Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp733567pxf; Wed, 10 Mar 2021 16:44:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJzwdquvmeDIrtRdBkMCArrcSwNvbu5/WAgn6QiLQk85qj+N/0Wpd9ceoOXMBZvBG6qLm2ED X-Received: by 2002:a05:6402:84b:: with SMTP id b11mr5926470edz.56.1615423496679; Wed, 10 Mar 2021 16:44:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615423496; cv=none; d=google.com; s=arc-20160816; b=B+RELklhC7i/oArbEcoY9tOG+SuHxAVU4s00BM22zyjRpR5ezEke51zgedOS8uAR2w IlMBPchkZ8Owc3SfL4wLY4UNB8Lt3u1iSMx2Dyfl488GbJ3lBaLBl3uRk/AXMEl+WrPJ 4uKOPYZg9BWMx3+LBOQXUgy6mnUYohN816wbQjzqs3AmulljEwgdl5eIIuF9XYHdJBz5 LYVuYX4l5A8xhYKhV1mf13jXpXVITQrmlM2Z7VPOeiSK7GicHJK0de7VjnufNJUT419Q RiAERIgt+xXIl30QeMuCwUkGs3/go3aJCh1/tXlXAjnIpDq1j3eNy1F9iEbuei1vyXUY RAfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=EEzbsSCDR9QboIA8OrN63K5HZEwShS0wIkxT1lrzd0Y=; b=YaN3j1eG+/fx6JHMTF3Iln94+7BHErUjyF7pr9PtdDesCEyJaG/nzsjw9TGV6DrRJ1 Tph2a/ZctSNV74ue78MUOEIE0TSMqbDB/WhJFkoohjK+dgNuYA9UhfhwL3diR4OdKYI6 nfw2GjGfG6KOgXpcXK8XA6FAALuD6LvOvPTY+uBHpJkaYiC6t8fOrJZkxlaiuijKyFAq JdIOvZKrgkafcXCn5aXPSTojdlh7aTxwhVzIeneI+qJxtX05uUqbLhtPpASUt0jjWPNK wBo3U0MeHJksuUheGabpc+SJ3rwEazmirM4t5UBzefZrHXYBR0y20xfupMevfFAoeaj7 2LaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=riZjyH1N; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k1si611491ejj.10.2021.03.10.16.44.34; Wed, 10 Mar 2021 16:44:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=riZjyH1N; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231289AbhCKAhQ (ORCPT + 99 others); Wed, 10 Mar 2021 19:37:16 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50154 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231126AbhCKAgx (ORCPT ); Wed, 10 Mar 2021 19:36:53 -0500 Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D4D83C061761 for ; Wed, 10 Mar 2021 16:36:52 -0800 (PST) Received: by mail-lf1-x130.google.com with SMTP id m22so36747808lfg.5 for ; Wed, 10 Mar 2021 16:36:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EEzbsSCDR9QboIA8OrN63K5HZEwShS0wIkxT1lrzd0Y=; b=riZjyH1NfHDCunME5Ebgwcbph2FiEIMHDSKKFitpNg0U8iOTWuJwtB6GzHL3vNfxn3 bKC6k1jMXjsf5GoCwsYzyYIe9V8eRGIjZxbtrzAHA4cWo/kfcaVq0a2yxRHziD/UHYtL KrJVPIzP09ibIN4SoXEEPVGDtIxaHre5IZ2sYsYyR9ToplAng35DTKF6bOubx+i39R1f Dyh6YNTaIYGkqNxapf4Gtw75AiC382TPw8+LxMz+fxeVGy15sf7k73kyLEtXBsVNkWpt etsNBpGlXtrr7f+X+XS+9XGQN3Nqb1sTEg7ly23GPExeT193DJfFsQE4BqchIm93na3Z gRrw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EEzbsSCDR9QboIA8OrN63K5HZEwShS0wIkxT1lrzd0Y=; b=AqUCHbwWxoGRqRsoUGdTgt6720lEgHE04ysCTlKSUJl0I2p6rbCoEHMIjBqe4PDTzb JS1V2oMmBB1HrlmzF8GbaMO/TAIrdWxOyYsEALpSwzPLiM1Z2QSUCbLvx96YGt92mEr+ vchKtdil/HgQIb7Dsg0qlFwyCoafclZIGeWx8gOyNIbRnfZqaX+fyTMy3kLkFrk8Gj2z aUQOR6PE4SIiwTH3XEGRpa/97LFMFzJK8fbCCzL0rCDbr1OpYiQ0L7e226VMSFnmwB/v V0ZIGIQMbQYMWb+jBjRzBcBuVD0A9ry7UFTIGT3rAIvRwX8dXcNEhcPmltqJ7TjLbqU0 ZSQw== X-Gm-Message-State: AOAM5336c6vsorJIvVzPfnrRq7mLkaRazmzVYWCCTzPmuhIvW+ruKpqh XQ3yEnnTCOwqCQyNci+oLNxDNosbSIC9K7h2yM4kow== X-Received: by 2002:a19:4c08:: with SMTP id z8mr638983lfa.157.1615423011194; Wed, 10 Mar 2021 16:36:51 -0800 (PST) MIME-Version: 1.0 References: <20210303135500.24673-1-alex.bennee@linaro.org> <20210303135500.24673-2-alex.bennee@linaro.org> <20210305075131.GA15940@goby> <6c542548-cc16-af68-c755-df52bd13b209@marcan.st> <0a26713a-8988-1713-4358-bc62364b9e25@marcan.st> In-Reply-To: <0a26713a-8988-1713-4358-bc62364b9e25@marcan.st> From: Linus Walleij Date: Thu, 11 Mar 2021 01:36:39 +0100 Message-ID: Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem To: Hector Martin Cc: David Howells , keyrings@vger.kernel.org, Jarkko Sakkinen , Sumit Garg , Arnd Bergmann , Joakim Bech , =?UTF-8?B?QWxleCBCZW5uw6ll?