mail archive of the barebox mailing list
 help / color / mirror / Atom feed
From: Marco Felsch <m.felsch@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>
Cc: "open list:BAREBOX" <barebox@lists.infradead.org>
Subject: Re: [PATCH 02/13] firmware: add function to verify next image
Date: Mon, 10 Mar 2025 19:37:33 +0100	[thread overview]
Message-ID: <20250310183733.gykbqq25cznu72it@pengutronix.de> (raw)
In-Reply-To: <20250228-am625-secure-v1-2-4002488ff5ed@pengutronix.de>

On 25-02-28, Sascha Hauer wrote:
> Some SoCs use a startup sequence that includes multiple stages where a
> full barebox is loaded by an early small barebox that fits into the
> SoC's SRAM. This is commonly referred to as xload. In a secure boot
> environment it's necessary to load only trusted barebox images. One
> way to accomplish this is to compile a sha256 into the first stage
> barebox and to verify the full barebox against this hash.
> 
> This patch adds the generic parts for this. The full barebox binary
> can be put into the first stage build as a firmware file. The firmware
> itself won't be used, only the hash is compiled into the image. SoC
> code can then check the full barebox image against the hash. As this
> requires SoC code to check the hash, the option is hidden behind
> CONFIG_HAVE_FIRMWARE_VERIFY_NEXT_IMAGE. SoC code can select this option
> when it implements the required hash checking.
> 
> It's worth noting that using a hash for verification has one advantage
> over cryptographicaly signing followup images: It ties first stage
> and full barebox stages together effectively avoiding mix-and-match
> attacks.
> 
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
>  firmware/Kconfig   | 23 +++++++++++++++++++++++
>  firmware/Makefile  |  2 ++
>  include/firmware.h | 28 ++++++++++++++++++++++++++++
>  3 files changed, 53 insertions(+)
> 
> diff --git a/firmware/Kconfig b/firmware/Kconfig
> index ba005976c5..bdb71321bc 100644
> --- a/firmware/Kconfig
> +++ b/firmware/Kconfig
> @@ -108,4 +108,27 @@ config FIRMWARE_LS1028A_ATF
>  config FIRMWARE_LS1046A_ATF
>  	bool
>  
> +config HAVE_FIRMWARE_VERIFY_NEXT_IMAGE
> +	bool
> +
> +config FIRMWARE_VERIFY_NEXT_IMAGE
> +	depends on HAVE_FIRMWARE_VERIFY_NEXT_IMAGE
> +	bool "verify next image to load"
> +	help
> +	  The boot process of some SoCs uses multiple stages where the first stage is
> +	  a stripped down barebox loaded by the SoC's ROM and the next state is a full
> +	  barebox loaded by the first stage. In a trusted boot scenario the next stage
> +	  has to be verified by the first stage,
> +
> +	  This option allows to specify the next image to be loaded. Put the next stage
> +	  image to firmware/next-image.bin. The image itself is not used, but a sha256
> +	  hash of the image will be generated and compiled into the first stage which
> +	  can be used to verify the next stage.
> +
> +	  Note that this option only enabled generation of the sha256 hash. Loading and
> +	  starting the next stage is highly SoC dependent and it's the SoC code's
> +	  responsibility to actually verify the hash and to only start successfully
> +	  verified images. The function to check the next stage image hash is
> +	  firmware_next_image_verify(), make sure your SoC code uses it.
> +
>  endmenu
> diff --git a/firmware/Makefile b/firmware/Makefile
> index 095d6f0e31..67fd898890 100644
> --- a/firmware/Makefile
> +++ b/firmware/Makefile
> @@ -34,6 +34,8 @@ pbl-firmware-$(CONFIG_ARCH_RK3588) += rk3588-bl32.bin
>  pbl-firmware-$(CONFIG_ARCH_RK3399) += rk3399-bl32.bin
>  endif
>  
> +firmware-$(CONFIG_FIRMWARE_NEXT_IMAGE) += next-image.bin

Why can't we use the fw-external here?

