<bauen1>
willmore: haven't heard of it yet, but i'm mostly looking for a hardware RISC-V that can run linux without selling a kidney, a few weeks ago rioslabs announced the development of a raspberry pi like RISC-V board (https://rioslab.org/) but so far not much has come of that
<bauen1>
so FEL can also be used to read data (https://linux-sunxi.org/FEL/Protocol FEL_UPLOAD), i.e. to read memory, so either burning the pins or using an SRAM PUF is required to defend against that
<karlp>
trying to defend against physical access? sounds like a fun way to suck time :)
<bauen1>
absolutely
<bauen1>
and if you've got something that is "secure", just increase your attacker's budget and keep going lol
<hramrach>
yes, if you are paranoid you should keep your computer in a locked suitcase and assume it compromised if there is any sign of tampering
<hramrach>
because you might be running trusted code but constructing a small piece of additional hardware that reads your keystrokes or spies on some low-speed bus is quite easy and quite hard to detect
<bauen1>
hramrach: the real elephant in the room is how a human with (limited) no tools can verify the identity or integrity of an object, but this proof also needs to be impossible to fake
<bauen1>
probably impossible
<bauen1>
you don't really need to carry around an entire computer / laptop, you only really need a trusted way of doing I/O (keyboard + screen) and a processor that can do asymmetric encryption
<bauen1>
you don't need any storage if you can memorise a number and a password
<bauen1>
or rather you don't need any trusted storage
<bauen1>
nevermind the $5 iron pipe to the head secret extraction method
<bauen1>
there's also another fun attack vector: only the boot code is signed, not the run address
<bauen1>
so given a valid toc0 file you can modify the TOC0_SERIAL_NUM, TOC0_STATUS, append additional items, the reserved field, and most importantly the run address
<bauen1>
it's basically an arbitrary write of predefined values
<bauen1>
at the very least the boot code needs to handle being loaded to arbitrary addresses
<bauen1>
or controlled code execution if you target it at read-only memory, e.g. the brom
<bauen1>
the secure boot rom verifies that the certificate in the TOC0 matches the one in the SID before executing the code
<bauen1>
after it has verified the signed code it copies it to the run_address specified in the TOC0
<bauen1>
in theory this allows for secure boot, i.e. only boot what has been signed by you
<bauen1>
except that only the code executed is signed, but not the location where it is copied to be executed
<bauen1>
so you could point that wherever you want, the sbrom will (try to) copy the code and then jump to it
<karlp>
and how does the run address matter again?
<asdf28>
i wish i could comment on that but it's beyond my knowledge
<bauen1>
karlp: the sbrom will copy the contents of the toc0 to that location, and then jump to it
<bauen1>
for example if you have your signed code that expects to be loaded at 0x10000, i can load it somewhere else, e.g. 0x1BADBAD and still have it signed
<asdf28>
can you use the uboot bin/fex system with a newer mainline kernel?
<karlp>
bauen1: right..... and?
<bauen1>
you can do a lot of things if you can write to memory
<bauen1>
and that defeats the purpose of secure boot
<asdf28>
:->
<bauen1>
and i think the toc0 is loaded at 0x10000 upwards and the stack grows down from ~0x44ff0 downwards, you can just make a really big toc0 image, overwrite the stack with pointers to your code
<bauen1>
allwinner and secure boot, so close yet so far
<bauen1>
if anyone wants to test my theory on an actual h5 board with secure boot enabled i can probably cook up an image
<bauen1>
smaeul: oh and if you ever dump the nbrom or sbrom of the h6 i would love to take a look at it too