jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 23980
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspberry Pi 4 usb boot?

Mon Sep 02, 2019 6:21 am

jcyr wrote:
Mon Sep 02, 2019 12:04 am
jamesh wrote:
Sun Sep 01, 2019 6:37 pm
BTW, I know of no disgruntled Brcm employees. And there certainly are no RPi ones!
Retired from Broadcom as master engineer after a 20 year stint. Plenty of disgruntled engsineers along the way. Certainly not a majority, but plenty still. Was a great company till Avago took over, not so much since...
Sorry, was talking about VC4 experienced engineers with access to internal details relevant to the topic.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

timg236
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 246
Joined: Thu Jun 21, 2018 4:30 pm

Re: Raspberry Pi 4 usb boot?

Mon Sep 02, 2019 9:52 am

jamesh wrote:
Mon Sep 02, 2019 6:19 am
andrum99 wrote:
Sun Sep 01, 2019 7:06 pm
jamesh wrote:
Sun Sep 01, 2019 6:37 pm
Don't forget that a recovery.bin on a fresh SD card will ALWAYS recover the system and remove any malware that, in very unlikely circumstances, corrupt the EEPROM.

BTW, I know of no disgruntled Brcm employees. And there certainly are no RPi ones!
<fud> Since the VLI USB controller firmware is also rewriteable, it is possible to insert malware in there, and have it reinfect the EEPROM.</fud>
I don't believe that is technically possible as the VLI controller cannot access Arm Memory space, and therefore get at the eeprom. But will ask around.
The VLI EEPROM can / is updated over PCIe but that requires root privileges. I can't be bothered to find the link but there was a post where a beta VLI was shared.

From a security point of view the ROM will always load recovery.bin in preference to the the EEPROM. The means you can always boot a Pi4 from a clean SD-CARD and force both EEPROMs into a known good state before malware has any change to run.

VLI updates may move to recovery.bin to avoid the tedious PCI rescan/remove step but after network boot is at least in beta.

andrum99
Posts: 870
Joined: Fri Jul 20, 2012 2:41 pm

Re: Raspberry Pi 4 usb boot?

Mon Sep 02, 2019 10:03 am

jamesh wrote:
Mon Sep 02, 2019 6:19 am
andrum99 wrote:
Sun Sep 01, 2019 7:06 pm
jamesh wrote:
Sun Sep 01, 2019 6:37 pm
Don't forget that a recovery.bin on a fresh SD card will ALWAYS recover the system and remove any malware that, in very unlikely circumstances, corrupt the EEPROM.

BTW, I know of no disgruntled Brcm employees. And there certainly are no RPi ones!
<fud> Since the VLI USB controller firmware is also rewriteable, it is possible to insert malware in there, and have it reinfect the EEPROM.</fud>
I don't believe that is technically possible as the VLI controller cannot access Arm Memory space, and therefore get at the eeprom. But will ask around.
Does this mean the code in the EEPROM runs on the ARM, or just that it is mapped into ARM memory space, in addition to VPU space?

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 23980
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspberry Pi 4 usb boot?

Mon Sep 02, 2019 11:10 am

andrum99 wrote:
Mon Sep 02, 2019 10:03 am
jamesh wrote:
Mon Sep 02, 2019 6:19 am
andrum99 wrote:
Sun Sep 01, 2019 7:06 pm

<fud> Since the VLI USB controller firmware is also rewriteable, it is possible to insert malware in there, and have it reinfect the EEPROM.</fud>
I don't believe that is technically possible as the VLI controller cannot access Arm Memory space, and therefore get at the eeprom. But will ask around.
Does this mean the code in the EEPROM runs on the ARM, or just that it is mapped into ARM memory space, in addition to VPU space?
Neither, but to program the EEPROM I think you usually go via the ARM.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

bjtheone
Posts: 326
Joined: Mon May 20, 2019 11:28 pm
Location: Kanata, Ontario, Canada

Re: Raspberry Pi 4 usb boot?

