Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp917723ybm; Wed, 27 May 2020 11:06:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx8u5HnQ6CKhIFIRPcVhXbNEfJ5OeNdcx+kVhBVKqE0d7wu7Isc6zhmtuBbOhc96KrykmW9 X-Received: by 2002:a17:906:2e9a:: with SMTP id o26mr5733443eji.538.1590602802006; Wed, 27 May 2020 11:06:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590602801; cv=none; d=google.com; s=arc-20160816; b=0ey3XlgsD9zpBIEVCi8OKa8mtGONUMRzWyAcslHnvAQ7GRlJQQkgX7T8/HoSniPAca eZ72dx9zSHHOc6ifuBcRIhXN1J2f2x4dBGN3/0gydUrOXzZp6O05NA2ddze2PBG49XQn wm25kFVUaRihMA5Lg/cQHJ/mFxtGPAw98AK6hJG9IxRNWEbv8bKoB4ZbxSxVZeU9xd2u mLtfwlKd0PVjPXCOm8W7tdGQdxhD7jZb5JM1EjZ9Td7iBX9iDtbyLMIZOPJbJ3ILh6/S tGAxWSTtfEcDW6j8cH8lli+KU6KIoQa750YBKGFPzeGx+rClx4TVtJqQKVTVsfkVTcWy OeYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version; bh=RwBssYCdylPGsOgn3X/u9t/p3hmJgSB9wPZA3K4kM4k=; b=Ii8U0NBsc2+TUcD9a8rieq6EUEQDzF1CQtpRWJy+kxXesSFutbFkQ5o6oammpPYZXH gZXbjL+bmFIvjhH8ic5JQqe6DwVmj1QgTGhH9seREpWwj0684XTp6m7T5XkwwSWVQ+kf XkaWoqm1IQIttIrxDRyxWP7TFKKMMmOYAerp99+zDWmG89RXM6x5a+0Yz5IKeLVijTaZ /h9M/aGFE+VnfbVKv0D7Ol7GtZ+yzxA7Zo3c0FtrniwnIK6webdyPMOlqc0vSjnWoXt/ hozUNW5k5bSCk506Jk6tHL5fSRe/F5Vid6Y5CQkIrueNa2edJ/1QepKXrJ31XO4przLF kLqw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j7si2429322ejs.646.2020.05.27.11.06.18; Wed, 27 May 2020 11:06:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389207AbgE0OeT (ORCPT + 99 others); Wed, 27 May 2020 10:34:19 -0400 Received: from mout.kundenserver.de ([212.227.17.24]:37089 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389220AbgE0OeS (ORCPT ); Wed, 27 May 2020 10:34:18 -0400 Received: from mail-qk1-f180.google.com ([209.85.222.180]) by mrelayeu.kundenserver.de (mreue107 [212.227.15.145]) with ESMTPSA (Nemesis) id 1N1xZX-1iu3dm353p-012KMn for ; Wed, 27 May 2020 16:34:15 +0200 Received: by mail-qk1-f180.google.com with SMTP id q8so8049736qkm.12 for ; Wed, 27 May 2020 07:34:15 -0700 (PDT) X-Gm-Message-State: AOAM532XZf6hvJXZEoDX35zNfu2PiUDVyWh4TZInPqv0bzQ477J88SOT fQoZgVbr4fP21fyy6jdvqjqEHMk1NWkzAD6iQQU= X-Received: by 2002:a37:4c48:: with SMTP id z69mr4462545qka.138.1590590054575; Wed, 27 May 2020 07:34:14 -0700 (PDT) MIME-Version: 1.0 References: <13ca92165fab2827b6d439661e75f5b91ef083c2.1587485099.git.daniele.alessandrelli@intel.com> <20200501081002.GA1055721@kroah.com> <20200524212851.GG1192@bug> In-Reply-To: From: Arnd Bergmann Date: Wed, 27 May 2020 16:33:58 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 1/1] soc: keembay: Add Keem Bay IMR driver To: "Alessandrelli, Daniele" Cc: "pavel@ucw.cz" , "robh@kernel.org" , "Murphy, Paul J" , "gregkh@linuxfoundation.org" , "Shevchenko, Andriy" , "linux-kernel@vger.kernel.org" , "daniele.alessandrelli@linux.intel.com" Content-Type: text/plain; charset="UTF-8" X-Provags-ID: V03:K1:l4/GPB2ILu09kkV7XvWAVfsZeS+TnLTyig0qXH9kjw0osp/g9wC kj4ygUJaoaQibM6paQin4afYRdmPdTLpPuexPKuQbzGt1amoYqJKPKdN3io0C3nXCyzLOM9 QYuUh49j4NnifsifPOm+s421ZPR1KY5YuwjIk8nxGiwdXfoZ+x059+lCBQCzz2s/acEUulj NTb4qGXnHq0cCKfUfOK5w== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:cjFL+2I6Xsg=:qNiL2f79VozEMCfa/jspXE w9j/5Mk3Nlaqfx+BS1/D0CeJepKALN6BuJ5YfGeBOdNzecwZsMoLhsJ7O7YkhSk9wa/Ub6y34 4IcInVVdIvb9EyV/D1CJ33PFblxSHNdBdY5vJnKYcOg3Z6T/1AAwsoY3ztxAblrZGrR8CQU/r DyrXWnPOooUYb8sNtSgNYcHkdtDkZCS7GYk6sJTFlKYOOiLAYqejmsX1g5zBA1SgYtYlpJFFv D48rK+lf97dxfS8MUyrkiLt8jvY1a2ndoKMa7x+PmZMTM8BBv4GPAN0n8960sShrgyoQeKcrC