lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ad5a3811-c856-4f4b-f569-bb67a0e3f751@huawei.com>
Date: Sun, 29 Sep 2024 12:03:11 +0800
From: Zhihao Cheng <chengzhihao1@...wei.com>
To: Daniel Golle <daniel@...rotopia.org>, Krzysztof Kozlowski
	<krzk@...nel.org>
CC: Miquel Raynal <miquel.raynal@...tlin.com>, Richard Weinberger
	<richard@....at>, Vignesh Raghavendra <vigneshr@...com>, Rob Herring
	<robh@...nel.org>, Krzysztof Kozlowski <krzk+dt@...nel.org>, Conor Dooley
	<conor+dt@...nel.org>, John Crispin <john@...ozen.org>,
	<linux-mtd@...ts.infradead.org>, <devicetree@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH RFC 1/2] dt-bindings: mtd: ubi-volume: add
 'volume-is-critical' property

在 2024/9/28 22:38, Daniel Golle 写道:
> On Sat, Sep 28, 2024 at 03:45:49PM +0200, Krzysztof Kozlowski wrote:
>> On 28/09/2024 15:09, Daniel Golle wrote:
>>> On Sat, Sep 28, 2024 at 03:02:47PM +0200, Krzysztof Kozlowski wrote:
>>>> On 28/09/2024 14:47, Daniel Golle wrote:
>>>>> Add the 'volume-is-critical' boolean property which marks a UBI volume
>>>>> as critical for the device to boot. If set it prevents the user from
>>>>> all kinds of write access to the volume as well as from renaming it or
>>>>> detaching the UBI device it is located on.
>>>>>
>>>>> Signed-off-by: Daniel Golle <daniel@...rotopia.org>
>>>>> ---
>>>>>   .../devicetree/bindings/mtd/partitions/ubi-volume.yaml   | 9 +++++++++
>>>>>   1 file changed, 9 insertions(+)
>>>>>
>>>>> diff --git a/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml b/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml
>>>>> index 19736b26056b..2bd751bb7f9e 100644
>>>>> --- a/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml
>>>>> +++ b/Documentation/devicetree/bindings/mtd/partitions/ubi-volume.yaml
>>>>> @@ -29,6 +29,15 @@ properties:
>>>>>       description:
>>>>>         This container may reference an NVMEM layout parser.
>>>>>   
>>>>> +  volume-is-critical:
>>>>> +    description: This parameter, if present, indicates that the UBI volume
>>>>> +      contains early-boot firmware images or data which should not be clobbered.
>>>>> +      If set, it prevents the user from renaming the volume, writing to it or
>>>>> +      making any changes affecting it, as well as detaching the UBI device it is
>>>>> +      located on, so direct access to the underlying MTD device is prevented as
>>>>> +      well.
>>>>> +    type: boolean
>>>>
>>>> UBI volumes are mapping to partitions 1-to-1, right? So rather I would
>>>> propose to use partition.yaml - we already have read-only there with
>>>> very similar description.
>>>
>>> No, that's not the case.
>>>
>>> An MTD partition can be used as UBI device. A UBI device (and hence MTD
>>> partition) can host *several* UBI volumes.
>>>
>>> Marking the MTD partition as 'read-only' won't work, as UBI needs
>>> read-write access to perform bad block relocation, scrubbing, ...
>>
>> OK, so not partition but read-only volume.
> 
> +1
> 
>>
>>>
>>> Also, typically not all UBI volumes on a UBI device are
>>> read-only/critical but only a subset of them.
>>>
>>> But you are right that the description is inspired by the description
>>> of the 'read-only' property in partition.yaml ;)
>>>
>>> I initially thought to also name the property 'read-only', just like
>>> for MTD partitions. However, as the desired effect goes beyond
>>> preventing write access to the volume itself, I thought it'd be
>>> better to use a new name.
>>
>> Yeah, maybe... critical indeed covers multiple cases but is also
>> subjective. For some bootloader is critical, for other bootloader still
>> might be fully A/B updateable thus could be modifiable. For others, they
>> want to use fw_setenv from user-space so not critical at all.
> 
> The case I want to cover here is the bootloader itself being stored
> inside a UBI volume. MediaTek's fork of ARM TrustedFirmware-A bl2 comes
> with support for UBI and loads BL3 (which is TF-A BL31 and U-Boot, and
> maybe OP-TEE as well) from a static UBI volume. Removing, renaming or
> altering that volume results in the device not being able to boot any
> more and requiring a complicated intervention (at attaching debugging
> UART and using low-level recovery tool) in order to recover.

Who removes/renames the 'critical' volume? I suggest to fix it in the 
upper layer(not in kernel). After looking through the patch 2, it seems 
a hack solution.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