
Transition from vboot to CBFS_VERIFICATION

Open miczyg1 opened this issue 4 months ago • 6 comments

Vboot has its own advantages and disadvantages. Sometimes it causes problems when updating the firmware with some distant base revisions. A few problems have been pointed out at a leadership meeting as well.

Transition to CBFS verification would get rid of those problems, but of course new problems would arise. But let's start with the actions required to migrate:

  1. Disable VBOOT and enable CBFS_VERIFICATION in board configs.
  2. Make the BIOS boot medium lock work without vboot. coreboot Kconfig in upstream does not allow setting a lock for a specified region in flash: either the whole flash or nothing. We should be able to specify at least an FMAP region name to be locked (which I added on one of the two dasharo branches of coreboot). Ideally each board should have a WP_RO region covering at least COREBOOT and FMAP (in some cases maybe even more) and have the WP_RO region locked without vboot enabled. This will be a pure convention each board should comply with to get the lock working properly.
  3. Add a new test to check that CBFS VERIFICATION is present.
  4. Do not run vboot tests if the firmware does not support it.

That's basically the extent of work needed. Some platforms with small flashes already leverage it.

Advantages:

  1. Simpler update process, just one copy of the firmware.
  2. No problems with resets, switches to different partitions, scary pop-ups in the payload.
  3. No more problems with reproducibility and custom vboot signing keys.
  4. Adding CBFS files will not require resigning of the image, e.g. with CBFS UUID and serial number.
  5. Potentially faster boot time with less verification logic to execute.

Disadvantages:

  1. No redundancy in the firmware. If CBFS VERIFICATION fails, we have a brick.
  2. Firmware will no longer be cryptographically verified. CBFS VERIFICATION is pure SHA256 hash verification.
  3. Loading a custom logo will require enabling the option to run decompression algorithms on potentially unverified and untrusted files, i.e. the logo CBFS file is placed in a separate CBFS region which is untrusted (not covered by CBFS verification). Enabling this option weakens the security of CBFS VERIFICATION.

miczyg1 avatar Oct 02 '24 12:10 miczyg1
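The following is an added illustration, not code from the issue, from coreboot or from Dasharo: a deliberately simplified Python model of hash-anchored CBFS verification, written to make the trade-offs above concrete. A root hash over the file metadata (which carries a per-file content hash) is "embedded in the bootblock"; verifying a file first checks the metadata against that anchor and then the file against its metadata hash. The metadata layout, file names, key bytes and the logo region are all constructed for the example and do not reproduce the real CBFS format or cbfstool. The keyed check uses an HMAC as a stand-in for a public-key signature, since the stdlib has no RSA; the point it makes (an unkeyed hash can be recomputed by anyone who can write the anchor, a signature cannot) carries over.

```python
"""Toy model of hash-anchored CBFS verification (constructed example)."""
from __future__ import annotations

import hashlib
import hmac

# Constructed sample contents of a verified (RO) CBFS and an untrusted logo region.
RO_FILES = {
    "fallback/romstage": b"romstage-code-v1",
    "fallback/ramstage": b"ramstage-code-v1",
    "config": b"CONFIG_CBFS_VERIFICATION=y\n",
}
LOGO = {"logo.bmp": b"BM" + b"\x00" * 16}


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_metadata(files: dict[str, bytes]) -> bytes:
    """Serialize (name, size, content hash) per file; the content hash plays the
    role of the per-file hash attribute that verification later checks."""
    out = []
    for name in sorted(files):
        data = files[name]
        out.append(name.encode() + b"\0" + len(data).to_bytes(4, "big") + sha256(data))
    return b"".join(out)


def parse_metadata(meta: bytes) -> dict[str, tuple[int, bytes]]:
    entries, pos = {}, 0
    while pos < len(meta):
        end = meta.index(b"\0", pos)                  # name is NUL-terminated
        size = int.from_bytes(meta[end + 1:end + 5], "big")
        entries[meta[pos:end].decode()] = (size, meta[end + 5:end + 37])
        pos = end + 37                                # 1 NUL + 4 size + 32 digest
    return entries


def build_image(ro_files, untrusted_files=None, signing_key=None):
    meta = build_metadata(ro_files)
    image = {"ro": dict(ro_files), "untrusted": dict(untrusted_files or {}),
             "metadata": meta, "anchor": sha256(meta)}   # anchor = what the bootblock embeds
    if signing_key is not None:                          # stand-in for a vboot-style signature
        image["signature"] = hmac.new(signing_key, meta, "sha256").digest()
    return image


def verify_file(image, name, trusted_anchor, verify_key=None) -> bool:
    meta = image["metadata"]
    if verify_key is not None:
        expected = hmac.new(verify_key, meta, "sha256").digest()
        if not hmac.compare_digest(image.get("signature", b""), expected):
            return False
    if not hmac.compare_digest(sha256(meta), trusted_anchor):   # metadata vs bootblock anchor
        return False
    entry = parse_metadata(meta).get(name)
    data = image["ro"].get(name)
    if entry is None or data is None or len(data) != entry[0]:
        return False
    return hmac.compare_digest(sha256(data), entry[1])          # file vs its metadata hash


def scenario_locked_anchor_tamper() -> bool:
    """ramstage rewritten, but WP_RO keeps the bootblock anchor intact: verification
    fails, and with a single firmware copy there is nothing to fall back to."""
    image = build_image(RO_FILES)
    locked_anchor = image["anchor"]
    image["ro"]["fallback/ramstage"] = b"ramstage-code-EVIL"
    return verify_file(image, "fallback/ramstage", locked_anchor)


def scenario_unlocked_anchor_tamper() -> bool:
    """Whole flash writable, anchor included: the attacker rebuilds metadata and
    anchor and the tampered image verifies, because no key is involved."""
    evil = {**RO_FILES, "fallback/ramstage": b"ramstage-code-EVIL"}
    image = build_image(evil)
    return verify_file(image, "fallback/ramstage", image["anchor"])


def scenario_keyed_tamper() -> bool:
    """Same rewrite, but metadata must carry a keyed signature whose key the
    attacker lacks: the recomputed image fails even with the anchor under control."""
    evil = {**RO_FILES, "fallback/ramstage": b"ramstage-code-EVIL"}
    image = build_image(evil, signing_key=b"attacker-guess")
    return verify_file(image, "fallback/ramstage", image["anchor"], verify_key=b"vendor-key")


def scenario_untrusted_logo() -> tuple[bool, bool]:
    """The logo lives outside the verified region: replacing it is invisible to
    verification, so any parser/decompressor run on it handles untrusted input."""
    image = build_image(RO_FILES, untrusted_files=LOGO)
    image["untrusted"]["logo.bmp"] = b"BM" + b"\xff" * 1024
    ro_ok = verify_file(image, "fallback/romstage", image["anchor"])
    logo_covered = "logo.bmp" in parse_metadata(image["metadata"])
    return ro_ok, logo_covered


if __name__ == "__main__":
    print("locked anchor, tampered file verifies:", scenario_locked_anchor_tamper())
    print("unlocked anchor, tampered file verifies:", scenario_unlocked_anchor_tamper())
    print("keyed check, tampered file verifies:", scenario_keyed_tamper())
    print("(RO verifies, logo covered):", scenario_untrusted_logo())
```

The second scenario is the practical caveat behind items 1 and 2 of the disadvantage list: a hash-only scheme is only as strong as the write protection on the anchor, which is why the WP_RO lock from step 2 has to cover the bootblock and not just COREBOOT and FMAP.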