<parabyte>
i got mainline uboot working on a random h3 android board, can anyone suggest ways i can copy the firmware off its mmc and dump it over tftp?
<parabyte>
or suggest any documentation i can read
thefloweringash has left #linux-sunxi ["User left"]
tmlind has joined #linux-sunxi
jstefanop has quit [Ping timeout: 260 seconds]
tmlind has quit [Client Quit]
tmlind has joined #linux-sunxi
dlan_ has quit [Quit: leaving]
dlan has joined #linux-sunxi
jstefanop has joined #linux-sunxi
jstefanop has quit [Ping timeout: 260 seconds]
camus has joined #linux-sunxi
kaspter has quit [Ping timeout: 260 seconds]
camus is now known as kaspter
chewitt has joined #linux-sunxi
Kooda has left #linux-sunxi ["WeeChat 2.8"]
ganbold_ has quit [Read error: Connection reset by peer]
jstefanop has joined #linux-sunxi
jstefanop has quit [Ping timeout: 245 seconds]
ganbold has joined #linux-sunxi
apritzel has joined #linux-sunxi
maciejjo has quit [Quit: leaving]
maciejjo has joined #linux-sunxi
maciejjo is now known as msob
ldevulder has quit [Remote host closed the connection]
pg12 has quit [Quit: pg12]
prefixcactus has joined #linux-sunxi
pg12 has joined #linux-sunxi
pg12 has quit [Client Quit]
pg12 has joined #linux-sunxi
pg12 has quit [Quit: pg12]
pg12 has joined #linux-sunxi
ldevulder has joined #linux-sunxi
pg12 has quit [Quit: pg12]
pg12 has joined #linux-sunxi
pg12 has quit [Client Quit]
pg12 has joined #linux-sunxi
Asara has quit [Read error: Connection reset by peer]
Asara has joined #linux-sunxi
<apritzel>
parabyte: CONFIG_TFTP_PUT (plus allowing this is on the server side)
<apritzel>
parabyte: or you simply use an SD card
anarsoul|2 has quit [Ping timeout: 240 seconds]
<apritzel>
parabyte: but indeed as arti said: UMS sounds like the easiest solution, albeit a bit slow, maybe
anarsoul has joined #linux-sunxi
<apritzel>
parabyte: sorry, the symbol for TFTP is CONFIG_CMD_TFTPPUT
prefixcactus has quit [Ping timeout: 260 seconds]
prefixcactus has joined #linux-sunxi
chewitt_ has joined #linux-sunxi
prefixcactus has quit [Quit: No Ping reply in 180 seconds.]
prefixcactus has joined #linux-sunxi
chewitt has quit [Ping timeout: 260 seconds]
Mangy_Dog has joined #linux-sunxi
Mangy_Dog has quit [Changing host]
Mangy_Dog has joined #linux-sunxi
camus has joined #linux-sunxi
kaspter has quit [Ping timeout: 260 seconds]
camus is now known as kaspter
jstefanop has joined #linux-sunxi
jstefanop has quit [Ping timeout: 252 seconds]
camus has joined #linux-sunxi
kaspter has quit [Ping timeout: 260 seconds]
camus is now known as kaspter
fl_0 has quit [Quit: STRG + Q]
fl_0 has joined #linux-sunxi
fl_0 has quit [Quit: STRG + Q]
fl_0 has joined #linux-sunxi
<parabyte>
apritzel, arti iv never done anything like this before, so im assuming i use the mmc read command to put what ever flash region into ram then i use tftp or usb or what ever means to move or save that ram region right?
<apritzel>
parabyte: yes
<apritzel>
if your box has 1GB of DRAM, you could surely do chunks of say 768 MB
<apritzel>
which would become tedious, but can be scripted, I guess
<parabyte>
im tempted to try and boot armbian on it now when i get in later from work
<parabyte>
i know my way around gnu/linux
<apritzel>
at which point USB OTG (UMS) shines, because you have the full eMMC accessible on your host
<parabyte>
oh
fl_0 has quit [Quit: STRG + Q]
<parabyte>
actually i will push on with u-boot this sounds powerful toolage!
