| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <541539db-0015-41de-837f-aabbea68486a@gmail.com> Date: Wed, 5 Mar 2025 00:58:47 +0200 From: Laurentiu Mihalcea <laurentiumihalcea111@...il.com> To: Marco Felsch <m.felsch@...gutronix.de> Cc: Rob Herring <robh@...nel.org>, Krzysztof Kozlowski <krzk+dt@...nel.org>, Conor Dooley <conor+dt@...nel.org>, Shawn Guo <shawnguo@...nel.org>, Sascha Hauer <s.hauer@...gutronix.de>, Fabio Estevam <festevam@...il.com>, Daniel Baluta <daniel.baluta@....com>, Shengjiu Wang <shengjiu.wang@....com>, Frank Li <Frank.li@....com>, imx@...ts.linux.dev, linux-arm-kernel@...ts.infradead.org, Pengutronix Kernel Team <kernel@...gutronix.de>, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2 0/5] imx8mp: add support for the IMX AIPSTZ bridge On 2/27/2025 1:28 PM, Marco Felsch wrote: > Hi Laurentiu, > > On 25-02-26, Marco Felsch wrote: >> Hi, >> >> On 25-02-26, Laurentiu Mihalcea wrote: >>> From: Laurentiu Mihalcea <laurentiu.mihalcea@....com> >>> >>> The AIPSTZ bridge offers some security-related configurations which can >>> be used to restrict master access to certain peripherals on the bridge. >>> >>> Normally, this could be done from a secure environment such as ATF before >>> Linux boots but the configuration of AIPSTZ5 is lost each time the power >>> domain is powered off and then powered on. Because of this, it has to be >>> configured each time the power domain is turned on and before any master >>> tries to access the peripherals (e.g: AP, CM7, DSP, on i.MX8MP). >> My question still stands: >> >> Setting these bits requires very often that the core is running at EL3 >> (e.g. secure-monitor) which is not the case for Linux. Can you please >> provide more information how Linux can set these bits? > Sorry I didn't noticed your response: > > https://lore.kernel.org/all/a62ab860-5e0e-4ebc-af1f-6fb7ac621e2b@gmail.com/ > > If EL1 is allowed to set the security access configuration of the IP > cores doesn't this mean that a backdoor can be opened? E.g. your > secure-boot system configures one I2C IP core to be accessible only from > secure-world S-EL1 (OP-TEE) and after the power-domain was power-cycled > it's accessible from EL1 again. This doesn't seem right. Why should a > user be able to limit the access permissions to an IP core to only be > accessible from secure-world if the IP core is accessible from > normal-world after the power-domain was power-cycled. > > Regards, > Marco I'm no security expert so please feel free to correct me if I get something wrong. This isn't about S/NS world. The bridge AC doesn't offer any configurations for denying access to peripherals based on S/NS world. AFAIK that's the job of the CSU (central security unit), which is a different IP. Perhaps I shouldn't have used the term "trusted" as it might have ended up creating more confusion? If so, please do let me know so I can maybe add a comment about it in one of the commit messages. In this context, "master X is trusted for read/writes" means "master X is allowed to perform read/write transactions". Even if the bridge is configured to allow read/write transactions from a master (i.e: master is marked as trusted for read/writes) that wouldn't be very helpful. You'd still have to bypass the CSU configuration which as far as I understand is also used by the bridge to deny access to peripherals (e.g: if transaction is secure+privileged then forward to peripheral, otherwise abort it). See the "4.7.6.1 Security Block" and "4.7.4 Access Protections" chapters from the IMX8MP RM. Given all of this, I think the purpose of this IP's AC is to add some extra, light, security features on top of the CSU.
Powered by blists - more mailing lists