Mount NFSv4.2 filesystem in barebox?

[Dan Shelton]

On Wed, 5 Mar 2025 at 14:55, David Jander <david at protonic.nl> wrote:
>
>
> Hi Ahmad,
>
> On Wed, 5 Mar 2025 13:51:51 +0100
> Ahmad Fatoum <a.fatoum at pengutronix.de> wrote:
>
> > Hi David,
> >
> > On 05.03.25 12:30, David Jander wrote:
> > > On Tue, 4 Mar 2025 22:50:00 +0100
> > > Martin Wege <martin.l.wege at gmail.com> wrote:
> > >> So yes, you would have customers for NFSv4.1 support in barebox.
> > >
> > > Just wanted to chime in to amplify this a bit, since we are also using NFSv4.2
> > > netboot (though only TFTP in barebox for now):
> > >
> > > Your arguments are solid, and make a lot of sense. If you are going to replace
> > > more and more microcontroller based nodes with Linux capable SoCs, because it
> > > makes a lot of economical sense (hardware costs are very similar nowadays, and
> > > software development is 10x easier and cheaper on Linux than on a uC), you
> > > will end up inevitably with a lot of Linux nodes inside of a machine or
> > > industrial plant, where you previously had uC's. So, do you want to continue
> > > using 1970's tech (RS485/modbus) or 1980's tech (CAN) to communicate between all
> > > those nodes, or will you use Linux's native language (TCP/IP) which also
> > > immediately means another 10x reduction in software development costs of the
> > > networking part? If you choose the latter, you will also get significant HW
> > > cost savings basically for free if you also net-boot (via NFS and/or TFTP).
> > >
> > > In other words, why are we not already doing this?
> > >
> > > At least we are. We are starting to use Single Pair Ethernet almost everywhere
> > > where there were other field-busses involved traditionally. So we noticed that
> > > we end up with a lot of boards running Linux connected together via anything
> > > from 10Base-T1L to 1000Base-T1. Replace the eMMC chip on all but one of them
> > > with a cheap 2MiB SPI-NOR flash to load barebox and netboot from one single
> > > board running an NFSv4.2 (and TFTP) server serving the kernel and rootfs for
> > > all the others from a single eMMC, that can be updated with a single RAUC
> > > bundle guaranteeing consistent software and trivially easy updates on all
> > > nodes at once. Not to mention the benefit of trivial repairs because all
> > > boards are basically dumb and don't need to be flashed with software that
> > > matches the machine they are being replaced in, etc...
> >
> > Which I think is very cool. :-)
>
> Thanks :-)
>
> > > To be fair though, it isn't strictly needed for barebox to have NFS support
> > > for our use-case, since it suffices to load the kernel (and possibly an
> > > initramfs) via TFTP and mount the nfsroot from the kernel, but IMHO it is
> > > certainly valuable to have basic NFSv4.2 support in barebox. It would
> > > facilitate the use of just 1 protocol instead of 2.
> >
> > Ack.
> >
> > > I also agree that NFSv3
> > > support in that regard offers little value since you really don't want to base
> > > everything on this obsolete version with all of its limitations.
> > >
> > > But also a bit of caution to be mindful of: Cybersecurity. Of course barebox
> > > can be made to only boot signed fit images, but are there other potential
> > > attack vectors?
> >
> > We have been fuzzing the security critical boot path and issues were found
> > and fixed. Our network stack and NFS implementation are not currently part
> > of that. The documentation now spells that out and explicitly advises
> > against using any unsigned file system at all (whether networked or not)
> > to contain a signed FIT image:
> >
> > https://www.barebox.org/doc/latest/user/security.html#avoiding-use-of-file-systems
> >
> > As we gain more confidence in the implementation (or rather import mptcp and focus
> > on fuzzing that), this will change, but as things stand now, it's is not advisable
> > to do network boot of signed images.
>
> Aha. Interesting. I suppose you mean network boot of signed images from
> something like NFS (a complex filesystem) as opposed to TFTP (which is more
> akin to a raw partition in terms of simplicity of the protocol)? Or is TFTP
> already outside of the security comfort zone of barebox?

TFTP is outside the comfort zone of almost every enterprise IT. Most
of Intel&Win&co label it as "legacy" for a reason

>
> > > What if the NFS server needs to be secured with with GSS and
> > > kerberos? Barebox possibly won't be able to access it unless it also supports
> > > that.
> >
> > Yes. I think HTTP(S) support may be a better investment of time, even
> > if it means having to use two protocols still.
>
> I agree that if secure-boot is involved, the net-boot solution for barebox
> should be the most simple protocol possible so that we always have some
> transport implementation that can be hardened with the lowest effort, whether
> that is TFTP or HTTP(S).

1. HTTPS is not always viable, in case of firewalls which unpack, add
headers or content, and then repack HTTPS traffic. Given that kind of
problem HTTPS is often unuseable. Plus, many managements no longer
trusts HTTPS, because it has become a jack of all trades, and a gaping
security hole for all trades.
2. Booting or getting a boot image via HTTPS is basically not a
standard, NFSv4 is at least IETF+RFC+already in use. barebox is just
late in that game

> It surely won't be NFSv4.2+kerberos or anything like
> that. Still, there are likely a lot of cases, where a physical access barrier
> is secure enough, and bare NFS can be used, so let's not immediately shoot
> down the idea of having an NFSv4 client in barebox ;-)

There is NFSv4+TLS, which should be pretty easy to implement, because
it is just sticking TLS in front of libtirpc

Dan
-- 
Dan Shelton - Cluster Specialist Win/Lin/Bsd