Hi Simon, thanks for the feedback. Additional comments inlined...
On Mon, Apr 04, 2016 at 06:04:15PM -0600, Simon Glass wrote:
Hi Andreas,
On 28 March 2016 at 14:19, Andreas Dannenberg dannenberg@ti.com wrote:
On Mon, Mar 28, 2016 at 03:32:40PM -0400, Tom Rini wrote:
I'm interested in getting secure device support going, but it seems like we should need more than that, ie something to keep the chain of trust going.
Tom et al., I just saw your reply to Vitaly's email and I'm actually just looking into something along the lines you brought up but I didn't want to hijack that discussion so here's a new thread.
As for the chain of trust for ARMv7, my understanding is that when using a combination of SPL and U-Boot there will always be a vendor- specific initial boot (ROM) code that authenticates SPL, and then there will need to be some code inserted into SPL that authenticates U-Boot after it's loaded (for example by using some secure ROM API call and such).
So I was looking into if there is already some generic framework for this in U-Boot but didn't see anything obvious. One "easy" way would be to add a simple call to an authentication routine to board_init_r (u-boot/common/spl/spl.c) but let's say we add such a call for TI or other vendor's stuff I suppose this would not scale very well.
But what about adding one generic call to a default authentication function declared as __weak for spl_image that doesn't do anything, but can be overwritten in vendor-specific files to provide means of authenticating spl_image. Would this be a good approach?
Beyond that I was reviewing some of the awesome work from the Chromium team and I think on ARMv7 after we get MLO to authenticate U-Boot everything beyond that is already looking very solid and thorough (with FIT, DTB/Kernel and initramfs authentication).
It should be possible to use this from SPL, if you can enable FIT in SPL. The current implementation does not support verification, and is deliberately cut down. See common/spl/spl_fit.c.
Oh, I just noticed this file after doing a pull, that's really one step ahead of the U-Boot versions I've worked with so far. Upon further digging I found that the general SPL FIT approach is actually something we are trying to enable for our own customers moving forward. So adding/ enabling FIT auth in SPL would really help connecting the dots and closing the current authentication gap not just for us but actually for all U-Boot users.
Will look at this more closely and see how much overhead this would involve since for SPL memory can be of an issue, as using SPL authenticated FIT will probably mean pulling in the U-Boot crypto stuff as in such case we would be using U-Boot tooling to generate the signed FIT image (as opposed to a vendor-specific signing tool generating an image compatible with a simple SoC ROM API auth call). But looking at the already memory-optimized U-Boot RSA verification code in rsa-verify.c and rsa-checksum.c I would hope the impact would not be too bad. I'd guess maybe 10-20KB total with SHA256, RSA, and the needed code changes to spl_fit.c.
but you could perhaps provide an option to use the full U-Boot implementation instead.
...which would mean that the entire U-Boot would need to be loaded initially as one piece which wouldn't work on some of our SoCs due to memory constraints (hence the SPL approach).
-- Andreas Dannenberg Texas Instruments Inc