Date: Wed, 19 Aug 2020 12:11:23 +0300
From: Mika Westerberg
To: Arnd Bergmann
Cc: Daniel Gutson, Tudor Ambarus, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, Boris Brezillon, linux-mtd, "linux-kernel@vger.kernel.org", Alex Bazhaniuk, Richard Hughes, Greg Kroah-Hartman
Subject: Re: [PATCH] mtd: spi-nor: intel-spi: Do not try to make the SPI flash chip writable
Message-ID: <20200819091123.GE1375436@lahna.fi.intel.com>
References: <20200819065721.GA1375436@lahna.fi.intel.com>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Aug 19, 2020 at 10:38:24AM +0200, Arnd Bergmann wrote:
> On Wed, Aug 19, 2020 at 8:57 AM Mika Westerberg wrote:
> >
> > On Tue, Aug 18, 2020 at 12:55:59PM -0300, Daniel Gutson wrote:
> > > > If you care about other (malicious) code writing to the driver, please
> > > > explain what the specific attack scenario is that you are worried about,
> > > > and why you think this is not sufficient. What code would be able to
> > > > write to the device if not the device driver itself?
> > >
> > > Maybe Mika can answer this better, but what I'm trying to do is to
> > > limit the possibility of damage, as explained in the Kconfig:
> > > "Intel PCH/PCU SPI flash PCI driver (DANGEROUS)"
> > > "Say N here unless you know what you are doing. Overwriting the
> > > SPI flash may render the system unbootable."
> >
> > Right, the PCI part of the driver unconditionally (and wrongly) tried to
> > set the chip writeable.
> >
> > What this whole thing tries to protect is that the user does not
> > accidentally write to the flash chip. It contains BIOS and other
> > important firmware so touching it (if it is not locked in the BIOS side)
> > may potentially brick the system. That's why we also require that
> > command line parameter so the user who knows what he or she is doing can
> > enable it for writing.
>
> The same thing can happen with the platform driver if you load it
> once with 'writeable=1' and then unload, leaving the chip in writeable
> state. If you load it a second time without the module parameter, it
> will be in the same state as the PCI driver: the hardware bit allows
> writing, but the MTD layer prevents writes from being issued to the
> device.

Right.

> > Actually thinking about this bit more, to make PCI and the platform
> > parts consistent we can make the "writeable" control this for the PCI
> > part as well. So what if we add a callback to struct intel_spi_boardinfo
> > that the PCI driver populates and then the "core" driver uses to enable
> > writing when "writeable" is set to 1.
>
> If you are really worried about the write protection being bypassed by
> a different driver or code injection, the best way would seem to be to
> only enable writing in the mtd write callback and disable it immediately
> after the write is complete. I still don't see why this hardware would
> be more susceptible to this kind of attack than other drivers though,
> as it already has the safeguard against writing through the MTD layer
> without the module parameter.

Hmm, is there already a mechanism at the MTD level to prevent writes? If
that's the case then sure we can use that instead.
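
The two layers of state discussed in this thread, as an added example that is not part of the original message and is not kernel or intel-spi code. It is a user-space model: `flash_model`, `load_sticky`, `unload`, `mtd_write_scoped` and `sticky_bit_after_reload` are hypothetical names, `hw_write_enable` stands in for the hardware write-enable bit and `mtd_writeable` for the MTD-layer gate set by `writeable=1`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model only, not kernel code. */
struct flash_model {
    bool hw_write_enable;   /* hardware bit: survives module unload */
    bool mtd_writeable;     /* MTD gate: set anew on every load */
    unsigned char data[16];
};

/* Load as described in the thread: writeable=1 flips the hardware bit. */
static void load_sticky(struct flash_model *f, bool writeable)
{
    if (writeable)
        f->hw_write_enable = true;
    f->mtd_writeable = writeable;
}

static void unload(struct flash_model *f) { f->mtd_writeable = false; } /* hw bit untouched */

/* Suggested alternative: enable the bit only for the duration of a write. */
static int mtd_write_scoped(struct flash_model *f, size_t off,
                            const unsigned char *buf, size_t len)
{
    if (!f->mtd_writeable)
        return -EROFS;                  /* MTD-layer safeguard */
    if (off > sizeof(f->data) || len > sizeof(f->data) - off)
        return -EINVAL;
    f->hw_write_enable = true;
    memcpy(f->data + off, buf, len);
    f->hw_write_enable = false;         /* re-lock before returning */
    return 0;
}

/* writeable=1, unload, reload without the parameter: is the bit still set? */
static bool sticky_bit_after_reload(void)
{
    struct flash_model f = {0};
    load_sticky(&f, true);
    unload(&f);
    load_sticky(&f, false);
    return f.hw_write_enable && !f.mtd_writeable;
}

int main(void)
{
    printf("hw bit left set after reload: %d\n", sticky_bit_after_reload());
    return 0;
}
```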