xous-core
Stage 1 loader - request for review
The early-stage loader, which runs before the kernel boots, is responsible for things like parsing configuration arguments.
It's also responsible for keeping a backup copy of the kernel arguments and extracting the suspend/resume PID in its dedicated page, for use on the next resume cycle after a suspend.
Currently, there's nothing that prevents the loader stack from overwriting these items, other than the general structure of the code. Generally, we could argue that once signature validation is implemented in the SoC boot rom, and "of course" that includes validating all the kernel arguments, it should be impossible to muck with any of these values on a reboot and thus cause havoc.
However, it's probably advisable to implement some additional defenses here, because the suspend/resume cycle is a vulnerable time for the device and the bootloader has great power over the configuration of the Xous kernel. In particular, a quick review of the code looks like if one could pass invalid arguments to the loader on the configuration of the kernel, one should be able to fabricate some pretty powerful and scary pointers that can manipulate stuff elsewhere in memory.
Obviously, since this is the loader, we don't have an MMU. There might be a number of ways to mitigate this problem; or maybe it's simply sufficient to say "we signature check everything before we run it" and therefore someone mucking with args isn't a problem because they are only ever set by a trusted source. At the very least, I think a few minutes more thought should be put into the issue before simply shoveling it into the bin of sigcheck therefore trust transfer therefore safe.
Note that the current implementation of secure boot includes a stack guard that checks for overrun of the stack. So, at the very least, nominal-path code has some diagnostic ability to avoid this outcome.
Leaving the issue open, though, because probably more thought should be put into red-teaming some of the assumptions here.
Closing as no activity on this for a long time.