[PATCH v4 02/16] arm: mach-k3: Add basic support for J784S4 SoC definition

Nishanth Menon nm at ti.com
Thu Oct 5 13:26:24 CEST 2023 

On 10:29-20231005, Manorit Chawdhry wrote:
> Hi Nishanth,
> 
> On 07:24-20231004, Nishanth Menon wrote:
> > On 10:43-20231004, Manorit Chawdhry wrote:
> > 
> > > These are required to remove the firewall configurations that are done
> > > by ROM, those are not the ones that are being handled by OIDs. The
> > 
> > I am not sure I understand this clearly. OIDs are setup to open up
> > firewalls or close firewalls as the system requires and since it
> > is authenticated, not compromiseable.- U-boot by itself (even if
> > authenticated), is not a secure entity for it to dictate the firewall
> > configuration (u-boot must be assumed to be compromised after
> > authentication is complete). So, doing firewall configuration via APIs
> > after boot, to me looks broken approach.
> > 
> 
> I know U-boot ain't that secure given the most trusted entity is always
> gonna be the software that starts up the system, we can't expect those
> to be doing all the work and based on that we have the secure boot
> designed to configure firewalls (that are not owned by anymore) and
> U-boot R5 being one of the early bootloaders do come as a part of it. 
> 
> Regarding the OIDs thing, I don't think the OID in question is looked by
> ROM and ROM always configures some firewalls for it's usecase that are
> present in those arrays. 
> 
> The OID that we are using in the series that you had shared is looked by
> TIFS instead of ROM and TIFS is the entity that is authenticating the
> binary along with setting up the firewalls.
> 
> > > current series that is being worked on is to add additional firewalling
> > > support with OIDs that TIFS will be handling.
> > > The above patch is
> > > essentially added to have the same development experience on GP devices
> > > similar to HS after the secure boot is done so that people don't end up
> > 
> > huh? the code seems to blindly call the remove_fwl_configs(cbass_hc_cfg0_fwls, ARRAY_SIZE(cbass_hc_cfg0_fwls));
> > where is the distinction of HS vs GP here? This implementation looks
> > completely broken to me at least.. please correct what I missed here.
> 
> Since this call is used across all SoCs there wasn't any point to make
> the differentiation between GP and HS here, remove_fwl_configs
> internally handles looking at the firewalls and disabling them if they
> are enabled ( Which would be only in the case of HS devices ), for GP it
> would automatically by a noop.

Correct me if I understand the security chain here:

ROM sets up firewalls that are needed by itself
TIFS (in multicertificate will setup it's own firewalls)
R5 SPL comes along and opens up other firewalls
Each stage beyond this: such as tispl.bin containing TFA/OPTEE uses OIDs to
set up firewalls to protect themselves (enforced by TIFS)
A53 SPL and U-boot itself startups but has no ability to change the
protection firewalls enforced by x509 OIDs.

Further, firewalls have lockdown bit that enforces the setting (and
cannot be over-ridden) till system restart is requested

Is this correct? If so, needs to be clearly documented.

-- 
Regards,
Nishanth Menon
Key (0xDDB5849D1736249D) / Fingerprint: F8A2 8693 54EB 8232 17A3  1A34 DDB5 849D 1736 249D

More information about the U-Boot mailing list