Trả lời: [PATCH 0/3] Enable secured boot for BBB

From: <tho1.nguyendat@toshiba.co.jp>
To: <jan.kiszka@siemens.com>, <cip-dev@lists.cip-project.org>
Cc: <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Trả lời: [PATCH 0/3] Enable secured boot for BBB
Date: Tue, 29 Aug 2023 02:32:56 +0000	[thread overview]
Message-ID: <OS3PR01MB5880C40F370BAB87E9F087F995E7A@OS3PR01MB5880.jpnprd01.prod.outlook.com> (raw)
In-Reply-To: <bfcdf1ab-f22f-432e-b232-36733465dced@siemens.com>

[-- Attachment #1: Type: text/plain, Size: 2836 bytes --]

Hi,

Thanks, patch 1 and 3 are already in next (I assume you didn't change
them in this round, did you?).
Yes, I didn't change patch 1 and 3.
Patch 2 now makes we wonder about more fundamental things: I'm sure we
can boot securely via UEFI onward - provided we can store the image keys
somewhere. How did you address that? Did you test that you cannot boot a
manipulated rootfs? I'm not seeing anything that enables secure storage.
What we would need is some secure storage so that we can write the UEFI
keys into it.
I have tried to use TPM2 on BBB before, but I got some problems when enable TPM device on BBB:

  *   No TPM device for BBB, so I tried to use TPM9670 (https://wiki.52pi.com/index.php/EP-0149) but It's for Pi, not sure it can work with BBB.
  *   No device tree configuration for TPM on BBB. I tried to use some examples but still not work

________________________________
Từ: Jan Kiszka <jan.kiszka@siemens.com>
Đã gửi: 28 Tháng Tám 2023 7:45 CH
Đến: nguyen dat tho(ＴＳＤＶ Ｅｎｇ　１) <tho1.nguyendat@toshiba.co.jp>; cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org>
Cc: hayashi kazuhiro(林 和宏 ＤＭＥ ○ＤＩＧ□ＭＰＳ○ＭＰ４) <kazuhiro3.hayashi@toshiba.co.jp>
Chủ đề: Re: [PATCH 0/3] Enable secured boot for BBB

On 28.08.23 12:43, tho1.nguyendat@toshiba.co.jp wrote:
> From: Tho Nguyen <tho1.nguyendat@toshiba.co.jp>
>
> Hi,
>
> The following patch series enables secured boot for Beaglebone Black, please help me review them and give your feedback.
>
> Nguyen Dat Tho (3):
>   linux/cip-kernel-config: Use latest commit
>   bbb: Enable secured boot
>   u-boot: Add EFI secure boot dependency
>
>  Kconfig                                       |  2 +-
>  recipes-bsp/u-boot/files/secure-boot.cfg.tmpl |  1 +
>  recipes-kernel/linux/cip-kernel-config.inc    |  2 +-
>  wic/bbb-efibootguard-secureboot.wks.in        | 13 +++++++++++++
>  4 files changed, 16 insertions(+), 2 deletions(-)
>  create mode 100644 wic/bbb-efibootguard-secureboot.wks.in
>

Thanks, patch 1 and 3 are already in next (I assume you didn't change
them in this round, did you?).

Patch 2 now makes we wonder about more fundamental things: I'm sure we
can boot securely via UEFI onward - provided we can store the image keys
somewhere. How did you address that? Did you test that you cannot boot a
manipulated rootfs? I'm not seeing anything that enables secure storage.
What we would need is some secure storage so that we can write the UEFI
keys into it.

The alternative would be a static chain with (public) image keys
hard-coded into the firmware. But that would be only ok if there is
nothing to store securely during runtime (CONFIG_IMAGE_DATA_ENCRYPTION).

Jan

--
Siemens AG, Technology
Linux Expert Center

[-- Attachment #2: Type: text/html, Size: 7564 bytes --]