tSP4fUWb42hfMl2GaFfEEAPSFvReffhC9VA8U2aIEI+wLq94a2bEZAPE1oXflplcAB/OnMe2o Nps54dpEBESqEkQCVlIICYQ5JSI7H4tcxx5Esf1uaJSi9tjn7IlhGwi050Y4xpHIHPWasVMjt FVWPsIs6ZLgDO9roG3T1ViU/KKjIajPvKAzTeHBk5D+nwk9QOTPf5sDU5e8JqjkapABsYYvUH h8nPdasgRTr+a72cl3K3VrQdMocXQVzmPf20w8RVm+v78F458bA4uxr961LmQABaav97KVyum oT+BRQ1dwOFbx48/S5Ur2P9I5qM9bVX4XsBA/PVYLZcL8nhw+r/46GSwFpXOnILegVPci4wmy wqJTrb0tjx7SWkIf0gVOppVSqT8LHMoSINOZy2kBRT8VAkFqZTAljqj/Iwu07UmX77B5FZRC+ ZIO2edlMDq+oXi6xFF4uQdbt/3105TRIWW4iX7Fd3139mDN1H3qXlL2gF/TzTmTfPcOYRBsTB PYKycy67oes3pxpQCETBxzpj8KERj3th9rgQVYg2QSNiU7d0cE= Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 27, 2020 at 3:31 PM Alessandrelli, Daniele wrote: > > > Alternatively, take that memory off the "memory available" maps, > > > and only re-add it once > > > it is usable. > > > > > > Anything else is dangerous. > > That sounds like an interesting solution, thanks! > > Do you know any code that I can use as a reference? > > Since, the protected memory is just a few megabytes large, I guess that > in theory we could just have U-Boot mark it as reserved memory and > forget about it; but if there's a way to re-add it back once in Linux > that would be great. Adding it back later on with a loadable device driver should not be a problem, as this is not a violation of the boot protocol. > > Agreed, this sounds like an incompatible extension of the boot > > protocol that we should otherwise not merge. > > > > However, there is also a lot of missing information here, and it is > > always possible they are trying to something for a good reason. > > As long as the problem that the bootloader is trying to solve is > > explained well enough in the changelog, we can discuss it to see > > how it should be done properly. > > Apologies, I should have provided more information. Here it is :) > > Basically, at boot time U-Boot code and core memory (.text, .data, > .bss, etc.) is protected by this Isolated Memory Region (IMR) which > prevents any device or processing units other than the ARM CPU to > access/modify the memory. > > This is done for security reasons, to reduce the risks that a potential > attacker can use "hijacked" HW devices to interfere with the boot > process (and break the secure boot flow in place). > > Before booting the Kernel, U-Boot sets up a new IMR to protect the > Kernel image (so that the kernel can benefit of a similar protection) > and then starts the kernel, delegating to the kernel the task of > switching off the U-Boot IMR. > > U-Boot doesn't turn off its own IMR because doing so would leave a > (tiny) window in which the boot execution flow is not protected. > > If you have any additional questions or feedback, just let me know. Thank you for the detailed explanation. I've never seen this done in the Linux boot flow, but I can see how it helps prevent certain kinds of attacks. It seems that just reserving the u-boot area and optionally freeing it later from a driver solves most of your problem. I have one related question though: if the kernel itself is protected, does that mean that any driver that does a DMA to statically allocated memory inside of the kernel is broken as well? I think this is something that a couple of USB drivers do, though it is fairly rare. Does u-boot protect both only the executable sections of the kernel or also data, and does the hardware block both read and write on the IMR, or just writes? Arnd