mail archive of the barebox mailing list
 help / color / mirror / Atom feed
From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
To: "Jan Lübbe" <jlu@pengutronix.de>
Cc: barebox@lists.infradead.org
Subject: Re: [RFC 3/4] FIT: add FIT image support
Date: Mon, 16 Mar 2015 14:51:41 +0100	[thread overview]
Message-ID: <20150316135141.GL26127@ns203013.ovh.net> (raw)
In-Reply-To: <1426512500.3330.115.camel@pengutronix.de>

On 14:28 Mon 16 Mar     , Jan Lübbe wrote:
> On Mo, 2015-03-16 at 13:19 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> > On 13:08 Mon 16 Mar     , Jan Lübbe wrote:
> > > On Mo, 2015-03-16 at 12:14 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> > > > On 11:19 Mon 16 Mar     , Jan Lübbe wrote:
> > > > > Later I'd like to have optional support to switch barebox into a
> > > > > "non-secure" or "developer" mode at runtime, which would make hardware
> > > > > secrets inaccessible. That could be triggered when a prompt appears or
> > > > > when booting for a different source (such as USB fastboot).
> > > > 
> > > > yeah, I like the idea but for this will have to put a lot of protection so you
> > > > can not read/write some part of the memory included barebox itself (in RAM)
> > > > 
> > > > As in the kernel we have no memmory protection from the shell.
> > > 
> > > Not necessarily. For example on the MX6 you can trigger a security
> > > violation in the CAAM from software. That will clear the OTPMK in its
> > > Key-RAM. From that point on you can run any software but you will not be
> > > able to decrypt any secret data which was encrypted with the OTPMK.
> > > 
> > > On hardware which supports something like this, debugging hardware
> > > problems is easy and there is no danger of leaking any secret
> > > information. If something is useful/possible in any specific project
> > > obviously depends on the threat model and hardware capabilities.
> > 
> > I knonw about the imx6 but that does not mean all the SoC
> > unfortunatly.
> 
> Yes, every SoC is different. But we should be able to use HW features
> when the are available, as sometimes the HW is selected specifically to
> used these security features.

I agree with you we just need to ensure that it work also when we can not
use such HW feature.
> 
> > The other pb I see is this one where and do you plan to store the RO x509
> > the trusted one.
> 
> Sorry, I can't parse this.
where do we store the trusted keys/cert need to be secured or inaccessible
except crypto API
> 
> > if you use on OTP this means this is enough to ensure secured boot as if you
> > can not modify the primary cert of key. No one can brake it. But as you load
> > it in ram you need to be sure no one modify it. Even in unlock mode to do only
> > allow to boot secure images by expected key.
> 
> I should have been more clear: The use case here is to ensure that the
> OTPMK-AES-HW-Key is only available when booting with a correct boot
> chain. It's OK to boot something else (only the OTPMK needs to be
> cleared).
> 
> This is a very different goal from making sure that only correctly
> signed code is executed.
> 
> Both cases need mostly the same verified boot features, only the policy
> (especially what to do on signature errors) is different.
secure boot means in 95% of the case only correctly signed file can be booted
> 
> > So you may not have secured place to store the cert or key in ram but only
> > RAM. so we do need to forbidden this memory acces to everyone except the
> > crypto API. if we want ot allow dev mode.
> 
> On MX6 this can be done by the HW. Doing this (without TrustZone) purely
> in SW seems extremely difficult.

if you do not allow console easy, if you do you need to make the memory where
you do store the trusted keys and barebox itself no accessible by any std API
or command

such as md/mw, etc...

yes this will be difficult

Best Regards,
J.

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

  reply	other threads:[~2015-03-16 13:52 UTC|newest]

Thread overview: 59+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-12 14:39 [RFC 0/4] FIT Support Jan Luebbe
2015-03-12 14:39 ` [RFC 1/4] digest: Make filename arguments const Jan Luebbe
2015-03-13  7:40   ` Sascha Hauer
2015-03-12 14:39 ` [RFC 2/4] Add rsa support Jan Luebbe
2015-03-12 17:47   ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13  9:35     ` Jan Lübbe
2015-03-13  9:56       ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 10:06         ` Sascha Hauer
2015-03-13 10:12           ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 10:22             ` Jan Lübbe
2015-03-13 10:26               ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 10:10         ` Jan Lübbe
2015-03-13 10:25           ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 10:43             ` Jan Lübbe
2015-03-13 15:49               ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:00                 ` Jan Lübbe
2015-03-16 10:27                   ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 11:25                     ` Jan Lübbe
2015-03-16 11:33                       ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 15:42                         ` Jan Lübbe
2015-03-17 10:48                           ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-17 12:09                             ` Jan Lübbe
2015-03-17 12:39                               ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-17 12:57                                 ` Jan Lübbe
2015-03-12 14:39 ` [RFC 3/4] FIT: add FIT image support Jan Luebbe
2015-03-12 18:19   ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13  9:28     ` Jan Lübbe
2015-03-13 10:05       ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 10:21         ` Jan Lübbe
2015-03-13 14:28           ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 15:41             ` Jan Lübbe
2015-03-13 16:08               ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:19                 ` Jan Lübbe
2015-03-16 11:14                   ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 12:08                     ` Jan Lübbe
2015-03-16 12:19                       ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 13:28                         ` Jan Lübbe
2015-03-16 13:51                           ` Jean-Christophe PLAGNIOL-VILLARD [this message]
2015-03-16 14:31                             ` Jan Lübbe
2015-03-16 14:40                               ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 14:50                                 ` Jan Lübbe
2015-03-13 11:33         ` Marc Kleine-Budde
2015-03-13 15:54           ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 16:06             ` Marc Kleine-Budde
2015-03-13 17:00               ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 10:04                 ` Jan Lübbe
2015-03-16 10:28                   ` Jean-Christophe PLAGNIOL-VILLARD
2015-12-29 10:18   ` Yegor Yefremov
2015-03-12 14:39 ` [RFC 4/4] FIT: add test config and data [do not merge] Jan Luebbe
2015-03-12 14:51 ` [RFC] digest: Add enum Jan Luebbe
2015-03-12 17:50   ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13  9:54     ` Jan Lübbe
2015-03-13 10:10       ` Jean-Christophe PLAGNIOL-VILLARD
2015-03-13 18:50         ` Robert Schwebel
2015-11-11 11:39 ` [RFC 0/4] FIT Support Yegor Yefremov
2015-11-13 11:35   ` Antony Pavlov
2015-11-13 12:54   ` Sascha Hauer
2015-12-29  8:10     ` Yegor Yefremov
2016-01-05  8:11     ` Marc Kleine-Budde

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150316135141.GL26127@ns203013.ovh.net \
    --to=plagnioj@jcrosoft.com \
    --cc=barebox@lists.infradead.org \
    --cc=jlu@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox