Subject: Re: [PATCH v2 1/2] efi: SPI NOR flash support
To: Heinrich Schuchardt , The development of GNU GRUB
Cc: Paul Menzel
References: <521ca300-6d1e-94ed-c87d-f4005a1f7870@gmx.de>
From: Michael Lawnick
Reply-To: The development of GNU GRUB
Message-ID: <60272707-3e9c-2f7c-ceed-3ce1337f65b2@gmx.de>
Date: Thu, 11 Feb 2021 13:50:31 +0100
On 11.02.2021 at 09:51, Heinrich Schuchardt wrote:
> On 11.02.21 08:36, Michael Lawnick wrote:
>>
>> Hi,
>>
>> seven days of silence. In the end no interest in extending EFI support?
>>
>> KR
>> Michael
>>
>> On 05.02.2021 at 09:58, Michael Lawnick wrote:
>>> Add EFI SPI NOR driver
>>>
>>> Use UEFI interface for accessing SPI NOR flashes.
>>> If supported, the implementation of UEFI boot software abstracts
>>> away all those ugly H/W details like SPI controller or protocol.
>>> Provided functions:
>>> grub_efi_spi_nor_
>>>     init
>>>     erase
>>>     write
>>>     read
>>>     flash_size
>>>     flash_id
>>>     erase_block_size
>>>
>>> This driver might be used for further abstraction to a common
>>> (SPI) flash interface.
>>>
>
> A commit message should describe what the patch is good for.
>
> What is the use case for GRUB accessing SPI?

Many industrial systems use SPI flash as the primary boot source. And most of the time there are changeable parameters to be stored.

> In your second patch you introduce a command to write and erase the SPI
> flash. Hopefully the firmware has disabled writes.
>
> GRUB writing to SPI would mean that a user program could introduce
> malware into the firmware by adding said command to grub.cfg.
>
> This would be a gross security issue. Hopefully the firmware has locked
> the SPI flash before entering GRUB.
>
> SPI flash updates should be effected via signed UEFI update capsules and
> not via GRUB.

Hi,

write protection is a system architecture issue. If sensitive sections aren't protected, S/W support for access won't change that. At the latest in O/S state the devices can be accessed.

On (many/some) x86 SoCs I know, it is the BIOS which configures read/write protection; on my current ARM-based system it is a combination of the security level for the complete boot device and a H/W protection pin for the unchangeable section in the data device.

In our company's area we do have H/W protection enabled on the root of trust part and verification on the module chain. Several boot parameters are stored in our SPI flash to configure the systems for different use cases.

I have the impression that your view is coming from the x86/desktop direction. I am coming from embedded systems.

KR
Michael