- TF-A - lists.trustedfirmware.org

Re: [TF-A] FIP header flags available for feature selection

by Soby Mathew

Hi Scott Please add the platform specific flags as a field in fip_dev_state_t. typedef struct { uintptr_t dev_spec; uint32_t plat_toc_flag; } fip_dev_state_t; Then this field can be updated as part of verifying the FIP header. This header needs to be cleared when the device is closed. Introduce a helper in fip driver to query the flags: int fip_dev_get_plat_toc_flag(io_dev_info_t *dev_info, uint32_t *plat_toc_flag); That should satisfy your requirement. Best Regards Soby Mathew > -----Original Message----- > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Scott > Branden via TF-A > Sent: 07 February 2020 18:57 > To: tf-a(a)lists.trustedfirmware.org > Subject: [TF-A] FIP header flags available for feature selection > > Hello, > > The fip header has reserved fields available for platform specific use. > The fiptool allows these header fields to be filled in using the --plat-toc-flags. > > A call needs to be available in the ATF framework to get these flags without > accessing the FIP file again to get these flags. > We have a solution we've used for ATF for quite some time to access these > flags. > > It's finally being upstreamed here: > https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/2839 > > If there are any other efficient methods to access these flags or a better > proposal please suggest. > > Thanks, > Scott > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

4 years, 10 months

2
1
0 0

Re: [TF-A] [RFC] Multiple Signing Domains

by Sandrine Bailleux

Hi Raghu, Thanks a lot for the review comments and feedback! On 2/25/20 3:45 AM, Raghu Krishnamurthy via TF-A wrote: > The patch stack looks great! I do have a suggestion for the long term > evolution/future work on root's of trust and cert_create. It would be > great to generalize "dual-root" to "multi-root". It is conceivable that > firmware supporting secure partitions/SPCI etc, could move to having > multiple root's of trust. Here we have the silicon provider, and the > platform owner as two roots, but a more complex system could contain > silicon firmware, platform firmware and multiple secure partitions, each > signed by different entities. To remove the signing dependencies between > each of these entities, we could have a ROTPK for each of these entities > and the same solution used here, can be applied to solve multiple root's > of trust and is summarized very well by your statement -"As long as > there is a defined contract between BL2 and the (P)(*)ROTK-rooted images > as to how/where to securely get this key or hash, there should not be > any need for the two vendors to do any cross-signing." >> To do this, If possible, we should start moving away from tables such as > the ones in cert_create/src/dualroot/cot.c and have platforms provide > the certificate dependencies and keys used to sign them in a config > file. This achieves two things: it makes cert_create independent of the > cert chain a platform wants to use and the number of roots of trust, > and, makes cert_create more usable by reducing the number of command > line arguments to be provided, which is a long list today. You could > potentially use the config file provided to auto generate the tbbr_cot.c > file being linked into the firmware too. > > Let me know what you think. I agree with everything you said above. Indeed, there's no reason to stop at 2 roots of trust and as you pointed out there are real use cases to enable more. The dualroot chain of trust is only the first step in that direction and is a useful way to experiment with extending the TBBR implementation and chain of trust, while addressing a real use case. Also completely agree with the lack of flexibility of the hard-coded chain of trust in cert_create/src/dualroot/cot.c and drivers/auth/dualroot/cot.c for that matter. In fact, we (at Arm) are thinking along the same lines as you and have had similar ideas boiling for some time. We are making gradual changes to introduce more flexibility into TF-A, not just for the chain of trust, but for any platform-specific data. Maybe you've seen the recent FConf framework patches, which is a key piece into enabling platform layers to move platform-specific data into configuration files. There is still work to do but down the line we are already thinking about moving the chain of trust description into such a configuration file. Moving the CoT into a configuration file has many advantages: - It could constitute the single input source for the chain of trust, serving both the cert_create tool and the firmware. Today, the CoT is described and duplicated in both places and there is really no good reason to keep things like that IMO. As you said, we could auto-generate the tbbr_cot.c file and build into the firmware, or even have the firmware dynamically parse the configuration file at runtime and extract its CoT. - It could simplify the description of the CoT. Today, I think that the C data structures in tbbr_cot.c are quite complex and not straight-forward to understand at first. If we described them using some configuration language, I believe we could abstract some of these details away or at least organize them in a more intuitive way. Regards, Sandrine

