Security Working Group meeting - Wednesday February 2

Andrew Jeffery andrew at aj.id.au
Thu Feb 3 10:31:35 AEDT 2022 


On Thu, 3 Feb 2022, at 07:51, Joseph Reynolds wrote:
> On 2/1/22 9:24 PM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting 
>> scheduled for this Wednesday February 2 at 10:00am PDT.
>>
>> We'll discuss the following items on the agenda 
>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, 
>> and anything else that comes up:
>
> Attended: Joseph, Jiang, Dick, Michael Richardson, Daniil, Surya, James, 
> Dhananjay
>
> Note that we started on topic 1 (RoT), and then covered topic 3 (CNA) 
> before returning to topic 1.  Topic 2 (NoAccess users) was not covered.
>
>
>>
>> 1. followup from previous meeting: OpenBMC’s AST2600 RoT work 2. 
>> discuss the concept and need for NoAccess users and how they would be 
>> different from disabled BMC user accounts
>
> 1 followup from previous meeting: OpenBMC’s AST2600 RoT work is here 
> https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/49789 
> <https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/49789>with the 
> underlying OE/bitbake recipe here: 
> https://github.com/openbmc/openbmc/blob/master/meta-aspeed/classes/socsec-sign.bbclass 
> <https://github.com/openbmc/openbmc/blob/master/meta-aspeed/classes/socsec-sign.bbclass>.  
> Note OTP refers to one-time programmable memory used to set the signing 
> key, etc.  Also I (Joseph Reynolds) believe the AST2600 specs are not 
> public domain.

There's another related patch in-flight that adds the OTP configuration 
for p10bmc. It might be a helpful reference. The only thing I'd ask is 
that people use big-endian mode for their keys (which isn't what has 
happened with p10bmc):

https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/50716

SOCSEC_SIGN_ENABLE: command not found
Other than that the only thing that's required is setting  in the 
machine configuration, e.g:

https://github.com/openbmc/openbmc/blob/bb99d22ecef61f3af21290b1e1ead3083f25d20f/meta-ibm/conf/machine/p10bmc.conf#L56

>
> …  and general  OpenBMC Root of Trust (RoT) discussion
>
>
> DISCUSSION:
>
> Secure boot trust chain: the BMC hardware performs secure boot of the 
> bootloader (e.g., U-Boot, then U-Boot verifies 
> {kernel,devicetree,rootfs}, etc., up to starting the application.
>
>
> Secure boot has three layers: 1 hardware validates uboot, 2 U-Boot 
> validates the Readonly fs, 3 the operation system validates applications.

This is close but could be more general and more precise:

1. The hardware loads loads the bootloader and validates its signature
2. The bootloader loads the kernel and validates its signature
3. The kernel locates the rootfs and uses a mechanism to verify its 
integrity

Mapping that to the AST2600, we have:

1. The ROM code loads the u-boot SPL into SRAM and validates its 
signature using the public keys from the OTP

2. The SPL loads the u-boot FIT image into DRAM and validates the 
configuration signatures over the hashes of the embedded images using 
the keys residing in the SPL image

3. u-boot loads the kernel FIT image into DRAM and validates the 
configuration signatures over the hashes of the embedded images using 
keys residing in the u-boot image

4. The kernel locates the rootfs and uses a mechanism to verify its 
integrity

> To validate before starting applications:  DMverity, IMA
>
>
> The OpenBMC project is working to support the first layer, specifically 
> AST2600 secure booting U-Boot.  The intention is then to support U-Boot  
> securely booting the next layer (kernel, etc.)  

Again, not quite true.

It's already the case that the SPL validates u-boot and u-boot 
validates the kernel where signing for each is enabled.

Again, leaning on p10bmc as a reference, this scheme is enabled here:

https://github.com/openbmc/openbmc/blob/bb99d22ecef61f3af21290b1e1ead3083f25d20f/meta-ibm/conf/machine/p10bmc.conf#L39-L40

The patches linked earlier add the hardware root-of-trust support 
(generating the AST2600 OTP image and signing the SPL in a manner that 
can pass verification using the OTP image).

> Also there is interest 
> in using DMverity and IMA, but no agreements.

dm-verity is conceptually simpler than IMA, but has limitations that 
IMA can help overcome, so as you say, at least from IBM's perspective, 
we're still working through the details here.

> Does BMC download applications as part of its intended operation?  
> Different use cases.
>
> In the base use case, the BMC read only file system has all 
> applications.  Only developers (and advanced diagnostics) download code, 
> presumably to test fixes or collect more diagnostic data.
>
> Use cases include both validating the filesystem which has the code, and 
> validating the app itself as it is loaded (exec’d) into a Linux process.

If no modifications are made to the filesystem then validating the 
integrity of the filesystem is the same as validating the integrity of 
the application. However in the face of run-time modifications to the 
filesystem, IMA's design helps prevent arbitrary code execution by 
enabling policies such as "any exec'ed file must have a valid 
signature". Trying to enforce a signed execution environment in the 
face of mutable filesystems is hard with dm-verity.

Andrew

More information about the openbmc mailing list