From: Ulf Hansson <ulf.hansson@linaro.org>
To: Gwendal Grignou <gwendal@chromium.org>
Cc: Alex Lemberg <Alex.Lemberg@sandisk.com>,
Holger Schurig <holgerschurig@gmail.com>,
Avi Shchislowski <Avi.Shchislowski@sandisk.com>,
"linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Chris Ball <chris@printf.net>,
Baolin Wang <baolin.wang@linaro.org>
Subject: Re: [RFC 0/6] mmc: Field Firmware Update
Date: Thu, 14 Apr 2016 10:35:34 +0200 [thread overview]
Message-ID: <CAPDyKFpt5kbBnF9MeC63YKPxgrGLV53uPSB+iTaiTXpun2+4zw@mail.gmail.com> (raw)
In-Reply-To: <CAMHSBOUjGutAOXYu01rjr-SgWKkGDL7KfQALn-bgkLopBVwpOA@mail.gmail.com>
On 14 April 2016 at 00:33, Gwendal Grignou <gwendal@chromium.org> wrote:
> On Mon, Apr 4, 2016 at 4:50 AM, Ulf Hansson <ulf.hansson@linaro.org> wrote:
>>
>> On 2 April 2016 at 02:23, Gwendal Grignou <gwendal@chromium.org> wrote:
>> > On Thu, Jan 14, 2016 at 5:16 AM, Ulf Hansson <ulf.hansson@linaro.org> wrote:
>> >> On 28 December 2015 at 15:12, Alex Lemberg <Alex.Lemberg@sandisk.com> wrote:
>>
>> > I am arriving after the battle, but I have finally rebased the eMMC
>> > FFU kernel ffu code to 4.x. It is based on what Avi and Alex have
>> > written.
>> > As stated earlier, the advantage over using MMC_MUTLI_CMD is we can
>> > force a reset and rescan of the card without asking the user to reboot
>> > their machine.
>>
>> No matter what, I think the problem is how you would *safely* deal
>> with the reset. Especially in the case when the eMMC already has an
>> mounted file system on it.
>
> Assuming the firmware is not wiping data or resizing the available
> space, the data in the flash is readable after the upgrade.
This is exactly my point. You can no* assume anything about the card
after a firmware upgrade.
> For the host point of view, a firmware update and a reset is
> equivalent to a reset, that could happen during error recovery.
> The only change are in the cid/csd//extcsd registers the firmware may
> have updated.
Is that defined by the spec and are all eMMC vendors conforming to
your above statement?
> The stack has to assume these registers are not constant and can
> change after reset.
>
> When looking into the mmc stack, AFAICT, the code that needs to get
> device specifics always rely on fields that are re-generated by
> mmc_card_inif() (card->ext_csd, output of mmc_decode_csd()/cid(() and
> so on).
>>
>>
>> Just doing something that *might* work, isn't good enough to me.
>>
>> > Also, by only sending a firmware name over the ioctl, we can use Kees'
>> > work for firmware validation (https://lwn.net/Articles/605432/).
>>
>> The request_firmware() interface would indeed be good to use. Although
>> unless we can figure out a way on how to safely deal with reset, we
>> will have to live without request_firmware().
>>
>> > To prevent downloading firmware from unknown source, we would reject
>> > some commands (like SWITCH with FFU_MODE) in the kernel
>> > MMC_IOC/MULTI_CMD ioctl handler.
>>
>> I don't follow, can you elaborate on this please.
>
> Today, an attacker with root access could break the chain of trust by
> writing a firmware in the eMMC that corrupts data on the fly and
> return infected code to the host after verification.
> One way is to use firmware signed by the manufacturer, a stronger
> approach is to enforce that the firmware is part of the root
> partition.
> To prevent a bad firmware from being downloaded, we have to make sure
> downloading firmware using raw single or multi commands ioctls does
> not work.
I clearly see the benefit of using request_firmware() and I open to
adopt an in-kernel FFU solution that uses it, as long as a safe reset
can be managed.
However, whether it's more safe to hackers has nothing to do with it.
If a hacker becomes root on a device they can do all kind of magic
things, for example replacing a firmware in rootfs or sending ioctl
commands to a device node that has root permissions. To achieve
security, verification of a signatures are needed and currently the
request_firmware() API doesn't support this and nor does the eMMC
device itself (at least to my knowledge).
Regarding the safe reset, the only way I see how to deal with this, is
to force a reboot and prevent serving new read/write request after a
firmware upgrade. Although, perhaps you can think of something more
clever.
Kind regards
Uffe
prev parent reply other threads:[~2016-04-14 8:35 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-13 14:56 [RFC 0/6] mmc: Field Firmware Update Holger Schurig
2015-11-13 14:56 ` [PATCH 1/6] mmc: move mmc_prepare_mrq() to core.c Holger Schurig
2015-11-13 14:56 ` [PATCH 2/6] mmc: move mmc_wait_busy() to core Holger Schurig
2015-11-13 14:56 ` [PATCH 3/6] mmc: move mmc_check_result() to core.c Holger Schurig
2015-11-13 14:56 ` [PATCH 4/6] mmc: move mmc_simple_transfer() " Holger Schurig
2015-11-13 14:56 ` [PATCH 5/6] mmc: move mmc_send_cxd_data() " Holger Schurig
2015-11-13 14:56 ` [PATCH 6/6] mmc: eMMC Field Firmware Update support Holger Schurig
2015-11-20 14:20 ` [RFC 0/6] mmc: Field Firmware Update Alan Cooper
2015-11-23 11:40 ` Avi Shchislowski
[not found] ` <CAOpc7mHbM8EYYNRKR+pKnzc0wf1DR1ojX-iFuDWDYyquC3EVZg@mail.gmail.com>
2015-12-15 15:35 ` Ulf Hansson
2015-12-22 8:15 ` Holger Schurig
2015-12-22 8:55 ` Ulf Hansson
2015-12-22 8:57 ` Ulf Hansson
2015-12-22 18:44 ` Olof Johansson
[not found] ` <CAG=SpYGf7czPwLrJVrq49n_Lhph33fmyKq-Nkm6=c0fB1Gn9_w@mail.gmail.com>
2016-01-14 12:50 ` Ulf Hansson
2015-12-28 14:12 ` Alex Lemberg
2016-01-14 13:16 ` Ulf Hansson
2016-04-02 0:23 ` Gwendal Grignou
2016-04-04 11:50 ` Ulf Hansson
2016-04-13 22:33 ` Gwendal Grignou
2016-04-14 8:35 ` Ulf Hansson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPDyKFpt5kbBnF9MeC63YKPxgrGLV53uPSB+iTaiTXpun2+4zw@mail.gmail.com \
--to=ulf.hansson@linaro.org \
--cc=Alex.Lemberg@sandisk.com \
--cc=Avi.Shchislowski@sandisk.com \
--cc=baolin.wang@linaro.org \
--cc=chris@printf.net \
--cc=gwendal@chromium.org \
--cc=holgerschurig@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mmc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).