From: "Alex G." <mr.nuke.me@gmail.com>
To: Andrew Jeffery <andrew@aj.id.au>,
Dhananjay Phadke <dphadke@linux.microsoft.com>,
Patrick Williams <patrick@stwcx.xyz>
Cc: U-Boot-Denx <u-boot@lists.denx.de>,
openbmc@lists.ozlabs.org, "Chia-Wei,
Wang" <chiawei_wang@aspeedtech.com>,
Simon Glass <sjg@chromium.org>,
Christopher J Engel <cjengel@us.ibm.com>
Subject: Re: [PATCH] image: Control FIT signature verification at runtime
Date: Mon, 28 Feb 2022 16:12:47 -0600 [thread overview]
Message-ID: <e3e8d6a8-43ee-d0f5-d5dc-babcad5147ef@gmail.com> (raw)
In-Reply-To: <483b87d6-a9aa-4f64-9bb5-04874312a97b@www.fastmail.com>
On 2/27/22 19:29, Andrew Jeffery wrote:
>
>
> On Tue, 15 Feb 2022, at 13:55, Andrew Jeffery wrote:
>> On Tue, 15 Feb 2022, at 13:42, Dhananjay Phadke wrote:
>>> On 2/14/2022 3:13 PM, Patrick Williams wrote:
>>>> On Mon, Feb 14, 2022 at 11:14:53AM -0800, Dhananjay Phadke wrote:
>>>>> There's a key-requirement policy already implemented [1].
>>>>>
>>>>> [1]
>>>>> https://lore.kernel.org/u-boot/cover.1597643014.git.thiruan@linux.microsoft.com/
>>>>>
>>>>> Board code can patch "required-policy" = none at runtime based
>>>>> appropriate logic.
>>>>>
>>>
>>> [...]
>>>
>>>>
>>>> Isn't this jumper proposal just like the TCG Physical Presence requirements?
>>>> This is a software implementation and requires a particular hardware design for
>>>> it to be done right, but it seems to be along the same lines.
>>>
>>> I'm supporting idea of having control on FIT verification, just pointed
>>> that it maybe done by board code by just patching U-Boot control FDT,
>>> either the "required-policy" property at /signature or "required"
>>> property in individual key nodes.
>>
>> This might separate the logic out in a way that's acceptable to Alex.
>>
>> Let me poke at it.
>
> I've thought about this some more and adding support for
> `required-mode = "none";` or similar seems like a massive footgun given
> that (as I understand it) the FIT image as a whole isn't verified. Only
> supporting "all" or "any" seems okay because some verification must
> succeed in the context of the keys available in the current stage.
>
> After some internal discussion this effort has been set aside so I'm not
> going to pursue it further for the moment. I don't think it's easy to
> proceed anyway without feedback from Alex.
Don't let my thoughts stop you. I don't think there is a perfect way to
address this situation, and we don't have to. Code can be changed later.
As a general preference, I would like to see a single decision point on
whether to verify/skip. It can be changing `required-mode = "none", or
any other similar solution. Keep in mind that the FIT is the image
you're trying to authenticate. It is completely different from
"required-mode", which is part of u-boot's or SPL's embedded dtb.
Alex
WARNING: multiple messages have this Message-ID (diff)
From: "Alex G." <mr.nuke.me@gmail.com>
To: Andrew Jeffery <andrew@aj.id.au>,
Dhananjay Phadke <dphadke@linux.microsoft.com>,
Patrick Williams <patrick@stwcx.xyz>
Cc: U-Boot-Denx <u-boot@lists.denx.de>,
Christopher J Engel <cjengel@us.ibm.com>,
openbmc@lists.ozlabs.org, Simon Glass <sjg@chromium.org>,
"Chia-Wei, Wang" <chiawei_wang@aspeedtech.com>
Subject: Re: [PATCH] image: Control FIT signature verification at runtime
Date: Mon, 28 Feb 2022 16:12:47 -0600 [thread overview]
Message-ID: <e3e8d6a8-43ee-d0f5-d5dc-babcad5147ef@gmail.com> (raw)
In-Reply-To: <483b87d6-a9aa-4f64-9bb5-04874312a97b@www.fastmail.com>
On 2/27/22 19:29, Andrew Jeffery wrote:
>
>
> On Tue, 15 Feb 2022, at 13:55, Andrew Jeffery wrote:
>> On Tue, 15 Feb 2022, at 13:42, Dhananjay Phadke wrote:
>>> On 2/14/2022 3:13 PM, Patrick Williams wrote:
>>>> On Mon, Feb 14, 2022 at 11:14:53AM -0800, Dhananjay Phadke wrote:
>>>>> There's a key-requirement policy already implemented [1].
