* Socflash says the bmc is write protected.
@ 2019-08-19 12:50 Zheng Bao
  2019-08-19 14:21 ` Oskar Senft
  2019-08-19 14:25 ` James Mihm
  0 siblings, 2 replies; 9+ messages in thread
From: Zheng Bao @ 2019-08-19 12:50 UTC
  To: openbmc

Hi, All,
I use socflash to update the BMC firmware. The original BMC firmware can be updated, but openbmc can not be.
Socflash says the BMC is protected. Does anybody know why?

Thanks.
Joe


* Re: Socflash says the bmc is write protected.
  2019-08-19 12:50 Socflash says the bmc is write protected Zheng Bao
@ 2019-08-19 14:21 ` Oskar Senft
  2019-08-19 14:25 ` James Mihm
  1 sibling, 0 replies; 9+ messages in thread
From: Oskar Senft @ 2019-08-19 14:21 UTC
  To: Zheng Bao; +Cc: openbmc

Hi Joe

I assume this is happening due to the fixes for
https://github.com/openbmc/openbmc/issues/3475 (CVE-2019-6260), which
effectively disable all communication from the host to the BMC by default.

I'm not sure which interface socflash uses exactly, though, so I cannot
recommend on what you'd have to re-enable to make it work again. Having
said that, all of the interfaces mentioned in the CVE should really be
disabled for security reasons.

Oskar.

On Mon, Aug 19, 2019 at 8:51 AM Zheng Bao <fishbaoz@hotmail.com> wrote:

> Hi, All,
> I use socflash to update the BMC firmware. The original BMC firmware can
> be updated, but openbmc can not be.
> Socflash says the BMC is protected. Does anybody know why?
>
> Thanks.
> Joe
>


* Re: Socflash says the bmc is write protected.
  2019-08-19 12:50 Socflash says the bmc is write protected Zheng Bao
  2019-08-19 14:21 ` Oskar Senft
@ 2019-08-19 14:25 ` James Mihm
  2019-08-19 20:39   ` Neeraj Ladkani
  1 sibling, 1 reply; 9+ messages in thread
From: James Mihm @ 2019-08-19 14:25 UTC
  To: Zheng Bao; +Cc: openbmc

The P2A Bridge that is used by the socflash utility has been disabled; see
https://nvd.nist.gov/vuln/detail/CVE-2019-6260 for details.

On Mon, Aug 19, 2019 at 5:51 AM Zheng Bao <fishbaoz@hotmail.com> wrote:

> Hi, All,
> I use socflash to update the BMC firmware. The original BMC firmware can
> be updated, but openbmc can not be.
> Socflash says the BMC is protected. Does anybody know why?
>
> Thanks.
> Joe
>


* RE: Socflash says the bmc is write protected.
  2019-08-19 14:25 ` James Mihm
@ 2019-08-19 20:39   ` Neeraj Ladkani
  2019-08-26  8:44     ` Christian Svensson
  0 siblings, 1 reply; 9+ messages in thread
From: Neeraj Ladkani @ 2019-08-19 20:39 UTC
  To: James Mihm, Zheng Bao; +Cc: openbmc

Can anyone confirm if these locks persist during BMC reset?

Neeraj


From: openbmc <openbmc-bounces+neladk=microsoft.com@lists.ozlabs.org> On Behalf Of James Mihm
Sent: Monday, August 19, 2019 7:26 AM
To: Zheng Bao <fishbaoz@hotmail.com>
Cc: openbmc@lists.ozlabs.org
Subject: Re: Socflash says the bmc is write protected.

The P2A Bridge that is used by the socflash utility has been disabled; see https://nvd.nist.gov/vuln/detail/CVE-2019-6260 for details.

On Mon, Aug 19, 2019 at 5:51 AM Zheng Bao <fishbaoz@hotmail.com> wrote:
Hi, All,
I use socflash to update the BMC firmware. The original BMC firmware can be updated, but openbmc can not be.
Socflash says the BMC is protected. Does anybody know why?

Thanks.
Joe


* Re: Socflash says the bmc is write protected.
  2019-08-19 20:39   ` Neeraj Ladkani
@ 2019-08-26  8:44     ` Christian Svensson
  2019-08-26 14:38       ` Khetan, Sharad
  0 siblings, 1 reply; 9+ messages in thread
From: Christian Svensson @ 2019-08-26  8:44 UTC
  To: Neeraj Ladkani; +Cc: James Mihm, Zheng Bao, openbmc

Which type of reset are you referring to?

