lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZvgU0eBEwTJ3sHuN@makrotopia.org>
Date: Sat, 28 Sep 2024 15:38:09 +0100
From: Daniel Golle <daniel@...rotopia.org>
To: Krzysztof Kozlowski <krzk@...nel.org>
Cc: Miquel Raynal <miquel.raynal@...tlin.com>,
	Richard Weinberger <richard@....at>,
	Vignesh Raghavendra <vigneshr@...com>,
	Rob Herring <robh@...nel.org>,
	Krzysztof Kozlowski <krzk+dt@...nel.org>,
	Conor Dooley <conor+dt@...nel.org>,
	Zhihao Cheng <chengzhihao1@...wei.com>,
	John Crispin <john@...ozen.org>, linux-mtd@...ts.infradead.org,
	devicetree@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH RFC 1/2] dt-bindings: mtd: ubi-volume: add
 'volume-is-critical' property

On Sat, Sep 28, 2024 at 03:45:49PM +0200, Krzysztof Kozlowski wrote:
> On 28/09/2024 15:09, Daniel Golle wrote:
> > On Sat, Sep 28, 2024 at 03:02:47PM +0200, Krzysztof Kozlowski wrote:
> >> On 28/09/2024 14:47, Daniel Golle wrote:
> >>> Add the 'volume-is-critical' boolean property which marks a UBI volume
> >>> as critical for the device to boot. If set it prevents the user from
> >>> all kinds of write access to the volume as well as from renaming it or
> >>> detaching the UBI device it is located on.
> >>>
> >>> Signed-off-by: Daniel Golle <daniel@...rotopia.org>
> >>> ---
> >>>  .../devicetree/bindings/mtd/partitions/ubi-volume.yaml   | 9 +++++++++
> >>>  1 file changed, 9 insertions(+)
> >>>
> >>> diff --git a/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml b/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml
> >>> index 19736b26056b..2bd751bb7f9e 100644
> >>> --- a/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml
> >>> +++ b/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml
> >>> @@ -29,6 +29,15 @@ properties:
> >>>      description:
> >>>        This container may reference an NVMEM layout parser.
> >>>  
> >>> +  volume-is-critical:
> >>> +    description: This parameter, if present, indicates that the UBI volume
> >>> +      contains early-boot firmware images or data which should not be clobbered.
> >>> +      If set, it prevents the user from renaming the volume, writing to it or
> >>> +      making any changes affecting it, as well as detaching the UBI device it is
> >>> +      located on, so direct access to the underlying MTD device is prevented as
> >>> +      well.
> >>> +    type: boolean
> >>
> >> UBI volumes are mapping to partitions 1-to-1, right? So rather I would
> >> propose to use partition.yaml - we already have read-only there with
> >> very similar description.
> > 
> > No, that's not the case.
> > 
> > An MTD partition can be used as UBI device. A UBI device (and hence MTD
> > partition) can host *several* UBI volumes.
> > 
> > Marking the MTD partition as 'read-only' won't work, as UBI needs
> > read-write access to perform bad block relocation, scrubbing, ...
> 
> OK, so not partition but read-only volume.

+1

> 
> > 
> > Also, typically not all UBI volumes on a UBI device are
> > read-only/critical but only a subset of them.
> > 
> > But you are right that the description is inspired by the description
> > of the 'read-only' property in partition.yaml ;)
> > 
> > I initially thought to also name the property 'read-only', just like
> > for MTD partitions. However, as the desired effect goes beyond
> > preventing write access to the volume itself, I thought it'd be
> > better to use a new name.
> 
> Yeah, maybe... critical indeed covers multiple cases but is also
> subjective. For some bootloader is critical, for other bootloader still
> might be fully A/B updateable thus could be modifiable. For others, they
> want to use fw_setenv from user-space so not critical at all.

The case I want to cover here is the bootloader itself being stored
inside a UBI volume. MediaTek's fork of ARM TrustedFirmware-A bl2 comes
with support for UBI and loads BL3 (which is TF-A BL31 and U-Boot, and
maybe OP-TEE as well) from a static UBI volume. Removing, renaming or
altering that volume results in the device not being able to boot any
more and requiring a complicated intervention (at attaching debugging
UART and using low-level recovery tool) in order to recover.

It is true that also in this case a fully A/B updateable strategy could
be implemented, however, typically that would not be done in Linux, but
rather the code carrying out such update would be part of the bootloader
itself.
UEFI update capsules are a good example for that, but in most cases
things are much less complex on simple embedded Linux networking
appliances such as routers, access points, switches, ...

> 
> I am in general not so happy in describing flash layout in DT, because
> it sounds way too policy or one-use-case specific.
> 
> UBI volume is purely SW construct. One OS can partition MTD in multiple
> ways, so maybe I just do not understand why we have in the first place.

Support for attaching UBI from DT and referencing UBI volumes has been
added because they serve as NVMEM providers, ie. UBI volumes are used to
store things such as Ethernet MAC addresses and Wi-Fi calibration data,
similar to how it also works on devices with NOR flash and simple MTD
partitions holding that data.
And we needed the kernel drivers to be able to access that information
directly, also in case eg. nfsroot is being used.

So while it's true that both, MTD partitioning as well as use of UBI
are pure software constructs, their use can go beyond and below the OS
kernel, meaning that early boot firmware usually requires a specific MTD
partition layout, and some require also certain UBI volumes to be present
for the device to be able to even start the bootloader.

It is also true that (just like MTD partitioning as well) it is
questionable whether this should be communicated as a property of the
flash hardware in DT, or rather end up as information filed under the
/chosen node which to me seems more appropriate. Moving all MTD
partitioning away from the node representing the flash chip and into the
/chosen node would have to happen in a way which doesn't break
compatibility with existing DT, which all describe MTD partitions as a
subnode of the storage hardware itself. Obviously that is beyond the
scope (and independent) of being able to mark some UBI volumes as
critical.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