linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Hector Martin <marcan@marcan.st>
To: Sumit Garg <sumit.garg@linaro.org>,
	Linus Walleij <linus.walleij@linaro.org>
Cc: "Arnd Bergmann" <arnd@linaro.org>,
	"open list:ASYMMETRIC KEYS" <keyrings@vger.kernel.org>,
	"David Howells" <dhowells@redhat.com>,
	"Jarkko Sakkinen" <jarkko@kernel.org>,
	"Joakim Bech" <joakim.bech@linaro.org>,
	"Alex Bennée" <alex.bennee@linaro.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"Maxim Uvarov" <maxim.uvarov@linaro.org>,
	"Ilias Apalodimas" <ilias.apalodimas@linaro.org>,
	"Ruchika Gupta" <ruchika.gupta@linaro.org>,
	"Winkler, Tomas" <tomas.winkler@intel.com>,
	yang.huang@intel.com, bing.zhu@intel.com,
	Matti.Moell@opensynergy.com, hmo@opensynergy.com,
	linux-mmc <linux-mmc@vger.kernel.org>,
	linux-scsi <linux-scsi@vger.kernel.org>,
	linux-nvme@vger.kernel.org,
	"Ulf Hansson" <ulf.hansson@linaro.org>,
	"Arnd Bergmann" <arnd.bergmann@linaro.org>
Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem
Date: Wed, 10 Mar 2021 17:47:45 +0900	[thread overview]
Message-ID: <beca6bc8-8970-bd01-8de0-6ded1fb69be2@marcan.st> (raw)
In-Reply-To: <CAFA6WYOYmTgguVDwpyjnt3gLssqW48qzAkRD_nyPYg0nNhxT2A@mail.gmail.com>

On 10/03/2021 14.14, Sumit Garg wrote:
> On Wed, 10 Mar 2021 at 02:47, Hector Martin <marcan@marcan.st> wrote:
>>
>> On 09/03/2021 01.20, Linus Walleij wrote:
>>> I suppose it would be a bit brutal if the kernel would just go in and
>>> appropriate any empty RPMB it finds, but I suspect it is the right way
>>> to make use of this facility given that so many of them are just sitting
>>> there unused. Noone will run $CUSTOM_UTILITY any more than they
>>> run the current RPMB tools in mmc-tools.
>>
>> AIUI the entire thing relies on a shared key that is programmed once
>> into the RPMB device, which is a permanent operation. This key has to be
>> secure, usually stored on CPU fuses or derived based on such a root of
>> trust. To me it would seem ill-advised to attempt to automate this
>> process and have the kernel do a permanent take-over of any RPMBs it
>> finds (with what key, for one?) :)
>>
> 
> Wouldn't it be a good idea to use DT here to represent whether a
> particular RPMB is used as a TEE backup or is available for normal
> kernel usage?
> 
> In case of normal kernel usage, I think the RPMB key can come from
> trusted and encrypted keys subsystem.

Remember that if the key is ever lost, the RPMB is now completely 
useless forever.

This is why, as far as I know, most sane platforms will use hard fused 
values to derive this kind of thing, not any kind of key stored in 
erasable storage.

Also, newly provisioned keys are sent in plain text, which means that 
any kind of "if the RPMB is blank, take it over" automation equates to 
handing over your key who an attacker who removes the RPMB and replaces 
it with a blank one, and then they can go access anything they want on 
the old RPMB device (assuming the key hasn't changed; and if it has 
changed that's conversely a recipe for data loss if something goes wrong).

I really think trying to automate any kind of "default" usage of an RPMB 
is a terrible idea. It needs to be a conscious decision on a 
per-platform basis.

-- 
Hector Martin (marcan@marcan.st)
Public Key: https://mrcn.st/pub

  reply	other threads:[~2021-03-10  8:48 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-03 13:54 [RFC PATCH 0/5] RPMB internal and user-space API + WIP virtio-rpmb frontend Alex Bennée
2021-03-03 13:54 ` [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem Alex Bennée
2021-03-03 15:28   ` Ulf Hansson
2021-03-03 19:37     ` Alex Bennée
2021-03-04 20:56   ` Arnd Bergmann
2021-03-05  7:51     ` Joakim Bech
2021-03-05  8:44       ` Arnd Bergmann
2021-03-08 16:20         ` Linus Walleij
2021-03-09 21:09           ` Hector Martin
2021-03-10  5:14             ` Sumit Garg
2021-03-10  8:47               ` Hector Martin [this message]
2021-03-10  9:48                 ` Linus Walleij
2021-03-10 13:52                   ` Hector Martin
2021-03-11  0:36                     ` Linus Walleij
2021-03-11  9:22                       ` Hector Martin
2021-03-11 14:06                         ` Linus Walleij
2021-03-11 20:02                           ` Hector Martin
2021-03-12  9:22                             ` Linus Walleij
2021-03-10 10:29                 ` Sumit Garg
2021-03-11  0:49                   ` Linus Walleij
2021-03-11  1:07                     ` James Bottomley
2021-03-11  9:45                     ` Hector Martin
2021-03-11 14:31                       ` Linus Walleij
2021-03-11 20:29                         ` Hector Martin
2021-03-11 20:57                           ` Alex Bennée
2021-03-12 10:00                             ` Linus Walleij
2021-03-12  9:47                           ` Linus Walleij
2021-03-12 11:59                           ` Sumit Garg
2021-03-12 12:08                             ` Ilias Apalodimas
2021-03-09 17:12         ` David Howells
2021-03-10  4:54           ` Sumit Garg
2021-03-10  9:33           ` Linus Walleij
2021-03-03 13:54 ` [RFC PATCH 2/5] char: rpmb: provide a user space interface Alex Bennée
2021-03-04  7:01   ` Winkler, Tomas
2021-03-04 10:19     ` Alex Bennée
2021-03-04 10:34       ` Winkler, Tomas
2021-03-04 17:52         ` Alex Bennée
2021-03-04 19:54           ` Winkler, Tomas
2021-03-04 21:43             ` Arnd Bergmann
2021-03-05  6:31               ` Winkler, Tomas
2021-03-04 21:08   ` Arnd Bergmann
2021-03-03 13:54 ` [RFC PATCH 3/5] tools rpmb: add RPBM access tool Alex Bennée
2021-03-03 13:54 ` [RFC PATCH 4/5] rpmb: create virtio rpmb frontend driver [WIP] Alex Bennée
2021-03-03 13:55 ` [RFC PATCH 5/5] tools/rpmb: simple test sequence Alex Bennée
2021-03-09 13:27 ` [RFC PATCH 0/5] RPMB internal and user-space API + WIP virtio-rpmb frontend Avri Altman
2021-03-10 14:29   ` Alex Bennée
2021-03-11 13:45     ` Avri Altman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=beca6bc8-8970-bd01-8de0-6ded1fb69be2@marcan.st \
    --to=marcan@marcan.st \
    --cc=Matti.Moell@opensynergy.com \
    --cc=alex.bennee@linaro.org \
    --cc=arnd.bergmann@linaro.org \
    --cc=arnd@linaro.org \
    --cc=bing.zhu@intel.com \
    --cc=dhowells@redhat.com \
    --cc=hmo@opensynergy.com \
    --cc=ilias.apalodimas@linaro.org \
    --cc=jarkko@kernel.org \
    --cc=joakim.bech@linaro.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linus.walleij@linaro.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mmc@vger.kernel.org \
    --cc=linux-nvme@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=maxim.uvarov@linaro.org \
    --cc=ruchika.gupta@linaro.org \
    --cc=sumit.garg@linaro.org \
    --cc=tomas.winkler@intel.com \
    --cc=ulf.hansson@linaro.org \
    --cc=yang.huang@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).