Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1172832pxf; Fri, 12 Mar 2021 03:49:02 -0800 (PST) X-Google-Smtp-Source: ABdhPJwzBMtYzCEQPg5svgGx2XQriI7OP9JAJW0uf+eE/owyEjxj8J+OUUTojXBQDhRliGxxVQS/ X-Received: by 2002:a17:906:e116:: with SMTP id gj22mr7893063ejb.398.1615549742756; Fri, 12 Mar 2021 03:49:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615549742; cv=none; d=google.com; s=arc-20160816; b=A5SACCwxRcshSpRej6fDu0XvFtJSm8bLpvCg2pQa5mBJ2IowaCtswrDRgTtB3vJ4dp Qe6UG7aSIde2brfSwEijNtQ26eGotZORgpoJe5xGm91Yafo3+g62ZmT0LdIhgBb8U3PD TtjyZj9S/e42a7m4D0A1Hhblc1cYR44YMxThXXP5aQ5XSbr6D8uWLmhaDqKDDB7zMB2N pfW5dtDM+K2zUNloT46TkUveOc2VNCEiqpLOfzKp4fHyA3ZfKH5zI3B7X3odV3Jh3LrH D1mR/aCgV7fTVJSYUzz463nr3n85IpbeXXoMct4vLZ6lW0qk6g2/ccWDF9cmX3/ksYat 6bXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=oc5bTi7/1MBiAyWrb/BCqxKaS2n3HhEl1VJrsEcMc6k=; b=M766C2fRabzPstIPVVH0obs70UMs4hWPd+GZbPOEu342cLi7dh97hGHQDZwblDIyFZ ERZxly8jgZL3qQCUuDVZ8Uljs8KLHSr8lt7VzJLFgRMGQocqkSA2fXUn2ZOsU6/Li/TD Qj7LHgk+VTO0LJLa/1k11PbXgIpxnZ4rFpbHNXATJ+6NpRhgpd8c+rd24I6v1qGzDCRT Fh/EHrusnnrHmNwjRr4Pma890MRvLmzWHMekCtjYnNdGF8gexrCHo2xwfg3T4wXnCAWM TpLpWHhma05l9Cd6D37KtK4fT4Ngc2Mhzo+JE3uwOB6JhT56qYBsot/s89UQA6CF8mXi 4R8g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=KDFdseRP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h7si3946196edt.553.2021.03.12.03.48.40; Fri, 12 Mar 2021 03:49:02 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=KDFdseRP; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232839AbhCLJXA (ORCPT + 99 others); Fri, 12 Mar 2021 04:23:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49014 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232825AbhCLJWh (ORCPT ); Fri, 12 Mar 2021 04:22:37 -0500 Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6771AC061761 for ; Fri, 12 Mar 2021 01:22:37 -0800 (PST) Received: by mail-lf1-x12d.google.com with SMTP id u4so44665389lfs.0 for ; Fri, 12 Mar 2021 01:22:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oc5bTi7/1MBiAyWrb/BCqxKaS2n3HhEl1VJrsEcMc6k=; b=KDFdseRP1eAOQEMh2Ks3MiJXJtEoNybe7gdJzx1f/I/PLG7U3A/Moiz1/CxbjuJp72 fpQqvBBkdC/hcLc3wA5TCEOTBLQ2aFBVwqDB97xSBmttxHg/ydqlbdZzR84D1tQsdnS/ 76mH37N6q/1iS6dVN96PQqaGQEN2ckQV9xhaYowqgSr3ZxIvxDJz8j8WiV8HgEyWOqUH RVq1S9eXjzn4oixocusNCm6/y08R7v8wf3TE8TRbjFbF6Ph0n578RuEXpmi1m1rvxszD 4WYDpUzpSr4gMYS0qyXesNgBNsnLP3EK6sYBecZmnUrFJwYRLvnAdQKzJfJDs2R7APZw aFdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oc5bTi7/1MBiAyWrb/BCqxKaS2n3HhEl1VJrsEcMc6k=; b=bKCy+KKL/qwAd9eMzvF/waKjhL0+/ZVduGa1XbKuZnZ9tZIKMFao0pzHpvbK2wUQ41 BL7ZkN+Dg919HJV/Vf/JA8tSaU/beqcYAxChpkoXaPERIxrPn4JsyDZMEds3i1dxrAq0 +sqlp6yIu8UHEBFHsiefqKBKst3iWcz0zRASw8y8yQIg3ae8cCA19rgfuR+vsfHoWZpJ jPTwVVnAJwbYgJenvThu4p71IpXBGw0qZWZPQeVQDsXM8uiy7UQp50jlM/nBoFWF+MrZ FHc5iFYN8JxtFoLfTWKbIyfogzgYHL+Rpc+Pequ2tRTK28NeOcUyaGzuNvUuI+XzmSdo JgNw== X-Gm-Message-State: AOAM530DVTvGQCVp7SfyxmcuwU33bYxZYbU+mpzy4dhjRUG3mR1b6pPt 1ymQZxhr9hz8E2ujCx/bQpdoJBI/qqO7ROsJvQaloA== X-Received: by 2002:a05:6512:243:: with SMTP id b3mr4968951lfo.529.1615540955761; Fri, 12 Mar 2021 01:22:35 -0800 (PST) MIME-Version: 1.0 References: <20210303135500.24673-1-alex.bennee@linaro.org> <20210303135500.24673-2-alex.bennee@linaro.org> <20210305075131.GA15940@goby> <6c542548-cc16-af68-c755-df52bd13b209@marcan.st> <0a26713a-8988-1713-4358-bc62364b9e25@marcan.st> <32bdceb1-e70d-7481-96e3-a064a7108eb9@marcan.st> In-Reply-To: From: Linus Walleij Date: Fri, 12 Mar 2021 10:22:24 +0100 Message-ID: Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem To: Hector Martin Cc: David Howells , "open list:ASYMMETRIC KEYS" , Jarkko Sakkinen , Sumit Garg , Arnd Bergmann , Joakim Bech , =?UTF-8?B?QWxleCBCZW5uw6ll?= , "linux-kernel@vger.kernel.org" , Maxim Uvarov , Ilias Apalodimas , Ruchika Gupta , "Winkler, Tomas" , yang.huang@intel.com, bing.zhu@intel.com, Matti.Moell@opensynergy.com, hmo@opensynergy.com, linux-mmc , linux-scsi , linux-nvme@vger.kernel.org, Ulf Hansson , Arnd Bergmann Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Hector, thanks for the long and detailed answer! I learn new things all the time. (Maybe one day I add something too, who knows.) I hope I'm not taking too much of your time, we're having fun :) On Thu, Mar 11, 2021 at 9:02 PM Hector Martin wrote: > On 11/03/2021 23.06, Linus Walleij wrote: > > Yes. And this is what mobile phone vendors typically did. > > > > But the nature of different electrical attacks made them worried > > about different schemes involving cutting power and disturbing > > signals with different probes, so they wanted this counter > > implemented in hardware and that is why RPMB exists at all > > (IIUC). > > No, prior to RPMB there was no such secure counter at all. The problem > is that non-volatile erasable storage (i.e. EEPROM/Flash) is > incompatible with modern SoC manufacturing processes, so there is no way > to embed a secure counter into the main SoC. And once your counter needs > to be external, there needs to be a secure communications protocol to > access it. This is what RPMB implements. > > For preventing software downgrades, especially of bootloader code, this > can be implemented with one-time fuses embedded in the SoC, but there is > a limited supply of those. So this doesn't work for things like PIN > attempt counters. For that you need a secure external counter. Actually what we did (I was there, kind of) was to go to the flash vendors (IIRC first Intel) and require what is today called "fuses" in the flash memory. Originally this was for things like unique serial numbers set in production. But they could easily add some more of it for other use cases. This became what is known as OTP (one time programmable flash). The OTP was all set to 1:s when the flash was new, then what we did for anti-rollback was to designate some bits for software versions. To make sure the OTP readout wasn't tampered with, some additional hashes of the OTP was stored in the flash and MAC signed. This was recalculated when we changed a bit from 1->0 in the OTP to indicate a new firmware version. Clever, isn't it? :) I think the scheme in RPMB was based in part on the needs solved by that crude mechanism. (Linux MTD did actually even gain some support for OTP recently, it is used only from userspace AFIAK.) > RPMB isn't pointless; what I am saying is that > if you strip away everything but the counter functionality, you can > still build equivalent security guarantees. You still need the counter. > There is no way to get that counter without RPMB or something like it > (another option is e.g. to use a smartcard IC as a secure element; AIUI > modern Apple devices do this). Software alone doesn't work. This is why > I wrote that article about how the FBI cracks iPhones; that works > because they weren't using a secure rollback-protected storage/counter > chip of any kind. Yeah. Hm, actually if they had flash memory they should have used the OTP... But I suppose they were all on eMMC. > it helps if you forget about the read/write commands and treat > it as a simple counter. Yep you're right. > Once you do that, you'll realize that e.g. putting keys in RPMB doesn't > really make sense as a kernel primitive. The usefulness of RPMB is > purely in the integration of that counter (which is equivalent to > rollback-protected storage) with a policy system. Everything else is > icing on the cake; it doesn't create new use cases. OK I understand. So what you're saying is we can't develop anything without also developing a full policy system. > Consider this: (...) > You have now built a secure, rollback-protected Git repository, with > similar security properties to RPMB storage, without using RPMB storage; > just a counter. This example of using the RPMB to protect rollback of a git was really nice! I think I understood as much before but maybe I don't explain that well enough :/ > Thus, we can conclude that the storage features of RPMB do not provide > additional security properties that cannot be derived from a simple counter. I agree. > * Disclaimer: please don't actually deploy this; I'm trying to make a > point here, it's 5AM and I'm not claiming this is a perfectly secure > design and I haven't missed anything. Please don't design > rollback-protected Git repositories without expert review. I am assuming > filesystem mutations only happen between operations and handwaving away > active attacks, which I doubt Git is designed to be robust against. A > scheme like this can be implemented securely with care, but not naively. It's an example all kernel developers can relate to, so the educational value is high! > Well, that's what I'm saying, you do need secureboot for this to make > sense :-) > > RPMB isn't useless and some systems should implement it; but there's no > real way for the kernel to transparently use it to improve security in > general (for anyone) without the user being aware. Since any security > benefit from RPMB must come from integration with user policy, it > doesn't make sense to "well, just do something else with RPMB because > it's better than nothing"; just doing "something" doesn't make systems > more secure. There needs to be a specific, practical use case that we'd > be trying to solve with RPMB here. As of now there are no other real world examples than TEE for this user policy. TPM and secure enclave exist, but they both have their own counters and does not need this. Can one realistically imagine another secure environment needing a RPMB counter? If not, then TEE (tee-supplicant is the name of the software daemon in userspace for OP-TEE, then some vendors have their own version of TEE) will ever be the only user, and then we only need to design for that. Yours, Linus Walleij