mail archive of the barebox mailing list
* [PATCH] habv4: add the possibility to changing the signing area from Kconfig
@ 2019-12-10 15:06 Maik Otto
  2019-12-10 15:21 ` Sascha Hauer
  0 siblings, 1 reply; 6+ messages in thread
From: Maik Otto @ 2019-12-10 15:06 UTC (permalink / raw)
  To: barebox; +Cc: Maik Otto

The whole barebox, with MBR and partition table, will be signed by default.
Add the possibility in Kconfig to change from full signing to skip-mbr
or from-dcdofs.

Signed-off-by: Maik Otto <m.otto@phytec.de>
---
 arch/arm/mach-imx/Kconfig                          | 26 ++++++++++++++++++++++
 arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h |  2 +-
 scripts/imx/imx.c                                  |  6 ++---
 3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 6e98e95..ca1e6f3 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -859,6 +859,32 @@ config HABV4_IMG_CRT_PEM
 
 endif
 
+if HABV4
+choice
+	prompt "Select type for signing area"
+	help
+	  select the signing area, which is checked from the HAB modul
+	  of the i.mx controller
+
+config HABV4_BLOCKS_TYPE_FULL
+	bool "complete barebox with mbr and partition table"
+
+config HABV4_BLOCKS_TYPE_FROM_DCDOFS
+	bool "signing area begins from dcdofs address"
+
+config HABV4_BLOCKS_TYPE_SKIP_MBR
+	bool "signing area begins after MBR"
+
+endchoice
+
+endif
+
+config HABV4_BLOCKS_TYPE
+	string
+	default skip-mbr if HABV4_BLOCKS_TYPE_SKIP_MBR
+	default from-dcdofs if HABV4_BLOCKS_TYPE_FROM_DCDOFS
+	default full
+
 config HABV3
 	tristate "HABv3 support"
 	select HAB
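Review bot: `config HABV4_BLOCKS_TYPE` sits outside the `if HABV4` block while the `choice` that drives it is inside, so the string symbol is defined, and defaults to `full`, even in configurations without HABV4; move it inside the `if` next to the choice. The string defaults are unquoted (`default skip-mbr if HABV4_BLOCKS_TYPE_SKIP_MBR`); Kconfig string values are conventionally written as `default "skip-mbr" if HABV4_BLOCKS_TYPE_SKIP_MBR`, which also makes clear they are literals rather than symbol references. The help text has typos ("modul", "i.mx") and would be more useful if it named the consequence of each entry, e.g. that `full` covers the MBR and partition table, so a partition table written after the build invalidates the signature.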
diff --git a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
index 5818879..60d3baf 100644
--- a/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
+++ b/arch/arm/mach-imx/include/mach/habv4-imx6-gencsf.h
@@ -42,7 +42,7 @@ hab [Authenticate Data]
 /* verification key index in key store (2...4) */
 hab Verification index = 2
 
-hab_blocks
+hab_blocks CONFIG_HABV4_BLOCKS_TYPE
 
 hab_encrypt [Install Secret Key]
 hab_encrypt Verification index = 0
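Review bot: `hab_blocks CONFIG_HABV4_BLOCKS_TYPE` only works because this header is run through the C preprocessor, and a Kconfig string symbol is emitted in autoconf.h with its quotes, so the line expands to `hab_blocks "full"` rather than `hab_blocks full`. That quoted token is what the imx.c hunk then tolerates by switching to `strstr`. Stripping the quotes where the config parser reads the argument (or emitting the value unquoted) would keep exact matching; a short comment here saying the value comes from Kconfig would also help, since nothing in this file shows where `CONFIG_HABV4_BLOCKS_TYPE` is defined.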
diff --git a/scripts/imx/imx.c b/scripts/imx/imx.c
index b3e8d62..4a96d8d 100644
--- a/scripts/imx/imx.c
+++ b/scripts/imx/imx.c
@@ -365,17 +365,17 @@ static int do_hab_blocks(struct config_data *data, int argc, char *argv[])
 			offset += PLUGIN_HDMI_SIZE;
 	}
 
-	if (!strcmp(type, "full")) {
+	if (strstr(type, "full")) {
 		ret = asprintf(&str, "Blocks = 0x%08x 0x%08x 0x%08x \"%s\"\n",
 			       data->image_load_addr, offset, signed_size,
 			       data->outfile);
-	} else if (!strcmp(type, "from-dcdofs")) {
+	} else if (strstr(type, "from-dcdofs")) {
 		ret = asprintf(&str, "Blocks = 0x%08x 0x%x %d \"%s\"\n",
 			       data->image_load_addr + data->image_dcd_offset,
 			       data->image_dcd_offset,
 			       signed_size - data->image_dcd_offset,
 			       data->outfile);
-	} else if (!strcmp(type, "skip-mbr")) {
+	} else if (strstr(type, "skip-mbr")) {
 		ret = asprintf(&str,
 			       "Blocks = 0x%08x 0 440 \"%s\", \\\n"
 			       "         0x%08x 512 %d \"%s\"\n",
-- 
2.7.4
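Review bot: replacing `strcmp` with `strstr` in the three `type` comparisons in `do_hab_blocks()` turns an exact match into a substring test, so a value such as `notfull` or `full-anything` silently selects the `full` case, and branch order rather than the value decides ambiguous inputs. If the motivation is that the Kconfig-provided value arrives with surrounding quotes (`"full"`), strip the quotes where the token is read and keep `if (!strcmp(type, "full"))` as it was. Given the conclusion later in the thread to always skip the padding, the `from-dcdofs` case is the one worth keeping as the default, and an unknown type should still be reported as an error.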


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


* Re: [PATCH] habv4: add the possibility to changing the signing area from Kconfig
  2019-12-10 15:06 [PATCH] habv4: add the possibility to changing the signing area from Kconfig Maik Otto
@ 2019-12-10 15:21 ` Sascha Hauer
  2019-12-11  7:57   ` Maik Otto
  0 siblings, 1 reply; 6+ messages in thread
From: Sascha Hauer @ 2019-12-10 15:21 UTC (permalink / raw)
  To: Maik Otto; +Cc: barebox

On Tue, Dec 10, 2019 at 04:06:27PM +0100, Maik Otto wrote:
> the whole barebox with mbr and partition table will be signed by default
> add the possibility in the Kconfig to change from full signing to skip-mbr
> and from-dcdofs

Not signing the MBR seems the right thing to do. Do we need it
configurable at all or would it be better to just always skip the first
KiB?

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [PATCH] habv4: add the possibility to changing the signing area from Kconfig
  2019-12-10 15:21 ` Sascha Hauer
@ 2019-12-11  7:57   ` Maik Otto
  2019-12-11  8:15     ` Sascha Hauer
  0 siblings, 1 reply; 6+ messages in thread
From: Maik Otto @ 2019-12-11  7:57 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: barebox

Hi Sascha,

In my opinion it is better to have it configurable, because there are
different use cases and security requirements.
I found the problem by creating an SD card/eMMC image with wic. The
MBR, the partition table and the bootloader were signed at barebox
build time, and wic changes the partition table at the end of the build
process. Then the SD card image could not boot, because the signature was
wrong. Yeah, secure boot works :-)
The highest protection you have when the MBR and partition table are signed
with the bootloader, but it is not always necessary.

skip-mbr, dcdofs and full were implemented, but full was the default
in the code. At the moment I think it is a good and easy choice.

Best regards

Maik

Am 10.12.2019 um 16:21 schrieb Sascha Hauer:
> On Tue, Dec 10, 2019 at 04:06:27PM +0100, Maik Otto wrote:
>> the whole barebox with mbr and partition table will be signed by default
>> add the possibility in the Kconfig to change from full signing to skip-mbr
>> and from-dcdofs
> Not signing the MBR seems the right thing to do. Do we need it
> configurable at all or would it be better to just always skip the first
> KiB?
>
> Sascha
>



* Re: [PATCH] habv4: add the possibility to changing the signing area from Kconfig
  2019-12-11  7:57   ` Maik Otto
@ 2019-12-11  8:15     ` Sascha Hauer
  2019-12-11  9:10       ` Maik Otto
  0 siblings, 1 reply; 6+ messages in thread
From: Sascha Hauer @ 2019-12-11  8:15 UTC (permalink / raw)
  To: Maik Otto; +Cc: barebox

On Wed, Dec 11, 2019 at 08:57:45AM +0100, Maik Otto wrote:
> Hi Sascha,
> 
> In my opinion it is better to have it configurable, because there are
> different use cases and security requirements.
> I found the problem by creating an SD card/eMMC image with wic. The
> MBR, the partition table and the bootloader were signed at barebox
> build time, and wic changes the partition table at the end of the build
> process. Then the SD card image could not boot, because the signature was
> wrong. Yeah, secure boot works :-)
> The highest protection you have when the MBR and partition table are signed
> with the bootloader, but it is not always necessary.

But in which cases is it really necessary? I can't think of any. The mbr
and partition table are not evaluated by the ROM code, hence they do not
need to be signed for HAB.

The images generated by the build system all do not have a partition table
included, so basically we are currently enforcing no partition table at
all which is just not useful.

I think the current way of including the first KiB in signed area comes
from the fact that we started doing HAB on a NAND device which doesn't
have a partition table. Other projects we are currently doing use eMMC
where we use the boot partitions, again no MBR or partition table.

If we had started on SD cards, we wouldn't have included the partition
table in the signature and also would never have thought it would be a
good idea to do so.

Regards
 Sascha


* Re: [PATCH] habv4: add the possibility to changing the signing area from Kconfig
  2019-12-11  8:15     ` Sascha Hauer
@ 2019-12-11  9:10       ` Maik Otto
  2019-12-13  8:25         ` Sascha Hauer
  0 siblings, 1 reply; 6+ messages in thread
From: Maik Otto @ 2019-12-11  9:10 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: barebox

Hi Sascha,

So do you think we should always start from-dcdofs instead of full?
At the moment I use this configuration with from-dcdofs, and I think you
are right: there is not really a good case to sign the area between 0x00
and dcdofs in the barebox build.
What is the best solution in your opinion?
Change the default from full to dcdofs in scripts/imx/imx.c?
Additionally delete full and skip-mbr?

Best regards

Maik


Am 11.12.2019 um 09:15 schrieb Sascha Hauer:
> On Wed, Dec 11, 2019 at 08:57:45AM +0100, Maik Otto wrote:
>> Hi Sascha,
>>
>> In my opinion it is better to have it configurable, because there are
>> different use cases and security requirements.
>> I found the problem by creating an SD card/eMMC image with wic. The
>> MBR, the partition table and the bootloader were signed at barebox
>> build time, and wic changes the partition table at the end of the build
>> process. Then the SD card image could not boot, because the signature was
>> wrong. Yeah, secure boot works :-)
>> The highest protection you have when the MBR and partition table are signed
>> with the bootloader, but it is not always necessary.
> But in which cases is it really necessary? I can't think of any. The mbr
> and partition table are not evaluated by the ROM code, hence they do not
> need to be signed for HAB.
>
> The images generated by the build system all do not have a partition table
> included, so basically we are currently enforcing no partition table at
> all which is just not useful.
>
> I think the current way of including the first KiB in signed area comes
> from the fact that we started doing HAB on a NAND device which doesn't
> have a partition table. Other projects we are currently doing use eMMC
> where we use the boot partitions, again no MBR or partition table.
>
> If we had started on SD cards, we wouldn't have included the partition
> table in the signature and also would never have thought it would be a
> good idea to do so.
>
> Regards
>  Sascha
>



* Re: [PATCH] habv4: add the possibility to changing the signing area from Kconfig
  2019-12-11  9:10       ` Maik Otto
@ 2019-12-13  8:25         ` Sascha Hauer
  0 siblings, 0 replies; 6+ messages in thread
From: Sascha Hauer @ 2019-12-13  8:25 UTC (permalink / raw)
  To: Maik Otto; +Cc: barebox

On Wed, Dec 11, 2019 at 10:10:10AM +0100, Maik Otto wrote:
> Hi Sascha,
> 
> So do you think we should always start from-dcdofs instead of full?
> At the moment I use this configuration with from-dcdofs, and I think you
> are right: there is not really a good case to sign the area between 0x00
> and dcdofs in the barebox build.
> What is the best solution in your opinion?
> Change the default from full to dcdofs in scripts/imx/imx.c?
> Additionally delete full and skip-mbr?

Yes. Always only check the executed image without the 1KiB padding at
the beginning. Note that on i.MX8 it's 32KiB padding until the image
start.

Sascha

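The failure Maik describes (wic rewriting the partition table after the build) and Sascha's conclusion (sign only the executed image after the padding) both come down to which byte ranges the CSF `Blocks` line covers. The following is an added example, not barebox or Pengutronix code: it builds a constructed boot image in memory, derives the `Blocks` line for `full`, `from-dcdofs` and `skip-mbr` the way the three cases of `do_hab_blocks()` in `scripts/imx/imx.c` do, and uses a SHA-256 over the covered ranges as a stand-in for the HAB signature to show which modifications each mode survives. The load address, image size, output file name, the argument list of the second `skip-mbr` block (cut off in the hunk) and an HDMI plugin offset of 0 are assumptions; the DCD offsets 0x400 and 0x8000 model the 1 KiB and 32 KiB padding mentioned in the thread.

```python
"""Which bytes of an i.MX boot image does the HABv4 signature cover?

Constructed example, not barebox or Pengutronix code. A fake boot image is
built in memory, the CSF "Blocks" line for each hab_blocks type is derived
the way the three cases in scripts/imx/imx.c do it, and a SHA-256 over the
covered byte ranges stands in for the HAB signature, so the effect of a
post-build partition-table rewrite (what wic does) and of a change inside
the executed image can be checked per mode.
"""
import hashlib

SECTOR = 512
MBR_BOOTCODE_LEN = 440        # skip-mbr keeps bytes 0..439 signed, as in imx.c
PART_TABLE = slice(446, 510)  # classic MBR partition table: 4 x 16-byte entries

# Constructed values, not taken from any real board or build.
LOAD_ADDR = 0x10000000
IMAGE_SIZE = 0x20000
OUTFILE = "barebox.img"       # placeholder file name for the Blocks line


def build_image(dcd_offset, size=IMAGE_SIZE):
    """Padding containing an MBR up to dcd_offset, then pseudo-random bytes.

    dcd_offset models the 1 KiB padding on i.MX6 (0x400) and the 32 KiB
    padding mentioned for i.MX8 (0x8000); the executed image starts there.
    """
    img = bytearray(size)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x83] + [0] * 11)  # one bootable entry
    img[510:512] = b"\x55\xaa"
    for i in range(dcd_offset, size):
        img[i] = (i * 7 + 13) & 0xFF
    return bytes(img)


def hab_blocks(mode, dcd_offset, signed_size, load_addr=LOAD_ADDR, outfile=OUTFILE):
    """Return (Blocks line, [(offset, length), ...]) for one hab_blocks type.

    The formats follow the do_hab_blocks() cases quoted in the patch. Two
    assumptions: the HDMI plugin offset is 0, and the argument list of the
    second skip-mbr block (cut off in the hunk) is load_addr + 512,
    signed_size - 512 and the output file.
    """
    if mode == "full":
        ranges = [(0, signed_size)]
        line = 'Blocks = 0x%08x 0x%08x 0x%08x "%s"' % (load_addr, 0, signed_size, outfile)
    elif mode == "from-dcdofs":
        ranges = [(dcd_offset, signed_size - dcd_offset)]
        line = 'Blocks = 0x%08x 0x%x %d "%s"' % (
            load_addr + dcd_offset, dcd_offset, signed_size - dcd_offset, outfile)
    elif mode == "skip-mbr":
        ranges = [(0, MBR_BOOTCODE_LEN), (SECTOR, signed_size - SECTOR)]
        line = 'Blocks = 0x%08x 0 440 "%s", \\\n         0x%08x 512 %d "%s"' % (
            load_addr, outfile, load_addr + SECTOR, signed_size - SECTOR, outfile)
    else:
        # exact match only: a substring test would let "notfull" select "full"
        raise ValueError("unknown hab_blocks type: %r" % mode)
    return line, ranges


def covered_digest(img, ranges):
    """SHA-256 over exactly the signed ranges; stands in for the HAB signature."""
    h = hashlib.sha256()
    for offset, length in ranges:
        h.update(img[offset:offset + length])
    return h.hexdigest()


def rewrite_partition_table(img):
    """Model a post-build tool such as wic replacing the partition table."""
    out = bytearray(img)
    out[PART_TABLE] = bytes([0x00, 0, 0, 0, 0x0C] + [0] * 11) + bytes(48)
    return bytes(out)


def tamper_code(img, dcd_offset):
    """Model a modification inside the executed part of the image."""
    out = bytearray(img)
    out[dcd_offset + 64] ^= 0xFF
    return bytes(out)


def signature_still_valid(mode, original, modified, dcd_offset):
    """True when the modification lies entirely outside the signed ranges."""
    _, ranges = hab_blocks(mode, dcd_offset, len(original))
    return covered_digest(original, ranges) == covered_digest(modified, ranges)


def coverage_report(dcd_offset):
    """Per mode: (survives partition-table rewrite, survives code change)."""
    img = build_image(dcd_offset)
    wic = rewrite_partition_table(img)
    changed = tamper_code(img, dcd_offset)
    return {mode: (signature_still_valid(mode, img, wic, dcd_offset),
                   signature_still_valid(mode, img, changed, dcd_offset))
            for mode in ("full", "from-dcdofs", "skip-mbr")}


if __name__ == "__main__":
    for dcd_offset in (0x400, 0x8000):
        print("dcd offset 0x%x" % dcd_offset)
        for mode, (pt_ok, code_ok) in coverage_report(dcd_offset).items():
            blocks = hab_blocks(mode, dcd_offset, IMAGE_SIZE)[0].replace("\\\n", "")
            print("  %-12s %s" % (mode, blocks))
            print("  %-12s partition table rewrite: %s, code change: %s" % (
                "", "boots" if pt_ok else "HAB fails", "boots" if code_ok else "HAB fails"))
```

Running it shows that only `full` breaks on the partition-table rewrite, while all three modes reject a change inside the executed image; that second property is what Sascha's "always skip the padding" default keeps, at either padding size.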
