From: Simon Glass <sjg@chromium.org>
To: Andrew Jeffery <andrew@aj.id.au>
Cc: Alexander Amelkin <a.amelkin@yadro.com>,
OpenBMC Maillist <openbmc@lists.ozlabs.org>
Subject: Re: BMC Image Signing Proposal
Date: Mon, 29 Jan 2018 08:50:39 -0700 [thread overview]
Message-ID: <CAPnjgZ3_ZfbnDfjq1zPM6eAN5_3aTzNn8OcFqOgVoKYwu+9=Hg@mail.gmail.com> (raw)
In-Reply-To: <1517207425.21006.27.camel@aj.id.au>
Hi,
On 28 January 2018 at 23:30, Andrew Jeffery <andrew@aj.id.au> wrote:
> Hi Alexander,
>
> On Fri, 2018-01-26 at 14:07 +0300, Alexander Amelkin wrote:
>> Hi, Anoo!
>>
>> The thoughts are as follows:
>>
>> 1. BMC usually runs in a secured environment where probability of
>> tampering with flash IC contents by means other than BMC's firmware
>> itself is negligible.
>
> This does bring up the issue of developing a threat model to develop
> against; we should probably do that. However, without one, I feel like
> we should design *for* defense in depth and allow people to remove
> protections as they see fit for their environment, rather than make
> potentially compromising assumptions about what that environment is at
> the outset.
>
> For instance, whilst BMCs might typically be isolated from customer
> traffic on a separate LAN, there's still the in-band interface which
> can be used to poke at the BMC. Vulnerabilities in the IPMI stack could
> lead to BMC compromise and undesirable flash writes*. Therefore BMC
> flash integrity remains a valid concern despite network isolation.
>
> * This ties into Michael Brown's talks of isolating daemons to their
> own user/group and enforcing SELinux policy against them.
>
>>
>> 2. U-Boot already performs image checksum validation before booting a
>> FIT image
>
> Typically the rootfs is not part of the FIT, so it will not be checked.
> Some systems supported by OpenBMC directly mount the rootfs rather
> than booting through an initrd, which makes rootfs authentication
> somewhat tricky. Regardless, with signed images we should expand the
> FIT hash check to be a full signature check.
If you use an initrd in the FIT, it can be checked in the same way as
the kernel. FIT supports a full signature check.
If you use a separate rootfs, verity can be used if it is read-only.
Otherwise I am not sure.
>
>>
>> 3. User input really needs validation, at least to make the system
>> fool-proof
>>
>> Having said that, I suggest that the only thing that really needs doing
>> is signing (and checking) of the overall firmware image file that is
>> supplied by the user (admin) during the firmware upgrade procedure.
>> Applying asymmetric cryptography to a digest hash looks to me like a
>> good idea as it indeed allows for verifying the supplier of the firmware
>> image.
>
> Agreed - do Yadro do this already? If so, what did you do to integrate
> image signing into the build process? If not, then I'd be keen to keep
> the discussion alive on how we can achieve it.
>
> Cheers,
>
> Andrew
Regards,
Simon
next prev parent reply other threads:[~2018-01-29 15:51 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-25 21:15 BMC Image Signing Proposal anoo
2018-01-26 11:07 ` Alexander Amelkin
2018-01-29 6:30 ` Andrew Jeffery
2018-01-29 15:50 ` Simon Glass [this message]
2018-01-29 20:59 ` Vernon Mauery
2018-01-30 4:47 ` Stewart Smith
2018-01-30 6:18 ` Joel Stanley
2018-01-30 16:20 ` Simon Glass
2018-01-30 23:53 ` Stewart Smith
2018-01-31 21:13 ` Adriana Kobylak
2018-02-08 20:27 ` Adriana Kobylak
2018-02-10 1:36 ` Yugi Mani
2018-02-13 22:33 ` Adriana Kobylak
2018-02-13 22:34 ` Adriana Kobylak
2018-02-15 4:07 ` Joel Stanley
2018-02-19 21:04 ` Adriana Kobylak
2018-02-23 1:44 ` Stewart Smith
2018-02-23 20:30 ` Vernon Mauery
2018-02-15 4:10 ` Joel Stanley
2018-02-23 1:47 ` Stewart Smith
2018-02-27 22:13 ` Adriana Kobylak
2018-05-15 2:06 ` Lei YU
2018-05-15 18:18 ` Yugi Mani
2018-05-15 23:03 ` Stewart Smith
2018-05-16 16:02 ` Vernon Mauery
2018-05-18 3:33 ` Lei YU
2018-05-18 16:01 ` Adriana Kobylak
2018-05-18 21:02 ` Vernon Mauery
2018-05-22 6:46 ` Lei YU
2018-05-22 15:30 ` Vernon Mauery
2018-05-22 18:28 ` Vernon Mauery
2018-05-24 17:12 ` Adriana Kobylak
2018-05-24 19:34 ` Vernon Mauery
2018-05-25 7:03 ` Lei YU
2018-05-15 20:00 ` Stewart Smith
2018-01-30 4:39 ` Stewart Smith
2018-01-29 5:56 ` Andrew Jeffery
2018-01-29 21:07 ` Vernon Mauery
2018-01-29 10:44 ` Avi Fishman
2018-01-29 14:40 ` Eugene.Cho
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAPnjgZ3_ZfbnDfjq1zPM6eAN5_3aTzNn8OcFqOgVoKYwu+9=Hg@mail.gmail.com' \
--to=sjg@chromium.org \
--cc=a.amelkin@yadro.com \
--cc=andrew@aj.id.au \
--cc=openbmc@lists.ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.