Core dump does not take flash encryption into account (IDF-458) #2932
Comments
Hi @vulptex, do I understand correctly that you plan to enable core dump functionality in a production scenario, rather than in debugging?
Hi @igrr, yes correct. We want to build a crash dump service, which uploads the core dump partition to our backend. There we can build an online debugging tool. Does that make sense or is there any other possibility? Even a user registered write callback might help, so we can write to our own partition or stream directly the writes to the backend.
if by "backend" you mean "backend server", then there's a good chance this will not work — if the device has crashed then it is likely that there is memory corruption, or RTOS structures are in an invalid state, or the device is out of memory — in other words, something as complex as sending data over network is likely to not work. We will add a check whether the core dump partition is marked as "encrypted" in the partition table, and use Custom core dump backends are something we will consider — we are currently collecting features for the next iteration of work on core dump module.
Exactly, backend == backend server. We will disable core dump to flash for now. Feel free to close this, or use this as follow up for your modification regarding spi_flash_write.
@vulptex Thanks for reporting this issue. Would you help share if any updates for this issue? Thanks.
Environment
Problem Description
Core dump does not take flash encryption into account. This is a huge security issue, from my point of view. When doing SSL connection handshakes or key exchanges someone can trigger watchdogs and force core dumps to flash (if enabled 👍).
Steps to reproduce
1. Enable flash encryption
2. Enable Coredump to flash
3. Enable watchdogs on threads
4. Block a thread until watchdogs triggers reboot
5. Use esptool to read core_dump partition
6. Read plain text stack variables :-D
Where is the issue
core_dump.c uses raw spi_flash_writes. I am not sure if we can find out if the partition is encrypted or not and if it's safe to use encryption at that stage.
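An added example, not code from this issue or from ESP-IDF: it parses a constructed partition table in the on-flash 32-byte entry format (magic, type, subtype, offset, size, label, flags; flags bit 0 marks the partition encrypted), locates the data/coredump entry, and shows the write-path decision a core dump writer should make once it knows the flag. The return codes of `coredump_write_path` are a stand-in for choosing between a plaintext and an encrypted flash write; the 16-byte alignment rule it enforces is the one encrypted flash writes require.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* On-flash ESP-IDF partition table entry: 32 bytes, little-endian; flags bit 0 = encrypted. */
enum { PART_MAGIC = 0x50AA, PART_TYPE_DATA = 0x01, PART_SUBTYPE_COREDUMP = 0x03,
       PART_FLAG_ENCRYPTED = 1u << 0, PART_ENTRY_SIZE = 32 };
typedef struct { uint32_t offset, size; bool encrypted; } coredump_part_t;

static uint32_t rd32(const uint8_t *p) { uint32_t v = 0; for (int i = 3; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Scan a raw partition table for the data/coredump entry and read its "encrypted" flag. */
bool find_coredump_partition(const uint8_t *tbl, size_t len, coredump_part_t *out) {
    for (size_t off = 0; off + PART_ENTRY_SIZE <= len; off += PART_ENTRY_SIZE) {
        const uint8_t *e = tbl + off;
        if ((e[0] | (e[1] << 8)) != PART_MAGIC) break;   /* 0xFFFF terminator or MD5 entry */
        if (e[2] == PART_TYPE_DATA && e[3] == PART_SUBTYPE_COREDUMP) {
            out->offset = rd32(e + 4);
            out->size = rd32(e + 8);
            out->encrypted = (rd32(e + 28) & PART_FLAG_ENCRYPTED) != 0;
            return true;
        }
    }
    return false;
}
/* The decision a hardened core_dump.c would make before writing (stand-in, not IDF code):
   1 = plaintext spi_flash_write is acceptable, 2 = encrypted write required, -1 = refuse. */
int coredump_write_path(const coredump_part_t *p, uint32_t rel_off, size_t len) {
    if (rel_off + len > p->size) return -1;            /* would spill past the partition */
    if (!p->encrypted) return 1;
    /* an encrypted flash write needs a 16-byte aligned address and length */
    if ((p->offset + rel_off) % 16 != 0 || len % 16 != 0) return -1;
    return 2;
}
/* Constructed sample table (not read from a device): nvs, then coredump flagged encrypted. */
static void put_entry(uint8_t *e, uint8_t type, uint8_t sub, uint32_t off, uint32_t sz,
                      const char *label, uint32_t flags) {
    memset(e, 0, PART_ENTRY_SIZE);
    e[0] = PART_MAGIC & 0xFF; e[1] = PART_MAGIC >> 8; e[2] = type; e[3] = sub;
    wr32(e + 4, off); wr32(e + 8, sz); memcpy(e + 12, label, strlen(label)); wr32(e + 28, flags);
}
size_t build_sample_table(uint8_t *buf, size_t cap) {
    memset(buf, 0xFF, cap);                            /* unused entries read back as 0xFF */
    put_entry(buf, PART_TYPE_DATA, 0x02, 0x9000, 0x6000, "nvs", 0);
    put_entry(buf + PART_ENTRY_SIZE, PART_TYPE_DATA, PART_SUBTYPE_COREDUMP, 0x10000, 0x10000,
              "coredump", PART_FLAG_ENCRYPTED);
    return 3 * PART_ENTRY_SIZE;
}
```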