[U-Boot] U-Boot TFTP protection

Hello, We have been looking at protecting U-Boot from (malicious) TFTP overwrites. We want to do this after our ARMv7 U-Boot has relocated.
The memory map looks like this (I hope):
--------------------------- Top of DRAM
| U-Boot (Protected)      |
--------------------------  U_Boot_start
| Heap (Protected)        |
--------------------------  Start_Heap = U_Boot_start - Heap_Size
| Stack (Protected)       |
--------------------------  Start_Stack = Start_Heap - Stack_Size
| Buffers (Protected)     |
--------------------------  ???
| Free DRAM (Not Protected)
--------------------------- Start of DRAM
I seem to get lost in the code trying to find possible buffers, can you please give a hint how I can find the address "???"
Best Regards, Stefan

Hi Stefan,
> Hello, We have been looking at protecting U-Boot from (malicious) TFTP overwrites. We want to do this after our ARMv7 U-Boot has relocated.
> The memory map looks like this (I hope):
> --------------------------- Top of DRAM
> | U-Boot (Protected)      |
> --------------------------  U_Boot_start
> | Heap (Protected)        |
> --------------------------  Start_Heap = U_Boot_start - Heap_Size
> | Stack (Protected)       |
> --------------------------  Start_Stack = Start_Heap - Stack_Size
> | Buffers (Protected)     |
> --------------------------  ???
> | Free DRAM (Not Protected)
> --------------------------- Start of DRAM
> I seem to get lost in the code trying to find possible buffers, can you please give a hint how I can find the address "???"
By default the tftp writes its data to the address pointed to by the "loadaddr" env variable.
printenv loadaddr
> Best Regards, Stefan
> U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot
Best regards,
Lukasz Majewski
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd@denx.de

Hi Stefan,
On 15 June 2018 at 00:44, Stefan Johansson stefan.j.johansson@verisure.com wrote:
> Hello, We have been looking at protecting U-Boot from (malicious) TFTP overwrites. We want to do this after our ARMv7 U-Boot has relocated.
> The memory map looks like this (I hope):
> --------------------------- Top of DRAM
> | U-Boot (Protected)      |
> --------------------------  U_Boot_start
> | Heap (Protected)        |
> --------------------------  Start_Heap = U_Boot_start - Heap_Size
> | Stack (Protected)       |
> --------------------------  Start_Stack = Start_Heap - Stack_Size
> | Buffers (Protected)     |
> --------------------------  ???
> | Free DRAM (Not Protected)
> --------------------------- Start of DRAM
> I seem to get lost in the code trying to find possible buffers, can you please give a hint how I can find the address "???"
Well gd->start_addr_sp is the stop of the stack. The size of the stack is not necessarily fixed and will grow downwards from there. But I suppose you could set a particular size and protect from start of DRAM to the assumed bottom of the stack area.
Regards, Simon
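
The suggestion above as an added example (not code from the thread or from U-Boot): it treats the range from the start of DRAM to an assumed stack bottom below gd->start_addr_sp as the only place a TFTP store may land, and rejects anything that reaches higher. The struct, the function names, the 1 MiB stack reserve and the sample addresses are assumptions made for illustration; where such a check would be hooked into the TFTP code is not shown.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for values U-Boot holds after relocation (32-bit ARMv7). */
struct dram_layout {
    uint32_t ram_base;       /* start of DRAM */
    uint32_t start_addr_sp;  /* copy of gd->start_addr_sp */
    uint32_t stack_reserve;  /* assumed maximum stack depth, a policy choice */
};

/* Constructed sample values, not taken from any real board. */
static const struct dram_layout sample_layout = {
    0x80000000u, 0x9ef00000u, 0x00100000u
};

/* Lowest protected address: the assumed bottom of the stack area. */
static uint32_t protect_floor(const struct dram_layout *l)
{
    if (l->start_addr_sp <= l->ram_base ||
        l->stack_reserve > l->start_addr_sp - l->ram_base)
        return l->ram_base;  /* nothing is left unprotected */
    return l->start_addr_sp - l->stack_reserve;
}

/* True only if [addr, addr + len) lies entirely in free DRAM below the floor. */
static bool tftp_store_allowed(const struct dram_layout *l,
                               uint32_t addr, uint32_t len)
{
    uint32_t limit = protect_floor(l);

    if (addr < l->ram_base || addr >= limit)
        return false;
    /* Compare against the room left; addr + len could wrap past 4 GiB. */
    return len <= limit - addr;
}

int main(void)
{
    printf("protected from 0x%08x upwards\n",
           (unsigned)protect_floor(&sample_layout));
    printf("store at 0x82000000, 8 MiB: %d\n",
           tftp_store_allowed(&sample_layout, 0x82000000u, 0x00800000u));
    printf("store at 0x9ed00000, 2 MiB: %d\n",
           tftp_store_allowed(&sample_layout, 0x9ed00000u, 0x00200000u));
    return 0;
}
```

Because the stack size is not fixed, the reserve is only an assumption: a stack that grows below it ends up in the region this check allows.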
participants (3): Lukasz Majewski, Simon Glass, Stefan Johansson