<apritzel>
parabyte: or you boot some minimal Linux on the box and take it from there
<apritzel>
some initrd, for instance
<parabyte>
i think i will push on with uboot, im finding this educational exercise stimulating, and i have recently been tempted about using uboot as a payload on my coreboot system for tinkering reasons
<apritzel>
yes, U-Boot is a nice hacking tool ;-)
fl_0 has joined #linux-sunxi
<apritzel>
in Linux you can easily "dd" the eMMC block device, either to a big enough SD card, or pipe through ssh or netcat to some other machine
<parabyte>
haha i know that one apritzel im a 14+ veteran of broadcom soc's with openwrt
<parabyte>
14+ years
<parabyte>
just recently got sick of broadcom's cfe and i find u-boot very refreshing in comparison
fl_0 has quit [Client Quit]
fl_0 has joined #linux-sunxi
specing_ has joined #linux-sunxi
suniel has joined #linux-sunxi
<suniel>
Hi all, I am exploring secure boot on Allwinner H3 chipset based targets
<suniel>
please suggest me any documentation/blog or github for information on secureboot for H3. Thanks
specing has quit [Ping timeout: 240 seconds]
specing_ is now known as specing
<apritzel>
suniel: good luck with that ;-)
<suniel>
apritzel: thanks for the luck
<apritzel>
I am not sure many people have attempted this before
<apritzel>
your best bet is probably that it's close to what the A64 does
<apritzel>
basically you blow the secure boot fuse, and from then on the SBROM takes over the boot process and looks for TOC0 images instead of eGON images
<suniel>
apritzel: okay, noted
<suniel>
apritzel, can you refer me any document/github/blog on A64 secure boot ? Thanks
<apritzel>
suniel: searching the Wiki for TOC0 should give you some breadcrumbs to follow
<suniel>
apritzel, thanks for the advice. will do that
<apritzel>
suniel: but be warned that this is somewhat uncharted territory and undocumented "rocket science", so you should know what you do
mmarc__ has quit [Remote host closed the connection]
<bauen1>
suniel: you should also take a look at the chatlogs of this channel, as not everything has made its way into the wiki
mmarc__ has joined #linux-sunxi
<suniel>
bauen1, you mean about secure boot for H3 ?
<bauen1>
suniel: well, secureboot for allwinner in general, keywords: a64, h6, toc0, sbrom, efuse, fuse
<suniel>
bauen1: thanks for the advice. will go through the logs
<bauen1>
suniel: also what exactly is your usecase ?
<bauen1>
suniel: oh and just a heads-up secureboot on devices including the h6 and earlier are probably insecure to some extend
atsampson has quit [Ping timeout: 250 seconds]
jaganteki has joined #linux-sunxi
suniel has quit [Quit: Connection closed]
atsampson has joined #linux-sunxi
suniel has joined #linux-sunxi
<suniel>
bauen1: we want to implement secure boot authentication and encryption for H3 SOC based target
<suniel>
summary we want to secure images from bootloader to rootfs
jstefanop has quit [Remote host closed the connection]
jstefanop has joined #linux-sunxi
jstefanop has quit [Ping timeout: 265 seconds]
jaganteki has quit [Quit: Connection closed]
<bauen1>
suniel: that's possible to do (i've at least attempted it on a pine h64) but it won't be secure if the h3 sbrom is anything similiar to the h6 sbrom
random_yanek has quit [Ping timeout: 250 seconds]
<bauen1>
with u-boot i had a sbrom -> toc0 signed-image spl -> u-boot -> linux + initrd ; where the spl and u-boot itself both do signature checks
<suniel>
bauen1: so chain of trust is continued till linux + initrd (like sbrom verifies spl, spl verifies uboot and uboot verifies linux)
<suniel>
bauen1: so you are saying that, you have attempted secure boot on H6 and eventually found out that H6 sbrom is not secure(meaning secure boot not achieved) ?