4 years, 10 months

2
1
0 0

Re: [TF-A] [RFC] Multiple Signing Domains

by Raghu Krishnamurthy

Hi Sandrine, The patch stack looks great! I do have a suggestion for the long term evolution/future work on root's of trust and cert_create. It would be great to generalize "dual-root" to "multi-root". It is conceivable that firmware supporting secure partitions/SPCI etc, could move to having multiple root's of trust. Here we have the silicon provider, and the platform owner as two roots, but a more complex system could contain silicon firmware, platform firmware and multiple secure partitions, each signed by different entities. To remove the signing dependencies between each of these entities, we could have a ROTPK for each of these entities and the same solution used here, can be applied to solve multiple root's of trust and is summarized very well by your statement -"As long as there is a defined contract between BL2 and the (P)(*)ROTK-rooted images as to how/where to securely get this key or hash, there should not be any need for the two vendors to do any cross-signing." To do this, If possible, we should start moving away from tables such as the ones in cert_create/src/dualroot/cot.c and have platforms provide the certificate dependencies and keys used to sign them in a config file. This achieves two things: it makes cert_create independent of the cert chain a platform wants to use and the number of roots of trust, and, makes cert_create more usable by reducing the number of command line arguments to be provided, which is a long list today. You could potentially use the config file provided to auto generate the tbbr_cot.c file being linked into the firmware too. Let me know what you think. Thanks Raghu On 2/24/20 3:43 AM, Sandrine Bailleux via TF-A wrote: > Hi, > > Following up on my email sent in November 2019: > https://lists.trustedfirmware.org/pipermail/tf-a/2019-November/000124.html > > and the proof-of-concept code and documentation shared at that time: > [1] > https://developer.trustedfirmware.org/w/tf_a/poc-multiple-signing-domains/ > [2] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/2443 > > I've made a number of improvements and cleanups in the code. I am > posting a new version that introduces this new chain of trust (called > "dualroot", as it has 2 roots of trust) as an alternative to the default > TBBR one. Right now, it is only enabled on some Arm platforms but it > should be pretty straight-forward to extend this to other platforms. > > The code is available there: > https://review.trustedfirmware.org/q/topic:%22sb%252Fdualroot%22 > > and is comprised of the following patches: > - Introduce a new "dualroot" chain of trust > - cert_create: Define the dualroot CoT > - Build system: Changes to drive cert_create for dualroot CoT > - plat/arm: Provide some PROTK files for development > - plat/arm: Add support for dualroot CoT > - plat/arm: Pass cookie argument down to arm_get_rotpk_info() > - plat/arm: Retrieve the right ROTPK when using the dualroot CoT > > This patch stack is based on preparatory work (which has already been > merged) to select a different CoT. This patch stack: > - Did some build system refactoring. > - Introduced a new 'COT' build option to select the chosen chain of trust. > - Made no functional change. > See > http://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=dcd03… > > Note that I've not updated the TF-A documentation just yet to reflect > these changes. I will do that once I've had some initial feedback from > the community and feel that we're reaching a consensus (in the interest > of saving time keeping documentation aligned with code going under rework). > > > Changes Compared to the Proof-of-Concept Patch [2] > -------------------------------------------------- > > - Introduced a proper, separate chain of trust rather than hijacking the > TBBR one. It also has its own header file for certificate extensions > OIDs now. > > - NS-ROTPK has been renamed into "Platform ROTPK", or PROTPK for short. > Going forward, this key would sign both non-trusted images (such as > BL33) and secure partitions. The NS- prefix did not fit well this use > case. The "Platform" prefix instead refers to the owner of this key, > i.e. the platform owner, as opposed to the Silicon Provider. > > - Removed Non-Trusted World Bootloader Key Certificate. > This didn't seem needed in this context and simplifies the CoT. > > - Removed the Non-Trusted Key from the Trusted Key Certificate, as it's > not used in this CoT (the PROTPK signs all non-trusted images instead). > > - As a consequence, the corresponding option for feeding the PROTPK to > the cert_create tool has been renamed into --prot-key (was --ns-rot-key). > > - The hash of the PROTPK is now provided in a file rather than being > hard-coded into the code. This is cleaner than polluting the code with a > byte array. > > - Proper integration in the build system. > Using the dualroot chain of trust is achieved through the COT build > option: > > make <usual trusted boot build options> COT=dualroot > > - plat_get_rotpk_info() is unchanged if using the TBBR CoT. > The alternative implementation managing both ROTPK or PROTPK is > selected only if the dualroot CoT has been chosen at build time. > > > Testing and Supported Platforms > ------------------------------- > > Tested on AEMv8-A Base Platform (AArch32 and AArch64 execution states), > rde1edge, rdn1edge, SGI-575 and SGM-775 FVPs (all available on > https://developer.arm.com/tools-and-software/simulation-models/fixed-virtua…). > > Arm Juno is not supported right now because it has its own > implementation of plat_get_arm_rotpk_info() instead of piggy-backing on > the Arm common one. > > Ran the standard set of tests available in the TF-A-Tests repository: > http://git.trustedfirmware.org/TF-A/tf-a-tests.git/about/ > > Also ran the firmware update tests available in the same repository. See > > https://trustedfirmware-a-tests.readthedocs.io/en/latest/user-guide.html#ns… > for more information. > > Finally, performed some end-to-end boot tests to Linux. > > And of course, ran our regression tests to make sure that existing > configurations using the TBBR chain of trust are still working as expected. > > > Caveats > ------- > > The PROTPK hash is embedded into the firmware. It's unlikely that a real > system would like to do that. The use case targeted here is to remove > the need for the primary ROTPK owner to interact with the PROTPK owner. > If BL2 embeds the hash, this defeats the purpose, as now the BL2 owner > (which is expected to be the primary ROTPK owner) has to get the PROTPK > from the other vendor. > > In a real system, we would expect the PROTPK to be provisioned in such a > way that BL2 is able to retrieve it. For example, the PROTPK owner might > burn it (or a hash of it) in some OTP memory. As long as there is a > defined contract between BL2 and the PROTK-rooted images as to how/where > to securely get this key or hash, there should not be any need for the > two vendors to do any cross-signing. > > This caveat was already present in the proof-of-concept [2] and stays > out of the scope for this work, as this ties into broader topics such as > key provisioning. Right now, the onus is on the platform layer to handle > this appropriately. > > > Future work > ----------- > > We have plans to change the "dualroot" CoT further and extend the PROTPK > signing domain with a secure partition. This would demonstrate the use > of several secure partitions, some owned by the silicon provider, others > owned by the platform owner. > > > Regards, > Sandrine >

4 years, 10 months

1
0
0 0

New Defects reported by Coverity Scan for ARM-software/arm-trusted-firmware

by scan-admin＠coverity.com

Hi, Please find the latest report on new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. 1 new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan. 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 1 of 1 defect(s) ** CID 354288: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 354288: Memory - corruptions (OVERRUN) /plat/intel/soc/common/socfpga_psci.c: 138 in socfpga_system_reset() 132 133 extern uint64_t intel_rsu_update_address; 134 135 static void __dead2 socfpga_system_reset(void) 136 { 137 if (intel_rsu_update_address) >>> CID 354288: Memory - corruptions (OVERRUN) >>> Overrunning buffer pointed to by "&intel_rsu_update_address" of 8 bytes by passing it to a function which accesses it at byte offset 15. 138 mailbox_rsu_update(&intel_rsu_update_address); 139 else 140 mailbox_reset_cold(); 141 142 while (1) 143 wfi(); ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPkl…

