <Manuel.Traut@mt.com> wrote:
>
> Hi,
>
> systemd-boot counting logic requires [0] to be implemented.
>
> Is anybody already working on this?

I am not aware of any patches

>
> If not we plan to add the functionality in fs/fs.c and fs/fat - correct?

We don't have plans for it, but explaining any use cases you have might help

Cheers
/Ilias
>
> Cheers
> Manuel
>
> [0] https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971

Re: EFI File renaming

[Heinrich Schuchardt]

On 12.11.24 14:46, Ilias Apalodimas wrote:
> Hello Manuel,
>
> On Tue, 12 Nov 2024 at 15:21, Traut Manuel LCPF-CH <Manuel.Traut@mt.com> wrote:
>>
>> Hi,
>>
>> systemd-boot counting logic requires [0] to be implemented.
>>
>> Is anybody already working on this?
>
> I am not aware of any patches
>
>>
>> If not we plan to add the functionality in fs/fs.c and fs/fat - correct?
>
> We don't have plans for it, but explaining any use cases you have might help
>
> Cheers
> /Ilias
>>
>> Cheers
>> Manuel
>>
>> [0] https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971

Hello Manuel,

The file system layer in fs/fat/fat_write.c does not support renaming, yet.

You would have to start your contributions there.

Best regards

Heinrich

Re: EFI File renaming

[Traut Manuel LCPF-CH]

Hi Ilias,

On Tue, Nov 12, 2024 at 03:46:48PM +0200, Ilias Apalodimas wrote:
> Hello Manuel,
> 
> On Tue, 12 Nov 2024 at 15:21, Traut Manuel LCPF-CH <Manuel.Traut@mt.com> wrote:
> >
> > Hi,
> >
> > systemd-boot counting logic requires [0] to be implemented.
> >
> > Is anybody already working on this?
> 
> I am not aware of any patches

thanks for the quick response.

> > If not we plan to add the functionality in fs/fs.c and fs/fat - correct?
> 
> We don't have plans for it, but explaining any use cases you have might help

systemd-boot is able to do bootcounting by renaming the UKI image [0]
the code that triggers the not implemented code section is here [1].

With this it is possible to have watchdog based A/B switching on systems
without a writeable u-boot environment. And therefore it is a nice
method to implement measured boot.

Regards
Manuel

[0] https://uapi-group.org/specifications/specs/boot_loader_specification/#boot-counting
[1] https://github.com/systemd/systemd/blob/3304a029b847e87da51f7a8ad8c118111508e009/src/boot/boot.c#L1407

> Cheers
> /Ilias
> >
> > Cheers
> > Manuel
> >
> > [0] https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971

Re: EFI File renaming

[Traut Manuel LCPF-CH]

Hello Heinrich,

> The file system layer in fs/fat/fat_write.c does not support renaming, yet.
> 
> You would have to start your contributions there.

thanks - so the rough roadmap in my head seems to be fine.

Manuel

Re: EFI File renaming

[Ilias Apalodimas]

On Tue, 12 Nov 2024 at 16:22, Traut Manuel LCPF-CH <Manuel.Traut@mt.com> wrote:
>
> Hi Ilias,
>
> On Tue, Nov 12, 2024 at 03:46:48PM +0200, Ilias Apalodimas wrote:
> > Hello Manuel,
> >
> > On Tue, 12 Nov 2024 at 15:21, Traut Manuel LCPF-CH <Manuel.Traut@mt.com> wrote:
> > >
> > > Hi,
> > >
> > > systemd-boot counting logic requires [0] to be implemented.
> > >
> > > Is anybody already working on this?
> >
> > I am not aware of any patches
>
> thanks for the quick response.
>
> > > If not we plan to add the functionality in fs/fs.c and fs/fat - correct?
> >
> > We don't have plans for it, but explaining any use cases you have might help
>
> systemd-boot is able to do bootcounting by renaming the UKI image [0]
> the code that triggers the not implemented code section is here [1].
>
> With this it is possible to have watchdog based A/B switching on systems
> without a writeable u-boot environment. And therefore it is a nice
> method to implement measured boot.

The A/B is ok, but I cant understand how that realted to measured
boot. The TPM access, UKI infrastucture etc, will work fine without
A/B

Thanks
/Ilias
>
> Regards
> Manuel
>
> [0] https://uapi-group.org/specifications/specs/boot_loader_specification/#boot-counting
> [1] https://github.com/systemd/systemd/blob/3304a029b847e87da51f7a8ad8c118111508e009/src/boot/boot.c#L1407
>
> > Cheers
> > /Ilias
> > >
> > > Cheers
> > > Manuel
> > >
> > > [0] https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971

Re: EFI File renaming

[Traut Manuel LCPF-CH]

> > > > systemd-boot counting logic requires [0] to be implemented.
> >
> > > > If not we plan to add the functionality in fs/fs.c and fs/fat - correct?
> > >
> > > We don't have plans for it, but explaining any use cases you have might help
> >
> > systemd-boot is able to do bootcounting by renaming the UKI image [0]
> > the code that triggers the not implemented code section is here [1].
> >
> > With this it is possible to have watchdog based A/B switching on systems
> > without a writeable u-boot environment. And therefore it is a nice
> > method to implement measured boot.
> 
> The A/B is ok, but I cant understand how that realted to measured
> boot. The TPM access, UKI infrastucture etc, will work fine without
> A/B

Yes, TPM, UKI works fine right now :)

systemd-boot is renaming the UKI before it starts it, by increasing
the bootcounter that is part of the filename. If the system is fully
booted the file gets renamed again to reset the bootcounter.