> +
>  firmware-$(CONFIG_DRIVER_NET_FSL_FMAN) += fsl_fman_ucode_ls1046_r1.0_106_4_18.bin
>  
>  fw-external-$(CONFIG_FIRMWARE_LS1028A_ATF) += ls1028a-bl31.bin
> diff --git a/include/firmware.h b/include/firmware.h
> index d7feae1371..7225b55e4f 100644
> --- a/include/firmware.h
> +++ b/include/firmware.h
> @@ -13,6 +13,8 @@
>  #include <debug_ll.h>
>  #include <linux/kernel.h>
>  #include <asm/sections.h>
> +#include <crypto/sha.h>
> +#include <crypto.h>
>  
>  struct firmware {
>  	size_t size;
> @@ -113,4 +115,30 @@ static inline void firmware_ext_verify(const void *data_start, size_t data_size,
>  #define get_builtin_firmware_ext(name, base, start, size)		\
>  	__get_builtin_firmware(name, (long)base - (long)_text, start, size)
>  
> +static inline int firmware_next_image_verify(const void *hash_start, size_t hash_size, bool verbose)
> +{
> +	extern char _fw_next_image_bin_sha_start[];
> +	int ret;
> +
> +	if (!IS_ENABLED(CONFIG_FIRMWARE_NEXT_IMAGE))
> +		return -EINVAL;
> +
> +	if (hash_size != SHA256_DIGEST_SIZE)
> +		return -EINVAL;
> +
> +	ret = crypto_memneq(hash_start, _fw_next_image_bin_sha_start, hash_size);

If we don't check the runtime sha256 of next_image an attacker could
replace next_image and keep the builtin sha256sum and we wouldn't
recognize it, or do I miss something?

Regards,
  Marco

> +
> +	if (verbose) {
> +		if (ret) {
> +			pr_err("next image hash mismatch!\n");
> +			pr_err("expected: sha256=%*phN\n", hash_size, _fw_next_image_bin_sha_start);
> +			pr_err("found:    sha256=%*phN\n", hash_size, hash_start);
> +		} else {
> +			pr_info("hash sha256=%*phN OK\n", hash_size, _fw_next_image_bin_sha_start);
> +		}
> +	}
> +
> +	return ret;
> +}
> +
>  #endif /* FIRMWARE_H */
> 
> -- 
> 2.39.5
> 
> 
> 



  reply	other threads:[~2025-03-10 18:38 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-28  7:16 [PATCH 00/13] am625: support secure loading of full barebox Sascha Hauer
2025-02-28  7:16 ` [PATCH 01/13] firmware: always generate sha256sum Sascha Hauer
2025-02-28  7:16 ` [PATCH 02/13] firmware: add function to verify next image Sascha Hauer
2025-03-10 18:37   ` Marco Felsch [this message]
2025-03-11  7:35     ` Sascha Hauer
2025-02-28  7:16 ` [PATCH 03/13] ARM: k3: r5: drop loading of separate binaries Sascha Hauer
2025-03-10 18:44   ` Marco Felsch
2025-02-28  7:16 ` [PATCH 04/13] ARM: k3: r5: add proper error handling Sascha Hauer
2025-03-10 18:52   ` Marco Felsch
2025-03-11  8:24     ` Sascha Hauer
2025-03-11  8:50       ` Marco Felsch
2025-02-28  7:16 ` [PATCH 05/13] fip: rework fip_image_open() Sascha Hauer
2025-02-28  7:16 ` [PATCH 06/13] fip: fix wrong function call Sascha Hauer
2025-02-28  7:16 ` [PATCH 07/13] fip: add function to calculate a sha256 over FIP image Sascha Hauer
2025-02-28  7:16 ` [PATCH 08/13] ARM: am625: support hash verification of full barebox Sascha Hauer
2025-03-10 19:22   ` Marco Felsch
2025-03-11  7:53     ` Sascha Hauer
2025-02-28  7:16 ` [PATCH 09/13] ARM: k3: add support for authenticating images against the ROM API Sascha Hauer
2025-02-28  7:16 ` [PATCH 10/13] ARM: k3: r5: delete fip image when it can't be opened Sascha Hauer
2025-02-28  7:16 ` [PATCH 11/13] ARM: k3: r5: Allow to authenticate next image by ROM API Sascha Hauer
2025-03-10 19:26   ` Marco Felsch
2025-03-11  7:54     ` Sascha Hauer
2025-02-28  7:17 ` [PATCH 12/13] scripts/k3img: remove temporary files Sascha Hauer
2025-02-28  7:17 ` [PATCH 13/13] scripts: add k3sign Sascha Hauer
2025-03-10 17:40 ` [PATCH 00/13] am625: support secure loading of full barebox Marco Felsch
2025-03-11  8:12   ` Sascha Hauer
2025-03-11  8:48     ` Marco Felsch
2025-03-11  9:13       ` Sascha Hauer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250310183733.gykbqq25cznu72it@pengutronix.de \
    --to=m.felsch@pengutronix.de \
    --cc=barebox@lists.infradead.org \
    --cc=s.hauer@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox