Introduce boot warning print for vanilla developer builds #4987
@@ -103,6 +103,9 @@ static TEE_Result csu_init(void) | |||
const struct csu_config *csu_config = NULL; | |||
const struct csu_setting *csu_setting = NULL; | |||
|
|||
if (IS_ENABLED(CFG_IMX_INSECURE_CSU_SETTING)) | |||
IMSG("Device running with an insecure setting, consult the security reference manual from NXP"); |
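Review bot: the string in the added IMSG() call says only "an insecure setting", so someone reading the boot log cannot tell that the CSU configuration is what needs attention; name the CSU in the message. The print is also conditioned only on the build flag CFG_IMX_INSECURE_CSU_SETTING, so it reports how the image was built rather than what csu_init() goes on to program, and the wording should not read as a statement about the device's actual state.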
I believe we allow long debug print lines since a while back?
May I suggest something like:
IMSG("Device running with an open security settings, please refer to OP-TEE i.MX platform documentation");
?
OPTEE i.MX documentation being the readthedocs page where NXP will add the disclaimer.
Edit: In the end, I agree with @jforissier and @jenswi-linaro. I'm pretty sure other platforms feature equivalent mechanisms. Even optee core has some default insecure configuration (as mentioned for default_ta.pem). Would a global warning for all platforms make more sense?
This warning would redirect people to the documentation for additional information.
core/arch/arm/plat-imx/conf.mk
# For more information about some of the implications when not setting this | ||
# correctly can be found at: | ||
# - https://github.com/OP-TEE/optee_os/security/advisories/GHSA-6q85-3ph3-rm47 | ||
# - https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4pqr-q8rf-8464 |
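Review bot: the comment sentence that starts "For more information about some of the implications when not setting this" does not parse once it continues with "can be found at:" on the next line. Reword it, for example "More information about the implications of not setting this correctly can be found at:".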
This URL is currently only working for OP-TEE admins. But once we've moved it to "public" it will work for anyone.
Like you (probably) I'd like we could do better, but I have nothing to suggest. This all looks reasonable and acceptable to me, so:
Acked-by: Jerome Forissier <jerome@forissier.org>
Pushing a bit further... shouldn't a similar message be printed for all devices? As you said, issues were reported related to the IMX CSU, but different platforms have equivalent mechanisms. Or you want to be able to point the downstream user to specific things?
if (IS_ENABLED(CFG_IMX_INSECURE_CSU_SETTING)) | ||
IMSG("Device running with an insecure setting, consult the security reference manual from NXP"); |
Yes I think there was a consensus. That being said, you could as well print two lines:
if (IS_ENABLED(CFG_IMX_INSECURE_CSU_SETTING)) | |
IMSG("Device running with an insecure setting, consult the security reference manual from NXP"); | |
if (IS_ENABLED(CFG_IMX_INSECURE_CSU_SETTING)) { | |
IMSG("Device running with an insecure setting!"); | |
IMSG("Consult the security reference manual from NXP"); | |
} |
Would "possibly running" be more accurate?
I don't really see how this helps. The embedded core image may contain mis-configured security elements with or w/o the switch enabled.
From a platform user perspective, I think I would expect platform refuses to boot or provide some services when CFG_INSECURE_SETTINGS=n and something is badly configured.
core/arch/arm/plat-imx/conf.mk
# accordingly. NXP shares the security reference manual with their partners | ||
# under a NDA. I.e., partners will need to sign a NDA with NXP to get hold | ||
# of the security reference manual. Because of this the OP-TEE project | ||
# cannot and are not allowed to share the security reference manual. |
s/are/is/
if (IS_ENABLED(CFG_IMX_INSECURE_CSU_SETTING)) | ||
IMSG("Device running with an insecure setting, consult the security reference manual from NXP"); |
I don't really see how this helps. The embedded core image may contain mis-configured security elements with or w/o the switch enabled.
From a platform user perspective, I think I would expect platform refuses to boot or provide some services when CFG_INSECURE_SETTINGS=n and something is badly configured.
Agree, that would include to use |
Hi @jbech-linaro, thanks for your help.
Please see my comments
core/arch/arm/plat-imx/conf.mk
@@ -460,5 +460,30 @@ CFG_IMX_CAAM ?= y | |||
endif | |||
endif | |||
|
|||
# This is only here to force an informative print showing that the device runs |
I would wait for NXP to publish the disclaimer before adding this chunk of text. Some information added in this file will also be specified in the disclaimer NXP is currently working on.
I would also personally prefer to have explanatory text in the documentation rather than in the source code.
Let me know if waiting for the disclaimer before merging is okay for you.
core/arch/arm/plat-imx/conf.mk
# correctly can be found at: | ||
# - https://github.com/OP-TEE/optee_os/security/advisories/GHSA-6q85-3ph3-rm47 | ||
# - https://github.com/OP-TEE/optee_os/security/advisories/GHSA-4pqr-q8rf-8464 | ||
CFG_IMX_INSECURE_CSU_SETTING ?= y |
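Review bot: on the "CFG_IMX_INSECURE_CSU_SETTING ?= y" line the default is a conditional assignment, so any earlier definition of the variable, including one given on the make command line, switches the warning off without any change to the CSU tables. The comment above the flag should state that "n" is only appropriate once the CSU configuration has been brought in line with the security reference manual, so the flag is not read as the fix itself.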
Please disable this for i.MX6UL, upstream OP-TEE configures the CSU correctly for this variant.
This is not correct, the i.MX6UL configuration is also incorrect per upcoming advisory.
This is not correct, the i.MX6UL configuration is also incorrect per upcoming advisory.
Please either post the info directly or point me to the advisory as soon as it becomes available.
Our advisory is now public here
@jenswi-linaro @jforissier @etienne-lms @clementfaure @Emantor , there was a lot of feedback in this PR. Let me try to summarize here:
General warning
optee_docs and not the code
Print gives false impression
Thanks @jbech-linaro for the wrap-up 👍
@jbech-linaro here is my proposal.
Hi @jbech-linaro,
Looking good Jerome. I'll rework and reuse this PR. Stay tuned.
2b7adb1 to 3ae7c04
@OP-TEE/maintainers, I've pushed another patch hopefully capturing the last set of comments. Please have a look.
Looks reasonable to me:
3ae7c04 to f5fb244
Thanks, I've added the R-B/A-B tags found so far, so the PR should be ready to merge. But if others would like to have the tag as well, please let me know and I'll add them as well.
f5fb244 to df79392
Added your tag as well, thanks!
OP-TEE is a reference implementation for developers and device manufacturers, which implies that there always is a need to fill in missing pieces that cannot be done generically. The chipmakers often have additional security configurations that need to be configured according to the chipmakers' security guidelines and security specifications. To reduce the likelihood of running a vanilla configured OP-TEE we introduce the flag CFG_WARN_INSECURE that will give warning messages in the boot saying that the OP-TEE runs a configuration that might be insecure. The intention is that the device manufacturer making the end products should change the flag to "n" after implementing stubbed functionality in OP-TEE and configuring their device according to the chipmakers' security guidelines and security specifications.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
df79392 to f49f38d
Tag added!
@jbech-linaro thanks!
Recent security issues reported to the OP-TEE project covering iMX-devices have mostly been about the current CSU configuration in the OP-TEE project. The purpose of this PR is to reduce the likelihood of configuring plat-imx incorrectly. It's simply a debug print. It might seem overkill to have something like this, but I think we've seen enough reports now that we can justify adding this.