Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp258982pxf; Wed, 10 Mar 2021 05:54:41 -0800 (PST) X-Google-Smtp-Source: ABdhPJy5oi9KeHRQWUzwSVkNZBmB0El2HoMm5CAttC4iIB8IBJMji78W1DgWH9lndGfyZBXjKeZf X-Received: by 2002:aa7:d316:: with SMTP id p22mr3287352edq.107.1615384481322; Wed, 10 Mar 2021 05:54:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615384481; cv=none; d=google.com; s=arc-20160816; b=BveeA89c+g6ObuF0E4b8OPpygdFrY8FyaTsWcrV8QuuLX4kMclEOZfQ3fzJ2d8GUIx Z5lFYdOu1rzkjxKZJ6pV/5SvwR1plbWemlnXmmHTSG4SNFs/pjnNDw9ObR9XEs8faGRl OM0BIXms38Ey1w1ZEZeIE9dvSbLMYfwgYst4oXxvlyTHneqisRPmdC/oxo/2recLsDZk aoaM6BI9YvV39nEk41VEK12fALInHSta8gYXwrDU8v9dTaYJyk5FEk3kUpuWNFgBHg5D JiXqriLHw2GykEVxxRC+Og6mQhIdQ5PlidIPqQ5k6GUaALzXKS9elkoTQzMpt6KKGBJK bZfQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:subject:from :references:cc:to; bh=l4igHyEBiseKRWmst+aJ2QMWzUaRFkDaG/Nx4+PCzFA=; b=ni7AECxEqj1lynOxgFKDE0M/0hVyQIhEV9JRYAFMTrs27B6hWjKEtxTiG5PTtevR+7 eoykLes7Y9b1AqLiZblFGoCm9ru/yyW7WOZxqQfCYTos3ohG5ld+P4HrTutFJFOgrzK/ N+9T3dmWEYwgZcG0Ed/eXLVr4CEWEsMdSdMb6pp5w+dPXGqHNnwDY5oXlCgsXLHXiHIR bcZvCCmYY3rSx9jcVLtN/ZXPpahI88IhC5ZU7PC999cC2NjusrMQOcVivS4vOi7MBohk +Vir5f0gRMtDfE+0qGq0XPN+wewr+dN6SmzAZ+COk364WUOltEIELlJ6Gthwg1ciPcsd nGhQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=marcan.st Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x27si2926854edi.240.2021.03.10.05.54.18; Wed, 10 Mar 2021 05:54:41 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=marcan.st Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232910AbhCJNwb (ORCPT + 99 others); Wed, 10 Mar 2021 08:52:31 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52084 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232871AbhCJNwX (ORCPT ); Wed, 10 Mar 2021 08:52:23 -0500 Received: from mail.marcansoft.com (marcansoft.com [IPv6:2a01:298:fe:f::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 32D07C061760; Wed, 10 Mar 2021 05:52:23 -0800 (PST) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: marcan@marcan.st) by mail.marcansoft.com (Postfix) with ESMTPSA id DE6D73FA1B; Wed, 10 Mar 2021 13:52:08 +0000 (UTC) To: Linus Walleij , David Howells , keyrings@vger.kernel.org, Jarkko Sakkinen Cc: Sumit Garg , Arnd Bergmann , Joakim Bech , =?UTF-8?Q?Alex_Benn=c3=a9e?= , "linux-kernel@vger.kernel.org" , Maxim Uvarov , Ilias Apalodimas , Ruchika Gupta , "Winkler, Tomas" , yang.huang@intel.com, bing.zhu@intel.com, Matti.Moell@opensynergy.com, hmo@opensynergy.com, linux-mmc , linux-scsi , linux-nvme@vger.kernel.org, Ulf Hansson , Arnd Bergmann References: <20210303135500.24673-1-alex.bennee@linaro.org> <20210303135500.24673-2-alex.bennee@linaro.org> <20210305075131.GA15940@goby> <6c542548-cc16-af68-c755-df52bd13b209@marcan.st> From: Hector Martin Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem Message-ID: <0a26713a-8988-1713-4358-bc62364b9e25@marcan.st> Date: Wed, 10 Mar 2021 22:52:06 +0900 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: es-ES Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 10/03/2021 18.48, Linus Walleij wrote: > Disk is encrypted, and RPMB is there to block any exhaustive > password or other authentication token search. This relies on having a secure boot chain to start with (otherwise you can just bypass policy that way; the RPMB is merely storage to give you anti-rollback properties, it can't enforce anything itself). So you would have to have a laptop with a fully locked down secure boot, which can only boot some version of Linux signed by you until, say, LUKS decryption. And then the tooling around that needs to be integrated with RPMB, to use it as an attempt counter. But now this ends up having to involve userspace anyway; the kernel key stuff doesn't support policy like this, does it? So having the kernel automagically use RPMB wouldn't get us there. I may be wrong on the details here, but as far as I know RPMB is strictly equivalent to a simple secure increment-only counter in what it buys you. The stuff about writing data to it securely is all a red herring - you can implement secure storage elsewhere, and with secure storage + a single secure counter, you can implement anti-rollback. It is not intended to store keys in a way that is somehow safer than other mechanisms. After all, you need to securely store the RPMB key to begin with; you might as well use that to encrypt a keystore on any random block device. > Ideally: the only way to make use of the hardware again would > be to solder off the eMMC, if eMMC is used for RPMB. > If we have RPMB on an NVME or UFS drive, the idea is > to lock that thing such that it becomes useless and need to > be replaced with a new part in this scenario. > > In practice: make it hard, because we know no such jail is > perfect. Make it not worth the effort, make it cheaper for thieves > to just buy a new harddrive to use a stolen laptop, locking > the data that was in it away forever by making the drive > useless for any practical attacks. But RPMB does not enforce any of this policy for you. RPMB only gives you a primitive: the ability to have storage that cannot be externally rolled back. So none of this works unless the entire system is set up to securely boot all the way until the drive unlock happens, and there are no other blatant code execution avenues. There isn't even any encryption involved in the protocol, so all the data stored in the RPMB is public and available to any attacker. So unless the kernel grows a subsystem/feature to enforce complex key policies (with things like use counts, retry times, etc), I don't think there's a place to integrate RPMB kernel-side. You still need a trusted userspace tool to glue it all together. -- Hector Martin (marcan@marcan.st) Public Key: https://mrcn.st/pub