If the bootcounter exceeds systemd-boot tries the next UKI.
The UKIs can be signed and are still valid after rename.

I expect that changes to the u-boot env will change a PCR measurement.
At least it should be like this, since it might alter the boot path?

For trusted systems it would be nice to have a meaurement of the EFI
variables and beside that have no dynamic environment.

Hope this explenation is understandable?
Manuel

> > [0] https://uapi-group.org/specifications/specs/boot_loader_specification/#boot-counting
> > [1] https://github.com/systemd/systemd/blob/3304a029b847e87da51f7a8ad8c118111508e009/src/boot/boot.c#L1407
> >
> > > >
> > > > [0] https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971

Re: EFI File renaming

[Ilias Apalodimas]

On Tue, 12 Nov 2024 at 16:55, Traut Manuel LCPF-CH <Manuel.Traut@mt.com> wrote:
>
> > > > > systemd-boot counting logic requires [0] to be implemented.
> > >
> > > > > If not we plan to add the functionality in fs/fs.c and fs/fat - correct?
> > > >
> > > > We don't have plans for it, but explaining any use cases you have might help
> > >
> > > systemd-boot is able to do bootcounting by renaming the UKI image [0]
> > > the code that triggers the not implemented code section is here [1].
> > >
> > > With this it is possible to have watchdog based A/B switching on systems
> > > without a writeable u-boot environment. And therefore it is a nice
> > > method to implement measured boot.
> >
> > The A/B is ok, but I cant understand how that realted to measured
> > boot. The TPM access, UKI infrastucture etc, will work fine without
> > A/B
>
> Yes, TPM, UKI works fine right now :)
>
> systemd-boot is renaming the UKI before it starts it, by increasing
> the bootcounter that is part of the filename. If the system is fully
> booted the file gets renamed again to reset the bootcounter.
>
> If the bootcounter exceeds systemd-boot tries the next UKI.
> The UKIs can be signed and are still valid after rename.
>
> I expect that changes to the u-boot env will change a PCR measurement.

No env changes are not and IIRC it isnt necesarry. We measure what's
described in the PC client spec. So the loaded image PCRs would
change, but that's a user decision (which PCRS to use and seal
secrets)

> At least it should be like this, since it might alter the boot path?
>
> For trusted systems it would be nice to have a meaurement of the EFI
> variables and beside that have no dynamic environment.

We do measure EFI variables and Boot#### variables in PCR7

>
> Hope this explanation is understandable?

Yes thanks

/Ilias
> Manuel
>
> > > [0] https://uapi-group.org/specifications/specs/boot_loader_specification/#boot-counting
> > > [1] https://github.com/systemd/systemd/blob/3304a029b847e87da51f7a8ad8c118111508e009/src/boot/boot.c#L1407
> > >
> > > > >
> > > > > [0] https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971

Re: EFI File renaming

[Enric Balletbo i Serra]

Hi,

Just to double check as I didn't find more after this thread. There
was any advance regarding this topic? I might also be interested in
help on this.

Thanks,
  Enric

On Tue, Nov 12, 2024 at 4:05 PM Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> On Tue, 12 Nov 2024 at 16:55, Traut Manuel LCPF-CH <Manuel.Traut@mt.com> wrote:
> >
> > > > > > systemd-boot counting logic requires [0] to be implemented.
> > > >
> > > > > > If not we plan to add the functionality in fs/fs.c and fs/fat - correct?
> > > > >
> > > > > We don't have plans for it, but explaining any use cases you have might help
> > > >
> > > > systemd-boot is able to do bootcounting by renaming the UKI image [0]
> > > > the code that triggers the not implemented code section is here [1].
> > > >
> > > > With this it is possible to have watchdog based A/B switching on systems
> > > > without a writeable u-boot environment. And therefore it is a nice
> > > > method to implement measured boot.
> > >
> > > The A/B is ok, but I cant understand how that realted to measured
> > > boot. The TPM access, UKI infrastucture etc, will work fine without
> > > A/B
> >
> > Yes, TPM, UKI works fine right now :)
> >
> > systemd-boot is renaming the UKI before it starts it, by increasing
> > the bootcounter that is part of the filename. If the system is fully
> > booted the file gets renamed again to reset the bootcounter.
> >
> > If the bootcounter exceeds systemd-boot tries the next UKI.
> > The UKIs can be signed and are still valid after rename.
> >
> > I expect that changes to the u-boot env will change a PCR measurement.
>
> No env changes are not and IIRC it isnt necesarry. We measure what's
> described in the PC client spec. So the loaded image PCRs would
> change, but that's a user decision (which PCRS to use and seal
> secrets)
>
> > At least it should be like this, since it might alter the boot path?
> >
> > For trusted systems it would be nice to have a meaurement of the EFI
> > variables and beside that have no dynamic environment.
>
> We do measure EFI variables and Boot#### variables in PCR7
>
> >
> > Hope this explanation is understandable?
>
> Yes thanks
>
> /Ilias
> > Manuel
> >
> > > > [0] https://uapi-group.org/specifications/specs/boot_loader_specification/#boot-counting
> > > > [1] https://github.com/systemd/systemd/blob/3304a029b847e87da51f7a8ad8c118111508e009/src/boot/boot.c#L1407
> > > >
> > > > > >
> > > > > > [0] https://elixir.bootlin.com/u-boot/v2025.01-rc1/source/lib/efi_loader/efi_file.c#L971
>