XO-1: RTC anti-rollback
| Field | Value |
| --- | --- |
| Reported by: | wmb@… |
| Owned by: | martin.langhoff |
| Component: | ofw - open firmware |
| Version: | 1.0 Hardware |
| Deployments affected: | |
| Action Needed: | test in release |
The idea is to record boot timestamps in SPI FLASH to guard against clock-rollback attacks on the XO security.
It could be done without FLASH wearout by using several thousand locations in the mfg data page, incrementing to the next location on each boot. Erasure would be very infrequent. For example, if 32K were used, with 4-byte-plus-parity-byte timestamps, that would be 6K reboots before erase/rewrite is needed. That's about 4 reboots per day every day for 5 years.
The current idea is for OFW to convert the RTC date and time to a Unix-style seconds timestamp and write it to the next available location in the mfg data page of SPI FLASH. This would happen in the OFW secure startup sequence before disabling indexed IO. A new EC feature (already prototyped) permits writing to SPI FLASH without having to reboot.
OFW will make the latest timestamp available to the OS via a property in the device tree - details TBD.
OFW will only write increasing timestamps. If the RTC time is less than the last valid (good parity) timestamp, OFW will not write a new timestamp, and the fact that the RTC is too early will be exported to the OS via another device tree property - but the OS will be booted anyway in order to permit the initrd to fix the RTC.
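The append-only timestamp log described above, as an added C illustration (not OFW's own code, which is written in Forth). It simulates the mfg data region as a RAM buffer; the 0xFF erased state, the little-endian 4-byte timestamp, the parity byte computed as the XOR of the four timestamp bytes, and all function names are assumptions, not details from the ticket.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
/* Assumed layout (added example, not OFW's code): erased flash reads 0xFF;
 * each record is a 4-byte little-endian Unix timestamp followed by a parity
 * byte, assumed here to be the XOR of the four timestamp bytes. */
#define REC_LEN   5
#define LOG_SIZE  (32 * 1024)           /* the 32K region from the ticket */
#define NUM_SLOTS (LOG_SIZE / REC_LEN)  /* 6553 records between erases */

typedef struct { uint8_t log[LOG_SIZE]; } spi_flash_t;

static uint8_t parity_of(const uint8_t *rec) { return rec[0] ^ rec[1] ^ rec[2] ^ rec[3]; }

static bool slot_blank(const uint8_t *rec) {
    for (int i = 0; i < REC_LEN; i++) if (rec[i] != 0xFF) return false;
    return true;
}
void flash_erase(spi_flash_t *f) { memset(f->log, 0xFF, LOG_SIZE); }

/* Latest timestamp with good parity (0 if none). Corrupt records are skipped,
 * so the rollback floor is the last *readable* record. *next receives the
 * first blank slot, or NUM_SLOTS when the log is full. */
uint32_t last_good_timestamp(const spi_flash_t *f, int *next) {
    uint32_t last = 0;
    int i;
    for (i = 0; i < NUM_SLOTS; i++) {
        const uint8_t *rec = f->log + i * REC_LEN;
        if (slot_blank(rec)) break;
        if (parity_of(rec) == rec[4])
            last = (uint32_t)rec[0] | (uint32_t)rec[1] << 8 |
                   (uint32_t)rec[2] << 16 | (uint32_t)rec[3] << 24;
    }
    if (next) *next = i;
    return last;
}

/* Secure-startup step: append rtc_now if it does not precede the last good
 * timestamp; otherwise write nothing and report the rollback to the caller
 * (the OS still boots, per the ticket). A full log is erased and restarted. */
bool record_boot(spi_flash_t *f, uint32_t rtc_now) {
    int next = 0;
    if (rtc_now < last_good_timestamp(f, &next)) return false;
    if (next == NUM_SLOTS) { flash_erase(f); next = 0; }
    uint8_t *rec = f->log + next * REC_LEN;
    for (int i = 0; i < 4; i++) rec[i] = (uint8_t)(rtc_now >> (8 * i));
    rec[4] = parity_of(rec);
    return true;
}
```

Note that a record with bad parity lowers the rollback floor to the previous good record, which is the behaviour the ticket's "last valid (good parity) timestamp" wording implies.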
Change History (15)
comment:1 Changed 5 years ago by wmb@…
- Action Needed changed from never set to code
- Status changed from new to assigned
- Summary changed from RTC anti-rollback to XO-1: RTC anti-rollback
comment:5 Changed 5 years ago by Quozl
- Milestone changed from Not Triaged to Future Release
- Version changed from not specified to 1.0 Hardware
comment:6 Changed 5 years ago by wmb@…
- Milestone changed from Future Release to 1.0-firmware-security
comment:14 Changed 3 years ago by wmb@…
- Action Needed changed from code to test in release
- Owner changed from wmb@… to martin.langhoff
- Status changed from assigned to new