[PATCH] arm: mvebu: Espressobin: Disallow forwarding packets between wan and lan ports
Andre Heider
a.heider at gmail.com
Thu Aug 27 18:24:12 CEST 2020
On 17/08/2020 16:36, Pali Rohár wrote:
> By default Topaz switch on Espressobin board forwards packets between all
> ethernet ports, including CPU (port 0), wan (port 1) and lan (ports 2,3).
>
> This default U-Boot setup is unsuitable for using Espressobin as a router, as
> it opens a security hole by forwarding all packets between wan and lan ports.
> E.g. dhcp packets from the wan network leak into the lan network during the small
> time window until U-Boot boots the Linux kernel, which loads the network drivers
> that disallow forwarding between wan and lan.
>
> This patch fixes the above problem. For the Espressobin board, prior to putting
> the Topaz switch into forwarding mode, the Topaz switch is reconfigured to allow
> forwarding packets from wan and lan ports only to the CPU port. This ensures
> that packets from the wan port are not forwarded to lan ports and vice versa.
> Packets from the CPU port are still forwarded to all other ports, so U-Boot
> network boot works with any ethernet port as before.
>
> This problem was already discussed on the Espressobin forum [1] and on
> Marvell's github issue tracker [2]. As a workaround, people on the Espressobin
> forum patched U-Boot to completely disable the lan ports on the Topaz switch, which
> prevented forwarding packets. That workaround had the issue that U-Boot was
> unable to netboot via the lan ports anymore. The change in this patch does not have
> such an issue.
>
> [1] - https://web.archive.org/web/20191231164238/http://espressobin.net/forums/topic/boot-behavior-of-the-switch-and-security/
> [2] - https://github.com/MarvellEmbeddedProcessors/u-boot-marvell/issues/18
>
> Signed-off-by: Pali Rohár <pali at kernel.org>
Tested-by: Andre Heider <a.heider at gmail.com>
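A model of the forwarding policy described in the quoted commit message, added here as an illustration (it is not code from the patch or from U-Boot). The per-port egress bitmask is an assumed abstraction of the switch's port-based forwarding map, not the Topaz register layout; the port numbers are the ones the commit message gives.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Port numbering from the commit message: CPU = 0, wan = 1, lan = 2 and 3. */
enum { PORT_CPU = 0, PORT_WAN = 1, PORT_LAN0 = 2, PORT_LAN1 = 3, NUM_PORTS = 4 };

/* Assumed model: one bitmask per ingress port listing the egress ports it may
 * forward to. Actual switch register offsets are deliberately not modelled. */
typedef struct { uint8_t fwd[NUM_PORTS]; } port_map_t;

static uint8_t all_others(int port) {
    return (uint8_t)(((1u << NUM_PORTS) - 1) & ~(1u << port));
}

/* The default described as the problem: every port forwards to every other port. */
port_map_t default_map(void) {
    port_map_t m;
    for (int p = 0; p < NUM_PORTS; p++) m.fwd[p] = all_others(p);
    return m;
}

/* The patch's policy: wan and lan forward only to the CPU; CPU still reaches all. */
port_map_t isolated_map(void) {
    port_map_t m;
    for (int p = 0; p < NUM_PORTS; p++)
        m.fwd[p] = (p == PORT_CPU) ? all_others(p) : (uint8_t)(1u << PORT_CPU);
    return m;
}

bool can_forward(const port_map_t *m, int from, int to) {
    return from != to && (m->fwd[from] & (1u << to)) != 0;
}

/* Audit a map: no path between any two non-CPU ports (wan<->lan, lan<->lan),
 * while every non-CPU port can still reach, and be reached by, the CPU port. */
bool audit_isolation(const port_map_t *m) {
    for (int a = 0; a < NUM_PORTS; a++) {
        if (a != PORT_CPU && (!can_forward(m, a, PORT_CPU) || !can_forward(m, PORT_CPU, a)))
            return false;
        for (int b = 0; b < NUM_PORTS; b++)
            if (a != PORT_CPU && b != PORT_CPU && can_forward(m, a, b))
                return false;
    }
    return true;
}

int main(void) {
    port_map_t d = default_map(), i = isolated_map();
    printf("default map isolated: %s\n", audit_isolation(&d) ? "yes" : "no");
    printf("patched map isolated: %s\n", audit_isolation(&i) ? "yes" : "no");
    return 0;
}
```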