4 years, 10 months

1
0
0 0

Re: [TF-A] [RFC] Multiple Signing Domains

by Sandrine Bailleux

Hi, Following up on my email sent in November 2019: https://lists.trustedfirmware.org/pipermail/tf-a/2019-November/000124.html and the proof-of-concept code and documentation shared at that time: [1] https://developer.trustedfirmware.org/w/tf_a/poc-multiple-signing-domains/ [2] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/2443 I've made a number of improvements and cleanups in the code. I am posting a new version that introduces this new chain of trust (called "dualroot", as it has 2 roots of trust) as an alternative to the default TBBR one. Right now, it is only enabled on some Arm platforms but it should be pretty straight-forward to extend this to other platforms. The code is available there: https://review.trustedfirmware.org/q/topic:%22sb%252Fdualroot%22 and is comprised of the following patches: - Introduce a new "dualroot" chain of trust - cert_create: Define the dualroot CoT - Build system: Changes to drive cert_create for dualroot CoT - plat/arm: Provide some PROTK files for development - plat/arm: Add support for dualroot CoT - plat/arm: Pass cookie argument down to arm_get_rotpk_info() - plat/arm: Retrieve the right ROTPK when using the dualroot CoT This patch stack is based on preparatory work (which has already been merged) to select a different CoT. This patch stack: - Did some build system refactoring. - Introduced a new 'COT' build option to select the chosen chain of trust. - Made no functional change. See http://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=dcd03… Note that I've not updated the TF-A documentation just yet to reflect these changes. I will do that once I've had some initial feedback from the community and feel that we're reaching a consensus (in the interest of saving time keeping documentation aligned with code going under rework). Changes Compared to the Proof-of-Concept Patch [2] -------------------------------------------------- - Introduced a proper, separate chain of trust rather than hijacking the TBBR one. It also has its own header file for certificate extensions OIDs now. - NS-ROTPK has been renamed into "Platform ROTPK", or PROTPK for short. Going forward, this key would sign both non-trusted images (such as BL33) and secure partitions. The NS- prefix did not fit well this use case. The "Platform" prefix instead refers to the owner of this key, i.e. the platform owner, as opposed to the Silicon Provider. - Removed Non-Trusted World Bootloader Key Certificate. This didn't seem needed in this context and simplifies the CoT. - Removed the Non-Trusted Key from the Trusted Key Certificate, as it's not used in this CoT (the PROTPK signs all non-trusted images instead). - As a consequence, the corresponding option for feeding the PROTPK to the cert_create tool has been renamed into --prot-key (was --ns-rot-key). - The hash of the PROTPK is now provided in a file rather than being hard-coded into the code. This is cleaner than polluting the code with a byte array. - Proper integration in the build system. Using the dualroot chain of trust is achieved through the COT build option: make <usual trusted boot build options> COT=dualroot - plat_get_rotpk_info() is unchanged if using the TBBR CoT. The alternative implementation managing both ROTPK or PROTPK is selected only if the dualroot CoT has been chosen at build time. Testing and Supported Platforms ------------------------------- Tested on AEMv8-A Base Platform (AArch32 and AArch64 execution states), rde1edge, rdn1edge, SGI-575 and SGM-775 FVPs (all available on https://developer.arm.com/tools-and-software/simulation-models/fixed-virtua…). Arm Juno is not supported right now because it has its own implementation of plat_get_arm_rotpk_info() instead of piggy-backing on the Arm common one. Ran the standard set of tests available in the TF-A-Tests repository: http://git.trustedfirmware.org/TF-A/tf-a-tests.git/about/ Also ran the firmware update tests available in the same repository. See https://trustedfirmware-a-tests.readthedocs.io/en/latest/user-guide.html#ns… for more information. Finally, performed some end-to-end boot tests to Linux. And of course, ran our regression tests to make sure that existing configurations using the TBBR chain of trust are still working as expected. Caveats ------- The PROTPK hash is embedded into the firmware. It's unlikely that a real system would like to do that. The use case targeted here is to remove the need for the primary ROTPK owner to interact with the PROTPK owner. If BL2 embeds the hash, this defeats the purpose, as now the BL2 owner (which is expected to be the primary ROTPK owner) has to get the PROTPK from the other vendor. In a real system, we would expect the PROTPK to be provisioned in such a way that BL2 is able to retrieve it. For example, the PROTPK owner might burn it (or a hash of it) in some OTP memory. As long as there is a defined contract between BL2 and the PROTK-rooted images as to how/where to securely get this key or hash, there should not be any need for the two vendors to do any cross-signing. This caveat was already present in the proof-of-concept [2] and stays out of the scope for this work, as this ties into broader topics such as key provisioning. Right now, the onus is on the platform layer to handle this appropriately. Future work ----------- We have plans to change the "dualroot" CoT further and extend the PROTPK signing domain with a secure partition. This would demonstrate the use of several secure partitions, some owned by the silicon provider, others owned by the platform owner. Regards, Sandrine

4 years, 10 months

1
0
0 0

Need to synchronize pending EA

by Madhukar Pappireddy

Hi, I have pushed a patch [1] to use a barrier to synchronize pending EA at the entry and exit of exception handlers in BL31(EL3S). There is an interesting discussion as seen in the gerrit review comments of the patch. It looks like this patch is just enabling early panic/crash of the system in the event of SErrors but it does come with performance penalty (due to DSBs) for common exceptions like SMC calls. We believe this needs broader discussion to understand the practical approach to handle SErrors, especially in SoCs without RAS support. Please let us know your thoughts on this patch. [1] https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3440 Thanks, Madhukar

