[PATCH u-boot v2019.04-aspeed-openbmc v4] aspeed: Disable backdoor interfaces

Joel Stanley joel at jms.id.au
Mon May 9 18:38:16 AEST 2022


On Wed, 4 May 2022 at 00:47, Zev Weiss <zev at bewilderbeest.net> wrote:
>
> On ast2400 and ast2500 we now disable the various hardware backdoor
> interfaces as is done on ast2600.  Two Kconfig options can selectively
> re-enable some of these interfaces: CONFIG_ASPEED_ENABLE_SUPERIO
> leaves the ast2x00 built-in Super I/O device enabled, as it is
> required for some systems, and CONFIG_ASPEED_ENABLE_DEBUG_UART leaves
> the hardware debug UART enabled, since it provides a relatively high
> ratio of utility to security risk during development.
>
> This patch is based on a patch by Andrew Jeffery for an older u-boot
> branch in the OpenBMC tree for the df-isolate-bmc distro feature flag.
>
> Signed-off-by: Zev Weiss <zev at bewilderbeest.net>
> Tested-by: Joel Stanley <joel at jms.id.au>
> Reviewed-by: Joel Stanley <joel at jms.id.au>
> ---
>
> Ian, if you want to test out this version note that you'll also need
> to add CONFIG_ASPEED_ALLOW_DANGEROUS_BACKDOORS=y now in addition to
> CONFIG_ASPEED_ENABLE_SUPERIO=y.
>
> Changes since v3 [2]:
>  - added louder warnings to Kconfig help text and an additional "gate"
>    option guarding the two "make my BMC vulnerable" options

Thanks Zev, I've applied this and pushed a bump to the openbmc repository:

 https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/53576

Ian, if you get around to testing then please reply to this thread
with the results.

Thank you Zev for your work on this patch.

Cheers,

Joel

>
> Changes since v2 [1]:
>  - made most of the changes unconditional/unconfigurable, but added
>    Kconfig options to leave Super I/O and debug UART enabled
>
> Changes since v1 [0]:
>  - extended to cover ast2400
>  - inverted sense of Kconfig option, default (n) is now secure mode
>  - renamed some register/bit macros more appropriately
>
> [0] https://lore.kernel.org/openbmc/20220414040448.27100-1-zev@bewilderbeest.net/
> [1] https://lore.kernel.org/openbmc/20220414224004.29703-1-zev@bewilderbeest.net/
> [2] https://lore.kernel.org/openbmc/20220419234202.8895-1-zev@bewilderbeest.net/
>
>  arch/arm/include/asm/arch-aspeed/platform.h   |  7 ++
>  .../arm/include/asm/arch-aspeed/scu_ast2400.h |  7 ++
>  .../arm/include/asm/arch-aspeed/scu_ast2500.h |  8 ++
>  arch/arm/mach-aspeed/Kconfig                  | 39 ++++++++++
>  arch/arm/mach-aspeed/ast2400/board_common.c   | 66 +++++++++++++++++
>  arch/arm/mach-aspeed/ast2500/board_common.c   | 73 +++++++++++++++++++
>  6 files changed, 200 insertions(+)
>
> diff --git a/arch/arm/include/asm/arch-aspeed/platform.h b/arch/arm/include/asm/arch-aspeed/platform.h
> index f016bdaba3e7..f05747642f38 100644
> --- a/arch/arm/include/asm/arch-aspeed/platform.h
> +++ b/arch/arm/include/asm/arch-aspeed/platform.h
> @@ -15,24 +15,31 @@
>  /*********************************************************************************/
>  #if defined(CONFIG_ASPEED_AST2400)
>  #define ASPEED_MAC_COUNT       2
> +#define ASPEED_SDRAM_CTRL      0x1e6e0000
>  #define ASPEED_HW_STRAP1       0x1e6e2070
>  #define ASPEED_REVISION_ID     0x1e6e207C
>  #define ASPEED_SYS_RESET_CTRL  0x1e6e203C
>  #define ASPEED_VGA_HANDSHAKE0  0x1e6e2040      /*      VGA fuction handshake register */
> +#define ASPEED_PCIE_CONFIG_SET 0x1e6e2180
>  #define ASPEED_DRAM_BASE       0x40000000
>  #define ASPEED_SRAM_BASE       0x1E720000
> +#define ASPEED_LPC_CTRL                0x1e789000
>  #define ASPEED_SRAM_SIZE       0x8000
>  #define ASPEED_FMC_CS0_BASE    0x20000000
>  #elif defined(CONFIG_ASPEED_AST2500)
>  #define ASPEED_MAC_COUNT       2
> +#define ASPEED_SDRAM_CTRL      0x1e6e0000
> +#define ASPEED_MISC1_CTRL      0x1e6e202C
>  #define ASPEED_HW_STRAP1       0x1e6e2070
>  #define ASPEED_HW_STRAP2       0x1e6e20D0
>  #define ASPEED_REVISION_ID     0x1e6e207C
>  #define ASPEED_SYS_RESET_CTRL  0x1e6e203C
>  #define ASPEED_VGA_HANDSHAKE0  0x1e6e2040      /*      VGA fuction handshake register */
> +#define ASPEED_PCIE_CONFIG_SET 0x1e6e2180
>  #define ASPEED_MAC_COUNT       2
>  #define ASPEED_DRAM_BASE       0x80000000
>  #define ASPEED_SRAM_BASE       0x1E720000
> +#define ASPEED_LPC_CTRL                0x1e789000
>  #define ASPEED_SRAM_SIZE       0x9000
>  #define ASPEED_FMC_CS0_BASE    0x20000000
>  #elif defined(CONFIG_ASPEED_AST2600)
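Review bot: The new address macros mix two kinds of constant without saying which is which. `ASPEED_SDRAM_CTRL` and `ASPEED_LPC_CTRL` are block bases that board_common.c adds an offset to, while `ASPEED_PCIE_CONFIG_SET` and `ASPEED_MISC1_CTRL` are read and written directly as single registers. A trailing comment on each, for example `/* SDMC register block base */` and `/* single SCU register, no offset */`, would keep a later change from adding an offset to the wrong one in security-critical lockdown code. The `#if` chain continues outside this hunk.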
> diff --git a/arch/arm/include/asm/arch-aspeed/scu_ast2400.h b/arch/arm/include/asm/arch-aspeed/scu_ast2400.h
> index 9c5d96ae84b9..55875fd8312f 100644
> --- a/arch/arm/include/asm/arch-aspeed/scu_ast2400.h
> +++ b/arch/arm/include/asm/arch-aspeed/scu_ast2400.h
> @@ -8,6 +8,7 @@
>  #define SCU_HWSTRAP_VGAMEM_MASK                (3 << SCU_HWSTRAP_VGAMEM_SHIFT)
>  #define SCU_HWSTRAP_MAC1_RGMII         (1 << 6)
>  #define SCU_HWSTRAP_MAC2_RGMII         (1 << 7)
> +#define SCU_HWSTRAP_LPC_SIO_DEC_DIS    (1 << 20)
>  #define SCU_HWSTRAP_DDR4               (1 << 24)
>  #define SCU_HWSTRAP_CLKIN_25MHZ                (1 << 23)
>
> @@ -104,6 +105,12 @@
>  #define SCU_CLKDUTY_RGMII2TXCK_SHIFT   16
>  #define SCU_CLKDUTY_RGMII2TXCK_MASK    (0x7f << SCU_CLKDUTY_RGMII2TXCK_SHIFT)
>
> +#define SCU_PCIE_CONFIG_SET_VGA_MMIO   (1 << 1)
> +#define SCU_PCIE_CONFIG_SET_BMC_EN     (1 << 8)
> +#define SCU_PCIE_CONFIG_SET_BMC_MMIO   (1 << 9)
> +#define SCU_PCIE_CONFIG_SET_BMC_DMA    (1 << 14)
> +
> +
>  struct ast2400_clk_priv {
>         struct ast2400_scu *scu;
>  };
> diff --git a/arch/arm/include/asm/arch-aspeed/scu_ast2500.h b/arch/arm/include/asm/arch-aspeed/scu_ast2500.h
> index 8fe4028e4ff0..06dc998afaa8 100644
> --- a/arch/arm/include/asm/arch-aspeed/scu_ast2500.h
> +++ b/arch/arm/include/asm/arch-aspeed/scu_ast2500.h
> @@ -11,6 +11,7 @@
>  #define SCU_HWSTRAP_VGAMEM_MASK                (3 << SCU_HWSTRAP_VGAMEM_SHIFT)
>  #define SCU_HWSTRAP_MAC1_RGMII         (1 << 6)
>  #define SCU_HWSTRAP_MAC2_RGMII         (1 << 7)
> +#define SCU_HWSTRAP_LPC_SIO_DEC_DIS    (1 << 20)
>  #define SCU_HWSTRAP_DDR4               (1 << 24)
>  #define SCU_HWSTRAP_CLKIN_25MHZ                (1 << 23)
>
> @@ -107,6 +108,13 @@
>  #define SCU_CLKDUTY_RGMII2TXCK_SHIFT   16
>  #define SCU_CLKDUTY_RGMII2TXCK_MASK    (0x7f << SCU_CLKDUTY_RGMII2TXCK_SHIFT)
>
> +#define SCU_PCIE_CONFIG_SET_VGA_MMIO   (1 << 1)
> +#define SCU_PCIE_CONFIG_SET_BMC_EN     (1 << 8)
> +#define SCU_PCIE_CONFIG_SET_BMC_MMIO   (1 << 9)
> +#define SCU_PCIE_CONFIG_SET_BMC_DMA    (1 << 14)
> +
> +#define SCU_MISC_DEBUG_UART_DISABLE    (1 << 10)
> +
>  struct ast2500_clk_priv {
>         struct ast2500_scu *scu;
>  };
> diff --git a/arch/arm/mach-aspeed/Kconfig b/arch/arm/mach-aspeed/Kconfig
> index 579a547df61e..edb5520aec7a 100644
> --- a/arch/arm/mach-aspeed/Kconfig
> +++ b/arch/arm/mach-aspeed/Kconfig
> @@ -45,6 +45,45 @@ config ASPEED_AST2600
>           which is enabled by support of LPC and eSPI peripherals.
>  endchoice
>
> +config ASPEED_ALLOW_DANGEROUS_BACKDOORS
> +       bool "Expose options enabling dangerous Aspeed hardware backdoors"
> +       help
> +         This option exposes configuration settings that create
> +         critical security vulnerabilities by enabling dangerous
> +         hardware backdoors in Aspeed BMCs.  Enable it only if
> +         absolutely required for a specific system or for debugging
> +         during development.
> +
> +if ASPEED_ALLOW_DANGEROUS_BACKDOORS
> +
> +config ASPEED_ENABLE_SUPERIO
> +       bool "Enable built-in AST2x00 Super I/O hardware"
> +       depends on ASPEED_AST2400 || ASPEED_AST2500
> +       help
> +         The Aspeed AST2400 and AST2500 include a built-in Super I/O
> +         device that is normally disabled; say Y here to enable it.
> +
> +         WARNING: this has serious security implications: it grants
> +         the host read access to the BMC's entire address space.
> +         This should thus be left disabled unless required by a
> +         specific system.
> +
> +config ASPEED_ENABLE_DEBUG_UART
> +       bool "Enable AST2500 hardware debug UART"
> +       depends on ASPEED_AST2500
> +       help
> +         The Aspeed AST2500 include a hardware-supported, UART-based
> +         debug interface that is normally disabled; say Y here to
> +         enable it.
> +
> +         Note that this has security implications: the debug UART
> +         provides read/write access to the BMC's entire address
> +         space.  This should thus be left disabled on production
> +         systems, but may be useful to enable for debugging during
> +         development.
> +
> +endif
> +
>  config ASPEED_PALLADIUM
>         bool "Aspeed palladium for simulation"
>         default n
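Review bot: `ASPEED_ALLOW_DANGEROUS_BACKDOORS` has no `depends on`, so the gate is also offered when `ASPEED_AST2600` is selected, even though both options behind it depend on AST2400 or AST2500. Adding `depends on ASPEED_AST2400 || ASPEED_AST2500` to the gate keeps the symbol out of configs where it has no effect, which makes auditing a .config for it more meaningful. Separately, the debug UART help opens with "Note that this has security implications" although it describes read/write access, while the read-only Super I/O case gets a "WARNING". The UART text should be at least as loud, e.g. `WARNING: this has serious security implications: the debug UART`.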
> diff --git a/arch/arm/mach-aspeed/ast2400/board_common.c b/arch/arm/mach-aspeed/ast2400/board_common.c
> index 3829b069342e..7134105232cb 100644
> --- a/arch/arm/mach-aspeed/ast2400/board_common.c
> +++ b/arch/arm/mach-aspeed/ast2400/board_common.c
> @@ -4,14 +4,80 @@
>  #include <ram.h>
>  #include <timer.h>
>  #include <asm/io.h>
> +#include <asm/arch/platform.h>
> +#include <asm/arch/scu_ast2400.h>
>  #include <asm/arch/timer.h>
>  #include <linux/err.h>
>  #include <dm/uclass.h>
>
>  DECLARE_GLOBAL_DATA_PTR;
>
> +#define AST_LPC_HICR5 0x080
> +# define LPC_HICR5_ENFWH BIT(10)
> +#define AST_LPC_HICRB 0x100
> +# define LPC_HICRB_SIO_ILPC2AHB_DIS BIT(6)
> +
> +#define AST_SDMC_PROTECT 0x00
> +# define SDRAM_UNLOCK_KEY 0xfc600309
> +#define AST_SDMC_GFX_PROT 0x08
> +# define SDMC_GFX_PROT_VGA_CURSOR BIT(0)
> +# define SDMC_GFX_PROT_VGA_CG_READ BIT(1)
> +# define SDMC_GFX_PROT_VGA_ASCII_READ BIT(2)
> +# define SDMC_GFX_PROT_VGA_CRT BIT(3)
> +# define SDMC_GFX_PROT_PCIE BIT(16)
> +# define SDMC_GFX_PROT_XDMA BIT(17)
> +
> +static void isolate_bmc(void)
> +{
> +       bool sdmc_unlocked;
> +       u32 val;
> +
> +       /* iLPC2AHB */
> +#if !defined(CONFIG_ASPEED_ENABLE_SUPERIO)
> +       val = readl(ASPEED_HW_STRAP1);
> +       val |= SCU_HWSTRAP_LPC_SIO_DEC_DIS;
> +       writel(val, ASPEED_HW_STRAP1);
> +#endif
> +
> +       val = readl(ASPEED_LPC_CTRL + AST_LPC_HICRB);
> +       val |= LPC_HICRB_SIO_ILPC2AHB_DIS;
> +       writel(val, ASPEED_LPC_CTRL + AST_LPC_HICRB);
> +
> +       /* P2A, PCIe BMC */
> +       val = readl(ASPEED_PCIE_CONFIG_SET);
> +       val &= ~(SCU_PCIE_CONFIG_SET_BMC_DMA
> +                | SCU_PCIE_CONFIG_SET_BMC_MMIO
> +                | SCU_PCIE_CONFIG_SET_BMC_EN
> +                | SCU_PCIE_CONFIG_SET_VGA_MMIO);
> +       writel(val, ASPEED_PCIE_CONFIG_SET);
> +
> +       /* X-DMA */
> +       sdmc_unlocked = readl(ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT);
> +       if (!sdmc_unlocked)
> +               writel(SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT);
> +
> +       val = readl(ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT);
> +       val |= (SDMC_GFX_PROT_VGA_CURSOR
> +               | SDMC_GFX_PROT_VGA_CG_READ
> +               | SDMC_GFX_PROT_VGA_ASCII_READ
> +               | SDMC_GFX_PROT_VGA_CRT
> +               | SDMC_GFX_PROT_PCIE
> +               | SDMC_GFX_PROT_XDMA);
> +       writel(val, ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT);
> +
> +       if (!sdmc_unlocked)
> +               writel(~SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT);
> +
> +       /* LPC2AHB */
> +       val = readl(ASPEED_LPC_CTRL + AST_LPC_HICR5);
> +       val &= ~LPC_HICR5_ENFWH;
> +       writel(val, ASPEED_LPC_CTRL + AST_LPC_HICR5);
> +}
> +
>  __weak int board_init(void)
>  {
> +       isolate_bmc();
> +
>         gd->bd->bi_boot_params = CONFIG_SYS_SDRAM_BASE + 0x100;
>
>         return 0;
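Review bot: The lockdown is reachable only through the `__weak` board_init(), and isolate_bmc() is `static`, so a board file that supplies its own board_init() would replace this one and skip the isolation entirely, with no way to call the helper. The ast2500 hunk has the same arrangement. Either call isolate_bmc() from a path boards cannot override, or drop `static`, declare it in an arch header, and add above board_init() a comment such as `/* Overrides of board_init() must call isolate_bmc() or the host-facing backdoors stay enabled. */`. Whether any in-tree board overrides board_init() is not visible from this patch, and board_init() continues past the end of this hunk.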
> diff --git a/arch/arm/mach-aspeed/ast2500/board_common.c b/arch/arm/mach-aspeed/ast2500/board_common.c
> index ce541e88fb8e..c63fe466eb4b 100644
> --- a/arch/arm/mach-aspeed/ast2500/board_common.c
> +++ b/arch/arm/mach-aspeed/ast2500/board_common.c
> @@ -7,18 +7,91 @@
>  #include <ram.h>
>  #include <timer.h>
>  #include <asm/io.h>
> +#include <asm/arch/platform.h>
> +#include <asm/arch/scu_ast2500.h>
> +#include <asm/arch/sdram_ast2500.h>
>  #include <asm/arch/timer.h>
>  #include <linux/err.h>
>  #include <dm/uclass.h>
>
>  DECLARE_GLOBAL_DATA_PTR;
>
> +#define AST_LPC_HICR5 0x080
> +# define LPC_HICR5_ENFWH BIT(10)
> +#define AST_LPC_HICRB 0x100
> +# define LPC_HICRB_SIO_ILPC2AHB_DIS BIT(6)
> +
> +# define AST_SDMC_PROTECT 0x00
> +# define AST_SDMC_GFX_PROT 0x08
> +#  define SDMC_GFX_PROT_VGA_CURSOR BIT(0)
> +#  define SDMC_GFX_PROT_VGA_CG_READ BIT(1)
> +#  define SDMC_GFX_PROT_VGA_ASCII_READ BIT(2)
> +#  define SDMC_GFX_PROT_VGA_CRT BIT(3)
> +#  define SDMC_GFX_PROT_PCIE BIT(16)
> +#  define SDMC_GFX_PROT_XDMA BIT(17)
> +
> +static void isolate_bmc(void)
> +{
> +       bool sdmc_unlocked;
> +       u32 val;
> +
> +       /* iLPC2AHB */
> +#if !defined(CONFIG_ASPEED_ENABLE_SUPERIO)
> +       val = readl(ASPEED_HW_STRAP1);
> +       val |= SCU_HWSTRAP_LPC_SIO_DEC_DIS;
> +       writel(val, ASPEED_HW_STRAP1);
> +#endif
> +
> +       val = readl(ASPEED_LPC_CTRL + AST_LPC_HICRB);
> +       val |= LPC_HICRB_SIO_ILPC2AHB_DIS;
> +       writel(val, ASPEED_LPC_CTRL + AST_LPC_HICRB);
> +
> +       /* P2A, PCIe BMC */
> +       val = readl(ASPEED_PCIE_CONFIG_SET);
> +       val &= ~(SCU_PCIE_CONFIG_SET_BMC_DMA
> +                | SCU_PCIE_CONFIG_SET_BMC_MMIO
> +                | SCU_PCIE_CONFIG_SET_BMC_EN
> +                | SCU_PCIE_CONFIG_SET_VGA_MMIO);
> +       writel(val, ASPEED_PCIE_CONFIG_SET);
> +
> +       /* Debug UART */
> +#if !defined(CONFIG_ASPEED_ENABLE_DEBUG_UART)
> +       val = readl(ASPEED_MISC1_CTRL);
> +       val |= SCU_MISC_DEBUG_UART_DISABLE;
> +       writel(val, ASPEED_MISC1_CTRL);
> +#endif
> +
> +       /* X-DMA */
> +       sdmc_unlocked = readl(ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT);
> +       if (!sdmc_unlocked)
> +               writel(SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT);
> +
> +       val = readl(ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT);
> +       val |= (SDMC_GFX_PROT_VGA_CURSOR
> +               | SDMC_GFX_PROT_VGA_CG_READ
> +               | SDMC_GFX_PROT_VGA_ASCII_READ
> +               | SDMC_GFX_PROT_VGA_CRT
> +               | SDMC_GFX_PROT_PCIE
> +               | SDMC_GFX_PROT_XDMA);
> +       writel(val, ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT);
> +
> +       if (!sdmc_unlocked)
> +               writel(~SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT);
> +
> +       /* LPC2AHB */
> +       val = readl(ASPEED_LPC_CTRL + AST_LPC_HICR5);
> +       val &= ~LPC_HICR5_ENFWH;
> +       writel(val, ASPEED_LPC_CTRL + AST_LPC_HICR5);
> +}
> +
>  __weak int board_init(void)
>  {
>         struct udevice *dev;
>         int i;
>         int ret;
>
> +       isolate_bmc();
> +
>         gd->bd->bi_boot_params = CONFIG_SYS_SDRAM_BASE + 0x100;
>
>         /*
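Review bot: isolate_bmc() never checks that its writes took effect and returns void, so a lockdown that silently fails looks the same as one that worked; the ast2400 copy is identical in this respect. The X-DMA step is the most exposed: if the `SDRAM_UNLOCK_KEY` write does not unlock the controller, the following write to `AST_SDMC_GFX_PROT` is presumably dropped. Reading the register back and warning would make this visible on the console, e.g. `if ((readl(ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT) & prot) != prot) printf("WARNING: SDMC graphics protection not applied\n");` with `prot` holding the OR of the six bits. A boot-time message when `CONFIG_ASPEED_ENABLE_SUPERIO` or `CONFIG_ASPEED_ENABLE_DEBUG_UART` is set would likewise let operators spot images built with a backdoor left open. board_init() continues past the end of this hunk.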
> --
> 2.36.0
>

