07:00 <ccf> Ahoj, I want to lock-down an u-boot. The u-boot is getting checked by the SoC-Microcode (secure boot) and the kernel is getting loaded only when the fitImage-Signature passes. So far so good, not I need to lock-down the u-boot so that it's e.g. not possible to load a kernel by bootz oder tinker with the ram by 'mw'-command. Do you have any idea: What is the best way to do? Just disable uart? (Some Info-Messages would be still nice) Only

07:00 <ccf> disable uart-rx-line?

08:25 <milkylainen_> ccf: Depends on who you're trying to fool with "security" :)

08:27 <milkylainen_> I think the only reasonable security measure (not without drawbacks) is to have an unbroken verification from the CPU on all executing code. If you break that chain at any one point with "my own signature", you become susceptible to choices. Sure. You can harden the whole thing to the point of insanity..

09:06 <clarity> ccf: You could just disable input from uart

09:07 <clarity> Or console input, whatever you call it

09:11 <clarity> I'd grep for tstc and getc (starting with common/console.c maybe)

13:33 <sjg1> ccf: You can disabled CONFIG_CMDLINE and directly run the logic you want

13:34 <sjg1> ccf: Once we have bootmethod/bootflow landed you won't need the cmdline for common boot flows

15:55 <ccf> sjg1: Thanks for your input. With "directly run the logic", you mean simple plain C platform code and not the built in environment code, right?

16:20 <marex> ccf: against what are you trying to protect the system exactly ? what is the threat model ?

16:41 <cambrian_invader> ccf: just use ENV_IS_NOWHERE

16:41 <cambrian_invader> and of course set BOOTDELAY to -2

16:42 <cambrian_invader> see also: https://labs.f-secure.com/publications/u-booting-securely/

16:51 <Sout_> ooo nice paper hand to have

16:56 <Harm> Nice, thanks!

18:33 <ccf> cambrian_invader: thanks, nice docu!

18:33 <ccf> marex: data integrity, tamper resistance, prohibition of changing data offline and as good as possible online. I'll use dm-verity for the root-filesystem. U-Boot is getting checked because it's inside of a FIP image by the rom-code.

18:59 <marex> ccf: exfil of data too ?

18:59 <marex> which soc is this ?

18:59 <ccf> marex: Exfil, what is that?

18:59 <ccf> marex: It's a stm32mp1

18:59 <marex> read data out

18:59 <marex> mrnuke: ^

18:59 <ccf> no, no need for encryption

18:59 <ccf> can you recommend something?

19:00 <marex> ccf: in that case, just have the bootrom authenticate u-boot spl, have u-boot spl authenticate u-boot fitImage and so on

19:00 <marex> I think mrnuke did implement just that recently

19:00 <ccf> marex: That's what I'm currently doing.

19:01 <marex> you can possibly even have the SPL authenticate fitImage with linux and boot it directly, see falcon mode

19:01 <ccf> But I want to disable the interactivity of u-boot, so that a potential attacker is not able to load just another kernel by bootz (not bootm the fitImage)

19:01 <marex> practical attacker would connect JTAG unless you fuse it off

19:02 <marex> ccf: disable bootz altogether, just use fitImage and authenticate that and nothing else

19:02 <ccf> marex: yeah, I will need that too. Can you recommend something to disable the interactivity of u-boot?

19:02 <marex> well, look at falcon mode, you can avoid starting the u-boot altogether, spl can start kernel directly

19:03 <marex> otherwise what cambrian_invader said, set bootdelay to -2

19:03 <marex> it means no way to enter shell

19:03 <ccf> Ah, okay. So it's not necessary to disable the RX-UART line by mxing it offline?

19:04 <marex> you can enable nulldev uart and point u-boot there if you want to avoid any output

19:04 <ccf> s/mxing/muxing

19:04 <marex> and input ...

19:04 <ccf> I wan to see output, but want to disable input

19:04 <marex> bootdelay -2 is what you want then

19:04 <ccf> TF-A is the SPL loader, so there is currently no u-boot spl

19:05 <ccf> Ok, I go with bootdelay -2, thanks for your input!

19:05 <marex> oh ... I see ... so you have no real security anyway

19:05 <ccf> :) ? why not

19:05 <ccf> I am not aware of that

19:07 <ccf> the ST default "trusted" mode is this: rom-code checks FIP-Image Signature, the FIP-Image contains a TF-A -> OPTEE and u-boot get started. Why is that no "real security"?

19:08 <marex> I have very little trust in the atf development model in general

19:08 <marex> I trust the crypto code in u-boot considerably more

19:09 <marex> and honestly, having a big "lock" icon on the website and calling it "trusted" ... and then pushing developers to install code validation tools using NPM doesn't really help

19:09 <marex> the code review process is also not stellar

19:10 <ccf> :D ... oh I see, most of the SoC are shipping default devkits with TF-A, even NXP on the i.mx8 stuff is doing so

19:11 <marex> yes, with NXP that is particularly problematic, their atf implementation is outdated fork with huge amount of changes and nasty misuse of the SVC interface, so you better "trust" it

19:12 <Harm> But there you load ATF through U-Boot SPL right?

19:13 <marex> Harm: well there you load the PSCI interface implementation really (bl31)

19:13 <cambrian_invader> marex: yesh, but do their bugs show back up later as CVEs? :P

19:13 <marex> cambrian_invader: is that a leading question ?

19:13 <ccf> I haven't checked, is u-boot even able to boot directly by ROM-code, or is there currently always a TF-A, bl-blafoo necessary?

19:13 <marex> cambrian_invader: I still prefer the u-boot CVEs than bugs which I don't know about

19:13 <cambrian_invader> I believe you made that exact remark regarding some of your patches and the recent CVEs with verified boot :)

19:14 <marex> ccf: U-Boot has been around long before ARM started on ATF at all, so ... yes ?

19:15 <marex> ccf: even on the stm32mp1, all the systems we ship are shipped without atf, because on armv7a, psci is optional (and on the mp1, useless)

19:15 <Harm> marex: Right, the imx platforms have a proprietary NXP ROM for secure boot. Not sure if that's better than BL1/BL2 from ATF

19:15 <marex> Harm: HAB is OKish, it just authenticates the next stage

19:17 <Harm> The encrypted boot stuff in the HAB is poorly documented though. I managed to get errors that were not documented. The hab_status command implementation in U-Boot is so horrible that it completely hangs when an unknown error occurrs

19:17 <marex> oh, one more thing, atf is open-source, that means the code (you possibly contributed) can be taken and close-sourced without problem and never released in source, or included in close-source program

19:17 <marex> u-boot is free software, so you always have the right to obtain the code if you have a matching binary

19:17 <Harm> What's the ATF license?

19:18 <marex> also, community development (u-boot) vs. atf (single company) development

19:18 <marex> Harm: BSD-3-Clause

19:18 <vagrantc> mostl BSD-3 clause

19:19 <Harm> ah yeah

19:19 <marex> great for easy consumption by big companies, not so great for regular contributors

19:19 <cambrian_invader> HAB also already had bugs iirc

19:19 <marex> cambrian_invader: yes it did

19:19 <cambrian_invader> which had to be fixed with new silicon

19:19 <cambrian_invader> so take your

19:20 <marex> cambrian_invader: at least with u-boot, a silicon vendor cannot not-provide the sources if you have the binary

19:20 <cambrian_invader> "root of trust" with a grain of salt

19:20 <Harm> iirc in the X.509 parsing. Because you obviously need that in a ROM

19:20 <marex> cambrian_invader: with one of the silicon vendors, they refused to provide atf sources already, so ...

19:20 <Harm> Stack-based buffer overflow in the X.509 certificate parser (CVE-2017-7932) ( https://blog.quarkslab.com/vulnerabilities-in-high-assurance-boot-of-nxp-imx-microprocessors.html )

19:21 <marex> https://forum.khadas.com/t/is-the-source-code-of-khadass-bl2-bl30-bl31-available/2403/5 amlogic apparently did this

19:21 <cambrian_invader> IMO secure boot is a lot of effort for very little gain for the end user

19:21 <ccf> marex: pretty interesting to get a bit of more knowledge behind the scenes. You said "psci is on the mp1 useless", in the future I want to use optee - I guess you strongly advise against?

