On 5/3/21 11:05 AM, Joakim Bech wrote:
> Hi Heinrich,
>
> On Sun, May 02, 2021 at 07:55:09PM +0200, Heinrich Schuchardt wrote:
>> Dear all,
>>
>> in the DTE meetings we have been discussing how we should add signatures
>> to device-trees.
>>
>> Due to the way libfdt adds properties the sanest place to add
>> metadata is before the memory reservation block. I have tested this with
>> the U-Boot->GRUB->Linux boot sequence.
>>
>> See my slides at
>>
>> https://github.com/xypron/dte/blob/master/DTE%20-%20Adding%20Metadata.pdf
>>
>> and the test program I used
>>
>> https://github.com/xypron/dte/blob/master/src/add_metadata_area.c
>>
> Thanks for putting together the proposal. I've read the slides and
> the program, so I think I understand what you're trying to do (creating a
> gap 'DELTA' to make room for some meta data). However, just so I
> understand this correctly, can you please elaborate a bit on what the
> meta data would look like? And give an example of how it would be
> used? Are signatures supposed to be verified the first time the DTB is
> being brought into memory? Or is it meant to be a more dynamic approach?
> (I believe it's the former you're proposing).
My idea is that the dtb will be verified when it is loaded from file,
similar to what UEFI's LoadImage() does.

Instead of adding an extra section for metadata we could also add a
special node with the signature, e.g.

    dtbsignatures {
        signatures1 {
            #address-cells = <0>;
            #size-cells = <64>;
            signature@0 {
                compatible = "foo_bar_signature";
                hashalg = "foo";
                signalg = "bar";
                reg = <0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
                       0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
                       0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
                       0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0>;
            };
        };
    };

To create the signature you would

* add a zeroed out node with space for the signature
* calculate the signature
* update the node with the value of the signature

When checking you would likewise zero out the signature and then
recalculate the signed hash.

This way we would only have to define a new node and not have any
changes to the device-tree format.

Best regards

Heinrich

>
> Related, I've been involved in a PoC with a student where he did
> DT-verification of (sub-)nodes, in the Linux kernel. The PoC was based on the
> ideas from U-Boot's FIT signature verification. It has some rough
> corners (and would need a bit more tooling), but it captures the overall
> idea. I think that is a bit different to what you're proposing (this is
> probably more related to what I refer to when saying a more dynamic
> approach).
>
> [1]
> https://github.com/marianomarciello/Device_Tree_Verification/blob/e0b2fc989acb00aa73b62d03409a210631deae43/report.pdf
>
>
>> In the next DTE meetings we could discuss drafting a specification
>> change for this.
>>
> I'm interested in this.
>
> // Regards
> Joakim
>

_______________________________________________
boot-architecture mailing list
boot-architecture@lists.linaro.org
https://lists.linaro.org/mailman/listinfo/boot-architecture
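The sign-then-verify round trip Heinrich sketches (zero the slot, hash, fill it; zero again, rehash, compare), as an added example that is not part of the thread and not code from the DTE slides or the add_metadata_area.c test program. It builds a small constructed flattened device tree containing the dtbsignatures/signatures1/signature@0 node with a 64-cell reg slot from his snippet, locates that slot by walking the structure block, and uses HMAC-SHA256 as a stand-in for the asymmetric signature the proposal would carry (the hashalg/signalg values "foo"/"bar" in the snippet are placeholders; the 256-byte slot, the demo key and the other node contents are this example's assumptions):

```python
import hashlib
import hmac
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9
# Node path and property from the proposed layout. #size-cells = <64> gives a
# 64-cell (256-byte) "reg" slot; treating that as the signature size is an assumption.
SIG_PATH = ("dtbsignatures", "signatures1", "signature@0")
SIG_PROP, SIG_CELLS = "reg", 64


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)


class _Builder:
    """Minimal flattened-device-tree writer, constructed for this example."""
    def __init__(self):
        self.tree, self.strings, self.name_off = bytearray(), bytearray(), {}

    def begin(self, name):
        self.tree += struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0")

    def prop(self, name, value):
        if name not in self.name_off:          # strings block deduplicates property names
            self.name_off[name] = len(self.strings)
            self.strings += name.encode() + b"\0"
        self.tree += struct.pack(">III", FDT_PROP, len(value), self.name_off[name]) + _pad4(value)

    def end(self):
        self.tree += struct.pack(">I", FDT_END_NODE)

    def finish(self):
        self.tree += struct.pack(">I", FDT_END)
        off_struct = 40 + 16                   # 40-byte header, then an empty reservation block
        off_strings = off_struct + len(self.tree)
        header = struct.pack(">10I", FDT_MAGIC, off_strings + len(self.strings), off_struct,
                             off_strings, 40, 17, 16, 0, len(self.strings), len(self.tree))
        return header + b"\0" * 16 + bytes(self.tree) + bytes(self.strings)


def build_sample_dtb():
    """Constructed sample tree whose signature slot is still all zeros."""
    b = _Builder()
    b.begin("")
    b.prop("compatible", b"example,board\0")
    b.begin("chosen"); b.prop("bootargs", b"console=ttyS0 root=/dev/mmcblk0p2\0"); b.end()
    b.begin("dtbsignatures"); b.begin("signatures1")
    b.prop("#address-cells", struct.pack(">I", 0))
    b.prop("#size-cells", struct.pack(">I", SIG_CELLS))
    b.begin("signature@0")
    b.prop("compatible", b"foo_bar_signature\0")
    b.prop("hashalg", b"foo\0")
    b.prop("signalg", b"bar\0")
    b.prop(SIG_PROP, b"\0" * (SIG_CELLS * 4))
    b.end(); b.end(); b.end(); b.end()
    return b.finish()


def find_signature_slot(dtb):
    """Walk the structure block; return (offset, length) of the reg value in the blob."""
    magic, total, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    if magic != FDT_MAGIC or total != len(dtb):
        raise ValueError("not a well-formed DTB")
    pos, path = off_struct, []
    while True:
        tok, = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if tok == FDT_BEGIN_NODE:
            end = dtb.index(b"\0", pos)
            path.append(dtb[pos:end].decode())
            pos = end + 1 + (-(end + 1) % 4)
        elif tok == FDT_END_NODE:
            path.pop()
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", dtb, pos)
            pos += 8
            name = dtb[off_strings + nameoff:dtb.index(b"\0", off_strings + nameoff)].decode()
            if tuple(path[1:]) == SIG_PATH and name == SIG_PROP:   # path[0] is the root ""
                return pos, length
            pos += length + (-length % 4)
        elif tok == FDT_END:
            raise ValueError("signature node not present")
        elif tok != FDT_NOP:
            raise ValueError("unexpected token %#x" % tok)


def _tag_with_slot_zeroed(dtb, key, off, length):
    """Hash the entire blob (header and reservation block included) with the slot zeroed."""
    buf = bytearray(dtb)                       # work on a copy, never the caller's tree
    buf[off:off + length] = b"\0" * length
    return hmac.new(key, bytes(buf), hashlib.sha256).digest()


def sign_dtb(dtb, key):
    off, length = find_signature_slot(dtb)
    tag = _tag_with_slot_zeroed(dtb, key, off, length)
    if len(tag) > length:
        raise ValueError("signature slot too small")
    return dtb[:off] + tag + b"\0" * (length - len(tag)) + dtb[off + length:]


def verify_dtb(dtb, key):
    try:
        off, length = find_signature_slot(dtb)
    except (ValueError, struct.error, IndexError):
        return False
    expected = _tag_with_slot_zeroed(dtb, key, off, length)
    stored = dtb[off:off + length]
    # Constant-time compare of the tag; the unused remainder of the slot must be zero.
    return hmac.compare_digest(stored[:len(expected)], expected) and not any(stored[len(expected):])
```

Because the hash covers the whole blob with only the slot zeroed, the header, the memory reservation block and every other node are authenticated, so any fixup applied after signing invalidates the signature; that matches checking the file at load time, as with LoadImage(), rather than after a bootloader has edited the tree. The verifier zeroes a copy and compares in constant time, and a blob whose totalsize disagrees with its length, or that lacks the signature node, is rejected before any hashing.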