Date: Mon, 3 Oct 2022 15:21:31 +0300
From: Ilias Apalodimas
To: Jassi Brar
Cc: Etienne Carriere, Sughosh Ganu, u-boot@lists.denx.de, Heinrich Schuchardt, Takahiro Akashi, Patrick Delaunay, Patrice Chotard, Simon Glass, Bin Meng, Tom Rini, Michal Simek, Jassi Brar
Subject: Re: [PATCH v10 10/15] FWU: Add support for the FWU Multi Bank Update feature
References: <20220915081451.633983-1-sughosh.ganu@linaro.org> <20220915081451.633983-11-sughosh.ganu@linaro.org>
List-Id: U-Boot discussion

Hi Jassi,

On Wed, Sep 28, 2022 at 10:16:53AM -0500, Jassi Brar wrote:
> Hi Etienne,
>
> On Wed, Sep 28, 2022 at 2:30 AM Etienne Carriere wrote:
> > Hello Jassi, Sughosh and all,
> >
> > >>> But a malicious user may force some old vulnerable image back into use
> > >>> by updating all but that image.
> >
> > When the system boots with accepted images (referring to fwu-mdata
> > regular/trial state), the platform monotonic counter is updated
> > against the booted image version number if needed, preventing older
> > images from being booted once an accepted image has been deployed.
> > @Jassi, does this answer your question?
> >
> As I said in my earlier post, I know we can employ security+integrity
> techniques to prevent such misuse.
> My point is FWU should still be implemented assuming no such technique
> might be available due to any reason, and we do the best we can. Just
> as we don't say let's not care about buffer-overflow vulnerabilities
> because the system can implement secure boot and other such
> techniques.
>
> For example, the spec warns: "The metadata can be maliciously
> crafted, it should be treated as an insecure information source." So
> clearly the spec doesn't count on rollback and authentication
> mechanisms to be always available - and that is how it should be.

We've discussed this extensively while drafting the spec. You are right
that we would be better off trying to protect the fwu metadata somehow.
In fact Heinrich had similar concerns when the original RFC was posted.
But can you think of such a reliable mechanism? The only thing we could
come up with, without overcomplicating the entire spec, was a device that
boots from the secure world and stores the metadata either in a flash
there or in a device with such protection mechanisms (e.g. an RPMB).

Cheers
/Ilias

> >
> > cheers.
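The two defences the thread discusses, as an added example that is not code from the FWU patch series or from U-Boot: the metadata is treated as an insecure input (a matching CRC only shows the copy is intact, so the bank index is bounds-checked before use), and a bank whose version is below the platform monotonic counter is refused. The struct layout, the CRC placement, the function names and the in-memory counter are assumptions; the accepted/trial distinction is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define NUM_BANKS 2
/* Assumed, simplified layout (not U-Boot's struct fwu_mdata); the CRC covers
 * every field after crc32 itself. */
struct mdata {
    uint32_t crc32, active_index;
    uint32_t image_version[NUM_BANKS];
};
/* Plain CRC-32 (IEEE 802.3), bitwise, to stay self-contained. */
static uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
    }
    return ~c;
}
static uint32_t mdata_crc(const struct mdata *m) {
    return crc32_buf((const uint8_t *)&m->active_index,
                     sizeof(*m) - offsetof(struct mdata, active_index));
}
/* The metadata is an insecure input: a matching CRC only shows the copy is
 * intact, so the bank index is still bounds-checked before it is used. */
bool mdata_valid(const struct mdata *m) {
    return mdata_crc(m) == m->crc32 && m->active_index < NUM_BANKS;
}
/* Anti-rollback: refuse a bank whose version is below the platform monotonic
 * counter, otherwise advance the counter to the booted version. `counter`
 * stands in for a hardware-backed counter (assumption). */
bool boot_allowed(const struct mdata *m, uint32_t *counter) {
    if (!mdata_valid(m)) return false;
    uint32_t v = m->image_version[m->active_index];
    if (v < *counter) return false;
    *counter = v;
    return true;
}
/* Demo on constructed metadata. tamper: 0 = intact, 1 = field changed after
 * sealing (CRC mismatch), 2 = out-of-range index sealed with a valid CRC.
 * Returns the counter after boot, or -1 when the boot is refused. */
long demo(uint32_t active, uint32_t v0, uint32_t v1, uint32_t counter, int tamper) {
    struct mdata m = { .active_index = active, .image_version = { v0, v1 } };
    if (tamper == 2) m.active_index = 0xffffffffu;
    m.crc32 = mdata_crc(&m);
    if (tamper == 1) m.active_index ^= 1u;   /* changed without re-sealing */
    return boot_allowed(&m, &counter) ? (long)counter : -1;
}
```

The tamper == 2 case is the one the spec's warning is about: a correct checksum says nothing about who wrote the metadata, so only the bounds check and the counter stand between a crafted record and an out-of-range read or a rollback.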