In-Band Firmware Update

Jeremy Kerr jk at ozlabs.org
Wed Aug 8 11:32:51 AEST 2018


Hi Ed,

>> We are going to investigate using the DFU protocol, as that
>> also has host side tools already available.
> 
> DFU doesn't completely solve the issue though, does it?  Presumably for 
> security reasons you can't have the DFU device exposed to the host all 
> the time.  If you did, I'm sure the penetration testers would hit it 
> hard.  Assuming that leaving it available all the time is a non-starter, 
> don't you need some command to activate the interface to allow the upload?

Yes, we'd have an endpoint exposed all the time (the run-time descriptor
set). This changes into the DFU mode descriptor set at the start of the
upgrade process, when the host-side tools issue a DFU_DETACH.

Does hiding the descriptor get us anything, if it can be enabled from
the host anyway? The run-time descriptor is super simple.

> Assuming I'm not missing something there (I probably am) doesn't it make 
> more sense to just expose a USB mass storage device when the "start" 
> command is sent, as opposed to implementing the full DFU protocol?  It 
> seems like that would require no utilities (aside from a simple nsh/bash 
> script) and be very easy to replicate.

Just that this requires more custom stuff host-side; raw IPMI commands
for the start and stop (unless we can hook into a SCSI eject event for
the stop perhaps). If we can use existing tools that already support
DFU, that's less stuff that needs to be provided on the host side.

That said, it does look like the current DFU spec isn't going to allow
fast enough transfers for a BMC firmware image in reasonable times, so
we may have to modify those *anyway*, so most of the benefit there may
be lost...

A USB-mass-storage-based solution could be okay, as long as we have a
solid specification for what gets written to the device (a filesystem
containing the image? raw image on the device?), secure parsing for that
data (particularly if the BMC is reading a filesystem) and a protocol
between BMC and host so that we can implement proper handover. If we can
use standard tools for that, it might be a good way to go.

Cheers,

Jeremy
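One concrete way to meet the "solid specification" and "secure parsing" requirements for the raw-image-on-the-device variant is to give the image a small fixed header and have the BMC validate every header field against the number of bytes it actually read before touching the payload. The following is an added example, not OpenBMC code or anything from this thread; the container layout (a 16-byte little-endian header of magic, version, payload length and CRC-32 of the payload), the `IMG_MAGIC` value, the 64 MiB size ceiling and the sample payload are all assumptions made for illustration.

```c
/* Hypothetical BMC-side image container parser (added example, not OpenBMC's).
 * Header layout (assumed): u32 magic | u32 version | u32 payload_len | u32 crc32.
 * The CRC is an integrity check for the transfer only; an authenticity check
 * (signature over header + payload) must also pass before anything is flashed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMG_MAGIC       0x424D4346u             /* "BMCF", hypothetical */
#define IMG_HDR_LEN     16u
#define IMG_MAX_PAYLOAD (64u * 1024u * 1024u)   /* assumed flash ceiling */

enum img_status { IMG_OK = 0, IMG_ERR_SHORT, IMG_ERR_MAGIC, IMG_ERR_VERSION,
                  IMG_ERR_LENGTH, IMG_ERR_CRC };

struct img_view { const uint8_t *payload; uint32_t len; };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bitwise CRC-32 (IEEE 802.3 polynomial, reflected, init/xorout 0xFFFFFFFF). */
static uint32_t crc32(const uint8_t *d, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Parse what the host wrote to the device. buf_len is the number of bytes the
 * BMC actually read (for a raw device that may include trailing padding, which
 * is ignored). Every length derived from the header is bounded against buf_len
 * before use, so a hostile header cannot make the BMC read past the buffer. */
enum img_status img_parse(const uint8_t *buf, size_t buf_len, struct img_view *out) {
    if (buf_len < IMG_HDR_LEN) return IMG_ERR_SHORT;
    if (rd_le32(buf) != IMG_MAGIC) return IMG_ERR_MAGIC;
    uint32_t version = rd_le32(buf + 4);
    uint32_t plen    = rd_le32(buf + 8);
    uint32_t want    = rd_le32(buf + 12);
    if (version != 1u) return IMG_ERR_VERSION;
    /* Reject zero and over-size lengths first, then lengths that run past the
     * bytes we have. buf_len >= IMG_HDR_LEN here, so the subtraction cannot wrap. */
    if (plen == 0u || plen > IMG_MAX_PAYLOAD) return IMG_ERR_LENGTH;
    if ((size_t)plen > buf_len - IMG_HDR_LEN) return IMG_ERR_LENGTH;
    if (crc32(buf + IMG_HDR_LEN, plen) != want) return IMG_ERR_CRC;
    out->payload = buf + IMG_HDR_LEN;
    out->len = plen;
    return IMG_OK;
}

/* Host-side helper (constructed for the example) that produces a container.
 * Returns the number of bytes written, or 0 if it does not fit. */
size_t img_build(uint8_t *dst, size_t cap, const uint8_t *payload, uint32_t plen) {
    if (cap < IMG_HDR_LEN || plen > cap - IMG_HDR_LEN) return 0;
    wr_le32(dst, IMG_MAGIC);
    wr_le32(dst + 4, 1u);
    wr_le32(dst + 8, plen);
    wr_le32(dst + 12, crc32(payload, plen));
    memcpy(dst + IMG_HDR_LEN, payload, plen);
    return IMG_HDR_LEN + plen;
}

int main(void) {
    static const uint8_t fw[] = "constructed-firmware-payload";  /* sample, not real */
    uint8_t dev[256];
    struct img_view v;
    size_t n = img_build(dev, sizeof dev, fw, (uint32_t)sizeof fw);
    enum img_status st = img_parse(dev, n, &v);
    printf("good image: status %d, payload %u bytes\n", st, st == IMG_OK ? v.len : 0u);
    wr_le32(dev + 8, 0x7FFFFFFFu);                 /* hostile length field */
    printf("oversize length: status %d\n", img_parse(dev, n, &v));
    wr_le32(dev + 8, (uint32_t)sizeof fw);
    dev[IMG_HDR_LEN] ^= 0x01;                      /* flipped payload bit */
    printf("corrupt payload: status %d\n", img_parse(dev, n, &v));
    return 0;
}
```

The parser never trusts the declared payload length on its own: it is bounded by a fixed ceiling and by the byte count actually read, and the comparison is done only after the subtraction is known not to wrap. If the BMC reads a filesystem rather than a raw device, the same rule applies one layer down, with every directory entry and extent length checked against the device size before being followed.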


More information about the openbmc mailing list