- Chris


On Mon, Aug 19, 2019 at 10:40 PM Neeraj Ladkani <neladk@microsoft.com>
wrote:

> Can anyone confirm if these locks persist during BMC reset?
>
> Neeraj
>
> *From:* openbmc <openbmc-bounces+neladk=microsoft.com@lists.ozlabs.org> *On
> Behalf Of *James Mihm
> *Sent:* Monday, August 19, 2019 7:26 AM
> *To:* Zheng Bao <fishbaoz@hotmail.com>
> *Cc:* openbmc@lists.ozlabs.org
> *Subject:* Re: Socflash says the bmc is write protected.
>
>
>
> The P2A Bridge that is used by the socflash utility has been disabled;
> see https://nvd.nist.gov/vuln/detail/CVE-2019-6260 for
> details.
>
>
>
> On Mon, Aug 19, 2019 at 5:51 AM Zheng Bao <fishbaoz@hotmail.com> wrote:
>
> Hi, All,
>
> I use socflash to update the BMC firmware. The original BMC firmware can
> be updated, but openbmc can not be.
>
> Socflash says the BMC is protected. Does anybody know why?
>
>
>
> Thanks.
>
> Joe
>
>


* RE: Socflash says the bmc is write protected.
  2019-08-26  8:44     ` Christian Svensson
@ 2019-08-26 14:38       ` Khetan, Sharad
  2019-08-26 17:49         ` Neeraj Ladkani
  0 siblings, 1 reply; 9+ messages in thread
From: Khetan, Sharad @ 2019-08-26 14:38 UTC
  To: Christian Svensson, Neeraj Ladkani; +Cc: James Mihm, openbmc, Zheng Bao

Yes the locks will persist across any Resets (BMC or Host), to mitigate the vulnerability.

Thanks
-Sharad

From: openbmc <openbmc-bounces+sharad.khetan=intel.com@lists.ozlabs.org> On Behalf Of Christian Svensson
Sent: Monday, August 26, 2019 1:44 AM
To: Neeraj Ladkani <neladk@microsoft.com>
Cc: James Mihm <james.mihm@gmail.com>; openbmc@lists.ozlabs.org; Zheng Bao <fishbaoz@hotmail.com>
Subject: Re: Socflash says the bmc is write protected.

Which type of reset are you referring to?

- Chris


On Mon, Aug 19, 2019 at 10:40 PM Neeraj Ladkani <neladk@microsoft.com> wrote:
Can anyone confirm if these locks persist during BMC reset?

Neeraj


From: openbmc <openbmc-bounces+neladk=microsoft.com@lists.ozlabs.org> On Behalf Of James Mihm
Sent: Monday, August 19, 2019 7:26 AM
To: Zheng Bao <fishbaoz@hotmail.com>
Cc: openbmc@lists.ozlabs.org
Subject: Re: Socflash says the bmc is write protected.

The P2A Bridge that is used by the socflash utility has been disabled; see https://nvd.nist.gov/vuln/detail/CVE-2019-6260 for details.

On Mon, Aug 19, 2019 at 5:51 AM Zheng Bao <fishbaoz@hotmail.com> wrote:
Hi, All,
I use socflash to update the BMC firmware. The original BMC firmware can be updated, but openbmc can not be.
Socflash says the BMC is protected. Does anybody know why?

Thanks.
Joe


* RE: Socflash says the bmc is write protected.
  2019-08-26 14:38       ` Khetan, Sharad
@ 2019-08-26 17:49         ` Neeraj Ladkani
  2019-08-26 18:44           ` James Mihm
  0 siblings, 1 reply; 9+ messages in thread
From: Neeraj Ladkani @ 2019-08-26 17:49 UTC
  To: Khetan, Sharad, Christian Svensson; +Cc: James Mihm, openbmc, Zheng Bao

I tried to dig more and confirmed that ASPEED does not persist locks during SRST.


  1.  Existing FW solution is not viable.  Is it possible for host to hide/disable IO ports that are used by SocFlash?
  2.  Are there any HW design considerations to prevent this exploit?

Neeraj

From: Khetan, Sharad <sharad.khetan@intel.com>
Sent: Monday, August 26, 2019 7:38 AM
To: Christian Svensson <bluecmd@google.com>; Neeraj Ladkani <neladk@microsoft.com>
Cc: James Mihm <james.mihm@gmail.com>; openbmc@lists.ozlabs.org; Zheng Bao <fishbaoz@hotmail.com>
Subject: RE: Socflash says the bmc is write protected.

Yes the locks will persist across any Resets (BMC or Host), to mitigate the vulnerability.

Thanks
-Sharad

From: openbmc <openbmc-bounces+sharad.khetan=intel.com@lists.ozlabs.org> On Behalf Of Christian Svensson
Sent: Monday, August 26, 2019 1:44 AM
To: Neeraj Ladkani <neladk@microsoft.com>
Cc: James Mihm <james.mihm@gmail.com>; openbmc@lists.ozlabs.org; Zheng Bao <fishbaoz@hotmail.com>
Subject: Re: Socflash says the bmc is write protected.

Which type of reset are you referring to?

- Chris


On Mon, Aug 19, 2019 at 10:40 PM Neeraj Ladkani <neladk@microsoft.com> wrote:
Can anyone confirm if these locks persist during BMC reset?

Neeraj


From: openbmc <openbmc-bounces+neladk=microsoft.com@lists.ozlabs.org> On Behalf Of James Mihm
Sent: Monday, August 19, 2019 7:26 AM
To: Zheng Bao <fishbaoz@hotmail.com>
Cc: openbmc@lists.ozlabs.org
Subject: Re: Socflash says the bmc is write protected.