<bauen1>
suniel: yes
<bauen1>
suniel: well, the h6 does implement signature verification of the bootloader, but there's 1-2 bugs that allow one to bypass it if you have write access to the boot medium (so linux root or basic physical access)
cmeerw has joined #linux-sunxi
random_yanek has joined #linux-sunxi
<suniel>
bauen1: thats a good experience you shared, then i will do research BROM a bit
<suniel>
bauen1: search on google, looks like couple of people have implemented secure boot on H3, but findings are not that clear
netlynx has joined #linux-sunxi
netlynx has joined #linux-sunxi
mmarc__ has quit [Remote host closed the connection]
<smaeul>
^ that implementation works for signed SPL on A64/H5/H6
<smaeul>
however there's no support in the SBROM for SPL encryption, so you would need some unencrypted stub and do the decryption yourself
<suniel>
bauen1: is it possible to share any document/writeup(if it exists - which has some sort of steps) for the secureboot you implemented on H6
<smaeul>
this u-boot toc0 branch may work for H3 as well, but I have not tried it
<smaeul>
suniel: you should describe your threat model. if you want to defend against an attacker with hardware access, you are out of luck
<bauen1>
smaeul: suniel: you could still use the efuses to store a secret key (but that is subjected to limitations) coupled with secure boot
<bauen1>
suniel: i've never published anything, but if you can explain your threat model a bit i can tell you if it's possible to achive on the H6 (and therefor likely to be achievable on the H3)
<bauen1>
actually there's an u-boot branch where i pushed some of my tests
<apritzel>
suniel: that's what I meant earlier: there is no howto for this, to follow some easy steps. You have to understand the code and work this out yourself, mostly
<bauen1>
and secure boot on allwinner is very rarely used (because there's no documentation and because the implementation is often broken)
<apritzel>
and given that those secure boot requirements typically come with a commercial background, that's probably fair enough, I'd say ;-)
<bauen1>
another thing, with most allwinner chips there's fel that gives you execution access over usb, and that usually can't be disabled ; and fel can often be used to read/write the efuses again breaking secureboot if you have usb access
<apritzel>
suniel: so long story short: if you want secure boot, go i.MX or the like :-D
camus has joined #linux-sunxi
kaspter has quit [Remote host closed the connection]
camus is now known as kaspter
<bauen1>
btw is there anything known about allwinners risc-v chip security features (if any) ?
jaganteki has joined #linux-sunxi
<suniel>
smaeul: when you say "however there's no support in the SBROM for SPL encryption". are you taking about SPL decryption ?
<suniel>
apritzel: when you say "You have to understand the code and work this out yourself, mostly", are you taking about uboot or brom code ?
<apritzel>
suniel: probably both, but at least the U-Boot part. People sharing this code is actually more than you could hope for ...
<apritzel>
suniel: ideally you wouldn't need the SBROM, but given the level of available documentation this is probably your best reference
dev1990 has joined #linux-sunxi
<apritzel>
this is at least what smaeul and bauen1 did ...
Throwawayname has joined #linux-sunxi
Throwawayname has quit [Max SendQ exceeded]
<suniel>
apritzel, bauen1, smaeul: thanks guys for your inputs
<suniel>
the above link looks like allwinner has opened brom code for H3 ?
<jernej>
that is boot0 code, what is SPL in mainline U-Boot, if I'm not mistaken
<suniel>
apritzel, bauen1, smaeul: when you say: "with most allwinner chips there's fel that gives you execution access over usb, and that usually can't be disabled ; and fel can often be used to read/write the efuses again breaking secureboot if you have usb access"
<suniel>
meaning even if we implement secure boot, if the hacker gets access to fel, then he can change contents of efuses breaking the secure boot model
<suniel>
is myunderstanding correct ?
<suniel>
jernej: yes i think you are correct, it is the SPL code
<jaganteki>
I'm not sure about this point, I remember correctly Jun Nie(Linaro) has tried this before.