Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1181672pxf; Fri, 12 Mar 2021 04:03:14 -0800 (PST) X-Google-Smtp-Source: ABdhPJwjKNDqjXaZerv0Fx9AVvBGPEt1WLHQIGe+f9L7cKsVnsjxKaHp/htJ24t2OeDGrAGyAyDt X-Received: by 2002:a17:906:f01:: with SMTP id z1mr8409411eji.235.1615550594019; Fri, 12 Mar 2021 04:03:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615550594; cv=none; d=google.com; s=arc-20160816; b=fdbg9W9J1Sdrz2fIuwSHAPZ4J7wWLIyMat6hI3fFd5c4DJG1DOS1oGTjMPcxMHOdZE A/uKbSonccu2J97MLYlVIyTJRwSSR9wSfej8gvYozLhPSIe8GcpZdlpNNFHVVkOw7HfS JTBCTwJtjKQ5DrEUaCZAalBfo65vxKjvoZaQYo4UuaP4Mb7K9dgGfMflvAn61RSKAsDY nZwtlcGENOGVjDJfoWQ4PApmQbKM278cksRgaflg68Il86x7kE65aJvQ6uuUfBjY6+/o STqg69DYEUcwoKFAZVx2p2WWyDh/dtvuIrvHhB2QaoS/AVN3n0OoTt5kRR5wI3NSL0LI Ygzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=bpfFLNlEFTtLYALUbQ+wZtMSFLoEa38YGl9oGhtt8UU=; b=tMXcNVGVNf5b1RgpPBQP6X6LonkqNT6TrxYXGgMivEaxOqUtSt8mhVv4hR5FSYBmEA +Xs3x/xrI+owtjDts0Uch5MgsBelAe5XYke703dS85kvtEJPWQP2VHxzQ7O/534vEbDH iz4iFtku/HbMl7d6LLfC5+ZXVbSVyv+taeOSPnr7peTQ9mEiFILCktKGpCDB230ya+lr bhhWDi5wleAhrG8aieC2Jes70gAvyLqtA86rUhyKuCknM1k2S8Co1PwH9SKKdnfjEuGj HD0uEIm3BudsexRSncLr0Qr7XZ9bjUbXDLPklBzueuQIfYGxkCuOKRyXA95aRyXnW3fZ TA8g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=OJ8hOSmZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id hb4si3800298ejb.642.2021.03.12.04.02.50; Fri, 12 Mar 2021 04:03:14 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=OJ8hOSmZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230110AbhCLL7m (ORCPT + 99 others); Fri, 12 Mar 2021 06:59:42 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54908 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230189AbhCLL7e (ORCPT ); Fri, 12 Mar 2021 06:59:34 -0500 Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 464ABC061762 for ; Fri, 12 Mar 2021 03:59:34 -0800 (PST) Received: by mail-lj1-x22d.google.com with SMTP id y1so6407330ljm.10 for ; Fri, 12 Mar 2021 03:59:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bpfFLNlEFTtLYALUbQ+wZtMSFLoEa38YGl9oGhtt8UU=; b=OJ8hOSmZeHOaMypXlHqIgOHHwqUyA+0g8YG/4U7b/fYQ6g4HCAlV6X9TPzumop9vA8 tkoN5lRrgX8emUbeDsV/4j46mRDMg0ufRupWxDxCo9QSAX5H9bpF1UQ4rigGhUw4T0Dd eZZzQ1x3g4sQCQJ3aa/h5qP/MQ6LGzMLkPyc5ywa4TX0D98YEKXuBYt40Vu2eSjc7ToW BxTDuwTn0DnAk6dGmloeRM9x0nOe/ygTpeKvWOEDjth6rqt7y14En7Co6lAX3RMGh3gi AjrVOE2kpaeBH7gfC2159MMgA1SUp3/irNNIJc6sH8fLV+eHgY2GESnaY4Fh7B0xl4Ad LNdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bpfFLNlEFTtLYALUbQ+wZtMSFLoEa38YGl9oGhtt8UU=; b=oUvUZlItZFyPcIo2vwB4OXAVoPvnqRP+J/U/mRML6nYHAzoxyF1TnoN3wjo048JO2S xWgGOQR90zOQ5pXQwmZsD4GfMzlko47gTKhVplKDIGyFHd6P/Z6eMRA/GiE1aMvs3CW0 3Q6EyC3uLHdt9IDRWhRspiR7HGjB4+z9kHW8bHAZKHMFfBl72vob2qfGKSmrkNoMTjbT YZhR8GLwNFEpHradW70CH9gPTT631/3CRuF974SdQeaSSqc1QNeb4b8aFbwIIJFTvWbk cT1TzWeYEKntRnoaF9M/5Lo9HWEIHu4wcVMxbu3ItdAzsYuTbilFNLv6pOJ2JgWDNdmJ AOBg== X-Gm-Message-State: AOAM530ndmmbOPyD+xexEtfxrMskpvFV5rpLWDNykoiNPHp3mgMuw5gK /wQJcztmFxrW/zXiPhbrM5S9Gz6vmCRzDQzfptIrtg== X-Received: by 2002:a2e:557:: with SMTP id 84mr2219735ljf.480.1615550372646; Fri, 12 Mar 2021 03:59:32 -0800 (PST) MIME-Version: 1.0 References: <20210303135500.24673-1-alex.bennee@linaro.org> <20210303135500.24673-2-alex.bennee@linaro.org> <20210305075131.GA15940@goby> <6c542548-cc16-af68-c755-df52bd13b209@marcan.st> <02d035ca-697d-1634-a434-a43b9c01f4a9@marcan.st> In-Reply-To: <02d035ca-697d-1634-a434-a43b9c01f4a9@marcan.st> From: Sumit Garg Date: Fri, 12 Mar 2021 17:29:20 +0530 Message-ID: Subject: Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem To: Hector Martin Cc: Linus Walleij , Arnd Bergmann , "open list:ASYMMETRIC KEYS" , David Howells , Jarkko Sakkinen , Joakim Bech , =?UTF-8?B?QWxleCBCZW5uw6ll?= , "linux-kernel@vger.kernel.org" , Maxim Uvarov , Ilias Apalodimas , Ruchika Gupta , "Winkler, Tomas" , yang.huang@intel.com, bing.zhu@intel.com, Matti.Moell@opensynergy.com, hmo@opensynergy.com, linux-mmc , linux-scsi , linux-nvme@vger.kernel.org, Ulf Hansson , Arnd Bergmann Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 12 Mar 2021 at 01:59, Hector Martin wrote: > > On 11/03/2021 23.31, Linus Walleij wrote: > > I understand your argument, is your position such that the nature > > of the hardware is such that community should leave this hardware > > alone and not try to make use of RPMB for say ordinary (self-installed) > > Linux distributions? > > It's not really that the community should leave this hardware alone, so > much that I think there is a very small subset of users who will be able > to benefit from it, and that subset will be happy with a usable > kernel/userspace interface and some userspace tooling for this purpose, > including provisioning and such. > > Consider the prerequisites for using RPMB usefully here: > > * You need (user-controlled) secureboot Agree with this prerequisite since secure boot is essential to build initial trust in any system whether that system employs TEE, TPM, secure elements etc. > * You need secret key storage - so either some kind of CPU-fused key, or > one protected by a TPM paired with the secureboot (key sealed to PCR > values and such) > * But if you have a TPM, that can handle secure counters for you already > AIUI, so you don't need RPMB Does TPM provide replay protected memory to store information such as: - PIN retry timestamps? - Hash of encrypted nvme? IMO, having replay protection for user data on encrypted nvme is a valid use-case. > * So this means you must be running a non-TPM secureboot system > AFAIK, there exist such systems which provide you with a hardware crypto accelerator (like CAAM on i.Mx SoCs) that can protect your keys (in this case RPMB key) and hence can leverage RPMB for replay protection. > And so we're back to embedded platforms like Android phones and other > SoC stuff... user-controlled secureboot is already somewhat rare here, > and even rarer are the cases where the user controls the whole chain > including the TEE if any (otherwise it'll be using RPMB already); this > pretty much excludes all production Android phones except for a few > designed as completely open systems; we're left with those and a subset > of dev boards (e.g. the Jetson TX1 I did fuse experiments on). In the > end, those systems will probably end up with fairly bespoke set-ups for > any given device or SoC family, for using RPMB. > > But then again, if you have a full secureboot system where you control > the TEE level, wouldn't you want to put the RPMB shenanigans there and > get some semblance of secure TPM/keystore/attempt throttling > functionality that is robust against Linux exploits and has a smaller > attack surface? Systems without EL3 are rare (Apple M1 :-)) so it makes > more sense to do this on those that do have it. If you're paranoid > enough to be getting into building your own secure system with > anti-rollback for retry counters, you should be heading in that directly > anyway. > > And now Linux's RPMB code is useless because you're running the stack in > the secure monitor instead :-) > As Linus mentioned in other reply, there are limitations in order to put eMMC/RPMB drivers in TEE / secure monitor such as: - One of the design principle for a TEE is to keep its footprint as minimal as possible like in OP-TEE we generally try to rely on Linux for filesystem services, RPMB access etc. And currently we rely on a user-space daemon (tee-supplicant) for RPMB access which IMO isn't as secure as compared to direct RPMB access via kernel. - Most embedded systems possess a single storage device (like eMMC) for which the kernel needs to play an arbiter role. It looks like other TEE implementations such as Trusty on Android [1] and QSEE [2] have a similar interface for RPMB access. So it's definitely useful for various TEE implementations to have direct RPMB access via kernel. And while we are at it, I think it should be useful (given replay protection benefits) to provide an additional kernel interface to RPMB leveraging Trusted and Encrypted Keys subsystem. [1] https://android.googlesource.com/trusty/app/storage/ [2] https://www.qualcomm.com/media/documents/files/guard-your-data-with-the-qualcomm-snapdragon-mobile-platform.pdf -Sumit > -- > Hector Martin (marcan@marcan.st) > Public Key: https://mrcn.st/pub