The P2A Bridge that is used by the socflash utility has been disabled; see https://nvd.nist.gov/vuln/detail/CVE-2019-6260 for details.

On Mon, Aug 19, 2019 at 5:51 AM Zheng Bao <fishbaoz@hotmail.com> wrote:
Hi, All,
I use socflash to update the BMC firmware. The original BMC firmware can be updated, but openbmc can not be.
Socflash says the BMC is protected. Does anybody know why?

Thanks.
Joe


* Re: Socflash says the bmc is write protected.
  2019-08-26 17:49         ` Neeraj Ladkani
@ 2019-08-26 18:44           ` James Mihm
  2019-08-27  0:20             ` Andrew Jeffery
  0 siblings, 1 reply; 9+ messages in thread
From: James Mihm @ 2019-08-26 18:44 UTC
  To: Neeraj Ladkani; +Cc: Khetan, Sharad, Christian Svensson, openbmc, Zheng Bao

The best that can be done with the AST2500 is to disable the bridges very
early in the reset handler and in a ROM'd bootloader. This has been
mitigated in the AST2600 with an option to permanently disable the bridges.

On Mon, Aug 26, 2019 at 10:49 AM Neeraj Ladkani <neladk@microsoft.com>
wrote:

> I tried to dig more and confirmed that ASPEED does not persist locks
> during SRST.
>
>
>
>    1. Existing FW solution is not viable.  Is it possible for host to
>    hide/disable IO ports that are used by SocFlash?
>    2. Are there any HW design considerations to prevent this exploit?
>
>
>
> Neeraj
>
>
>
> *From:* Khetan, Sharad <sharad.khetan@intel.com>
> *Sent:* Monday, August 26, 2019 7:38 AM
> *To:* Christian Svensson <bluecmd@google.com>; Neeraj Ladkani <
> neladk@microsoft.com>
> *Cc:* James Mihm <james.mihm@gmail.com>; openbmc@lists.ozlabs.org; Zheng
> Bao <fishbaoz@hotmail.com>
> *Subject:* RE: Socflash says the bmc is write protected.
>
>
>
> Yes the locks will persist across any Resets (BMC or Host), to mitigate
> the vulnerability.
>
>
>
> Thanks
>
> -Sharad
>
>
>
> *From:* openbmc <openbmc-bounces+sharad.khetan=intel.com@lists.ozlabs.org>
> *On Behalf Of *Christian Svensson
> *Sent:* Monday, August 26, 2019 1:44 AM
> *To:* Neeraj Ladkani <neladk@microsoft.com>
> *Cc:* James Mihm <james.mihm@gmail.com>; openbmc@lists.ozlabs.org; Zheng
> Bao <fishbaoz@hotmail.com>
> *Subject:* Re: Socflash says the bmc is write protected.
>
>
>
> Which type of reset are you referring to?
>
>
>
> - Chris
>
>
>
>
>
> On Mon, Aug 19, 2019 at 10:40 PM Neeraj Ladkani <neladk@microsoft.com>
> wrote:
>
> Can anyone confirm if these locks persist during BMC reset?
>
>
>
> Neeraj
>
>
>
>
>
> *From:* openbmc <openbmc-bounces+neladk=microsoft.com@lists.ozlabs.org> *On
> Behalf Of *James Mihm
> *Sent:* Monday, August 19, 2019 7:26 AM
> *To:* Zheng Bao <fishbaoz@hotmail.com>
> *Cc:* openbmc@lists.ozlabs.org
> *Subject:* Re: Socflash says the bmc is write protected.
>
>
>
> The P2A Bridge that is used by the socflash utility has been disabled;
> see https://nvd.nist.gov/vuln/detail/CVE-2019-6260 for
> details.
>
>
>
> On Mon, Aug 19, 2019 at 5:51 AM Zheng Bao <fishbaoz@hotmail.com> wrote:
>
> Hi, All,
>
> I use socflash to update the BMC firmware. The original BMC firmware can
> be updated, but openbmc can not be.
>
> Socflash says the BMC is protected. Does anybody know why?
>
>
>
> Thanks.
>
> Joe
>
>


* Re: Socflash says the bmc is write protected.
  2019-08-26 18:44           ` James Mihm
@ 2019-08-27  0:20             ` Andrew Jeffery
  0 siblings, 0 replies; 9+ messages in thread
From: Andrew Jeffery @ 2019-08-27  0:20 UTC
  To: James Mihm, Neeraj Ladkani
  Cc: Sharad Khetan, openbmc, Christian Svensson, Zheng Bao



On Tue, 27 Aug 2019, at 04:16, James Mihm wrote:
> The best that can be done with the AST2500 is to disable the bridges 
> very early in the reset handler and in a ROM'd bootloader. This has 
> been mitigated in the AST2600 with an option to permanently disable the 
> bridges.

For the 2500 you can also do it before the first instruction is executed on
the ARM core by taking advantage of the firmware strapping function. This
is about as small a window as you're going to get though.

OpenBMC's approach of doing it early in u-boot is the pragmatic approach
as you can read/modify/write the registers, which isn't possible via the
firmware strapping method.

Andrew
