openbmc.lists.ozlabs.org archive mirror
From: "Andrew Jeffery" <andrew@aj.id.au>
To: "Ryan Chen" <ryan_chen@aspeedtech.com>,
	"Zev Weiss" <zev@bewilderbeest.net>,
	"Joel Stanley" <joel@jms.id.au>,
	"openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>
Cc: Lei Yu <yulei.sh@bytedance.com>,
	Ian Woloschin <ian.woloschin@akamai.com>
Subject: Re: [PATCH u-boot v2019.04-aspeed-openbmc v3] aspeed: Disable backdoor interfaces
Date: Wed, 20 Apr 2022 13:04:36 +0930
Message-ID: <2df6747e-068d-4488-be65-4b76715ed5f4@www.fastmail.com>
In-Reply-To: <HK0PR06MB3380C8FDEE1588E4BAE945B3F2F59@HK0PR06MB3380.apcprd06.prod.outlook.com>



On Wed, 20 Apr 2022, at 12:36, Ryan Chen wrote:
>> -----Original Message-----
>> From: Zev Weiss <zev@bewilderbeest.net>
>> Sent: Wednesday, April 20, 2022 7:42 AM
>> To: Joel Stanley <joel@jms.id.au>; openbmc@lists.ozlabs.org
>> Cc: Zev Weiss <zev@bewilderbeest.net>; Andrew Jeffery <andrew@aj.id.au>;
>> Ryan Chen <ryan_chen@aspeedtech.com>; Ian Woloschin
>> <ian.woloschin@akamai.com>; Lei Yu <yulei.sh@bytedance.com>
>> Subject: [PATCH u-boot v2019.04-aspeed-openbmc v3] aspeed: Disable
>> backdoor interfaces
>> 
>> On ast2400 and ast2500 we now disable the various hardware backdoor
>> interfaces as is done on ast2600.  Two Kconfig options can selectively
>> re-enable some of these interfaces: CONFIG_ASPEED_ENABLE_SUPERIO leaves
>> the ast2x00 built-in Super I/O device enabled, as it is required for some
>> systems, and CONFIG_ASPEED_ENABLE_DEBUG_UART leaves the hardware
>> debug UART enabled, since it provides a relatively high ratio of utility to
>> security risk during development.
>> 
>> This patch is based on a patch by Andrew Jeffery for an older u-boot branch in
>> the OpenBMC tree for the df-isolate-bmc distro feature flag.
>> 
>> Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
>> ---
>> 
>> Tested on ast2500 and (hostless, BMC-only) ast2400.
>> 
>> Ryan, are you OK with having an option (off by default) to leave the debug
>> UART enabled as in this version of the patch?
>> 
> Thanks for your submission.
> Again, my opinion is still to keep the direct patch to disable it,
> and not have a config to enable it.
>

Ideally yes, but as Ian mentioned he has at least one system where the 
SuperIO AHB bridge must be enabled to allow their BIOS to configure the 
UARTs. So we need an option to cater to that.

I don't want people to have to patch the code to allow use of the
backdoors; that will just lead to other problems (e.g. reverting this
patch is the simplest thing, and opens up all the backdoors instead of
a targeted one).

Andrew
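
A build-time check for the two Kconfig options named in the commit message, as an added example that is not part of the patch or of any message in this thread. It assumes both options are plain bool symbols written to `.config` in the standard Kconfig form; the function names and the sample config are constructed for illustration.

```python
import re

# Symbols and interface names as given in the commit message.
BACKDOOR_OPTIONS = {
    "CONFIG_ASPEED_ENABLE_SUPERIO": "built-in Super I/O device",
    "CONFIG_ASPEED_ENABLE_DEBUG_UART": "hardware debug UART",
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def audit_config(text):
    """Map each option to 'enabled', 'disabled' or 'absent'."""
    state = {sym: "absent" for sym in BACKDOOR_OPTIONS}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m and m.group(1) in state:
            state[m.group(1)] = "enabled" if m.group(2) == "y" else "disabled"
            continue
        m = _UNSET.match(line)
        if m and m.group(1) in state:
            state[m.group(1)] = "disabled"
    return state

def findings(text, allowed=()):
    """List (symbol, reason) pairs a release gate should stop on.

    'allowed' holds options a platform deliberately keeps on, such as a
    board whose BIOS needs the Super I/O device to configure the UARTs.
    """
    out = []
    for sym, state in audit_config(text).items():
        if state == "enabled" and sym not in allowed:
            out.append((sym, "leaves the %s enabled" % BACKDOOR_OPTIONS[sym]))
        elif state == "absent":
            # Assumption: a missing symbol means the tree may lack the
            # patch (or was reverted), so nothing can be concluded.
            out.append((sym, "symbol not in .config; disable state unverified"))
    return out

# Constructed sample: a development build that keeps the debug UART on.
SAMPLE_CONFIG = """\
CONFIG_ARCH_ASPEED=y
# CONFIG_ASPEED_ENABLE_SUPERIO is not set
CONFIG_ASPEED_ENABLE_DEBUG_UART=y
"""
```

Treating an absent symbol as a finding rather than as "disabled" covers the case raised above, where reverting the patch removes the options and reopens every interface at once.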