Mon Sep 02, 2019 2:46 pm

asavah wrote:
Sun Sep 01, 2019 4:16 pm
bjtheone wrote:
Sun Sep 01, 2019 3:02 pm
If the EEPROM is writable and accessible it is hackable.
To make use of "hackable" EEPROM on the pi4 one would need to:
1a) hack the os remotely and gain root access.
or
1b) have local physical access

2) Have deep knowledge of VC4/6 hardware and software architecture and have knowledge of and access to all the needed tools to build their own bootloader code which is closed source and AFAIK is very peculiar architecture, I think the amount of people in the world capable of writing their own malicious vc4/6 bootloader is very small, like a dozen or two of persons.

Please stop spreading the FUD.
if there is external access and the device is rewrite-able it is hackable. Period. I am not spreading FUD. I did not say that it would be simple nor even likely. I find it sad when people try an label facts they are uncomfortable with as FUD. Please feel free to explain why in cannot be done, which is very different that it is unlikely to be done.

Do I think it likely that someone will spend the effort necessary to hack Pi's when there are much more lucrative targets available, no I don't. I personally am not worried about it, as my computers live behind a reasonable firewall, with strong passwords, whitelisting., with a solid backup strategy. I also don't download and run stuff that I cannot verify. Not running Windows on any computers also most a long way to avoiding malware. That is all the is required to stay safe from the run of the mill stuff.

However, that is very different that saying that it can't be done. The most likely vector is some idiot making a broken image and convincing people to flash it via social engineering.

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 23980
Joined: Sat Jul 30, 2011 7:41 pm

Re: Raspberry Pi 4 usb boot?

Mon Sep 02, 2019 3:29 pm

bjtheone wrote:
Mon Sep 02, 2019 2:46 pm
asavah wrote:
Sun Sep 01, 2019 4:16 pm
bjtheone wrote:
Sun Sep 01, 2019 3:02 pm
If the EEPROM is writable and accessible it is hackable.
To make use of "hackable" EEPROM on the pi4 one would need to:
1a) hack the os remotely and gain root access.
or
1b) have local physical access

2) Have deep knowledge of VC4/6 hardware and software architecture and have knowledge of and access to all the needed tools to build their own bootloader code which is closed source and AFAIK is very peculiar architecture, I think the amount of people in the world capable of writing their own malicious vc4/6 bootloader is very small, like a dozen or two of persons.

Please stop spreading the FUD.
if there is external access and the device is rewrite-able it is hackable. Period. I am not spreading FUD. I did not say that it would be simple nor even likely. I find it sad when people try an label facts they are uncomfortable with as FUD. Please feel free to explain why in cannot be done, which is very different that it is unlikely to be done.

Do I think it likely that someone will spend the effort necessary to hack Pi's when there are much more lucrative targets available, no I don't. I personally am not worried about it, as my computers live behind a reasonable firewall, with strong passwords, whitelisting., with a solid backup strategy. I also don't download and run stuff that I cannot verify. Not running Windows on any computers also most a long way to avoiding malware. That is all the is required to stay safe from the run of the mill stuff.

However, that is very different that saying that it can't be done. The most likely vector is some idiot making a broken image and convincing people to flash it via social engineering.
Not sure anyone said it could not be done, what was said that it's not possible to brick it as you can ALWAYS recover the system to a known good state with the SD card with recovery.bin on it.

And of course you do need superuser write to write to the EEPROM in the first place, but social engineer would be possible.

Note that the bootloader is not ARM, it runs on the Videocore processor so uses Videocore instructions.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

ejolson
Posts: 3732
Joined: Tue Mar 18, 2014 11:47 am

Re: Raspberry Pi 4 usb boot?

Mon Sep 02, 2019 4:36 pm

bjtheone wrote:
Mon Sep 02, 2019 2:46 pm
asavah wrote:
Sun Sep 01, 2019 4:16 pm
bjtheone wrote:
Sun Sep 01, 2019 3:02 pm
If the EEPROM is writable and accessible it is hackable.
To make use of "hackable" EEPROM on the pi4 one would need to:
1a) hack the os remotely and gain root access.
or
1b) have local physical access

2) Have deep knowledge of VC4/6 hardware and software architecture and have knowledge of and access to all the needed tools to build their own bootloader code which is closed source and AFAIK is very peculiar architecture, I think the amount of people in the world capable of writing their own malicious vc4/6 bootloader is very small, like a dozen or two of persons.

