Description
Modern device firmware offers more and more features, which increases its complexity and makes security vulnerabilities
more likely. Weaknesses at this level are especially dangerous because they offer almost complete control of the system.
Unfortunately, applying security patches to these firmware components requires a costly system restart and is therefore not
done regularly in many cases. This results in a growing number of unpatched systems with open firmware vulnerabilities.
To increase the rate of adoption for security critical firmware updates, we designed an update mechanism for the RISC-V
OpenSBI firmware implementation. Our mechanism allows the operating system kernel to replace the firmware at runtime.
Using that, outdated and potentially vulnerable low-level software can be overwritten with an up-to-date image without
restarting the system.
To further ease the deployment of security patches affecting only parts of the firmware, we present a modularization mechanism
for OpenSBI. It enables the operating system to load, unload and update firmware functionality dynamically at runtime. As a practical
module example, we used the Keystone enclave framework, which implements trusted execution environments for RISC-V processors.
We modified the firmware component of Keystone to run as a dynamically loadable OpenSBI module and adapted Keystone's remote
attestation mechanism to the updatable environment. Additionally, we present a proof-of-concept implementation of our firmware
update and modularization mechanism, which incurs a 26% memory overhead compared to the original OpenSBI implementation.
Because our firmware update mechanism can be applied without restarts, service maintainers can update their
systems more frequently. This results in fewer vulnerable firmware implementations and therefore raises the overall security level
of the systems.