Fit images and EFI_LOAD_FILE2_PROTOCOL

Heinrich Schuchardt xypron.glpk at gmx.de
Sat Oct 3 18:35:01 CEST 2020


On 10/3/20 3:12 PM, Ard Biesheuvel wrote:
>
>
> On Sat, 3 Oct 2020 at 13:16, François Ozog <francois.ozog at linaro.org
> <mailto:francois.ozog at linaro.org>> wrote:
>
>
>
>     Le sam. 3 oct. 2020 à 13:14, François Ozog <francois.ozog at linaro.org
>     <mailto:francois.ozog at linaro.org>> a écrit :
>
>
>
>         Le sam. 3 oct. 2020 à 10:51, Heinrich Schuchardt
>         <xypron.glpk at gmx.de <mailto:xypron.glpk at gmx.de>> a écrit :
>
>             Hello Ilias, hello Christian,
>
>
>
>             with commit ec80b4735a59 ("efi_loader: Implement FileLoad2
>             for initramfs
>
>             loading") Ilias provided the possibility to specify a device
>             path
>
>             (CONFIG_EFI_INITRD_FILESPEC) from which an initial RAM disk
>             can be
>
>             served via the EFI_FILE_LOAD2_PROTOCOL.
>
>
>
>             Ard extended the Linux EFI stub to allow loading the initial
>             RAM disk
>
>             via the EFI_FILE_LOAD2_PROTOCOL with the utmost priority.
>
>
>
>             With commit ecc7fdaa9ef1 ("bootm: Add a bootm command for type
>
>             IH_OS_EFI") Cristian enabled signed FIT images that contain
>             a device
>
>             tree and a UEFI binary (enabled by CONFIG_BOOTM_EFI=y).
>
>
>
>             In the DTE calls we have discussed that it is unfortunate
>             that we do not
>
>             have a method to validate initial RAM images in the UEFI
>             context.
>
>
>
>             To me it would look like a good path forward to combine the
>             two ideas:
>
>
>
>             * Let the signed FIT image (of type IH_OS_EFI) contain a RAM
>             disk
>
>             * Pass location and size to the UEFI subsystem and serve
>             them via
>
>               the EFI_FILE_LOAD2_PROTOCOL.
>
>
>
>             We could also extend the bootefi command to be callable as
>
>
>
>                bootefi $kernel_addr_r $ramdisk_addr_r:$filesize $fdt_addr_r
>
>
>
>             like the booti command to serve an initial RAM disk.
>
>
>
>             What are your thoughts?
>
>         that looks super interesting. 
>         I propose something (in the latest desk preparing oct 14th)
>         similar except the an efi application boots the FIT.
>         I view UEFI as booting a PE coff and pass a set of config
>         tables. Today we have DTB, we could just add Initrd (you command
>         line). Bootefi would be responsible to valide the containing FIT
>         before pushing initrd (and dTB?)into the table. It would be the
>         responsibility of the efi stub to get the initrd from the config
>         table (GUID to be defined).
>
>     the memory attributes of the initrd config table should be such that
>     it can be recovered for normal use. That may be tricky though.
>
>
> The purpose of the EFI_FILE_LOAD2_PROTOCOL based initrd loading
> mechanism is to allow the EFI stub (which is tightly coupled to the
> kernel arch/version/etc) to allocate the memory for the initrd, and pass
> it into the LoadFile2() request, using whichever policy it wants to
> adhere to for alignment, offset and/or vicinity of the kernel image. It
> also ensures that any measurement performed by the bootloader for
> attestation or authentication can be delayed to the point where the
> booting kernel assumes ownership of the initrd contents, preventing
> potential TOCTOU issues where intermediate boot stages are involved
> (shim+grub etc)

Any UEFI binary that you invoke can overwrite the complete system table
and replace the existing UEFI API by its own implementation which may be
malicious.

So the EFI_FILE_LOAD2_PROTOCOL does not provide any safety guarantees
whatsoever.

Either you have a chain of trust or not. If you have a chain of trust,
it is sufficient that user input, e.g. an initrd loaded from disk is
verified once.

>
> Creating an initrd config table would mean that the bootloader decides
> where to load the initrd in memory, and only passesthe address and size.
> This is exactly what we wanted to avoid, because now, the bootloader has
> to know all these different rules that vary between kernel version,
> configurations and architectures.
>
> For uboot's implementation of FIT based EFI_FILE_LOAD2_PROTOCOL, this
> might mean that the initrd is loaded into memory first, and copied to
> another location (and [re-]authenticated) when LoadFile2() is invoked. I
> don't think this is a problem in the general case, but we might think
> about ways to avoid this if this turns out to be a problem for memory
> constrained devices with huge initrds.
>
>

Securitywise this all makes no difference. See above.

Best regards

Heinrich


More information about the U-Boot mailing list