From: Gwendal Grignou <gwendal@chromium.org>
To: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Gwendal Grignou <gwendal@chromium.org>,
Alex Lemberg <Alex.Lemberg@sandisk.com>,
Holger Schurig <holgerschurig@gmail.com>,
Avi Shchislowski <Avi.Shchislowski@sandisk.com>,
"linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Chris Ball <chris@printf.net>,
Baolin Wang <baolin.wang@linaro.org>
Subject: Re: [RFC 0/6] mmc: Field Firmware Update
Date: Wed, 13 Apr 2016 15:33:36 -0700 [thread overview]
Message-ID: <CAMHSBOUjGutAOXYu01rjr-SgWKkGDL7KfQALn-bgkLopBVwpOA@mail.gmail.com> (raw)
In-Reply-To: <CAPDyKFoH3=czLW5_AKcJLRZa2ptTuumiMT24PZw6zKBW38WOwQ@mail.gmail.com>
On Mon, Apr 4, 2016 at 4:50 AM, Ulf Hansson <ulf.hansson@linaro.org> wrote:
>
> On 2 April 2016 at 02:23, Gwendal Grignou <gwendal@chromium.org> wrote:
> > On Thu, Jan 14, 2016 at 5:16 AM, Ulf Hansson <ulf.hansson@linaro.org> wrote:
> >> On 28 December 2015 at 15:12, Alex Lemberg <Alex.Lemberg@sandisk.com> wrote:
>
> > I am arriving after the battle, but I have finally rebased the eMMC
> > FFU kernel ffu code to 4.x. It is based on what Avi and Alex have
> > written.
> > As stated earlier, the advantage over using MMC_MUTLI_CMD is we can
> > force a reset and rescan of the card without asking the user to reboot
> > their machine.
>
> No matter what, I think the problem is how you would *safely* deal
> with the reset. Especially in the case when the eMMC already has an
> mounted file system on it.
Assuming the firmware is not wiping data or resizing the available
space, the data in the flash is readable after the upgrade.
For the host point of view, a firmware update and a reset is
equivalent to a reset, that could happen during error recovery.
The only change are in the cid/csd//extcsd registers the firmware may
have updated.
The stack has to assume these registers are not constant and can
change after reset.
When looking into the mmc stack, AFAICT, the code that needs to get
device specifics always rely on fields that are re-generated by
mmc_card_inif() (card->ext_csd, output of mmc_decode_csd()/cid(() and
so on).
>
>
> Just doing something that *might* work, isn't good enough to me.
>
> > Also, by only sending a firmware name over the ioctl, we can use Kees'
> > work for firmware validation (https://lwn.net/Articles/605432/).
>
> The request_firmware() interface would indeed be good to use. Although
> unless we can figure out a way on how to safely deal with reset, we
> will have to live without request_firmware().
>
> > To prevent downloading firmware from unknown source, we would reject
> > some commands (like SWITCH with FFU_MODE) in the kernel
> > MMC_IOC/MULTI_CMD ioctl handler.
>
> I don't follow, can you elaborate on this please.
Today, an attacker with root access could break the chain of trust by
writing a firmware in the eMMC that corrupts data on the fly and
return infected code to the host after verification.
One way is to use firmware signed by the manufacturer, a stronger
approach is to enforce that the firmware is part of the root
partition.
To prevent a bad firmware from being downloaded, we have to make sure
downloading firmware using raw single or multi commands ioctls does
not work.
Gwendal.
>
>
> Kind regards
> Uffe
next prev parent reply other threads:[~2016-04-13 22:34 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-13 14:56 [RFC 0/6] mmc: Field Firmware Update Holger Schurig
2015-11-13 14:56 ` [PATCH 1/6] mmc: move mmc_prepare_mrq() to core.c Holger Schurig
2015-11-13 14:56 ` [PATCH 2/6] mmc: move mmc_wait_busy() to core Holger Schurig
2015-11-13 14:56 ` [PATCH 3/6] mmc: move mmc_check_result() to core.c Holger Schurig
2015-11-13 14:56 ` [PATCH 4/6] mmc: move mmc_simple_transfer() " Holger Schurig
2015-11-13 14:56 ` [PATCH 5/6] mmc: move mmc_send_cxd_data() " Holger Schurig
2015-11-13 14:56 ` [PATCH 6/6] mmc: eMMC Field Firmware Update support Holger Schurig
2015-11-20 14:20 ` [RFC 0/6] mmc: Field Firmware Update Alan Cooper
2015-11-23 11:40 ` Avi Shchislowski
[not found] ` <CAOpc7mHbM8EYYNRKR+pKnzc0wf1DR1ojX-iFuDWDYyquC3EVZg@mail.gmail.com>
2015-12-15 15:35 ` Ulf Hansson
2015-12-22 8:15 ` Holger Schurig
2015-12-22 8:55 ` Ulf Hansson
2015-12-22 8:57 ` Ulf Hansson
2015-12-22 18:44 ` Olof Johansson
[not found] ` <CAG=SpYGf7czPwLrJVrq49n_Lhph33fmyKq-Nkm6=c0fB1Gn9_w@mail.gmail.com>
2016-01-14 12:50 ` Ulf Hansson
2015-12-28 14:12 ` Alex Lemberg
2016-01-14 13:16 ` Ulf Hansson
2016-04-02 0:23 ` Gwendal Grignou
2016-04-04 11:50 ` Ulf Hansson
2016-04-13 22:33 ` Gwendal Grignou [this message]
2016-04-14 8:35 ` Ulf Hansson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMHSBOUjGutAOXYu01rjr-SgWKkGDL7KfQALn-bgkLopBVwpOA@mail.gmail.com \
--to=gwendal@chromium.org \
--cc=Alex.Lemberg@sandisk.com \
--cc=Avi.Shchislowski@sandisk.com \
--cc=baolin.wang@linaro.org \
--cc=chris@printf.net \
--cc=holgerschurig@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mmc@vger.kernel.org \
--cc=ulf.hansson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).