Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp720077pxf; Thu, 11 Mar 2021 13:12:06 -0800 (PST) X-Google-Smtp-Source: ABdhPJw5uaOYFvbH/DcjBYdDSd9ugp/IUSLLDnycO19CQWgn2lfpmHmrCpsJ7x+b3wOBKuem0MfN X-Received: by 2002:a17:906:3ac3:: with SMTP id z3mr5115652ejd.106.1615497125964; Thu, 11 Mar 2021 13:12:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615497125; cv=none; d=google.com; s=arc-20160816; b=phGg9hApxHfjtT1XfCNQKR5nLbjP2CwVWVsIXSg+HY6WWJkd5VGHXbU0Fp/b/HfmJP mCGMOmrZ/SKGpDqXBgbYQ5Xla1PUf51mPT7S76XR7P3IjPXRm/W9M4i8uZ5/FOBqn3c3 FelZYkBMj/s/ChGhX65QZrTPd+yTmtpHyF7S1YaRRnzZNK+UyxdZP4kAkh1fUeZFQJ9r oFQ2LST9ELAzJs9vn8qTHU8fSDjNP4g4Sl8nE0i6cB2ZseIdhGNDDVINnQwFh2OqH8I/ vfGo6aMPiVi2xJL7E2B4U7n1JJIhLF3o4uEn0Gef0IMeveDN/3QVfqEHE0tKoLc2dWT9 jm+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:in-reply-to:date:subject:cc:to:from:user-agent :references:dkim-signature; bh=WprC7wQ8pjk4v3rRNQRsNnfM+sFohsfztPY3hS+tZkY=; b=LvhGsUL8AOG6kiMdUJoKiKIaUSgR253ozJoIuiRjbH6Ee32sAkC2GLlTUPYjQbdQuw RkekBNnmdWtjr1xZMJ/d1nNdFWogQciPwUngE0Q+kjCH+LgYy4JY4KLIstOBD1FU/jI/ iHSxJ6CdIrbn6j35RZt0/y+8nzjYTjxXI/pK8pIaMtf5VBzGh+DJzO8D8FUP90JLn+O3 N84U51YklSQRPcvbdtYtDC8x20vdpV/2v/MrmGnJeq7crrc6/6OWRXwUJtSWW/Na6cAD 6v8t0mWCjsBdZCFNroOpKXjwE0j8VilBu6ahxVMMGgrFKHj3achuN3fOMAXXc+vXbErK Cc1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=dqHaE7uA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cd8si1941672ejb.26.2021.03.11.13.11.42; Thu, 11 Mar 2021 13:12:05 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=dqHaE7uA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230454AbhCKVIl (ORCPT + 99 others); Thu, 11 Mar 2021 16:08:41 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60936 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230411AbhCKVIK (ORCPT ); Thu, 11 Mar 2021 16:08:10 -0500 Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DBE1AC061760 for ; Thu, 11 Mar 2021 13:08:09 -0800 (PST) Received: by mail-ed1-x535.google.com with SMTP id w18so4916520edc.0 for ; Thu, 11 Mar 2021 13:08:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=references:user-agent:from:to:cc:subject:date:in-reply-to :message-id:mime-version:content-transfer-encoding; bh=WprC7wQ8pjk4v3rRNQRsNnfM+sFohsfztPY3hS+tZkY=; b=dqHaE7uAtCtfTturKUgGaMRMcA5A6xT5Sf8lWsZrZvnIOXfijL+712llEvyyGGggiF wBWpjvliIAbOJwKVKtia5E8gK+FEXGp883lN5XdlpTcUthISPjGAzEDaQzMjNHqIAyOS gQxFTfquWRQsSAYvti2QLI1048+HoB/47fTF6sUFrKPoXb2cwjYenOd15JYOR4ifTgKP Y/aP63Q2Vv9xef4NdGHljiTVumdtsFEIsGT/+DcDiRDvrywW83Y9ZV/VMTxOfTmODQul 6JA203LPm32+ADaE3s3VxsP3fZrJNfIzDdNhjPisiCu+P05s6e6Z3rOo4A6pucodFt3d MOWQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:references:user-agent:from:to:cc:subject:date :in-reply-to:message-id:mime-version:content-transfer-encoding; bh=WprC7wQ8pjk4v3rRNQRsNnfM+sFohsfztPY3hS+tZkY=; b=EjsPyamnV2itn72Dr5ytJDrA0rgslOK7n3DmDK1sKVAOIL+poF22kkvsYiTV+N93Pi +cPTJfJef5XgjnjO6MVu1edQ3OHESFb8jmxbA4YKcWySOrm/eE3LrqdCZNrvp5lRQkxj YZfMzfkJ/OlhBTn+A4CiZerU0zJ5CNGRVsVQ1UQNuryX+dPSlweaNtflLXjurlNg6QTP MCvTF8BpJ8oRAUYqip1yYxGljaKsadXaXCNs/4nuRCWxjZ5OZi+W6M0TECQZmU6cvBjI bMguv9X2pKv9/VUxf9PUUKPukv1znizTXM5S3raJD8V0gs55LuEjvlZKQWYaeY4FINrQ uhWQ== X-Gm-Message-State: AOAM531Qd+Yip2shNaOjCWCzNLm5nRPhGeTe4m9LyZjbTkYjW1Sa2mui gCjgoQ7wmDWP/tQbuU+m3todUA== X-Received: by 2002:a05:6402:3075:: with SMTP id bs21mr10586641edb.274.1615496888399; Thu, 11 Mar 2021 13:08:08 -0800 (PST) Received: from zen.linaroharston ([51.148.130.216]) by smtp.gmail.com with ESMTPSA id r17sm1875032ejz.109.2021.03.11.13.08.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Mar 2021 13:08:07 -0800 (PST) Received: from zen (localhost [127.0.0.1]) by zen.linaroharston (Postfix) with ESMTP id 85CC91FF7E; Thu, 11 Mar 2021 21:08:06 +0000 (GMT) References: <20210303135500.24673-1-alex.bennee@linaro.org> <20210303135500.24673-2-alex.bennee@linaro.org> <20210305075131.GA15940@goby> <6c542548-cc16-af68-c755-df52bd13b209@marcan.st> <02d035ca-697d-1634-a434-a43b9c01f4a9@marcan.st> User-agent: mu4e 1.5.8; emacs 28.0.50 From: Alex =?utf-8?Q?Benn=C3=A9e?