public inbox for linux-mtd@lists.infradead.org
 help / color / mirror / Atom feed
From: Zhihao Cheng <chengzhihao1@huawei.com>
To: Daniel Golle <daniel@makrotopia.org>
Cc: Krzysztof Kozlowski <krzk@kernel.org>,
	Miquel Raynal <miquel.raynal@bootlin.com>,
	Richard Weinberger <richard@nod.at>,
	Vignesh Raghavendra <vigneshr@ti.com>,
	Rob Herring <robh@kernel.org>,
	Krzysztof Kozlowski <krzk+dt@kernel.org>,
	Conor Dooley <conor+dt@kernel.org>,
	John Crispin <john@phrozen.org>, <linux-mtd@lists.infradead.org>,
	<devicetree@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH RFC 1/2] dt-bindings: mtd: ubi-volume: add 'volume-is-critical' property
Date: Sun, 29 Sep 2024 19:23:12 +0800	[thread overview]
Message-ID: <3fbc4221-5967-fb9a-3cee-91cd5de2b805@huawei.com> (raw)
In-Reply-To: <Zvkxi-6J8R1K95PQ@makrotopia.org>

在 2024/9/29 18:52, Daniel Golle 写道:
> On Sun, Sep 29, 2024 at 12:03:11PM +0800, Zhihao Cheng wrote:
>> 在 2024/9/28 22:38, Daniel Golle 写道:
>>> On Sat, Sep 28, 2024 at 03:45:49PM +0200, Krzysztof Kozlowski wrote:
>>>> On 28/09/2024 15:09, Daniel Golle wrote:
>>>>> On Sat, Sep 28, 2024 at 03:02:47PM +0200, Krzysztof Kozlowski wrote:
>>>>>> On 28/09/2024 14:47, Daniel Golle wrote:
>>>>>>> Add the 'volume-is-critical' boolean property which marks a UBI volume
>>>>>>> as critical for the device to boot. If set it prevents the user from
>>>>>>> all kinds of write access to the volume as well as from renaming it or
>>>>>>> detaching the UBI device it is located on.
>>>>>>>
>>>>>>> Signed-off-by: Daniel Golle <daniel@makrotopia.org>
>>>>>>> ---
>>>>>>>    .../devicetree/bindings/mtd/partitions/ubi-volume.yaml   | 9 +++++++++
>>>>>>>    1 file changed, 9 insertions(+)
>>>>>>>
>>>>>>> diff --git a/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml b/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml
>>>>>>> index 19736b26056b..2bd751bb7f9e 100644
>>>>>>> --- a/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml
>>>>>>> +++ b/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml
>>>>>>> @@ -29,6 +29,15 @@ properties:
>>>>>>>        description:
>>>>>>>          This container may reference an NVMEM layout parser.
>>>>>>> +  volume-is-critical:
>>>>>>> +    description: This parameter, if present, indicates that the UBI volume
>>>>>>> +      contains early-boot firmware images or data which should not be clobbered.
>>>>>>> +      If set, it prevents the user from renaming the volume, writing to it or
>>>>>>> +      making any changes affecting it, as well as detaching the UBI device it is
>>>>>>> +      located on, so direct access to the underlying MTD device is prevented as
>>>>>>> +      well.
>>>>>>> +    type: boolean
>>>>>>
>>>>>> UBI volumes are mapping to partitions 1-to-1, right? So rather I would
>>>>>> propose to use partition.yaml - we already have read-only there with
>>>>>> very similar description.
>>>>>
>>>>> No, that's not the case.
>>>>>
>>>>> An MTD partition can be used as UBI device. A UBI device (and hence MTD
>>>>> partition) can host *several* UBI volumes.
>>>>>
>>>>> Marking the MTD partition as 'read-only' won't work, as UBI needs
>>>>> read-write access to perform bad block relocation, scrubbing, ...
>>>>
>>>> OK, so not partition but read-only volume.
>>>
>>> +1
>>>
>>>>
>>>>>
>>>>> Also, typically not all UBI volumes on a UBI device are
>>>>> read-only/critical but only a subset of them.
>>>>>
>>>>> But you are right that the description is inspired by the description
>>>>> of the 'read-only' property in partition.yaml ;)
>>>>>
>>>>> I initially thought to also name the property 'read-only', just like
>>>>> for MTD partitions. However, as the desired effect goes beyond
>>>>> preventing write access to the volume itself, I thought it'd be
>>>>> better to use a new name.
>>>>
>>>> Yeah, maybe... critical indeed covers multiple cases but is also
>>>> subjective. For some bootloader is critical, for other bootloader still
>>>> might be fully A/B updateable thus could be modifiable. For others, they
>>>> want to use fw_setenv from user-space so not critical at all.
>>>
>>> The case I want to cover here is the bootloader itself being stored
>>> inside a UBI volume. MediaTek's fork of ARM TrustedFirmware-A bl2 comes
>>> with support for UBI and loads BL3 (which is TF-A BL31 and U-Boot, and
>>> maybe OP-TEE as well) from a static UBI volume. Removing, renaming or
>>> altering that volume results in the device not being able to boot any
>>> more and requiring a complicated intervention (at attaching debugging
>>> UART and using low-level recovery tool) in order to recover.
>>
>> Who removes/renames the 'critical' volume? I suggest to fix it in the upper
>> layer(not in kernel). After looking through the patch 2, it seems a hack
>> solution.
> 
> The enemy is the user, the upper layer is between the keyboard and the
> screen. Just like for 'read-only' MTD partitions I'm looking
> for a similar solution for UBI which prevents the user from accidentally
> deleting or destroying the bootloader, lets say, when logged in via SSH.
> .
> 