4 years, 10 months

1
0
0 0

Re: [TF-A] Protecting Secure World Translation Tables

by Petre-Ionut Tudor

Hi Raghu, Thank you for your comments. My own comments are inline. ________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Raghu Krishnamurthy via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 18 February 2020 00:16 To: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org> Subject: Re: [TF-A] Protecting Secure World Translation Tables I think it is worth implementing this to raise the bar for successful attacks. To Varun's point, in today's systems without S-EL2(<v8.4), it would be less effective as pointed out, since EL3 memory can be completely accessed by SEL1 and SEL1 code tends to have a larger code base on mobile devices(OPTEE, tlk etc). However, on systems with very thin SEL1 shims(typically servers), this would definitely raise the bar for attacks, since you effectively only have SEL0 and EL3. SEL1 cannot be exploited practically. For new SoCs with SEL2, this mitigation can still be very effective if we can ensure future SEL2 implementations have much smaller code bases and implements this mitigation itself. Effectively, i view SEL2 and EL3 as being equally privileged(it is no different than SEL1 because SEL2 can barf all over EL3 memory and TZ resources if exploited). SEL2 extensions, however, gives EL3 protection from SEL1 and can prevent SEL1 from accessing ALL TZ resources. If you view SEL2 and EL3 as equally privileged and view both together as a single entity, v8.4 systems effectively have EL3, SEL1, SEL0 AND the ability for EL3 to protect itself and other TZ resources from SEL1. In such a system, EL3(and SEL2) having this mitigation will definitely raise the bar for successful attacks. Also, the cost to implement this mitigation is relatively low for a fairly significant raise in the bar for successful attacks. PS - I say significantly raise the bar since an attacker will potentially require gadgets to modify TTBRx, invalidate TLB's, and enough gadgets in the code base to have a successful attack. If code in TF-A EL3 is fairly small, and code that writes to TTBR_EL3 can be in some section of the image that can be reclaimed/erased after initial setup, the attacker would have no gadget to modify TTBR_EL3, so there would be virtually no way to change TTBR_EL3. On a default build of FVP, there is a grand total of 1 instruction that writes to TTBR0_EL3 in enable_mmu_direct_el3. This might be a nice follow up change to this mitigation, if others think it is worth it. The same could be extended to other system registers that don't ever need to be changed(VBAR_EL3? SCTLR_EL3?). Petre: enable_mmu_direct_el3 is also used in the read-only xlat tables API, because the change is made while the MMU is on (so it must be disabled first). I decided to implement it this way in order to allow a platform to make any changes it needs to the translation tables (e.g. for reclaiming initialization code) before calling this API. So, it is kind of "dynamic"...but after it is called nothing can be done to the tables from that EL. This means that we have to reclaim before using this API (otherwise we would have to choose between reclaiming and this feature since RO tables won't allow changing the memory map). I was afraid the change might impose too much rigidity on the initialization of platform BL images, so I went with this approach instead of making the tables read-only at creation by the init_xlat_tables* functions. Thanks Raghu On 2/17/20 12:35 PM, Varun Wadekar via TF-A wrote: > Hello Petre, > > Thanks for the patch. Before I review the actual code, would like to understand how effective this patch will be and if you have seen a real world attack that this patch mitigates. > > AFAIU, the ARM architecture provides the TZ bit as the only protection to create "partitions" on a CPU core. So, potentially S-EL1 can access almost all TZ resources that EL3 can access. Thus, creating a silo inside EL3 exception mode is not an effective mitigation against any other TZ component writing to the physical memory where the page tables are stored. For the scope of this attack vector, are we assuming that the system cannot be compromised by attacking other TZ software components in the system? > > I feel until we have a way to distinguish between CPU realms (EL3 v S-EL2 v S-EL1) at the hardware bus level (ARM v9?), these mitigations are not that effective. > > Thoughts? > > -Varun > > -----Original Message----- > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Petre-Ionut Tudor via TF-A > Sent: Monday, February 17, 2020 9:40 AM > To: tf-a(a)lists.trustedfirmware.org > Subject: [TF-A] Protecting Secure World Translation Tables > > External email: Use caution opening links or attachments > > > Hello Everyone, > > For quite some time I have been working on a security hardening feature that offers extra protection against tampering with the Secure world translation tables. An example would be using a gadget that can perform writes to arbitrary Secure memory locations to change memory attributes and/or the memory map. > > A real world exploit that uses read/write gadgets to tamper with translation tables can be found here: https://vimeo.com/335948808. If you only want the slide deck, it's available here: https://speakerdeck.com/hhj4ck/el3-tour-get-the-ultimate-privilege-of-andro…. > > A patch implementing this feature has been recently pushed upstream here: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3349. It extends v2 of the translation tables library with an API that can be called by a BL image any time after the initialization of the xlat tables to make them read-only. > > It would be great to hear your opinions about this, particularly whether or not it is a desirable feature to have in TF-A and what extra work needs to be done for it to meet the use cases that you consider most relevant. > > Best wishes > Petre > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > ----------------------------------------------------------------------------------- > This email message is for the sole use of the intended recipient(s) and may contain > confidential information. Any unauthorized review, use, disclosure or distribution > is prohibited. If you are not the intended recipient, please contact the sender by > reply email and destroy all copies of the original message. > ----------------------------------------------------------------------------------- > -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 11 months