Please stop spreading the FUD.
However, that is very different that saying that it can't be done. The most likely vector is some idiot making a broken image and convincing people to flash it via social engineering.
If a sociable engineer posting for the first time claimed to have created a new EEPROM image that supported USB boot and gave a link here, how many people do you think would try it out? What if some virtual trolls posted that it actually worked and did indeed support USB boot?

Along different lines I've been thinking about how to create a second-stage kernel-based boot loader that could perform USB boot and secure network boot over SSL. However, it's likely to be slow and require enabling and disabling SMP on a running Linux kernel so that kexec chain loading works. I've already finished the most difficult part: finding a good name for the boot loader. Instead of grub, I've decided to call it slug.

bjtheone
Posts: 326
Joined: Mon May 20, 2019 11:28 pm
Location: Kanata, Ontario, Canada

Re: Raspberry Pi 4 usb boot?

Mon Sep 02, 2019 5:17 pm

jamesh wrote:
Mon Sep 02, 2019 3:29 pm
Not sure anyone said it could not be done, what was said that it's not possible to brick it as you can ALWAYS recover the system to a known good state with the SD card with recovery.bin on it.

And of course you do need superuser write to write to the EEPROM in the first place, but social engineer would be possible.

Note that the bootloader is not ARM, it runs on the Videocore processor so uses Videocore instructions.
My issue was with the "stop spreading the FUD" comment someone made. Having a rational discussion about possibilities is not FUD. Unfortunately Debian is not the worlds most secure Linux distro, and Raspbian as shipped is even worse. I completely understand the security decisions RPT has made and do not disagree with them. However by default it has a known user/password and many folks will put it up on a network with open routers with factory passwords. Not a particularly high bar. The 4 is as far as I know the first one with a reflashable bootloader which opens up the possibilities of persistent hacks.

bjtheone
Posts: 326
Joined: Mon May 20, 2019 11:28 pm
Location: Kanata, Ontario, Canada

Re: Raspberry Pi 4 usb boot?

Mon Sep 02, 2019 5:26 pm

ejolson wrote:
Mon Sep 02, 2019 4:36 pm
If a sociable engineer posting for the first time claimed to have created a new EEPROM image that supported USB boot and gave a link here, how many people do you think would try it out? What if some virtual trolls posted that it actually worked and did indeed support USB boot?
Sadly I don't agree with your assessment, if you are suggesting that no one would try it (is hard to figure out which way your statement should be taken). If such a person posted on the Raspberry Pi forums they would quickly be debunked. However, I still bet someone would try it before a moderator got to them. Many (most ?) people really do not have a clue about computers. They are magic black boxes that do stuff. Admittedly the bar is raised somewhat by the Pi not being a mainstream computer, but I am amazed by what people are willing to blindly run/try

There are unfortunately also lots of other venues to put up such crap and drive searches to.

User avatar
Gavinmc42
Posts: 3936
Joined: Wed Aug 28, 2013 3:31 am

Re: Raspberry Pi 4 usb boot?

Mon Sep 02, 2019 11:56 pm

I've already finished the most difficult part: finding a good name for the boot loader. Instead of grub, I've decided to call it slug.
Have you got a mascot logo for that yet?
It might run faster than you think,- Turboslug?
Rats, that name is taken :lol:
I'm dancing on Rainbows.
Raspberries are not Apples or Oranges

NOsen
Posts: 15
Joined: Wed Feb 06, 2013 11:08 pm

Re: Raspberry Pi 4 usb boot?

Fri Sep 06, 2019 2:40 pm

Hey,

Anyone figured out why it wont find usbstick when it plugged into the usb3 ports but works from the usb2 ports? (boot from sd card system on usb)

User avatar
clicky
Posts: 413
Joined: Thu Oct 25, 2012 7:34 am

Re: Raspberry Pi 4 usb boot?

Fri Sep 06, 2019 4:23 pm

NOsen wrote:
Fri Sep 06, 2019 2:40 pm
Hey,

Anyone figured out why it wont find usbstick when it plugged into the usb3 ports but works from the usb2 ports? (boot from sd card system on usb)
Maybe you need (bigger?) delay. I've just checked - I have:

Code: Select all

 rootdelay=5
at the end of /boot/cmtline.txt

hippy
Posts: 6108
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Raspberry Pi 4 usb boot?

