lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <11c3ceb2-8b8d-de59-a0be-0777a42f63a7@arm.com>
Date:   Tue, 27 Feb 2018 19:46:29 +0000
From:   Robin Murphy <robin.murphy@....com>
To:     Benjamin Gaignard <benjamin.gaignard@...aro.org>,
        Mark Rutland <mark.rutland@....com>
Cc:     devicetree@...r.kernel.org,
        Alexandre Torgue <alexandre.torgue@...com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Rob Herring <robh+dt@...nel.org>,
        Maxime Coquelin <mcoquelin.stm32@...il.com>,
        Linux ARM <linux-arm-kernel@...ts.infradead.org>,
        Benjamin Gaignard <benjamin.gaignard@...com>
Subject: Re: [PATCH 0/3] STM32 Extended TrustZone Protection driver

On 27/02/18 19:16, Benjamin Gaignard wrote:
> 2018-02-27 18:11 GMT+01:00 Mark Rutland <mark.rutland@....com>:
>> On Tue, Feb 27, 2018 at 03:09:23PM +0100, Benjamin Gaignard wrote:
>>> On early boot stages STM32MP1 platform is able to dedicate some hardware blocks
>>> to a secure OS running in TrustZone.
>>> We need to avoid using those hardware blocks on non-secure context (i.e. kernel)
>>> because read/write access will all be discarded.
>>>
>>> Extended TrustZone Protection driver register itself as listener of
>>> BUS_NOTIFY_BIND_DRIVER and check, given the device address, if the hardware block
>>> could be used in a Linux context. If not it returns NOTIFY_BAD to driver core
>>> to stop driver probing.
>>
>> Huh?
>>
>> If these devices are not usable from the non-secure side, why are they
>> not removed form the DT (or marked disabled)?
>>
>> In other cases, where resources are carved out for the secure side (e.g.
>> DRAM carveouts), that's how we handle things.
>>
> 
> That true you can parse and disable a device a boot time but if DT doesn't
> exactly reflect etzpc status bits we will in trouble when try to get access to
> the device.

Well, yes. If the DT doesn't correctly represent the hardware, things 
will probably go wrong; that's hardly a novel concept, and it's 
certainly not unique to this particular SoC.

> Changing the DT is a software protection while etzpc is an hardware protection
> so we need to check it anyway.

There are several in-tree DT and code examples where devices are marked 
as disabled on certain boards/SoC variants/etc. because attempting to 
access them can abort/lock up/trigger a secure watchdog reset/etc. The 
only "special" thing in this particular situation is apparently that 
this device even allows its secure configuration to be probed from the 
non-secure side at all.

Implementing a boardfile so that you can "check" the DT makes very 
little sense to me; Linux is not a firmware validation suite.

Robin.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