2
5
0 0

Re: [TF-A] Protecting Secure World Translation Tables

by Petre-Ionut Tudor

Hi Varun, Thank you for the suggestions. My comments are inline. Petre ________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Varun Wadekar via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 18 February 2020 05:44 To: Raghu Krishnamurthy <raghu.ncstate(a)icloud.com> Cc: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org> Subject: Re: [TF-A] Protecting Secure World Translation Tables Thanks Raghu. I agree that this patch reduces the attack surface and would be a good addition, if we consider use cases where EL3 code runs in a silo. Since S-EL1 can contain any third party code, there is an opportunity to change memory contents without EL3 ever noticing the change. A hash for the RO page tables would improve this change immensely IMO. > Petre: Thank you for the suggestion. Sounds like an interesting improvement to make (maybe in a follow-up to this change?, since my rotation in the TF-A team is nearing its end). This change is not effective for platforms that use dynamic page tables e.g. Tegra platforms, so we won't be enabling it. But if other maintainers think this is a good addition to their platforms, I don’t have any objection. > Petre: Do you think it would be worth making this feature play more nicely with the dynamic translation library? I'm thinking providing a counter-API to make tables writable again. So that, every time a dynamic API is needed, since the translation context will be aware of the tables being RO, it first calls a make_tables_writable API before doing whatever it needs to and after it completes (whether successfully or not) calls make_tables_readonly. Essentially, it would act like a wrapper around the dynamic library functions. What do you think of this? Is the disable MMU + cache flush penalty too severe (incurred twice for each dynamic xlat API call)? -----Original Message----- From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Raghu Krishnamurthy via TF-A Sent: Monday, February 17, 2020 4:16 PM To: tf-a(a)lists.trustedfirmware.org Subject: Re: [TF-A] Protecting Secure World Translation Tables External email: Use caution opening links or attachments I think it is worth implementing this to raise the bar for successful attacks. To Varun's point, in today's systems without S-EL2(<v8.4), it would be less effective as pointed out, since EL3 memory can be completely accessed by SEL1 and SEL1 code tends to have a larger code base on mobile devices(OPTEE, tlk etc). However, on systems with very thin SEL1 shims(typically servers), this would definitely raise the bar for attacks, since you effectively only have SEL0 and EL3. SEL1 cannot be exploited practically. For new SoCs with SEL2, this mitigation can still be very effective if we can ensure future SEL2 implementations have much smaller code bases and implements this mitigation itself. Effectively, i view SEL2 and EL3 as being equally privileged(it is no different than SEL1 because SEL2 can barf all over EL3 memory and TZ resources if exploited). SEL2 extensions, however, gives EL3 protection from SEL1 and can prevent SEL1 from accessing ALL TZ resources. If you view SEL2 and EL3 as equally privileged and view both together as a single entity, v8.4 systems effectively have EL3, SEL1, SEL0 AND the ability for EL3 to protect itself and other TZ resources from SEL1. In such a system, EL3(and SEL2) having this mitigation will definitely raise the bar for successful attacks. Also, the cost to implement this mitigation is relatively low for a fairly significant raise in the bar for successful attacks. PS - I say significantly raise the bar since an attacker will potentially require gadgets to modify TTBRx, invalidate TLB's, and enough gadgets in the code base to have a successful attack. If code in TF-A EL3 is fairly small, and code that writes to TTBR_EL3 can be in some section of the image that can be reclaimed/erased after initial setup, the attacker would have no gadget to modify TTBR_EL3, so there would be virtually no way to change TTBR_EL3. On a default build of FVP, there is a grand total of 1 instruction that writes to TTBR0_EL3 in enable_mmu_direct_el3. This might be a nice follow up change to this mitigation, if others think it is worth it. The same could be extended to other system registers that don't ever need to be changed(VBAR_EL3? SCTLR_EL3?). Thanks Raghu On 2/17/20 12:35 PM, Varun Wadekar via TF-A wrote: > Hello Petre, > > Thanks for the patch. Before I review the actual code, would like to understand how effective this patch will be and if you have seen a real world attack that this patch mitigates. > > AFAIU, the ARM architecture provides the TZ bit as the only protection to create "partitions" on a CPU core. So, potentially S-EL1 can access almost all TZ resources that EL3 can access. Thus, creating a silo inside EL3 exception mode is not an effective mitigation against any other TZ component writing to the physical memory where the page tables are stored. For the scope of this attack vector, are we assuming that the system cannot be compromised by attacking other TZ software components in the system? > > I feel until we have a way to distinguish between CPU realms (EL3 v S-EL2 v S-EL1) at the hardware bus level (ARM v9?), these mitigations are not that effective. > > Thoughts? > > -Varun > > -----Original Message----- > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of > Petre-Ionut Tudor via TF-A > Sent: Monday, February 17, 2020 9:40 AM > To: tf-a(a)lists.trustedfirmware.org > Subject: [TF-A] Protecting Secure World Translation Tables > > External email: Use caution opening links or attachments > > > Hello Everyone, > > For quite some time I have been working on a security hardening feature that offers extra protection against tampering with the Secure world translation tables. An example would be using a gadget that can perform writes to arbitrary Secure memory locations to change memory attributes and/or the memory map. > > A real world exploit that uses read/write gadgets to tamper with translation tables can be found here: https://vimeo.com/335948808. If you only want the slide deck, it's available here: https://speakerdeck.com/hhj4ck/el3-tour-get-the-ultimate-privilege-of-andro…. > > A patch implementing this feature has been recently pushed upstream here: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3349. It extends v2 of the translation tables library with an API that can be called by a BL image any time after the initialization of the xlat tables to make them read-only. > > It would be great to hear your opinions about this, particularly whether or not it is a desirable feature to have in TF-A and what extra work needs to be done for it to meet the use cases that you consider most relevant. > > Best wishes > Petre > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > ---------------------------------------------------------------------- > ------------- This email message is for the sole use of the intended > recipient(s) and may contain confidential information. Any > unauthorized review, use, disclosure or distribution is prohibited. > If you are not the intended recipient, please contact the sender by > reply email and destroy all copies of the original message. > ---------------------------------------------------------------------- > ------------- > -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 11 months

2
2
0 0

Re: [TF-A] Protecting Secure World Translation Tables

by Varun Wadekar

Hello Petre, Thanks for the patch. Before I review the actual code, would like to understand how effective this patch will be and if you have seen a real world attack that this patch mitigates. AFAIU, the ARM architecture provides the TZ bit as the only protection to create "partitions" on a CPU core. So, potentially S-EL1 can access almost all TZ resources that EL3 can access. Thus, creating a silo inside EL3 exception mode is not an effective mitigation against any other TZ component writing to the physical memory where the page tables are stored. For the scope of this attack vector, are we assuming that the system cannot be compromised by attacking other TZ software components in the system? I feel until we have a way to distinguish between CPU realms (EL3 v S-EL2 v S-EL1) at the hardware bus level (ARM v9?), these mitigations are not that effective. Thoughts? -Varun -----Original Message----- From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Petre-Ionut Tudor via TF-A Sent: Monday, February 17, 2020 9:40 AM To: tf-a(a)lists.trustedfirmware.org Subject: [TF-A] Protecting Secure World Translation Tables External email: Use caution opening links or attachments Hello Everyone, For quite some time I have been working on a security hardening feature that offers extra protection against tampering with the Secure world translation tables. An example would be using a gadget that can perform writes to arbitrary Secure memory locations to change memory attributes and/or the memory map. A real world exploit that uses read/write gadgets to tamper with translation tables can be found here: https://vimeo.com/335948808. If you only want the slide deck, it's available here: https://speakerdeck.com/hhj4ck/el3-tour-get-the-ultimate-privilege-of-andro…. A patch implementing this feature has been recently pushed upstream here: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/3349. It extends v2 of the translation tables library with an API that can be called by a BL image any time after the initialization of the xlat tables to make them read-only. It would be great to hear your opinions about this, particularly whether or not it is a desirable feature to have in TF-A and what extra work needs to be done for it to meet the use cases that you consider most relevant. Best wishes Petre IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a ----------------------------------------------------------------------------------- This email message is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. -----------------------------------------------------------------------------------

