Re: [PATCH 1/1] soc: keembay: Add Keem Bay IMR driver

[Pavel Machek <pavel@denx.de>]

[-- Attachment #1: Type: text/plain, Size: 1587 bytes --]

Hi!

> > Agreed, this sounds like an incompatible extension of the boot
> > protocol
> > that we should otherwise not merge.
> > 
> > However, there is also a lot of missing information here, and it is
> > always
> > possible they are trying to something for a good reason. As long as
> > the
> > problem that the bootloader is trying to solve is explained well
> > enough
> > in the changelog, we can discuss it to see how it should be done
> > properly.
> 
> 
> Apologies, I should have provided more information. Here it is :)
> 
> Basically, at boot time U-Boot code and core memory (.text, .data,
> .bss, etc.) is protected by this Isolated Memory Region (IMR) which
> prevents any device or processing units other than the ARM CPU to
> access/modify the memory.
> 
> This is done for security reasons, to reduce the risks that a potential
> attacker can use "hijacked" HW devices to interfere with the boot
> process (and break the secure boot flow in place).

Dunno. You disable that after boot anyway. Whether it is disabled just
before starting kernel or just after it makes very little difference.

Plus, I'm not sure if this has much security value at all. If I can
corrupt data u-boot works _with_ (such as kernel, dtb), I'll take over
the system anyway.

IOW I believe the best/simplest way is to simply disable this in
u-boot before jumping to kernel entrypoint.

Best regards,
									Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]