Re: Mount NFSv4.2 filesystem in barebox?

[Ahmad Fatoum <a.fatoum@pengutronix.de>]

Hi David,

On 05.03.25 12:30, David Jander wrote:
> On Tue, 4 Mar 2025 22:50:00 +0100
> Martin Wege <martin.l.wege@gmail.com> wrote:
>> So yes, you would have customers for NFSv4.1 support in barebox.
> 
> Just wanted to chime in to amplify this a bit, since we are also using NFSv4.2
> netboot (though only TFTP in barebox for now):
> 
> Your arguments are solid, and make a lot of sense. If you are going to replace
> more and more microcontroller based nodes with Linux capable SoCs, because it
> makes a lot of economical sense (hardware costs are very similar nowadays, and
> software development is 10x easier and cheaper on Linux than on a uC), you
> will end up inevitably with a lot of Linux nodes inside of a machine or
> industrial plant, where you previously had uC's. So, do you want to continue
> using 1970's tech (RS485/modbus) or 1980's tech (CAN) to communicate between all
> those nodes, or will you use Linux's native language (TCP/IP) which also
> immediately means another 10x reduction in software development costs of the
> networking part? If you choose the latter, you will also get significant HW
> cost savings basically for free if you also net-boot (via NFS and/or TFTP).
> 
> In other words, why are we not already doing this?
> 
> At least we are. We are starting to use Single Pair Ethernet almost everywhere
> where there were other field-busses involved traditionally. So we noticed that
> we end up with a lot of boards running Linux connected together via anything
> from 10Base-T1L to 1000Base-T1. Replace the eMMC chip on all but one of them
> with a cheap 2MiB SPI-NOR flash to load barebox and netboot from one single
> board running an NFSv4.2 (and TFTP) server serving the kernel and rootfs for
> all the others from a single eMMC, that can be updated with a single RAUC
> bundle guaranteeing consistent software and trivially easy updates on all
> nodes at once. Not to mention the benefit of trivial repairs because all
> boards are basically dumb and don't need to be flashed with software that
> matches the machine they are being replaced in, etc...

Which I think is very cool. :-)

> To be fair though, it isn't strictly needed for barebox to have NFS support
> for our use-case, since it suffices to load the kernel (and possibly an
> initramfs) via TFTP and mount the nfsroot from the kernel, but IMHO it is
> certainly valuable to have basic NFSv4.2 support in barebox. It would
> facilitate the use of just 1 protocol instead of 2.

Ack.

> I also agree that NFSv3
> support in that regard offers little value since you really don't want to base
> everything on this obsolete version with all of its limitations.
> 
> But also a bit of caution to be mindful of: Cybersecurity. Of course barebox
> can be made to only boot signed fit images, but are there other potential
> attack vectors?

We have been fuzzing the security critical boot path and issues were found
and fixed. Our network stack and NFS implementation are not currently part
of that. The documentation now spells that out and explicitly advises
against using any unsigned file system at all (whether networked or not)
to contain a signed FIT image:

https://www.barebox.org/doc/latest/user/security.html#avoiding-use-of-file-systems

As we gain more confidence in the implementation (or rather import mptcp and focus
on fuzzing that), this will change, but as things stand now, it's is not advisable
to do network boot of signed images.

> What if the NFS server needs to be secured with with GSS and
> kerberos? Barebox possibly won't be able to access it unless it also supports
> that.

Yes. I think HTTP(S) support may be a better investment of time, even
if it means having to use two protocols still.

> P.S.: I am currently not subscribed to the barebox mailing list, so I don't
> know if this email will get forwarded by the list server.

The ML accepts mails from non-subscribers. Infradead is currently slow on
delivering mail, though, but I hope it will soon show up on both
lore.barebox.org/barebox and lore.kernel.org/barebox.

Cheers,
Ahmad

> 
> Best regards,
> 


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |