Hi Nishanth,
On 07:24-20231004, Nishanth Menon wrote:
On 10:43-20231004, Manorit Chawdhry wrote:
These are required to remove the firewall configurations that are done by ROM, those are not the ones that are being handled by OIDs. The
I am not sure I understand this clearly. OIDs are setup to open up firewalls or close firewalls as the system requires and since it is authenticated, not compromiseable.- U-boot by itself (even if authenticated), is not a secure entity for it to dictate the firewall configuration (u-boot must be assumed to be compromised after authentication is complete). So, doing firewall configuration via APIs after boot, to me looks broken approach.
I know U-boot ain't that secure given the most trusted entity is always gonna be the software that starts up the system, we can't expect those to be doing all the work and based on that we have the secure boot designed to configure firewalls (that are not owned by anymore) and U-boot R5 being one of the early bootloaders do come as a part of it.
Regarding the OIDs thing, I don't think the OID in question is looked by ROM and ROM always configures some firewalls for it's usecase that are present in those arrays.
The OID that we are using in the series that you had shared is looked by TIFS instead of ROM and TIFS is the entity that is authenticating the binary along with setting up the firewalls.
current series that is being worked on is to add additional firewalling support with OIDs that TIFS will be handling. The above patch is essentially added to have the same development experience on GP devices similar to HS after the secure boot is done so that people don't end up
huh? the code seems to blindly call the remove_fwl_configs(cbass_hc_cfg0_fwls, ARRAY_SIZE(cbass_hc_cfg0_fwls)); where is the distinction of HS vs GP here? This implementation looks completely broken to me at least.. please correct what I missed here.
Since this call is used across all SoCs there wasn't any point to make the differentiation between GP and HS here, remove_fwl_configs internally handles looking at the firewalls and disabling them if they are enabled ( Which would be only in the case of HS devices ), for GP it would automatically by a noop.
Regards, Manorit
-- Regards, Nishanth Menon Key (0xDDB5849D1736249D) / Fingerprint: F8A2 8693 54EB 8232 17A3 1A34 DDB5 849D 1736 249D