lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 6 Jun 2023 09:52:50 +0200
From:   Jan Kiszka <jan.kiszka@...mens.com>
To:     Ard Biesheuvel <ardb@...nel.org>,
        Sumit Garg <sumit.garg@...aro.org>
Cc:     Masahisa Kojima <masahisa.kojima@...aro.org>,
        Jens Wiklander <jens.wiklander@...aro.org>,
        linux-kernel@...r.kernel.org, op-tee@...ts.trustedfirmware.org,
        Ilias Apalodimas <ilias.apalodimas@...aro.org>,
        Johan Hovold <johan+linaro@...nel.org>,
        Maxime Coquelin <mcoquelin.stm32@...il.com>,
        Alexandre Torgue <alexandre.torgue@...s.st.com>,
        linux-efi@...r.kernel.org,
        linux-stm32@...md-mailman.stormreply.com,
        linux-arm-kernel@...ts.infradead.org,
        "Su, Bao Cheng (RC-CN DF FA R&D)" <baocheng.su@...mens.com>
Subject: Re: [PATCH v5 3/3] efi: Add tee-based EFI variable driver

On 06.06.23 08:57, Ard Biesheuvel wrote:
> On Tue, 6 Jun 2023 at 08:52, Sumit Garg <sumit.garg@...aro.org> wrote:
>>
>> Hi Jan,
>>
>> On Tue, 6 Jun 2023 at 12:09, Jan Kiszka <jan.kiszka@...mens.com> wrote:
>>>
>>> On 26.05.23 03:07, Masahisa Kojima wrote:
>>>> When the flash is not owned by the non-secure world, accessing the EFI
>>>> variables is straightforward and done via EFI Runtime Variable Services.
>>>> In this case, critical variables for system integrity and security
>>>> are normally stored in the dedicated secure storage and only accessible
>>>> from the secure world.
>>>>
>>>> On the other hand, the small embedded devices don't have the special
>>>> dedicated secure storage. The eMMC device with an RPMB partition is
>>>> becoming more common, we can use an RPMB partition to store the
>>>> EFI Variables.
>>>>
>>>> The eMMC device is typically owned by the non-secure world(linux in
>>>> this case). There is an existing solution utilizing eMMC RPMB partition
>>>> for EFI Variables, it is implemented by interacting with
>>>> TEE(OP-TEE in this case), StandaloneMM(as EFI Variable Service Pseudo TA),
>>>> eMMC driver and tee-supplicant. The last piece is the tee-based
>>>> variable access driver to interact with TEE and StandaloneMM.
>>>>
>>>> So let's add the kernel functions needed.
>>>>
>>>> This feature is implemented as a kernel module.
>>>> StMM PTA has TA_FLAG_DEVICE_ENUM_SUPP flag when registered to OP-TEE
>>>> so that this tee_stmm_efi module is probed after tee-supplicant starts,
>>>> since "SetVariable" EFI Runtime Variable Service requires to
>>>> interact with tee-supplicant.
>>>>
>>>> Acked-by: Sumit Garg <sumit.garg@...aro.org>
>>>> Co-developed-by: Ilias Apalodimas <ilias.apalodimas@...aro.org>
>>>> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@...aro.org>
>>>> Signed-off-by: Masahisa Kojima <masahisa.kojima@...aro.org>
>>>> ---
>>>>  drivers/firmware/efi/Kconfig                 |  15 +
>>>>  drivers/firmware/efi/Makefile                |   1 +
>>>>  drivers/firmware/efi/stmm/mm_communication.h | 236 +++++++
>>>>  drivers/firmware/efi/stmm/tee_stmm_efi.c     | 638 +++++++++++++++++++
>>>>  4 files changed, 890 insertions(+)
>>>>  create mode 100644 drivers/firmware/efi/stmm/mm_communication.h
>>>>  create mode 100644 drivers/firmware/efi/stmm/tee_stmm_efi.c
>>>>
> ...
>>>
>>> I think we have a probe ordering issue with this driver:
>>> efivarfs_fill_super() may be called before the TEE bus was probed, thus
>>> with the default efivar ops still registered. And that means
>>> efivar_supports_writes() will return false, and the fs declares itself
>>> as readonly. I've seen systemd mounting it r/o initialling, and you need
>>> to remount the fs to enable writability.
>>>
>>> Is there anything that could be done to re-order things reliably, probe
>>> the tee bus earlier etc.?
>>
>> This driver has a dependency on user-space daemon: tee-supplicant to
>> be running for RPMB access. So once you start that daemon the
>> corresponding device will be enumerated on the TEE bus and this driver
>> probe will be invoked. So I would suggest you to load this daemon very
>> early in the boot process or better to make it a part of initramfs.
>>
> 
> That is not the point, really.
> 
> If this dependency exists, the code should be aware of that, and made
> to work correctly in spite of it. Requiring a module to be part of
> initramfs is not a reasonable fix.

In fact, I've tested a non-modularized build as well, just to exclude
that issue. The daemon dependency is more likely the problem here.

> 
> IIUC, this also means that the efivar ops are updated while there is
> already a client. This seems less than ideal as well

Jan

-- 
Siemens AG, Technology
Competence Center Embedded Linux

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