Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem

From: Hector Martin
Date: Thu Mar 11 2021 - 15:32:40 EST

Next message: Borislav Petkov: "Re: [PATCH v6 00/12] SVM cleanup and INVPCID feature support"
Previous message: Andi Kleen: "Re: [PATCH V2 20/25] perf/x86/intel: Add Alder Lake Hybrid support"
In reply to: Linus Walleij: "Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem"
Next in thread: Alex Bennée: "Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 11/03/2021 23.31, Linus Walleij wrote:

I understand your argument, is your position such that the nature
of the hardware is such that community should leave this hardware
alone and not try to make use of RPMB for say ordinary (self-installed)
Linux distributions?

It's not really that the community should leave this hardware alone, so much that I think there is a very small subset of users who will be able to benefit from it, and that subset will be happy with a usable kernel/userspace interface and some userspace tooling for this purpose, including provisioning and such.

Consider the prerequisites for using RPMB usefully here:

* You need (user-controlled) secureboot
* You need secret key storage - so either some kind of CPU-fused key, or one protected by a TPM paired with the secureboot (key sealed to PCR values and such)
* But if you have a TPM, that can handle secure counters for you already AIUI, so you don't need RPMB
* So this means you must be running a non-TPM secureboot system

And so we're back to embedded platforms like Android phones and other SoC stuff... user-controlled secureboot is already somewhat rare here, and even rarer are the cases where the user controls the whole chain including the TEE if any (otherwise it'll be using RPMB already); this pretty much excludes all production Android phones except for a few designed as completely open systems; we're left with those and a subset of dev boards (e.g. the Jetson TX1 I did fuse experiments on). In the end, those systems will probably end up with fairly bespoke set-ups for any given device or SoC family, for using RPMB.

But then again, if you have a full secureboot system where you control the TEE level, wouldn't you want to put the RPMB shenanigans there and get some semblance of secure TPM/keystore/attempt throttling functionality that is robust against Linux exploits and has a smaller attack surface? Systems without EL3 are rare (Apple M1 :-)) so it makes more sense to do this on those that do have it. If you're paranoid enough to be getting into building your own secure system with anti-rollback for retry counters, you should be heading in that directly anyway.

And now Linux's RPMB code is useless because you're running the stack in the secure monitor instead :-)

--
Hector Martin (marcan@xxxxxxxxx)
Public Key: https://mrcn.st/pub

Next message: Borislav Petkov: "Re: [PATCH v6 00/12] SVM cleanup and INVPCID feature support"
Previous message: Andi Kleen: "Re: [PATCH V2 20/25] perf/x86/intel: Add Alder Lake Hybrid support"
In reply to: Linus Walleij: "Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem"
Next in thread: Alex Bennée: "Re: [RFC PATCH 1/5] rpmb: add Replay Protected Memory Block (RPMB) subsystem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]