>>>>>
>>>>> [1]
>>>>> https://lore.kernel.org/u-boot/cover.1597643014.git.thiruan@linux.microsoft.com/
>>>>>
>>>>> Board code can patch "required-policy" = none at runtime based
>>>>> appropriate logic.
>>>>>
>>>
>>> [...]
>>>
>>>>
>>>> Isn't this jumper proposal just like the TCG Physical Presence requirements?
>>>> This is a software implementation and requires a particular hardware design for
>>>> it to be done right, but it seems to be along the same lines.
>>>
>>> I'm supporting idea of having control on FIT verification, just pointed
>>> that it maybe done by board code by just patching U-Boot control FDT,
>>> either the "required-policy" property at /signature or "required"
>>> property in individual key nodes.
>>
>> This might separate the logic out in a way that's acceptable to Alex.
>>
>> Let me poke at it.
>
> I've thought about this some more and adding support for
> `required-mode = "none";` or similar seems like a massive footgun given
> that (as I understand it) the FIT image as a whole isn't verified. Only
> supporting "all" or "any" seems okay because some verification must
> succeed in the context of the keys available in the current stage.
>
> After some internal discussion this effort has been set aside so I'm not
> going to pursue it further for the moment. I don't think it's easy to
> proceed anyway without feedback from Alex.
Don't let my thoughts stop you. I don't think there is a perfect way to
address this situation, and we don't have to. Code can be changed later.
As a general preference, I would like to see a single decision point on
whether to verify/skip. It can be changing `required-mode = "none", or
any other similar solution. Keep in mind that the FIT is the image
you're trying to authenticate. It is completely different from
"required-mode", which is part of u-boot's or SPL's embedded dtb.
Alex
next prev parent reply other threads:[~2022-02-28 22:13 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-31 3:41 [PATCH] image: Control FIT signature verification at runtime Andrew Jeffery
2022-01-31 3:41 ` Andrew Jeffery
2022-02-07 1:07 ` ChiaWei Wang
2022-02-07 1:07 ` ChiaWei Wang
2022-02-08 21:55 ` Andrew Jeffery
2022-02-08 21:55 ` Andrew Jeffery
2022-02-12 22:54 ` Dhananjay Phadke
2022-02-12 18:55 ` Alex G.
2022-02-12 18:55 ` Alex G.
2022-02-14 1:13 ` Andrew Jeffery
2022-02-14 1:13 ` Andrew Jeffery
2022-02-14 19:14 ` Dhananjay Phadke
2022-02-14 19:14 ` Dhananjay Phadke
2022-02-14 23:08 ` Andrew Jeffery
2022-02-14 23:08 ` Andrew Jeffery
2022-02-14 23:13 ` Patrick Williams
2022-02-14 23:13 ` Patrick Williams
2022-02-15 0:21 ` Andrew Jeffery
2022-02-15 0:21 ` Andrew Jeffery
2022-02-15 3:12 ` Dhananjay Phadke
2022-02-15 3:12 ` Dhananjay Phadke
2022-02-15 3:25 ` Andrew Jeffery
2022-02-15 3:25 ` Andrew Jeffery
2022-02-28 1:29 ` Andrew Jeffery
2022-02-28 1:29 ` Andrew Jeffery
2022-02-28 22:12 ` Alex G. [this message]
2022-02-28 22:12 ` Alex G.
2022-02-28 22:42 ` Andrew Jeffery
2022-02-28 22:42 ` Andrew Jeffery
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e3e8d6a8-43ee-d0f5-d5dc-babcad5147ef@gmail.com \
--to=mr.nuke.me@gmail.com \
--cc=andrew@aj.id.au \
--cc=chiawei_wang@aspeedtech.com \
--cc=cjengel@us.ibm.com \
--cc=dphadke@linux.microsoft.com \
--cc=openbmc@lists.ozlabs.org \
--cc=patrick@stwcx.xyz \
--cc=sjg@chromium.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.