
On 10:43-20231004, Manorit Chawdhry wrote:
> These are required to remove the firewall configurations that are done by ROM, those are not the ones that are being handled by OIDs. The

I am not sure I understand this clearly. OIDs are set up to open up firewalls or close firewalls as the system requires and, since it is authenticated, not compromisable. U-Boot by itself (even if authenticated) is not a secure entity for it to dictate the firewall configuration (U-Boot must be assumed to be compromised after authentication is complete). So, doing firewall configuration via APIs after boot, to me, looks like a broken approach.

> current series that is being worked on is to add additional firewalling support with OIDs that TIFS will be handling. The above patch is essentially added to have the same development experience on GP devices similar to HS after the secure boot is done so that people don't end up

Huh? The code seems to blindly call remove_fwl_configs(cbass_hc_cfg0_fwls, ARRAY_SIZE(cbass_hc_cfg0_fwls)); where is the distinction of HS vs GP here? This implementation looks completely broken to me at least. Please correct what I missed here.