From: Sughosh Ganu
Date: Wed, 1 Dec 2021 14:01:39 +0530
Subject: Re: [RESEND RFC PATCH 03/10] FWU: Add metadata structure and functions for accessing metadata
To: Ilias Apalodimas
Cc: Heinrich Schuchardt, Patrick Delaunay, Patrice Chotard, Alexander Graf, Simon Glass, Bin Meng, Peng Fan, AKASHI Takahiro, Jose Marinho, Grant Likely, Jason Liu, u-boot@lists.denx.de
References: <20211125071302.3644-1-sughosh.ganu@linaro.org> <20211125071302.3644-4-sughosh.ganu@linaro.org>
List-Id: U-Boot discussion
hi Ilias,

On Wed, 1 Dec 2021 at 13:20, Ilias Apalodimas wrote:

> Hi Sughosh,
>
> [...]
>
> >> > +{
> >> > +	struct fwu_metadata_ops *ops;
> >>
> >> The metadata is an untrusted information source and hence MUST NOT be
> >> used to map the image_type_id to the DFU alt_number. Don't invite a
> >> denial of service attack.
> >>
> >> The signed capsule would be a good place for storing the DFU mapping.
> >
> >
> > I understand your concern with using dfu_alt_info for storing the
> > information needed for writing the capsule payload. However, putting the
> > information currently stored on the dfu_alt_info on a capsule should
> > require a spec change IMO. This should first be discussed and brought in
> > as part of the UEFI spec.
>
> Well not the UEFI spec. You got the FMP driver which is abstract
> enough to handle that. However as I already replied to Heinrich, an
> attacker can just erase the entire GPT, instead of bothering altering
> it. So what I've been trying to think based on Heinrich's suggestion
> is if an attacker can manipulate the metadata in such a way to force
> the device to boot something it shouldn't. But since BL1 will go ahead
> and verify signatures before booting them anyway, I can't think of
> something valid.
>

Sorry, I misinterpreted the comment from Heinrich. I was replying to the
comment from Heinrich about not using the dfu_alt_info env variable for
the updates. I think Heinrich is also suggesting putting the metadata
equivalent information on the capsule. This would also mean adding a
header to each payload where the header stores the metadata information.
But as you say, having the firmware and the metadata on a device that
can be accessed from the non-secure world, we cannot avoid DoS attacks
even with the metadata on the capsule.

Also, this would mean having multiple copies of the metadata, since the
earlier stage bootloader (BL2/SPL) shall still need the metadata on a
storage device partition to identify which bank to boot from.

-sughosh

> >
> > Also, when you say signed capsule, please note not the entire capsule
> > gets signed -- it is only the capsule payloads that are signed, not the
> > headers. So putting the information currently stored in dfu env var to
> > the capsule would mean adding a header to the payload, which would
> > contain this information, and then the header plus payload would be
> > signed. However this is implemented, this would mean changes to the
> > current capsule format, and making this change without changing the spec
> > would also mean that we will also not be able to use the GenerateCapsule
> > tool for capsule generation. This is not a small change which can be
> > included as a patch in the FWU A/B update series, but should be taken up
> > as a separate exercise.
> >
> > [...]
>
> Cheers
> /Ilias
>
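The thread makes two defensive points that are easy to show in code: Heinrich's that the metadata partition is untrusted input and must not be the source of the image_type_id to DFU alt_number mapping, and Sughosh's that the early bootloader (BL2/SPL) still has to read that metadata from storage to pick a bank. The following is an added example, not code from the FWU patch series or from U-Boot, using a hypothetical, simplified metadata layout (struct md_header, MD_MAGIC, the trusted_map table and all values are constructed for illustration). It validates the on-storage copy (magic, CRC, bank indices in range) before any field is used, and resolves the alt number only from a table compiled into the bootloader, so a rewritten partition can at worst make the metadata invalid, never redirect a write or an index out of range.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical A/B metadata layout; NOT U-Boot's fwu_mdata. Constructed values. */
#define MD_MAGIC      0x4D445546u
#define MD_NUM_BANKS  2u
#define MD_NUM_IMAGES 2u

struct md_image_entry {
	uint32_t image_type_id;           /* identifies the firmware image */
	uint32_t accepted[MD_NUM_BANKS];  /* per-bank "image accepted" flag */
};

struct md_header {
	uint32_t magic;
	uint32_t crc32;          /* covers every field after this one */
	uint32_t active_bank;    /* bank the bootloader should boot from */
	uint32_t previous_bank;
	struct md_image_entry images[MD_NUM_IMAGES];
};

/* Trusted image_type_id -> DFU alt mapping, compiled in, never read from storage. */
struct alt_map { uint32_t image_type_id; unsigned int alt_num; };
static const struct alt_map trusted_map[] = { { 0x1001u, 0 }, { 0x1002u, 1 } };

/* Standard reflected CRC-32 (poly 0xEDB88320), bitwise for brevity. */
static uint32_t crc32_le(const uint8_t *buf, size_t len)
{
	uint32_t crc = 0xFFFFFFFFu;

	for (size_t i = 0; i < len; i++) {
		crc ^= buf[i];
		for (int b = 0; b < 8; b++)
			crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
	}
	return ~crc;
}

/* Region covered by the CRC: everything after the crc32 field. */
static const uint8_t *md_crc_region(const struct md_header *md, size_t *len)
{
	size_t off = offsetof(struct md_header, active_bank);

	*len = sizeof(*md) - off;
	return (const uint8_t *)md + off;
}

/* Validate metadata read from storage before any field is used: a corrupted or
 * rewritten partition yields a clean "invalid", never an out-of-range index. */
bool md_validate(const void *buf, size_t len)
{
	const struct md_header *md = buf;
	size_t crc_len;
	const uint8_t *crc_buf;

	if (len < sizeof(*md) || md->magic != MD_MAGIC)
		return false;
	crc_buf = md_crc_region(md, &crc_len);
	if (crc32_le(crc_buf, crc_len) != md->crc32)
		return false;
	if (md->active_bank >= MD_NUM_BANKS || md->previous_bank >= MD_NUM_BANKS)
		return false;
	return true;
}

/* Resolve the DFU alt number from the compiled-in table only; unknown ids are
 * refused (-1) instead of being mapped to a metadata-supplied slot. */
int md_alt_for_image(uint32_t image_type_id)
{
	for (size_t i = 0; i < sizeof(trusted_map) / sizeof(trusted_map[0]); i++)
		if (trusted_map[i].image_type_id == image_type_id)
			return (int)trusted_map[i].alt_num;
	return -1;
}

/* Build a sample record (constructed values) with a correct CRC. */
void md_build_sample(struct md_header *md, uint32_t active_bank)
{
	size_t crc_len;
	const uint8_t *crc_buf;

	memset(md, 0, sizeof(*md));
	md->magic = MD_MAGIC;
	md->active_bank = active_bank;
	md->previous_bank = active_bank ^ 1u;
	md->images[0].image_type_id = 0x1001u;
	md->images[1].image_type_id = 0x1002u;
	crc_buf = md_crc_region(md, &crc_len);
	md->crc32 = crc32_le(crc_buf, crc_len);
}

int main(void)
{
	struct md_header md;

	md_build_sample(&md, 1);
	printf("well-formed: %s\n", md_validate(&md, sizeof(md)) ? "valid" : "invalid");
	md.active_bank = 7;  /* tampered after CRC: both checks now fail */
	printf("tampered:    %s\n", md_validate(&md, sizeof(md)) ? "valid" : "invalid");
	printf("alt for 0x1001: %d, alt for 0x9999: %d\n",
	       md_alt_for_image(0x1001u), md_alt_for_image(0x9999u));
	return 0;
}
```

The CRC only catches accidental corruption; as Ilias notes, an attacker with access to the partition can rewrite or erase it wholesale, so the bounds checks and the compiled-in mapping are what bound the damage to a refusal, with image authenticity still resting on the signature verification BL1 performs on whatever the selected bank contains.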