From: Ilias Apalodimas
Date: Wed, 1 Dec 2021 09:50:07 +0200
Subject: Re: [RESEND RFC PATCH 03/10] FWU: Add metadata structure and functions for accessing metadata
To: Sughosh Ganu
Cc: Heinrich Schuchardt, Patrick Delaunay, Patrice Chotard, Alexander Graf, Simon Glass, Bin Meng, Peng Fan, AKASHI Takahiro, Jose Marinho, Grant Likely, Jason Liu, u-boot@lists.denx.de
References: <20211125071302.3644-1-sughosh.ganu@linaro.org> <20211125071302.3644-4-sughosh.ganu@linaro.org>
List-Id: U-Boot discussion

Hi Sughosh,

[...]

>> > +{
>> > + struct fwu_metadata_ops *ops;
>>
>> The metadata is an untrusted information source and hence MUST NOT be
>> used to map the image_type_id to the DFU alt_number. Don't invite a
>> denial of service attack.
>>
>> The signed capsule would be a good place for storing the DFU mapping.
>
>
> I understand your concern with using dfu_alt_info for storing the
> information needed for writing the capsule payload. However, putting the
> information currently stored on the dfu_alt_info on a capsule should
> require a spec change IMO. This should first be discussed and brought in
> as part of the UEFI spec.

Well not the UEFI spec. You got the FMP driver which is abstract enough
to handle that. However as I already replied to Heinrich, an attacker can
just erase the entire GPT, instead of bothering altering it. So what I've
been trying to think based on Heinrich's suggestion is if an attacker can
manipulate the metadata in such a way to force the device to boot something
it shouldn't. But since BL1 will go ahead and verify signatures before
booting them anyway, I can't think of something valid.

> Also, when you say signed capsule, please note not the entire capsule
> gets signed -- it is only the capsule payloads that are signed, not the
> headers. So putting the information currently stored in dfu env var to
> the capsule would mean adding a header to the payload, which would
> contain this information, and then the header plus payload would be
> signed. However this is implemented, this would mean changes to the
> current capsule format, and making this change without changing the spec
> would also mean that we will also not be able to use the GenerateCapsule
> tool for capsule generation. This is not a small change which can be
> included as a patch in the FWU A/B update series, but should be taken up
> as a separate exercise.
>
> [...]

Cheers
/Ilias
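Heinrich's point above, that the on-flash metadata is an untrusted input and must not decide the DFU alt number, can be illustrated with a small added example (not code from the patch series or from U-Boot). The `struct fwu_mdata` layout, the CRC placement and the `dfu_alt_for_image` table are assumptions constructed for this illustration: the blob is CRC- and range-checked before any field is read, and it is only allowed to select a bank index, while the image-to-alt mapping is a build-time table.

```c
/* Added example, not code from the patch series; the layout is an assumption. */
#include <stddef.h>
#include <stdint.h>
#define NUM_BANKS  2
#define NUM_IMAGES 2

struct fwu_mdata {            /* stored on flash: untrusted input */
	uint32_t crc32;        /* CRC over the fields after it */
	uint32_t version;      /* assumed: only version 1 is known */
	uint32_t active_index; /* bank to boot / write next */
};

/* Trusted build-time mapping: image index x bank -> DFU alt (constructed values). */
static const unsigned int dfu_alt_for_image[NUM_IMAGES][NUM_BANKS] = { {0, 1}, {2, 3} };

static uint32_t crc32_le(const uint8_t *p, size_t n)
{
	uint32_t c = 0xffffffffu;
	while (n--) {
		c ^= *p++;
		for (int k = 0; k < 8; k++)
			c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
	}
	return ~c;
}

static uint32_t mdata_crc(const struct fwu_mdata *m) /* skips the crc32 field itself */
{
	size_t off = offsetof(struct fwu_mdata, version);
	return crc32_le((const uint8_t *)m + off, sizeof(*m) - off);
}

/* 0 if the blob is self-consistent; a negative code otherwise. Check before use. */
int fwu_mdata_validate(const struct fwu_mdata *m)
{
	if (mdata_crc(m) != m->crc32) return -1;      /* corrupted or tampered */
	if (m->version != 1) return -2;               /* unknown layout */
	if (m->active_index >= NUM_BANKS) return -3;  /* would walk off the alt table */
	return 0;
}

/* Metadata only picks the bank; the alt number itself comes from the fixed table,
 * so a rewritten blob cannot redirect a payload write to an arbitrary alt. */
int fwu_dfu_alt(const struct fwu_mdata *m, unsigned int image_idx, unsigned int *alt)
{
	if (fwu_mdata_validate(m) != 0 || image_idx >= NUM_IMAGES) return -1;
	*alt = dfu_alt_for_image[image_idx][m->active_index];
	return 0;
}
void fwu_mdata_seal(struct fwu_mdata *m) { m->crc32 = mdata_crc(m); } /* writer side */
```

Whether a tampered blob leaves the CRC stale or recomputes it, the worst it can achieve here is to pick the other bank; it cannot point a write at an alt outside the table, and the signature check in the boot chain still applies to whatever the selected bank contains.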