On 14 April 2016 at 00:33, Gwendal Grignou <gwendal@xxxxxxxxxxxx> wrote: > On Mon, Apr 4, 2016 at 4:50 AM, Ulf Hansson <ulf.hansson@xxxxxxxxxx> wrote: >> >> On 2 April 2016 at 02:23, Gwendal Grignou <gwendal@xxxxxxxxxxxx> wrote: >> > On Thu, Jan 14, 2016 at 5:16 AM, Ulf Hansson <ulf.hansson@xxxxxxxxxx> wrote: >> >> On 28 December 2015 at 15:12, Alex Lemberg <Alex.Lemberg@xxxxxxxxxxx> wrote: >> >> > I am arriving after the battle, but I have finally rebased the eMMC >> > FFU kernel ffu code to 4.x. It is based on what Avi and Alex have >> > written. >> > As stated earlier, the advantage over using MMC_MUTLI_CMD is we can >> > force a reset and rescan of the card without asking the user to reboot >> > their machine. >> >> No matter what, I think the problem is how you would *safely* deal >> with the reset. Especially in the case when the eMMC already has an >> mounted file system on it. > > Assuming the firmware is not wiping data or resizing the available > space, the data in the flash is readable after the upgrade. This is exactly my point. You can no* assume anything about the card after a firmware upgrade. > For the host point of view, a firmware update and a reset is > equivalent to a reset, that could happen during error recovery. > The only change are in the cid/csd//extcsd registers the firmware may > have updated. Is that defined by the spec and are all eMMC vendors conforming to your above statement? > The stack has to assume these registers are not constant and can > change after reset. > > When looking into the mmc stack, AFAICT, the code that needs to get > device specifics always rely on fields that are re-generated by > mmc_card_inif() (card->ext_csd, output of mmc_decode_csd()/cid(() and > so on). >> >> >> Just doing something that *might* work, isn't good enough to me. >> >> > Also, by only sending a firmware name over the ioctl, we can use Kees' >> > work for firmware validation (https://lwn.net/Articles/605432/). >> >> The request_firmware() interface would indeed be good to use. Although >> unless we can figure out a way on how to safely deal with reset, we >> will have to live without request_firmware(). >> >> > To prevent downloading firmware from unknown source, we would reject >> > some commands (like SWITCH with FFU_MODE) in the kernel >> > MMC_IOC/MULTI_CMD ioctl handler. >> >> I don't follow, can you elaborate on this please. > > Today, an attacker with root access could break the chain of trust by > writing a firmware in the eMMC that corrupts data on the fly and > return infected code to the host after verification. > One way is to use firmware signed by the manufacturer, a stronger > approach is to enforce that the firmware is part of the root > partition. > To prevent a bad firmware from being downloaded, we have to make sure > downloading firmware using raw single or multi commands ioctls does > not work. I clearly see the benefit of using request_firmware() and I open to adopt an in-kernel FFU solution that uses it, as long as a safe reset can be managed. However, whether it's more safe to hackers has nothing to do with it. If a hacker becomes root on a device they can do all kind of magic things, for example replacing a firmware in rootfs or sending ioctl commands to a device node that has root permissions. To achieve security, verification of a signatures are needed and currently the request_firmware() API doesn't support this and nor does the eMMC device itself (at least to my knowledge). Regarding the safe reset, the only way I see how to deal with this, is to force a reboot and prevent serving new read/write request after a firmware upgrade. Although, perhaps you can think of something more clever. Kind regards Uffe -- To unsubscribe from this list: send the line "unsubscribe linux-mmc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