= , "linux-kernel@vger.kernel.org" , Maxim Uvarov , Ilias Apalodimas , Ruchika Gupta , "Winkler, Tomas" , yang.huang@intel.com, bing.zhu@intel.com, Matti.Moell@opensynergy.com, hmo@opensynergy.com, linux-mmc , linux-scsi , linux-nvme@vger.kernel.org, Ulf Hansson , Arnd Bergmann Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 10, 2021 at 2:52 PM Hector Martin wrote: > This relies on having a secure boot chain to start with (otherwise you > can just bypass policy that way; the RPMB is merely storage to give you > anti-rollback properties, it can't enforce anything itself). So you > would have to have a laptop with a fully locked down secure boot, which > can only boot some version of Linux signed by you until, say, LUKS > decryption. And then the tooling around that needs to be integrated with > RPMB, to use it as an attempt counter. Yes and no. For secure boot yes. For other use cases it can still be useful. The way I understand it, there are people (not me) with secure boot ambitions but I wouldn't say that is the only use case, see below. > But now this ends up having to involve userspace anyway; the kernel key > stuff doesn't support policy like this, does it? So having the kernel > automagically use RPMB wouldn't get us there. Yes, you are right, I had the wrong idea. It needs to be something the user (or the users agent such as an organization) decides to make use of, and it is policy so it should be in userspace. We may standardize the key format on the device though. > I may be wrong on the details here, but as far as I know RPMB is > strictly equivalent to a simple secure increment-only counter in what it > buys you. The stuff about writing data to it securely is all a red > herring - you can implement secure storage elsewhere, and with secure > storage + a single secure counter, you can implement anti-rollback. > > It is not intended to store keys in a way that is somehow safer than > other mechanisms. After all, you need to securely store the RPMB key to > begin with; you might as well use that to encrypt a keystore on any > random block device. The typical use-case mentioned in one reference is to restrict the number of password/pin attempts and combine that with secure time to make sure that longer and longer intervals are required between password attempts. This seems pretty neat to me. > But RPMB does not enforce any of this policy for you. RPMB only gives > you a primitive: the ability to have storage that cannot be externally > rolled back. So none of this works unless the entire system is set up to > securely boot all the way until the drive unlock happens, and there are > no other blatant code execution avenues. This is true for firmware anti-rollback or say secure boot. But RPMB can also be used for example for restricting the number of PIN attempts. A typical attack vector on phones (I think candybar phones even) was a robot that was punching PIN codes to unlock the phone, combined with an electronic probe that would cut the WE (write enable) signal to the flash right after punching a code. The counter was stored in the flash. (A bit silly example as this can be countered by reading back the counter from flash and checking etc, but you get the idea, various versions of this attack is possible,) With RPMB this can be properly protected against because the next attempt can not be made until after the RPMB monotonic counter has been increased. Of course the system can be compromised in other ways, (like, maybe it doesn't even have secure boot or even no encrypted drive) but this is one of the protection mechanisms that can plug one hole. It is thus a countermeasure to keyboard emulators and other evil hardware trying to brute force their way past screen locks and passwords. Such devices exist, sadly. > There isn't even any encryption involved in the protocol, so all the > data stored in the RPMB is public and available to any attacker. You need to pass the symmetric key to increase a counter and store a new "key" (data chunk, 256 bytes). But as you say one can read it without the symmetric key. AFAICT that is not a problem for any use case for RPMB. > So unless the kernel grows a subsystem/feature to enforce complex key > policies (with things like use counts, retry times, etc), I don't think > there's a place to integrate RPMB kernel-side. You still need a trusted > userspace tool to glue it all together. Yes, I understand such ambitions may exist and pretty much why I CC the keyring people. So the question is whether they think that is something they would go and use for e.g. passphrase retries. Yours, Linus Walleij