Mount NFSv4.2 filesystem in barebox?

[David Jander]

Hi Ahmad,

On Wed, 5 Mar 2025 13:51:51 +0100
Ahmad Fatoum <a.fatoum at pengutronix.de> wrote:

> Hi David,
> 
> On 05.03.25 12:30, David Jander wrote:
> > On Tue, 4 Mar 2025 22:50:00 +0100
> > Martin Wege <martin.l.wege at gmail.com> wrote:  
> >> So yes, you would have customers for NFSv4.1 support in barebox.  
> > 
> > Just wanted to chime in to amplify this a bit, since we are also using NFSv4.2
> > netboot (though only TFTP in barebox for now):
> > 
> > Your arguments are solid, and make a lot of sense. If you are going to replace
> > more and more microcontroller based nodes with Linux capable SoCs, because it
> > makes a lot of economical sense (hardware costs are very similar nowadays, and
> > software development is 10x easier and cheaper on Linux than on a uC), you
> > will end up inevitably with a lot of Linux nodes inside of a machine or
> > industrial plant, where you previously had uC's. So, do you want to continue
> > using 1970's tech (RS485/modbus) or 1980's tech (CAN) to communicate between all
> > those nodes, or will you use Linux's native language (TCP/IP) which also
> > immediately means another 10x reduction in software development costs of the
> > networking part? If you choose the latter, you will also get significant HW
> > cost savings basically for free if you also net-boot (via NFS and/or TFTP).
> > 
> > In other words, why are we not already doing this?
> > 
> > At least we are. We are starting to use Single Pair Ethernet almost everywhere
> > where there were other field-busses involved traditionally. So we noticed that
> > we end up with a lot of boards running Linux connected together via anything
> > from 10Base-T1L to 1000Base-T1. Replace the eMMC chip on all but one of them
> > with a cheap 2MiB SPI-NOR flash to load barebox and netboot from one single
> > board running an NFSv4.2 (and TFTP) server serving the kernel and rootfs for
> > all the others from a single eMMC, that can be updated with a single RAUC
> > bundle guaranteeing consistent software and trivially easy updates on all
> > nodes at once. Not to mention the benefit of trivial repairs because all
> > boards are basically dumb and don't need to be flashed with software that
> > matches the machine they are being replaced in, etc...  
> 
> Which I think is very cool. :-)

Thanks :-)

> > To be fair though, it isn't strictly needed for barebox to have NFS support
> > for our use-case, since it suffices to load the kernel (and possibly an
> > initramfs) via TFTP and mount the nfsroot from the kernel, but IMHO it is
> > certainly valuable to have basic NFSv4.2 support in barebox. It would
> > facilitate the use of just 1 protocol instead of 2.  
> 
> Ack.
> 
> > I also agree that NFSv3
> > support in that regard offers little value since you really don't want to base
> > everything on this obsolete version with all of its limitations.
> > 
> > But also a bit of caution to be mindful of: Cybersecurity. Of course barebox
> > can be made to only boot signed fit images, but are there other potential
> > attack vectors?  
> 
> We have been fuzzing the security critical boot path and issues were found
> and fixed. Our network stack and NFS implementation are not currently part
> of that. The documentation now spells that out and explicitly advises
> against using any unsigned file system at all (whether networked or not)
> to contain a signed FIT image:
> 
> https://www.barebox.org/doc/latest/user/security.html#avoiding-use-of-file-systems
> 
> As we gain more confidence in the implementation (or rather import mptcp and focus
> on fuzzing that), this will change, but as things stand now, it's is not advisable
> to do network boot of signed images.

Aha. Interesting. I suppose you mean network boot of signed images from
something like NFS (a complex filesystem) as opposed to TFTP (which is more
akin to a raw partition in terms of simplicity of the protocol)? Or is TFTP
already outside of the security comfort zone of barebox?

> > What if the NFS server needs to be secured with with GSS and
> > kerberos? Barebox possibly won't be able to access it unless it also supports
> > that.  
> 
> Yes. I think HTTP(S) support may be a better investment of time, even
> if it means having to use two protocols still.

I agree that if secure-boot is involved, the net-boot solution for barebox
should be the most simple protocol possible so that we always have some
transport implementation that can be hardened with the lowest effort, whether
that is TFTP or HTTP(S). It surely won't be NFSv4.2+kerberos or anything like
that. Still, there are likely a lot of cases, where a physical access barrier
is secure enough, and bare NFS can be used, so let's not immediately shoot
down the idea of having an NFSv4 client in barebox ;-)

A basic HTTP get-only client implementation is probably simple enough
without the (S) part if the sole purpose is to download a signed fit image?

Of course, the server part for boot purposes should probably also be a small,
trusted code-base and not something like a full-blown webserver, full of
enormous attack surfaces due to the lack of TLS.

> > P.S.: I am currently not subscribed to the barebox mailing list, so I don't
> > know if this email will get forwarded by the list server.  
> 
> The ML accepts mails from non-subscribers. Infradead is currently slow on
> delivering mail, though, but I hope it will soon show up on both
> lore.barebox.org/barebox and lore.kernel.org/barebox.

It already arrived :-)
Thanks.

Best regards,

-- 
David Jander