19:22 <marex> ccf: talk to mrnuke , he did mp1 without atf and with optee

19:24 <marex> ccf: I only looked very briefly into optee, so I don't have an opinion

19:24 <ccf> cool, I will send him an IM, currently he is disconnected (ZNC IRC bouncer).

19:24 <marex> ccf: mrnuke is in this channel, so just wait a bit

19:25 <marex> cambrian_invader: it is useful if you're manufacturing devices which you need to lock down

19:26 <cambrian_invader> yeah, but that's not in the user's interest :)

19:29 <marex> cambrian_invader: I can see how it can go both ways

19:43 <sjg1> ccf: Yes I mean you call the same code that the commands call

19:43 <sjg1> ccf: There is a way to disable loading the environment too I think

19:44 <ccf> sjg1: yeah, this (no env loading from anywhere other) and bootdelay -2 should be enough.

19:44 <Harm> CONFIG_ENV_IS_NOWHERE

19:44 <ccf> sjg1: so even environment script is possible

19:45 <sjg1> ccf: See should_load_env() - the load-environment config so put it in the /config node in the DT - see doc/device-tree-bindings/config.txt

19:46 <marex> sjg1: it is possible to filter out env variables from external env too, so your machine imports e.g. only one integer from the env

19:46 <marex> but not scripts for example

19:47 <marex> so you can then do things like fw_setenv in userspace, set your integer and do e.g. boot-into-OS-B-copy for AB update

19:47 <ccf> sjg1: So just the default built-in-environment is enought for me.

19:47 <marex> ENV_WRITEABLE_LIST this

19:48 <ccf> by the way, why is it possible to enable CONFIG_ENV_IS_NOWHERE and CONFIG_ENV_IS_IN_MMC at the same time?

19:48 <marex> yeah, the ^ writeable env list uses just that

19:48 <marex> env nowhere for the default env template, and env in some storage from which it imports the select variables

19:49 <ccf> ahhh, ... for AB update, I get it

19:49 <ccf> cool move

19:49 <marex> thats what I used it for, it can be used for whatever other purposes where you only want to import specific variables

19:49 <ccf> so the userland env-set-tool can still be made working, right?

19:49 <marex> avoid strings obviously

19:50 <marex> yeah

19:50 <ccf> maybe obvious, but why is it not a good idea to use strings?

19:51 <marex> ccf: because you can have a string which says "setenv bootcmd go 0xevilcode" or some such

19:51 <marex> say, you do something like this

19:51 <marex> bootcmd=run myscript bootcommand

19:52 <marex> myscript=echo do nothing <-- but you leave this string unprotected

19:52 <marex> then bad actor can do fw_setenv myscript run bad commands

19:52 <ccf> okay, ... but calling "run with "myscript-string-which-I-have-no-idea" is a bad idea

19:52 <marex> on next reboot ... well ... bad commands run within the bootloader shell

19:52 <ccf> so the bad idea is not to use strings but to call them with the interpreter, right?

19:53 <marex> ccf: that's why you should have the default built-in u-boot env contain all the scripts you audited

19:53 <marex> ccf: and only have those scripts react e.g. on integer variables which come from external env

19:53 <marex> like ... bootcmd=test $var -eq 1 && run boot_a_copy ; run boot_b_copy

19:53 <ccf> and in that "ENV_WRITEABLE_LIST" I can define that $var-from-outside is only an integer?

19:54 <marex> var is an integer, if the attacker sets it to whatever, it will either boot A or B copy, but no other damage done

19:54 <marex> if external env from which that var is pulled in is deleted, default value of $var from built-in env is picked, no problem

19:54 <marex> yeah

19:55 <marex> look at CONFIG_ENV_FLAGS_LIST_STATIC

19:55 <marex> "var:dw" is what you want

19:56 <marex> d -- %d , w -- writeable (gets pulled in from external env)