
RoT should do local signature validation for bootleby before flashing. #1404

Closed
lzrd opened this issue Jun 8, 2023 · 1 comment
Labels
🤔 design Forward-looking discussions and proposals lpc55 Has specific implications for LPC55 processors robustness Fixing this would improve robustness of deployed firmware root-of-trust security Fixing this would improve system security

Comments

@lzrd
Contributor

lzrd commented Jun 8, 2023

The RoT does not currently perform signature validation before flashing the bootloader.
Instead, it relies on the kindness of upper layers to only request flashing of correct images.

Rather than put signature validation in update_server, Cliff has suggested staging an image in bootloader reserved flash and having the bootloader or pre-main perform a verification using the same ROM routines used at boot time. In addition to the verification status already passed for Hubris-A and Hubris-B images, the status of the staged image would be passed as well.

Details on where update_server would place the image for verification, coordination of the necessary reset to give early FW control for verification, and how that information is passed is TBD.

The control plane does not currently update the bootloader. After this feature is implemented, it would be safer to do so.
Most incorrect installations have been done using faux-mgs by "hand" or through scripts to date.

RFDs 349 and 374 should be updated to reflect the new feature.

@lzrd lzrd added security Fixing this would improve system security robustness Fixing this would improve robustness of deployed firmware 🤔 design Forward-looking discussions and proposals lpc55 Has specific implications for LPC55 processors root-of-trust labels Jun 8, 2023
lzrd added a commit that referenced this issue Apr 30, 2024
This PR has four commits to simplify reviewing.

- The first is Laura's macro to manipulate the HASHCRYPT interrupt
vector.
- 2nd is pre-main kernel changes to create a staging area for Bootleby
update and to validate the (now) four RoT flash banks and record those
results for use by update_server.
- 3rd are the API changes to support stage0 update including treating
the bootloader as a separate component with A (active) and B
(stage0next) banks.
- last is the code in the RoT update_server to actually update stage0

Before merging this PR, Cargo.toml needs to be edited to reference the
gateway-message-service main branch.
Merging needs to be coordinated with an MGS merge.

Closes #1043, #1404, #1548, #1353,
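The flow proposed in the issue (pre-main verifies a staged Bootleby with the same check used for Hubris-A/B and records the result) and spelled out in the commit message (four RoT banks, stage0 as A/active and B/stage0next), as an added example that is not Hubris code. All bank and status names are assumptions, and `rom_verify` is a toy checksum standing in for the LPC55 ROM signature routine.

```rust
// Added example, not Hubris code. Names are assumptions; `rom_verify` is a
// toy checksum standing in for the LPC55 ROM signature-verification routine.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Verify { Unverified, Valid, Invalid }

/// Early-boot verification result for all four RoT flash banks, recorded
/// before the kernel starts and handed to update_server read-only.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct BootStatus {
    pub hubris_a: Verify,
    pub hubris_b: Verify,
    pub stage0_active: Verify,
    pub stage0_next: Verify,
}
#[derive(Debug, PartialEq, Eq)]
pub enum UpdateError { StagedImageInvalid, StagedImageUnverified }

/// Tag the toy verifier expects in the last 4 bytes (FNV-1a over the body).
pub fn stub_tag(body: &[u8]) -> [u8; 4] {
    body.iter()
        .fold(0x811c_9dc5u32, |h, b| (h ^ *b as u32).wrapping_mul(0x0100_0193))
        .to_le_bytes()
}

/// Stand-in for the ROM check: a real RoT calls the ROM signature routine.
pub fn rom_verify(image: &[u8]) -> Verify {
    if image.len() < 4 { return Verify::Invalid; } // empty/short staging area
    let (body, tag) = image.split_at(image.len() - 4);
    if tag == &stub_tag(body)[..] { Verify::Valid } else { Verify::Invalid }
}

/// Pre-main: verify every bank, including the staged Bootleby, before any
/// task runs; the staged image is checked by the RoT, not by the requester.
pub fn pre_main_verify(a: &[u8], b: &[u8], s0: &[u8], s0next: &[u8]) -> BootStatus {
    BootStatus {
        hubris_a: rom_verify(a),
        hubris_b: rom_verify(b),
        stage0_active: rom_verify(s0),
        stage0_next: rom_verify(s0next),
    }
}

/// update_server: promote stage0next only if early boot recorded it valid.
pub fn activate_stage0_next(status: &BootStatus) -> Result<(), UpdateError> {
    match status.stage0_next {
        Verify::Valid => Ok(()),
        Verify::Invalid => Err(UpdateError::StagedImageInvalid),
        Verify::Unverified => Err(UpdateError::StagedImageUnverified),
    }
}
```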
@lzrd
Contributor Author

lzrd commented May 1, 2024

Closed by PR 1674

@lzrd lzrd closed this as completed May 1, 2024