Fri Sep 06, 2019 6:46 pm

asavah wrote:
Sun Sep 01, 2019 4:16 pm
To make use of "hackable" EEPROM on the pi4 one would need to:
1a) hack the os remotely and gain root access.
or
1b) have local physical access
Or just convince someone to run a Python program. Or any program which does what would be needed.

A more determined miscreant would perhaps pursue getting what's needed installed via a hacked repository or dependency, sit back and wait for that to trickle down to users.
asavah wrote:
Sun Sep 01, 2019 4:16 pm
2) Have deep knowledge of VC4/6 hardware and software architecture and have knowledge of and access to all the needed tools to build their own bootloader code which is closed source and AFAIK is very peculiar architecture, I think the amount of people in the world capable of writing their own malicious vc4/6 bootloader is very small, like a dozen or two of persons.
I believe it could be more than that, though it depends on what level of maliciousness one is talking about.

It is easy enough to be a nuisance by getting one's own Boot Eeprom code written and in there, but it is harder to see how one could make it truly malicious, basically because it is only a bootloader.

I can think of some very petty things to do which could be extremely frustrating before the user reflashed a Boot Eeprom with recovery.bin to get things working properly again. There could potentially be things done which rendered a Pi unbootable after a re-boot.

In terms of something which hides in the Boot Eeprom, persists once the system is booted and running, effectively 'backdooring it' in some way; maybe it is possible but that would be well beyond my pay grade and most others.

dickon
Posts: 533
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: Raspberry Pi 4 usb boot?

Fri Sep 06, 2019 8:14 pm

'only a bootloader'! -- you get to load the kernel, any initrd, dtb, and commandline into RAM, edit them as you see fit (the dtb in particular is actually required to be altered by the bootloader, and that has the addresses of all sorts of entertaining devices embedded within it), and, if you're feeling malicious, fiddle with any or all of those as you see fit, within the constraints of whatever resources you have to play with. You can patch the running kernel, invisibly, with whatever you wish. Not happy with the exception vectors? Fine. Replace them. Not happy with the UART driver? Have fun.

You can do a lot with a bootloader, particularly with unsigned binaries. UEFI Secure Boot was designed to overcome this. Don't get me started on it, however...

hippy
Posts: 6108
Joined: Fri Sep 09, 2011 10:34 pm
Location: UK

Re: Raspberry Pi 4 usb boot?

Fri Sep 06, 2019 8:39 pm

dickon wrote:
Fri Sep 06, 2019 8:14 pm
'only a bootloader'! -- you get to load the kernel, any initrd, dtb, and commandline into RAM, edit them as you see fit ...
I was under the impression the Boot Eprom only kicks things off and there is a whole chain of things which push earlier parts of the chain out of the way as the system actually comes up.

Thus the Boot Eprom code would have relinquished control long before what it would have to do to be truly malicious could be done. I am not even sure the ARM cores would be running when the Boot Eprom code relinquishes control.

The Boot Eprom code could of course hack stuff it is loading and relinquishing control to to hack things later in the chain and all the way down but that seems a huge undertaking. And one would be up against the limited Boot Eprom capacity. It may be possible but, as I said; beyond my pay grade.

dickon
Posts: 533
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: Raspberry Pi 4 usb boot?

Fri Sep 06, 2019 9:33 pm

Doesn't really matter, TBH. The way these things tend to run, the likes of Google's Project Zero *will* find a way to exploit what you think is unexploitable. A first-stage bootloader has the ability to alter *everything* that comes after it. It's a deeply powerful position to be in.

jcyr
Posts: 463
Joined: Sun Apr 23, 2017 1:31 pm
Location: Atlanta

Re: Raspberry Pi 4 usb boot?

Fri Sep 06, 2019 10:32 pm

How far off topic can this thread possibly get? :roll:
It's um...uh...well it's kinda like...and it's got a bit of...

dickon
Posts: 533
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: Raspberry Pi 4 usb boot?

Fri Sep 06, 2019 10:37 pm

TBH, the question was asked, answered ('yeah, soon'), and we've had a further 11.5 pages of rubbish since. If the mods haven't locked it by now -- and they haven't, yet -- well, personally, I consider it fair game.

It hasn't been entirely fruitless.

And for the record, I consider what I suggested above vanishingly unlikely. Possible, but won't happen.