= To: Hector Martin Cc: Linus Walleij , Sumit Garg , Arnd Bergmann , "open list:ASYMMETRIC KEYS" , David Howells , Jarkko Sakkinen , Joakim Bech , "linux-kernel@vger.kernel.org" , Maxim Uvarov , Ilias Apalodimas , Ruchika Gupta , "Winkler, Tomas" , yang.huang@intel.com, bing.zhu@intel.com, Matti.Moell@opensynergy.com, hmo@opensynergy.com, linux-mmc , linux-scsi , Ulf Hansson , Arnd Bergmann Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem Date: Thu, 11 Mar 2021 20:57:50 +0000 In-reply-to: <02d035ca-697d-1634-a434-a43b9c01f4a9@marcan.st> Message-ID: <87k0qd7615.fsf@linaro.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hector Martin writes: > On 11/03/2021 23.31, Linus Walleij wrote: >> I understand your argument, is your position such that the nature >> of the hardware is such that community should leave this hardware >> alone and not try to make use of RPMB for say ordinary (self-installed) >> Linux distributions? > > It's not really that the community should leave this hardware alone, so=20 > much that I think there is a very small subset of users who will be able= =20 > to benefit from it, and that subset will be happy with a usable=20 > kernel/userspace interface and some userspace tooling for this purpose,=20 > including provisioning and such. > > Consider the prerequisites for using RPMB usefully here: > > * You need (user-controlled) secureboot > * You need secret key storage - so either some kind of CPU-fused key, or= =20 > one protected by a TPM paired with the secureboot (key sealed to PCR=20 > values and such) > * But if you have a TPM, that can handle secure counters for you already= =20 > AIUI, so you don't need RPMB > * So this means you must be running a non-TPM secureboot system > > And so we're back to embedded platforms like Android phones and other=20 > SoC stuff... user-controlled secureboot is already somewhat rare here,=20 > and even rarer are the cases where the user controls the whole chain=20 > including the TEE if any (otherwise it'll be using RPMB already); this=20 > pretty much excludes all production Android phones except for a few=20 > designed as completely open systems; we're left with those and a subset=20 > of dev boards (e.g. the Jetson TX1 I did fuse experiments on). In the=20 > end, those systems will probably end up with fairly bespoke set-ups for=20 > any given device or SoC family, for using RPMB. > > But then again, if you have a full secureboot system where you control=20 > the TEE level, wouldn't you want to put the RPMB shenanigans there and=20 > get some semblance of secure TPM/keystore/attempt throttling=20 > functionality that is robust against Linux exploits and has a smaller=20 > attack surface? Systems without EL3 are rare (Apple M1 :-)) so it makes=20 > more sense to do this on those that do have it. If you're paranoid=20 > enough to be getting into building your own secure system with=20 > anti-rollback for retry counters, you should be heading in that directly= =20 > anyway. > > And now Linux's RPMB code is useless because you're running the stack in= =20 > the secure monitor instead :-) Well quiet - the principle use-case of virtio-rpmb is to provide a RPMB like device emulation for things like OPTEE when running under QEMU's full-system emulation. However when it came to testing it out I went for Thomas' patches because that was the only virtio FE implementation available. When I finished the implementation and Ilias started on the uBoot front-end for virtio-rpmb. uBoot being firmware could very well be running in the secure world so would have a valid use case accessing an RPMB device. We ran into API dissonance because uboot's driver model is roughly modelled on the kernel so expects to be talking to eMMC devices which lead to requirements to fake something up to keep the driver stacks happy. I guess what we are saying is that real secure monitors should come up with their own common API for interfacing with RPMB devices without looking to the Linux kernel for inspiration? --=20 Alex Benn=C3=A9e