Subject: Re: [PATCH 1/1] soc: keembay: Add Keem Bay IMR driver
From: Daniele Alessandrelli
To: Pavel Machek
Cc: "arnd@arndb.de", "robh@kernel.org", "Murphy, Paul J", "gregkh@linuxfoundation.org", "Shevchenko, Andriy", "linux-kernel@vger.kernel.org"
Date: Thu, 28 May 2020 14:00:29 +0100
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2020-05-28 at 13:22 +0200, Pavel Machek wrote:
> Hi!
>
> > > Agreed, this sounds like an incompatible extension of the boot
> > > protocol that we should otherwise not merge.
> > >
> > > However, there is also a lot of missing information here, and it
> > > is always possible they are trying to do something for a good
> > > reason. As long as the problem that the bootloader is trying to
> > > solve is explained well enough in the changelog, we can discuss
> > > it to see how it should be done properly.
> >
> > Apologies, I should have provided more information. Here it is :)
> >
> > Basically, at boot time U-Boot code and core memory (.text, .data,
> > .bss, etc.) is protected by this Isolated Memory Region (IMR) which
> > prevents any device or processing units other than the ARM CPU to
> > access/modify the memory.
> >
> > This is done for security reasons, to reduce the risks that a
> > potential attacker can use "hijacked" HW devices to interfere with
> > the boot process (and break the secure boot flow in place).
>
> Dunno. You disable that after boot anyway. Whether it is disabled
> just before starting kernel or just after it makes very little
> difference.

Not sure I get your point. Disabling it while U-Boot is still running
poses a security risk (even if arguably tiny), while doing it once the
Kernel is running is totally safe. So, I'd prefer to do it in the
Kernel, unless practical reasons prevent it.

>
> Plus, I'm not sure if this has much security value at all. If I can
> corrupt data u-boot works _with_ (such as kernel, dtb), I'll take
> over the system anyway.

True, U-Boot data needs to be protected too and, in fact, we're trying
to do that as well. Other IMRs are used to protect the kernel, dtb, and
other critical memory sections.

>
> IOW I believe the best/simplest way is to simply disable this in
> u-boot before jumping to kernel entrypoint.

Yes, that's definitely the simplest solution, but, IMO, not the safest
one. So, I'd prefer to build on your initial suggestion and Arnd's
advice and create a new device driver to disable the IMR once Linux is
running. But, yes, if that eventually proves unfeasible, I might just
have the bootloader disable the protection right before booting the OS.

>
> Best regards,
>
> Pavel
>