Opened 4 years ago

Closed 3 years ago

#10891 closed task (fixed)

OFW XO-1.75 - lockdown SPI FLASH writes

Reported by: wmb@…
Owned by: wad
Priority: blocker
Milestone: Future Release
Component: hardware
Version: 1.75-A3
Keywords:
Cc:
Blocked By:
Blocking: #10914
Deployments affected:
Action Needed: design
Verified: no

Description

Need to figure out how to protect the boot SPI FLASH from userland writes and thus implement protect-fw.

Change History (6)

comment:1 Changed 4 years ago by Quozl

  • Milestone changed from Not Triaged to 1.75-firmware

comment:2 Changed 4 years ago by wmb@…

  • Component changed from ofw - open firmware to hardware
  • Milestone changed from 1.75-firmware to Future Release
  • Owner changed from wmb@… to wad
  • Priority changed from normal to blocker
  • Version changed from 1.75-A2 to 1.75-A3

I think it's not possible to use the MMP2 security features to prevent writes to the SPI boot flash. While one can set the SSP1 module to secure mode, thus preventing access to it from the P4J core, I don't see any way to prevent the OS from using the MFPR registers to map GPIOs to those pins, thus enabling writes via a bit-banging driver.

I think we need to reinstate a hardware lockout flip-flop.

comment:3 Changed 4 years ago by martin.langhoff

  • Blocking 10914 added

comment:4 Changed 3 years ago by wmb@…

We also need to lock out EC FLASH writes via the EDI interface. In this case we might be able to just block the EDI chip select line or something, as, unlike the SPI boot FLASH, there is little need to read the EC code after it is write-locked.

comment:5 Changed 3 years ago by wmb@…

I checked the 3731 datasheet looking for ways to disable EDI reprogramming from software. No luck. There is a "disable EDI" command, but it is not permanent - having disabled the interface, you can easily re-enable it by repeating the EDI start sequence (empirically determined).

comment:6 Changed 3 years ago by Quozl

  • Resolution set to fixed
  • Status changed from new to closed

(hardware change was completed in b1, firmware support for it is in other tickets)