I guess that other partitions(excepts mtd) have the similar situations, 
users could delete a rootfs(ext4) partition by operation the raw block 
device. The kernel has no way to stop user doing this, what if the user 
just want to rebuild partions?
Marking volume as critical(by a stopper in kernel) could prevent user 
mistakenly operating, but I think it is more important that user need to 
know what he/she is doing.

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

  reply	other threads:[~2024-09-29 11:23 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-28 12:47 [PATCH RFC 1/2] dt-bindings: mtd: ubi-volume: add 'volume-is-critical' property Daniel Golle
2024-09-28 12:48 ` [PATCH RFC 2/2] mtd: ubi: add support for protecting critical volumes Daniel Golle
2024-09-29 12:26   ` Richard Weinberger
2024-09-30  1:56     ` Zhihao Cheng
2024-09-30 18:43       ` Richard Weinberger
2024-09-30 19:39         ` Daniel Golle
2024-09-30 19:54           ` Richard Weinberger
2024-10-08  2:55             ` Zhihao Cheng
2024-09-28 13:02 ` [PATCH RFC 1/2] dt-bindings: mtd: ubi-volume: add 'volume-is-critical' property Krzysztof Kozlowski
2024-09-28 13:09   ` Daniel Golle
2024-09-28 13:45     ` Krzysztof Kozlowski
2024-09-28 14:38       ` Daniel Golle
2024-09-29  4:03         ` Zhihao Cheng
2024-09-29 10:52           ` Daniel Golle
2024-09-29 11:23             ` Zhihao Cheng [this message]
2024-09-29 12:16               ` Daniel Golle

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3fbc4221-5967-fb9a-3cee-91cd5de2b805@huawei.com \
    --to=chengzhihao1@huawei.com \
    --cc=conor+dt@kernel.org \
    --cc=daniel@makrotopia.org \
    --cc=devicetree@vger.kernel.org \
    --cc=john@phrozen.org \
    --cc=krzk+dt@kernel.org \
    --cc=krzk@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mtd@lists.infradead.org \
    --cc=miquel.raynal@bootlin.com \
    --cc=richard@nod.at \
    --cc=robh@kernel.org \
    --cc=vigneshr@ti.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox