Hi Ilias,

On Mon, Oct 3, 2022 at 7:21 AM Ilias Apalodimas <ilias.apalodi...@linaro.org> wrote:
>
> Hi Jassi,
>
> On Wed, Sep 28, 2022 at 10:16:53AM -0500, Jassi Brar wrote:
> > Hi Etienne,
> >
> > On Wed, Sep 28, 2022 at 2:30 AM Etienne Carriere
> > <etienne.carri...@linaro.org> wrote:
> > > Hello Jassi, Sughosh and all,
> > >
> > > >>> But a malicious user may force some old vulnerable image back into
> > > use
> > > >>> by updating all but that image.
> > >
> > > When the system boots with accepted images (referring to fwu-mdata
> > > regular/trial state), the platform monotonic counter is updated
> > > against the booted image version number if needed, preventing older images
> > > from being booted when an accepted image has been deployed.
> > > @Jassi, does this answer your question?
> > >
> > As I said in my earlier post, I know we can employ security+integrity
> > techniques to prevent such misuse.
> > My point is FWU should still be implemented assuming no such technique
> > might be available due to any reason, and we do the best we can. Just
> > as we don't say let's not care about buffer-overflow vulnerabilities
> > because the system can implement secure boot and other such
> > techniques.
> >
> > For example, the spec warns: "The metadata can be maliciously
> > crafted, it should be treated as an insecure information source." So
> > clearly the spec doesn't count on rollback and authentication
> > mechanisms to be always available - and that is how it should be.
>
> We've discussed this extensively during drafting the spec. You are right
> that we would be better off trying to protect the fwu metadata somehow. In
> fact Heinrich had similar concerns when the original RFC was posted.
> i

Actually I never said we should protect the metadata.
If you read the whole thread, the point was that we should try to protect against partial bank updates - accidental or malicious.
We cannot assume a user updating only partially knows what they are doing.
cheers.