New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 790041 link

Starred by 1 user
Status: Fixed
Owner:
jorgelo@chromium.org
Closed: Dec 2017
Cc:
rspangler@chromium.org
mnissler@chromium.org
vapier@chromium.org
igo@chromium.org
dnojiri@chromium.org
adurbin@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Task



Sign in to add a comment

EC-EFS: Security Review

Project Member Reported by dnojiri@chromium.org, Nov 30 2017 
We do not allow RO-EC to do USB PD negotiation to reduce the attack surface where vulnerabilities can't be fixed by AU. 

The problem with Fizz (Chromebox) is it doesn't have a battery. Fizz EC needs PD power to boot the AP but PD power can be only given after RW is verified (by the AP).

Our solution is to make EC do its own verification before AP boots (thus it's called EFS=Early Firmware Selection).

The design doc describes the algorithm. Implementation notes describe how we implement the idea. It has all the pointers to the bugs and the patches which have been written for EFS.

Design
https://docs.google.com/document/d/1VJn7a5wi87nTTjRkWAO_uR-cjVvbew51isbBKM_PTg4/edit#heading=h.4udxnk7z5j8n

Implementation
https://docs.google.com/document/d/1vkV8gBLTYA7zq5eYi4EIW5Ni8cveYgaA_-AR14_dVfs/edit#heading=h.opbr08p5wlwy

Comment 1 by vapier@chromium.org, Nov 30 2017

Cc: mnissler@chromium.org
Labels: M-65
my take from b/69321364:

distilling random points from the design doc:
- the normal root key used on CrOS systems is part of the AP RO firmware, hence we typically consider our root of trust to start there.  in reality, the root of trust is the EC RO firmware with newer devices, we've just never signed any of them before, so it's not a big deal.
- the EC RW firmware to do USB PD negotiation is loaded by the EC RO firmware and before anything AP related.  so making it a derivative of the root key doesn't really gain us anything since the root key wouldn't be used to verify the key.
- the EC in existing designs don't have any location to do rollback protection.
- there's no subkeys or any other verification chain here.  there is a single key, independent of anything else, burned into the EC RO by the signer, and used to fully verify the EC RW firmware.
- the EC, at least on the Chromeboxes we're looking at here, doesn't have control over the keyboard or other input signals.

talking to dnojiri@ today, he mentioned that the EC RW firmware is the same across all fizz models.  so all things considered, i don't think we need to pursue generation of sep keys here.

i might reconsider that position if:
- the EC could easily subvert the AP such that it'd be able to inject its own keys at runtime over the ones rooted in the AP firmware (e.g. through memory modification/mapping hacks)
- the EC RW image diverges and we end up shipping diff versions for different fizz models.

Comment 2 by jorgelo@chromium.org, Dec 5 2017

Status: Fixed (was: Untriaged)
So, I took a look at  the doc, reviewed older comments that we had left, and concluded this plan is reasonable, including Mike's observations about keys. Will mark this as fixed.

Sign in to add a comment