NOsen
Posts: 15
Joined: Wed Feb 06, 2013 11:08 pm

Re: Raspberry Pi 4 usb boot?

Sat Sep 07, 2019 8:39 am

clicky wrote:
Fri Sep 06, 2019 4:23 pm
NOsen wrote:
Fri Sep 06, 2019 2:40 pm
Hey,

Anyone figured out why it wont find usbstick when it plugged into the usb3 ports but works from the usb2 ports? (boot from sd card system on usb)
Maybe you need (bigger?) delay. I've just checked - I have:

Code: Select all

 rootdelay=5


at the end of /boot/cmtline.txt


Thanks I'll give it a try!

User avatar
Gavinmc42
Posts: 3936
Joined: Wed Aug 28, 2013 3:31 am

Re: Raspberry Pi 4 usb boot?

Sun Sep 08, 2019 9:01 am

Do/will the USB3 ports get checked before the USB2 ones.
I supposed most would prefer to boot from USB3?
I'm dancing on Rainbows.
Raspberries are not Apples or Oranges

jdb
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 2131
Joined: Thu Jul 11, 2013 2:37 pm

Re: Raspberry Pi 4 usb boot?

Sun Sep 08, 2019 3:44 pm

The question is moot - in the existing implementation on Pi3B+, all connected USB devices are enumerated and probed to get a list of mass-storage devices. The first device that has a valid bootcode.bin is used to boot from. An analogue of this will be used on Pi 4, so as to not break USB disk images that can boot on a Pi3b+ or a Pi4.

I can't think of a plausible situation in which you would have connected 2 SSDs with Pi bootloaders on and need to switch between the two.
Rockets are loud.
https://astro-pi.org

ejolson
Posts: 3732
Joined: Tue Mar 18, 2014 11:47 am

Re: Raspberry Pi 4 usb boot?

Sun Sep 08, 2019 4:02 pm

jdb wrote:
Sun Sep 08, 2019 3:44 pm
I can't think of a plausible situation in which you would have connected 2 SSDs with Pi bootloaders on and need to switch between the two.
It seems likely to me that even a single disk might have multiple Pi boot directories that one would like to choose from. After searching, a grand unified bootloader could enumerate all of them, make a menu to choose from and then timeout to a preselected default if no choice is made.

At the moment I'm having trouble with kexec for the slug boot loader. Is there any documentation how NOOBS (and similarly PINN) switches back and forth between the installer and the selected operating system image?
Gavinmc42 wrote:
Mon Sep 02, 2019 11:56 pm
I've already finished the most difficult part: finding a good name for the boot loader. Instead of grub, I've decided to call it slug.
Have you got a mascot logo for that yet?
Do you think UCSC would let me borrow their mascot?
Image

jdb
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 2131
Joined: Thu Jul 11, 2013 2:37 pm

Re: Raspberry Pi 4 usb boot?

Sun Sep 08, 2019 5:29 pm

Then make a chainloader. USB boot is intentionally limited in scope to "find the first valid boot disk and boot from it".
Rockets are loud.
https://astro-pi.org

ejolson
Posts: 3732
Joined: Tue Mar 18, 2014 11:47 am

Re: Raspberry Pi 4 usb boot?

Sun Sep 08, 2019 7:15 pm

jdb wrote:
Sun Sep 08, 2019 5:29 pm
Then make a chainloader. USB boot is intentionally limited in scope to "find the first valid boot disk and boot from it".
I'm trying to make a chain loader. It will be called slug.

Do you have any idea how to make kexec work on the Raspberry Pi?

How does NOOBS do it?

User avatar
rpdom
Posts: 15460
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Raspberry Pi 4 usb boot?

Sun Sep 08, 2019 7:36 pm

ejolson wrote:
Sun Sep 08, 2019 7:15 pm
jdb wrote:
Sun Sep 08, 2019 5:29 pm
Then make a chainloader. USB boot is intentionally limited in scope to "find the first valid boot disk and boot from it".
I'm trying to make a chain loader. It will be called slug.

Do you have any idea how to make kexec work on the Raspberry Pi?

How does NOOBS do it?
NOOBS doesn't use kexec. It uses a flag in the SoC (somewhere under /sys) that specifies which partition to use for the next boot, then performs a reboot.

Return to “General discussion”