| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 11 Jan 2020 13:46:39 +0000
From: <Tudor.Ambarus@...rochip.com>
To: <linux-mtd@...ts.infradead.org>
CC: <michael@...le.cc>, <linux-kernel@...r.kernel.org>,
<vigneshr@...com>, <richard@....at>,
<boris.brezillon@...labora.com>, <miquel.raynal@...tlin.com>,
<marex@...x.de>
Subject: Re: [PATCH v2] mtd: spi-nor: keep lock bits if they are non-volatile
Hi, Michael,
On Saturday, January 4, 2020 12:12:29 AM EET Michael Walle wrote:
> Traditionally, linux unlocks the whole flash because there are legacy
> devices which has the write protections bits set by default at startup.
> If you actually want to use the flash protection bits, eg. because there
> is a read-only part for a bootloader, this automatic unlocking is
> harmful. If there is no hardware write protection in place (usually
> called WP#), a startup of the kernel just discards this protection.
>
> I've gone through the datasheets of all the flashes (except the Intel
> ones where I could not find any datasheet nor reference) which supports
> the unlocking feature and looked how the sector protection was
> implemented. The currently supported flashes can be divided into the
> following two categories:
> (1) block protection bits are non-volatile. Thus they keep their values
> at reset and power-cycle
> (2) flashes where these bits are volatile. After reset or power-cycle,
> the whole memory array is protected.
> (a) some devices needs a special "Global Unprotect" command, eg.
> the Atmel AT25DF041A.
> (b) some devices require to clear the BPn bits in the status
> register.
>
> Due to the reasons above, we do not want to clear the bits for flashes
> which belong to category (1). Fortunately for us, the flashes in (2a)
> and (2b) are compatible with each other in a sense that the "Global
> Unprotect" command will clear the block protection bits in all the (2b)
> flashes.
>
> This patch adds a new flag to indicate the case (2). Only if we have
> such a flash we perform a "Global Unprotect". Hopefully, this will clean
> up "unlock the entire flash for legacy devices" once and for all.
Thanks for the detailed explanation. Unlocking the flash at probe time was
badly designed from the beginning, we should disable the write protection only
on request, to avoid destructive commands during power-up.
Breaking the backward compatibility is a no-go, and looks like you break it,
by not treating case (1). We can indeed continue your idea and treat both (1)
and (2), thus disabling the write protection at power-up for all the flashes
that we support as of now (in order to not break backward compat), and to not
disable the block protection for the new flashes that will come. This means to
have some point in time before which some less fortunate flashes don't benefit
of write protection at power-up, and after which the others benefit. I
wouldn't got this way, I prefer a generic method that handles all the flashes
in the same way.
I see three choices:
1/ dt prop which gives a per flash granularity. The prop is related to hw
protection and there might be some chances to get this accepted, maybe it is
worth to involve Rob. But I tend to share Vignesh's opinion, this would
configure the flash and not describe it.
2/ kconfig option, the behavior would be enforced on all the flashes. It would
be similar to what we have with CONFIG_MTD_SPI_NOR_USE_4K_SECTORS. I did a
patch to address this some time ago: https://patchwork.ozlabs.org/patch/
1133278/
3/ module param, the behavior would be enforced on all the flashes.
Preferences or suggestions?
Cheers,
ta
Powered by blists - more mailing lists