4 years, 11 months

2
1
0 0

Re: [TF-A] [RFC] New feature in TF-A to load encrypted FIP payloads

by Soby Mathew

On 18/02/2020 05:52, Sumit Garg wrote: > On Tue, 18 Feb 2020 at 00:44, Soby Mathew <Soby.Mathew(a)arm.com> wrote: >> >> Hi Everyone, >> I have confirmation from the TBFU architect that both decrypt-then-verify and verify-then-decrypt is acceptable and neither case affects boot integrity. > > Thanks for this confirmation. > >> So I think the flexibility should be given to the platform to choose this. >> >> @Sumit Garg, could you please rework the patches as I mentioned in my previous feedback and submit again? > > Sure I will try to address implementation specific concerns. Actually > earlier I was waiting for above design specific confirmation. > > -Sumit [Adding back the tf-a list] OK, Thanks Sumit. >> >> Best Regards >> Soby Mathew >> >>> -----Original Message----- >>> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Raghupathy >>> Krishnamurthy via TF-A >>> Sent: 28 January 2020 14:58 >>> To: Sumit Garg <sumit.garg(a)linaro.org> >>> Cc: Daniel Thompson <daniel.thompson(a)linaro.org>; Miklos Balint >>> <Miklos.Balint(a)arm.com>; Kiyoshi Owada <owada.kiyoshi(a)socionext.com>; tf- >>> a(a)lists.trustedfirmware.org; Joakim Bech <joakim.bech(a)linaro.org>; nd >>> <nd(a)arm.com>; Sandrine Bailleux <Sandrine.Bailleux(a)arm.com> >>> Subject: Re: [TF-A] [RFC] New feature in TF-A to load encrypted FIP payloads >>> >>> Hi Sumit, >>> >>> >>> I completely agree with you! All i'm asking for is that what you are proposing is >>> ratified in the spec clearly, without any ambiguities and that we don't >>> implement what we *think* is correct, but implement the spec. If the spec >>> specifies encryption, we should implement encryption, not authenticated >>> encryption. One is not a direct substitute for the other and requires careful >>> thinking. Similarly, the order of signing, encryption, decryption and >>> authentication must be specified and explained clearly, specifically to avoid >>> these kinds of discussions. >>> >>> >>> Thanks >>> -Raghu >>> >>> On January 27, 2020 at 10:49 PM, Sumit Garg <sumit.garg(a)linaro.org> wrote: >>> >>> >>> On Mon, 27 Jan 2020 at 22:54, Raghupathy Krishnamurthy >>> <raghu.ncstate(a)icloud.com> wrote: >>> >>> >>> >>> Sumit, >>> >>> >>> Great point. This perhaps needs to be added to the list of things that need >>> clarification(Sandrine can you help with this too?) in the PSA-TBFU . I believe >>> the answer to your concern lies in the PSA-TBFU in section 3.5, where it talks >>> about optimizing the trusted boot process. To overcome the problem you're >>> talking about, you would: >>> 1) Verify asymmetric signature. >>> 2) Decrypt firmware using SSK on successful signature verification. >>> 3) Rekey the firmware using BSSK(or as the PSA specifies, a key derived from >>> the HUK using a KDF). >>> You will only verify the asymmetric signature on every firmware update, and >>> use the rekeyed firmware(encrypted and mac;d with device specific key) on >>> normal boot. >>> >>> >>> >>> Following is the quote from PSA-TBFU spec: >>> >>> "An implementation **can** optimize the trusted boot process at the expense >>> of **simplicity**" >>> >>> It doesn't seems to be a recommended practice from spec. And especially for >>> DRM use-cases, this approach is NOT recommended due to following concerns >>> raised by DRM vendors (original concerns were with respect to TAs but will >>> equally apply for firmware as well): >>> - allows the device to self sign code authorized to run on the device. >>> - increase the attack surface by having two different ways to load firmware. >>> - allow a break once break forever situation, if you defeat the RSA 'install' once, >>> no matter how hard it is, now your firmware is nicely transformed in a secure >>> firmware and can be reused. >>> >>> Whereas on the other hand, considering >>> "sign-then-encrypt-then-authenticate", it provides two mutually exclusive >>> crypto layers (signature layer and authenticated encryption >>> layer) which in turns provides implementation flexibility as follows: >>> >>> Firmware update: >>> - Require both layers. >>> >>> Normal boot: >>> - DRM use-case, require both layers. >>> - Boot time optimization required, can use only authenticated encryption. >>> - Platform provides secure on-chip NVM and boot time optimization required, >>> can use only signature verification (or simply hash stored in secure on-chip >>> NVM memory). >>> >>> -Sumit >>> >>> >>> Thanks >>> Raghu >>> >>> >>> On January 26, 2020 at 10:34 PM, Sumit Garg <sumit.garg(a)linaro.org> wrote: >>> >>> >>> On Fri, 24 Jan 2020 at 16:36, Sumit Garg <sumit.garg(a)linaro.org> wrote: >>> >>> >>> >>> >>> On Fri, 24 Jan 2020 at 04:02, Raghupathy Krishnamurthy >>> >>> >>> <raghu.ncstate(a)icloud.com> wrote: >>> >>> >>>> >>> >>> >>>> I also just realized that both the TBBR and ARM PSA only talk about >>> encryption of the image, and not authenticated encryption. The guarantees >>> provided by both are completely different. Your >>> review(https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/2495/) >>> talks about the requirement R060_TBBR_FUNCTION being implemented, which >>> is technically not true(and potentially misleading). We must make a note of this >>> difference and use the appropriate terminology, without mixing the two, in the >>> documentation, commit messages, source code comments and error prints. >>> The tool is also called 'encrypt_fw ' but should maybe be named appropriately >>> to indicate it is doing authenticated encryption. >>> >>> >>> >>> >>> I wouldn't call it misleading. Since firmware encryption feature >>> >>> >>> essentially provides confidentiality protection and authenticated >>> >>> >>> encryption is the type of crypto algorithm which we have used to >>> >>> >>> implement it. >>> >>> >>> >>> >>>> >>> >>> >>>> BTW, ARM PSA(file:///home/raghu/repos/fvp/DEN0072-PSA_TBFU_1-0- >>> REL.pdf) expects that the image manifest(X509 certificate) contain the hash of >>> the ENCRYPTED image(Table 2 and as described in my answer to your question >>> "How would this ensure integrity of ciphertext"). The TBBR spec completely >>> misses this fact, and is a crucial detail if we only implement encryption(as >>> opposed to authenticated encryption).Build_macros.mk, in your change, passes >>> the un-encrypted image to cert-tool. You can get away with it in your >>> implementation, since you are using authenticated encryption, not if you were >>> only implementing firmware encryption. >>> >>> >>> >>> >>> I have already highlighted the issue with signing the ciphertext in my >>> >>> >>> previous reply which deviates from security properties provided by >>> >>> >>> signature verification of plain firmware. So I think we need to >>> >>> >>> revisit ARM PSA TBFU spec. >>> >>> >>> >>> >>> >>> >>> In addition to this, there are implementation specific issues with "signing the >>> ciphertext" too. It simply makes the ciphertext immutable for device and >>> disallows meeting following firmware re-encryption requirement as per TBBR >>> spec: >>> >>> >>> R070_TBBR_PROTECTION. The Trusted boot firmware may do the binding of >>> software image updates at run- time by decrypting the updated SoC certificates >>> and software images using the OTP/Fuse Secret Symmetric Key (SSK), followed >>> by the re-encrypting these SoC certificates and software images using a >>> reproducible secret unique per device symmetric key (BSSK), and then updating >>> the ToC correspondingly. >>> >>> >>> Also, externally signing every firmware image encrypted with BSSK doesn't >>> seem scalable as well. It also hampers the case where encryption key is never >>> exposed out from device eg. encryption key is only accessible to hardware >>> crypto engine etc. >>> >>> >>> -Sumit >>> >>> >>> >>> >>>> >>> >>> >>>> Is it possible for somebody from ARM to have the TBBR spec updated to >>> reflect this? Also perhaps talk to the spec writers about incorporating >>> authenticated encryption into TBBR and PSA? This patch set is somewhat >>> trailblazing in this regard. >>> >>> >>>> >>> >>> >>>> -Raghu >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> On January 23, 2020 at 12:08 PM, Raghupathy Krishnamurthy via TF-A <tf- >>> a(a)lists.trustedfirmware.org> wrote: >>> >>> >>>> >>> >>> >>>> Hi Sumit, >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Thanks for your response. