From: Petr Vorel <email@example.com>
To: Konrad Dybcio <firstname.lastname@example.org>
Cc: Bjorn Andersson <email@example.com>,
Linus Walleij <firstname.lastname@example.org>,
Andy Gross <email@example.com>, Rob Herring <firstname.lastname@example.org>,
Ricardo Ribalda <email@example.com>,
"open list:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS"
Subject: Re: [PATCH 1/1] arm64: dts: qcom: msm8994: Reserve gpio ranges
Date: Sat, 10 Apr 2021 19:20:05 +0200 [thread overview]
Message-ID: <YHHeRfAWrrusE/gB@pevik> (raw)
> > Konrad, is there any public docs about GPIOs on this secure peripherals?
> > It it somehow related to Chain of Trust? . I guess it's not, because once we
> > boot Linux all bootloader stuff is over.
> No, Qualcomm pretty much does security through obscurity. It's *probably* not even that very secure considering how big in size their TZ+HYP stack is - number of bugs rises exponentially with code size. But not many people tried breaking into it considering the complexity and QCOM's legal team size.
> There is no public documentation on that, and even if there were - you are not allowed to flash the "secure" partitions on *your device that you unlocked the bootloader of by choice* (which is absurd).
> Also, while "all bootloader stuff is over", the platform is still under control of the proprietary hypervisor and the "Trust Zone". For example if you try to write to some IOMMU registers on certain platforms, the hypervisor will treat that as a security violation and shut down the entire device.
> This is essentially the same as your issue. You're trying to poke a thing that Qualcomm *really* doesn't want you to (the fingerprint SPI pins) and since *they* are in control, they say "nonono" and your device dies. All you can do is comply with that (or find a way to replace the blobs or politely ask Google to release a set of unsecure binaries for your Nexus - which they won't do).
Again, thanks a lot for info. I looked into downstream sources to see that
really pins 85-88 (which I've sent a patch to add into gpio-reserved-ranges) are
used for fingerprint. I also wonder if downstream commit d45c35c7b586 ("angler:
fingerprint: remove all the code about spi")  confirms that also downstream
kernel would reset or it's a security (it would not reset, thus they removed
the access). It's probably aosp issue tracker , but "Access denied" for me.
I also did some testing and this is maximum range which can be disabled:
gpio-reserved-ranges = <0 4>, <6 139> and it does not help to solve second
reset (in loop_init() or later when starting initramfs).
Removing access to GPIO 4 or 5 causes reset right immediately (no message from
I still don't understand what changed in a99163e9e708 ("Merge tag
'devicetree-for-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux")
I checked both 882d6edfc45c cb8be8b4b27f, which it merges and they're ok.
next prev parent reply other threads:[~2021-04-10 17:20 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-05 20:02 [PATCH 1/1] arm64: dts: qcom: msm8994: Reserve gpio ranges Petr Vorel
2021-04-05 20:09 ` Ricardo Ribalda Delgado
2021-04-05 20:15 ` Petr Vorel
2021-04-05 22:52 ` Bjorn Andersson
2021-04-06 4:38 ` Petr Vorel
2021-04-08 7:17 ` Linus Walleij
2021-04-08 19:02 ` Petr Vorel
2021-04-08 20:05 ` Konrad Dybcio
2021-04-08 21:40 ` Linus Walleij
2021-04-09 3:19 ` Petr Vorel
2021-04-09 3:37 ` Bjorn Andersson
2021-04-10 5:52 ` Petr Vorel
2021-04-10 9:16 ` Konrad Dybcio
2021-04-10 17:20 ` Petr Vorel [this message]
2021-04-12 17:48 ` Petr Vorel
2021-04-08 21:35 ` Linus Walleij
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).