From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754296AbcDNIfm (ORCPT <rfc822;w@1wt.eu>);
	Thu, 14 Apr 2016 04:35:42 -0400
Received: from mail-wm0-f49.google.com ([74.125.82.49]:35296 "EHLO
	mail-wm0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754243AbcDNIfg (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 14 Apr 2016 04:35:36 -0400
MIME-Version: 1.0
In-Reply-To: <CAMHSBOUjGutAOXYu01rjr-SgWKkGDL7KfQALn-bgkLopBVwpOA@mail.gmail.com>
References: <1447426572-11756-1-git-send-email-holgerschurig@gmail.com>
	<SN1PR02MB13891415516DE9FA4756140783070@SN1PR02MB1389.namprd02.prod.outlook.com>
	<CAOpc7mHbM8EYYNRKR+pKnzc0wf1DR1ojX-iFuDWDYyquC3EVZg@mail.gmail.com>
	<CAPDyKFp2WEVF4yi=Upzx+58SY15u=Fp4=tr3_hh7AS3T2yz4qQ@mail.gmail.com>
	<87r3ierjae.fsf@gmail.com>
	<BLUPR02MB2773299A3F882A172DF0E3694FB0@BLUPR02MB277.namprd02.prod.outlook.com>
	<CAPDyKFopp9gaaPu_DBR0Rpcsu6BCXu5DexXiVxYv9v5uX150jw@mail.gmail.com>
	<CAMHSBOUCT0mQfpN6+7NfeaR5wKMOizQeH__-j9fup1Y-H48Wcg@mail.gmail.com>
	<CAPDyKFoH3=czLW5_AKcJLRZa2ptTuumiMT24PZw6zKBW38WOwQ@mail.gmail.com>
	<CAMHSBOUjGutAOXYu01rjr-SgWKkGDL7KfQALn-bgkLopBVwpOA@mail.gmail.com>
Date: Thu, 14 Apr 2016 10:35:34 +0200
Message-ID: <CAPDyKFpt5kbBnF9MeC63YKPxgrGLV53uPSB+iTaiTXpun2+4zw@mail.gmail.com>
Subject: Re: [RFC 0/6] mmc: Field Firmware Update
From: Ulf Hansson <ulf.hansson@linaro.org>
To: Gwendal Grignou <gwendal@chromium.org>
Cc: Alex Lemberg <Alex.Lemberg@sandisk.com>,
        Holger Schurig <holgerschurig@gmail.com>,
        Avi Shchislowski <Avi.Shchislowski@sandisk.com>,
        "linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Chris Ball <chris@printf.net>, Baolin Wang <baolin.wang@linaro.org>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 14 April 2016 at 00:33, Gwendal Grignou <gwendal@chromium.org> wrote:
> On Mon, Apr 4, 2016 at 4:50 AM, Ulf Hansson <ulf.hansson@linaro.org> wrote:
>>
>> On 2 April 2016 at 02:23, Gwendal Grignou <gwendal@chromium.org> wrote:
>> > On Thu, Jan 14, 2016 at 5:16 AM, Ulf Hansson <ulf.hansson@linaro.org> wrote:
>> >> On 28 December 2015 at 15:12, Alex Lemberg <Alex.Lemberg@sandisk.com> wrote:
>>
>> > I am arriving after the battle, but I have finally rebased the eMMC
>> > FFU kernel ffu code to 4.x. It is based on what Avi and Alex have
>> > written.
>> > As stated earlier, the advantage over using MMC_MUTLI_CMD is we can
>> > force a reset and rescan of the card without asking the user to reboot
>> > their machine.
>>
>> No matter what, I think the problem is how you would *safely* deal
>> with the reset. Especially in the case when the eMMC already has an
>> mounted file system on it.
>
> Assuming the firmware is not wiping data or resizing the available
> space, the data in the flash is readable after the upgrade.

This is exactly my point. You can no* assume anything about the card
after a firmware upgrade.

> For the host point of view, a firmware update and a reset is
> equivalent to a reset, that could happen during error recovery.
> The only change are in the cid/csd//extcsd registers the firmware may
> have updated.

Is that defined by the spec and are all eMMC vendors conforming to
your above statement?

> The stack has to assume these registers are not constant and can
> change after reset.
>
> When looking into the mmc stack, AFAICT, the code that needs to get
> device specifics always rely on fields that are re-generated by
> mmc_card_inif() (card->ext_csd, output of mmc_decode_csd()/cid(() and
> so on).
>>
>>
>> Just doing something that *might* work, isn't good enough to me.
>>
>> > Also, by only sending a firmware name over the ioctl, we can use Kees'
>> > work for firmware validation (https://lwn.net/Articles/605432/).
>>
>> The request_firmware() interface would indeed be good to use. Although
>> unless we can figure out a way on how to safely deal with reset, we
>> will have to live without request_firmware().
>>
>> > To prevent downloading firmware from unknown source, we would reject
>> > some commands (like SWITCH with FFU_MODE) in the kernel
>> > MMC_IOC/MULTI_CMD ioctl handler.
>>
>> I don't follow, can you elaborate on this please.
>
> Today, an attacker with root access could break the chain of trust by
> writing a firmware in the eMMC that corrupts data on the fly and
> return infected code to the host after verification.
> One way is to use firmware signed by the manufacturer, a stronger
> approach is to enforce that the firmware is part of the root
> partition.
> To prevent a bad firmware from being downloaded, we have to make sure
> downloading firmware using raw single or multi commands ioctls does
> not work.

I clearly see the benefit of using request_firmware() and I open to
adopt an in-kernel FFU solution that uses it, as long as a safe reset
can be managed.

However, whether it's more safe to hackers has nothing to do with it.
If a hacker becomes root on a device they can do all kind of magic
things, for example replacing a firmware in rootfs or sending ioctl
commands to a device node that has root permissions. To achieve
security, verification of a signatures are needed and currently the
request_firmware() API doesn't support this and nor does the eMMC
device itself (at least to my knowledge).

Regarding the safe reset, the only way I see how to deal with this, is
to force a reboot and prevent serving new read/write request after a
firmware upgrade. Although, perhaps you can think of something more
clever.

Kind regards
Uffe