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> So firstly I would suggest you to revisit TBBR spec [1], >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> [RK] I'm very familiar with the TBBR spec and the requirements. Note >>>> that not all SoC's adhere perfectly to the TBBR spec, since it does >>>> not apply to devices in all market segments. However, these devices do >>>> use arm trusted firmware and TBBR CoT in a slightly modified form, >>>> which is still perfectly valid. Also, the TBBR spec can be changed if >>>> required :) >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Why would one use authenticated decryption only to establish TBBR >>> >>> >>>> >>> >>> >>>> Chain of Trust providing device the capability to self sign its firmware? >>> >>> >>>> >>> >>> >>>> [RK] Fair point. However, you may have devices that don't have the >>> processing power or hardware budget or cost factors(paying for HSM's to store >>> private asymmetric keys), to implement asymmetric verification, in which case >>> using authenticated decryption to verify firmware authenticity and integrity is >>> perfectly valid. The attacks on devices that use symmetric keys to verify >>> firmware authenticity and integrity are usually related to exploiting firmware >>> flaws that leak the key or insiders leaking keys, but that is a different problem >>> and requires different solutions. Fundamentally, there is nothing wrong with >>> using symmetric keys for this purpose, so long as the key is well protected. Also >>> note, security requirements and guarantees are different for different systems. >>> The risk is taken by the system designer and should not be imposed by >>> framework code. I don't advocate doing this but it is an option that your >>> implementation does not provide(and perhaps rightly so). >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> How would this ensure integrity of ciphertext? >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> [RK] You sign the ciphertext. In your design, you pass bl31_enc.bin to >>> cert_tool to sign. You don't decrypt the encrypted cipher text until you have >>> verified the asymmetric signature(which provides integrity). As far as signature >>> verification is concerned, whether you sign the plain text or ciphertext is >>> immaterial, since you are simply verifying that the absolute bits you loaded >>> have not been modified(assuming you use a secure signature scheme). >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Have a look at some defective sign and encrypt techniques here [2] >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> [RK] Again, very familiar with [2]. In the S/MIME case, you have multiple >>> parties. With secure boot, you have one party, effectively verifying its own >>> messages across time. There is only one key used to verify signatures. 1.1 and >>> 1.2 does not apply. Also you are encrypting and signing with completely >>> different keys and algorithms. Section 1.2 applies when you use RSA/El-gamal >>> encryption. Here you use symmetric encryption and asymmetric signing. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Why would one not use TBBR CoT here? >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> [RK] see above. Not all systems are designed equal. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> and why would one like to hardcode in a device during >>> >>> >>>> >>> >>> >>>> provisioning to boot only either an encrypted or a plain firmware >>> >>> >>>> image? >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> [RK] Why would you not? You typically want to have the same security policy >>> for a class of devices and not be modifiable by an attacker. It isn't common for >>> the same class of devices to use encrypted firmware some times, and un- >>> encrypted firmware other times. If it is common, there is no problem with >>> setting the bit in the FIP header, as long as verified boot is mandatory. The only >>> concern(as my original email said) is the coupling of the FIP layer and the >>> crypto module, in the implementation. I still don't like that fact that the bit >>> saying the file is encrypted is not signed and this may require talking to the >>> TBBR spec writers. Page 22 of the TBBR spec calls out ToC as "Trusted Table of >>> Contents". The FIP header cannot be "trusted", if it is not in ROM or its integrity >>> is verified by some means! R010_TBBR_TOC should perhaps be mandatory >>> then. Also see R080_TBBR_TOC that says the TOC MUST be ROM'ed or tied by >>> hardware in readable registers. This requirement seems contradictory to >>> R010_TBBR_TOC, given that the FIP header(TOC) is copied from mutable NVM >>> by ROM or some boot stage and then ROM'd or loaded into registers. I may be >>> misunderstanding R080_TBBR_TOC, but i'd interpret it as the TOC(FIP header >>> in ATF implementation of TBBR) as being in ROM or integrity verified. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> How would one handle a case where BL31 is in plain format and BL32 is in >>> encrypted format? >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> [RK]TBBR CoT is equipped to do this. The table is defined on a per image >>> basis. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> If you are really paranoid about authentication of FIP header... >>> >>> >>>> >>> >>> >>>> [RK] I don't mean to pontificate but there are real world customers buying >>> real hardware, running ATF code, who care about such details and ask about >>> such things routinely. It is not just me being paranoid and is definitely not a >>> minor matter to think of such details. We should discuss more and consider the >>> implications of R080_TBBR_TOC and R010_TBBR_TOC, perhaps on a different >>> thread, without blocking your code review. Can somebody from ARM clarify >>> these requirements with the spec writers? >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Thanks >>> >>> >>>> -Raghu >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> On January 23, 2020 at 12:38 AM, Sumit Garg <sumit.garg(a)linaro.org> >>> wrote: >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Hi Raghu, >>> >>> >>>> >>> >>> >>>> I guess you have completely misunderstood this feature. This is an >>> >>> >>>> optional feature which allows to load encrypted FIP payloads using >>> >>> >>>> authenticated decryption which MUST be used along with signature >>> >>> >>>> verification (or TBBR CoT). >>> >>> >>>> >>> >>> >>>> So firstly I would suggest you to revisit TBBR spec [1], especially >>> >>> >>>> requirements: R040_TBBR_TOC, R060_TBBR_FUNCTION etc. >>> >>> >>>> >>> >>> >>>> On Thu, 23 Jan 2020 at 00:14, Raghupathy Krishnamurthy >>> >>> >>>> <raghu.ncstate(a)icloud.com> wrote: >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Hello, >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> The patch stack looks good. The only comment i have is that the FIP layer has >>> now become security aware and supports authenticated decryption(only). This >>> is a deviation from the secure/signed/verified boot design, where we use the >>> TBBR COT to dictate the security operations on the file. This is nice, because >>> file IO is decoupled from the security policy. This may be a big deviation(i >>> apologize if this was considered and shot down for some other reason), but it >>> may be worthwhile to consider making authenticated decryption a part of the >>> authentication framework as opposed to coupling it with the FIP layer. >>> >>> >>>> >>> >>> >>>> It looks like you have mixed both TBBR CoT and this authenticated >>> >>> >>>> decryption feature. They both are completely different and rather >>> >>> >>>> complement each other where TBBR CoT establishes >>> >>> >>>> secure/signed/verified boot and this authenticated decryption feature >>> >>> >>>> provides confidentiality protection for FIP payloads. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> At a high level, this would mean adding a new authentication >>> method(perhaps AUTH_METHOD_AUTHENTICATED_DECRYPTION), and having >>> the platform specify that the image is using authenticated encryption in the >>> TBBR COT. >>> >>> >>>> >>> >>> >>>> Why would one use authenticated decryption only to establish TBBR >>> >>> >>>> Chain of Trust providing device the capability to self sign its >>> >>> >>>> firmwares? We must use signature verification for TBBR CoT (see >>> >>> >>>> section: 2.1 Authentication of Code Images by Certificate in TBBR spec >>> >>> >>>> [1]). >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> The authentication framework is already well designed and well equipped to >>> handle these types of extensions. >>> >>> >>>> 1) This would make the change simpler, since you would not require changes >>> to the FIP tool and the FIP layer. >>> >>> >>>> 2) This would also allow for future cases where a platform may want to only >>> encrypt the file and use public key authentication on the encrypted file(for ex. >>> the soc does not have a crypto accelerator for aes-gcm but only for AES and >>> public key verification, for whatever reason). >>> >>> >>>> >>> >>> >>>> How would this ensure integrity of ciphertext? This approach may be >>> >>> >>>> vulnerable to Chosen Ciphertext Attacks (CCAs). Authentication tag as >>> >>> >>>> part of AES-GCM provides integrity protection for ciphertext. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> 3) This would let you choose the order in which you want to do the >>> authenticated decryption(or just decryption) and signature verification, if you >>> use both, one or the other. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Have a look at some defective sign and encrypt techniques here [2]. >>> >>> >>>> The order can't be any arbitrary one, we need to be careful about >>> >>> >>>> this. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> One other thing i'm not entirely comfortable with is that the flag indicating if >>> there are encrypted files or not in the FIP, is in the *unsigned* portion of the >>> FIP header. An attacker could simply flip bits that dictate security policy in the >>> header and avoid detection(in this case, the indication that the file needs >>> authenticated decryption). If a platform only uses authenticated encryption, but >>> not verified boot, an attacker could flip the bit in the FIP header and have any >>> image loaded on the platform. >>> >>> >>>> >>> >>> >>>> Why would one not use TBBR CoT here? >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> If authenticated encryption cannot be used without verified boot(which >>> requires build time flags), having a flag to indicate that there are encrypted >>> files in the FIP header is moot, since this can come at build time through the >>> TBBR COT. In any case, it seems like the security policy that firmware images >>> need to be decrypted or authenticated with authenticated decryption, seems >>> like a firmware build time or manufacturing time decision(perhaps a bit set in >>> the e-fuses). >>> >>> >>>> >>> >>> >>>> Again you are confusing TBBR CoT with authenticated decryption >>> >>> >>>> feature. And why would one like to hardcode in a device during >>> >>> >>>> provisioning to boot only either an encrypted or a plain firmware >>> >>> >>>> image? >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> There seems to be no benefit to having a flag in the FIP header. >>> >>> >>>> >>> >>> >>>> How would one handle a case where BL31 is in plain format and BL32 is >>> >>> >>>> in encrypted format? >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Otherwise, I cant think of any attacks due to this and it may be completely >>> okay, but generally, consuming data that dictates security policy/operations >>> before verifying its integrity seems like a recipe for disaster. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> If you are really paranoid about authentication of FIP header then you >>> >>> >>>> should look at implementing optional requirement: R010_TBBR_TOC as per >>> >>> >>>> TBBR spec [1]. >>> >>> >>>> >>> >>> >>>> [1] >>>> https://developer.arm.com/docs/den0006/latest/trusted-board-boot-requi >>>> rements-client-tbbr-client-armv8-a >>> >>> >>>> [2] http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html >>> >>> >>>> >>> >>> >>>> -Sumit >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> -Raghu >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> On January 22, 2020 at 3:51 AM, Sumit Garg via TF-A <tf- >>> a(a)lists.trustedfirmware.org> wrote: >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Hi Sandrine, >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> On Wed, 22 Jan 2020 at 15:43, Sandrine Bailleux >>> >>> >>>> <Sandrine.Bailleux(a)arm.com> wrote: >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Hello Sumit, >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Thank you for reworking the patches and addressing all of my review >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> comments. I am happy with the latest version of these and consider >>>> them >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> ready to go. I plan to leave them in Gerrit for another week to give >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> extra time for other potential reviewers to have a look and comment. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Thanks for your review. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> To everyone on the list: Please raise any concerns you may have about >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> these patches in the coming week. If I don't hear anything by 29th >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> January 2020, I will merge these patches. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> @Sumit: One of the next actions for this patch stack would be to have >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> some level of testing in the CI system to detect any potential >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> regressions. We (at Arm) can quite easily add a few build tests but >>>> then >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> testing the software stack on QEMU is a bit more involved for various >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> reasons (first instance of QEMU testing, dependencies on OPTEE, UEFI, >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> ...) so this might have to wait for some time. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Okay, will wait for CI testing. >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> -Sumit >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Regards, >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> Sandrine >>> >>> >>>> >>> >>> >>>> >>> >>> >>>> -- >>> >>> >>>> TF-A mailing list >>> >>> >>>> TF-A(a)lists.trustedfirmware.org >>> >>> >>>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >>> >>> >>>> -- >>> >>> >>>> TF-A mailing list >>> >>> >>>> TF-A(a)lists.trustedfirmware.org >>> >>> >>>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >>> -- >>> TF-A mailing list >>> TF-A(a)lists.trustedfirmware.org >>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 11 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

TF-A