Message ID | 20220504004739.15829-1-zev@bewilderbeest.net |
---|---|
State | New |
Headers | show |
Series | [u-boot,v2019.04-aspeed-openbmc,v4] aspeed: Disable backdoor interfaces | expand |
On Wed, 4 May 2022 at 00:47, Zev Weiss <zev@bewilderbeest.net> wrote: > > On ast2400 and ast2500 we now disable the various hardware backdoor > interfaces as is done on ast2600. Two Kconfig options can selectively > re-enable some of these interfaces: CONFIG_ASPEED_ENABLE_SUPERIO > leaves the ast2x00 built-in Super I/O device enabled, as it is > required for some systems, and CONFIG_ASPEED_ENABLE_DEBUG_UART leaves > the hardware debug UART enabled, since it provides a relatively high > ratio of utility to security risk during development. > > This patch is based on a patch by Andrew Jeffery for an older u-boot > branch in the OpenBMC tree for the df-isolate-bmc distro feature flag. > > Signed-off-by: Zev Weiss <zev@bewilderbeest.net> > Tested-by: Joel Stanley <joel@jms.id.au> > Reviewed-by: Joel Stanley <joel@jms.id.au> > --- > > Ian, if you want to test out this version note that you'll also need > to add CONFIG_ASPEED_ALLOW_DANGEROUS_BACKDOORS=y now in addition to > CONFIG_ASPEED_ENABLE_SUPERIO=y. > > Changes since v3 [2]: > - added louder warnings to Kconfig help text and an additional "gate" > option guarding the two "make my BMC vulnerable" options Thanks Zev, I've applied this and pushed a bump to the openbmc repository: https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/53576 Ian, if you get around to testing then please reply to this thread with the results. Thank you Zev for your work on this patch. Cheers, Joel > > Changes since v2 [1]: > - made most of the changes unconditional/unconfigurable, but added > Kconfig options to leave Super I/O and debug UART enabled > > Changes since v1 [0]: > - extended to cover ast2400 > - inverted sense of Kconfig option, default (n) is now secure mode > - renamed some register/bit macros more appropriately > > [0] https://lore.kernel.org/openbmc/20220414040448.27100-1-zev@bewilderbeest.net/ > [1] https://lore.kernel.org/openbmc/20220414224004.29703-1-zev@bewilderbeest.net/ > [2] https://lore.kernel.org/openbmc/20220419234202.8895-1-zev@bewilderbeest.net/ > > arch/arm/include/asm/arch-aspeed/platform.h | 7 ++ > .../arm/include/asm/arch-aspeed/scu_ast2400.h | 7 ++ > .../arm/include/asm/arch-aspeed/scu_ast2500.h | 8 ++ > arch/arm/mach-aspeed/Kconfig | 39 ++++++++++ > arch/arm/mach-aspeed/ast2400/board_common.c | 66 +++++++++++++++++ > arch/arm/mach-aspeed/ast2500/board_common.c | 73 +++++++++++++++++++ > 6 files changed, 200 insertions(+) > > diff --git a/arch/arm/include/asm/arch-aspeed/platform.h b/arch/arm/include/asm/arch-aspeed/platform.h > index f016bdaba3e7..f05747642f38 100644 > --- a/arch/arm/include/asm/arch-aspeed/platform.h > +++ b/arch/arm/include/asm/arch-aspeed/platform.h > @@ -15,24 +15,31 @@ > /*********************************************************************************/ > #if defined(CONFIG_ASPEED_AST2400) > #define ASPEED_MAC_COUNT 2 > +#define ASPEED_SDRAM_CTRL 0x1e6e0000 > #define ASPEED_HW_STRAP1 0x1e6e2070 > #define ASPEED_REVISION_ID 0x1e6e207C > #define ASPEED_SYS_RESET_CTRL 0x1e6e203C > #define ASPEED_VGA_HANDSHAKE0 0x1e6e2040 /* VGA fuction handshake register */ > +#define ASPEED_PCIE_CONFIG_SET 0x1e6e2180 > #define ASPEED_DRAM_BASE 0x40000000 > #define ASPEED_SRAM_BASE 0x1E720000 > +#define ASPEED_LPC_CTRL 0x1e789000 > #define ASPEED_SRAM_SIZE 0x8000 > #define ASPEED_FMC_CS0_BASE 0x20000000 > #elif defined(CONFIG_ASPEED_AST2500) > #define ASPEED_MAC_COUNT 2 > +#define ASPEED_SDRAM_CTRL 0x1e6e0000 > +#define ASPEED_MISC1_CTRL 0x1e6e202C > #define ASPEED_HW_STRAP1 0x1e6e2070 > #define ASPEED_HW_STRAP2 0x1e6e20D0 > #define ASPEED_REVISION_ID 0x1e6e207C > #define ASPEED_SYS_RESET_CTRL 0x1e6e203C > #define ASPEED_VGA_HANDSHAKE0 0x1e6e2040 /* VGA fuction handshake register */ > +#define ASPEED_PCIE_CONFIG_SET 0x1e6e2180 > #define ASPEED_MAC_COUNT 2 > #define ASPEED_DRAM_BASE 0x80000000 > #define ASPEED_SRAM_BASE 0x1E720000 > +#define ASPEED_LPC_CTRL 0x1e789000 > #define ASPEED_SRAM_SIZE 0x9000 > #define ASPEED_FMC_CS0_BASE 0x20000000 > #elif defined(CONFIG_ASPEED_AST2600) > diff --git a/arch/arm/include/asm/arch-aspeed/scu_ast2400.h b/arch/arm/include/asm/arch-aspeed/scu_ast2400.h > index 9c5d96ae84b9..55875fd8312f 100644 > --- a/arch/arm/include/asm/arch-aspeed/scu_ast2400.h > +++ b/arch/arm/include/asm/arch-aspeed/scu_ast2400.h > @@ -8,6 +8,7 @@ > #define SCU_HWSTRAP_VGAMEM_MASK (3 << SCU_HWSTRAP_VGAMEM_SHIFT) > #define SCU_HWSTRAP_MAC1_RGMII (1 << 6) > #define SCU_HWSTRAP_MAC2_RGMII (1 << 7) > +#define SCU_HWSTRAP_LPC_SIO_DEC_DIS (1 << 20) > #define SCU_HWSTRAP_DDR4 (1 << 24) > #define SCU_HWSTRAP_CLKIN_25MHZ (1 << 23) > > @@ -104,6 +105,12 @@ > #define SCU_CLKDUTY_RGMII2TXCK_SHIFT 16 > #define SCU_CLKDUTY_RGMII2TXCK_MASK (0x7f << SCU_CLKDUTY_RGMII2TXCK_SHIFT) > > +#define SCU_PCIE_CONFIG_SET_VGA_MMIO (1 << 1) > +#define SCU_PCIE_CONFIG_SET_BMC_EN (1 << 8) > +#define SCU_PCIE_CONFIG_SET_BMC_MMIO (1 << 9) > +#define SCU_PCIE_CONFIG_SET_BMC_DMA (1 << 14) > + > + > struct ast2400_clk_priv { > struct ast2400_scu *scu; > }; > diff --git a/arch/arm/include/asm/arch-aspeed/scu_ast2500.h b/arch/arm/include/asm/arch-aspeed/scu_ast2500.h > index 8fe4028e4ff0..06dc998afaa8 100644 > --- a/arch/arm/include/asm/arch-aspeed/scu_ast2500.h > +++ b/arch/arm/include/asm/arch-aspeed/scu_ast2500.h > @@ -11,6 +11,7 @@ > #define SCU_HWSTRAP_VGAMEM_MASK (3 << SCU_HWSTRAP_VGAMEM_SHIFT) > #define SCU_HWSTRAP_MAC1_RGMII (1 << 6) > #define SCU_HWSTRAP_MAC2_RGMII (1 << 7) > +#define SCU_HWSTRAP_LPC_SIO_DEC_DIS (1 << 20) > #define SCU_HWSTRAP_DDR4 (1 << 24) > #define SCU_HWSTRAP_CLKIN_25MHZ (1 << 23) > > @@ -107,6 +108,13 @@ > #define SCU_CLKDUTY_RGMII2TXCK_SHIFT 16 > #define SCU_CLKDUTY_RGMII2TXCK_MASK (0x7f << SCU_CLKDUTY_RGMII2TXCK_SHIFT) > > +#define SCU_PCIE_CONFIG_SET_VGA_MMIO (1 << 1) > +#define SCU_PCIE_CONFIG_SET_BMC_EN (1 << 8) > +#define SCU_PCIE_CONFIG_SET_BMC_MMIO (1 << 9) > +#define SCU_PCIE_CONFIG_SET_BMC_DMA (1 << 14) > + > +#define SCU_MISC_DEBUG_UART_DISABLE (1 << 10) > + > struct ast2500_clk_priv { > struct ast2500_scu *scu; > }; > diff --git a/arch/arm/mach-aspeed/Kconfig b/arch/arm/mach-aspeed/Kconfig > index 579a547df61e..edb5520aec7a 100644 > --- a/arch/arm/mach-aspeed/Kconfig > +++ b/arch/arm/mach-aspeed/Kconfig > @@ -45,6 +45,45 @@ config ASPEED_AST2600 > which is enabled by support of LPC and eSPI peripherals. > endchoice > > +config ASPEED_ALLOW_DANGEROUS_BACKDOORS > + bool "Expose options enabling dangerous Aspeed hardware backdoors" > + help > + This option exposes configuration settings that create > + critical security vulnerabilities by enabling dangerous > + hardware backdoors in Aspeed BMCs. Enable it only if > + absolutely required for a specific system or for debugging > + during development. > + > +if ASPEED_ALLOW_DANGEROUS_BACKDOORS > + > +config ASPEED_ENABLE_SUPERIO > + bool "Enable built-in AST2x00 Super I/O hardware" > + depends on ASPEED_AST2400 || ASPEED_AST2500 > + help > + The Aspeed AST2400 and AST2500 include a built-in Super I/O > + device that is normally disabled; say Y here to enable it. > + > + WARNING: this has serious security implications: it grants > + the host read access to the BMC's entire address space. > + This should thus be left disabled unless required by a > + specific system. > + > +config ASPEED_ENABLE_DEBUG_UART > + bool "Enable AST2500 hardware debug UART" > + depends on ASPEED_AST2500 > + help > + The Aspeed AST2500 include a hardware-supported, UART-based > + debug interface that is normally disabled; say Y here to > + enable it. > + > + Note that this has security implications: the debug UART > + provides read/write access to the BMC's entire address > + space. This should thus be left disabled on production > + systems, but may be useful to enable for debugging during > + development. > + > +endif > + > config ASPEED_PALLADIUM > bool "Aspeed palladium for simulation" > default n > diff --git a/arch/arm/mach-aspeed/ast2400/board_common.c b/arch/arm/mach-aspeed/ast2400/board_common.c > index 3829b069342e..7134105232cb 100644 > --- a/arch/arm/mach-aspeed/ast2400/board_common.c > +++ b/arch/arm/mach-aspeed/ast2400/board_common.c > @@ -4,14 +4,80 @@ > #include <ram.h> > #include <timer.h> > #include <asm/io.h> > +#include <asm/arch/platform.h> > +#include <asm/arch/scu_ast2400.h> > #include <asm/arch/timer.h> > #include <linux/err.h> > #include <dm/uclass.h> > > DECLARE_GLOBAL_DATA_PTR; > > +#define AST_LPC_HICR5 0x080 > +# define LPC_HICR5_ENFWH BIT(10) > +#define AST_LPC_HICRB 0x100 > +# define LPC_HICRB_SIO_ILPC2AHB_DIS BIT(6) > + > +#define AST_SDMC_PROTECT 0x00 > +# define SDRAM_UNLOCK_KEY 0xfc600309 > +#define AST_SDMC_GFX_PROT 0x08 > +# define SDMC_GFX_PROT_VGA_CURSOR BIT(0) > +# define SDMC_GFX_PROT_VGA_CG_READ BIT(1) > +# define SDMC_GFX_PROT_VGA_ASCII_READ BIT(2) > +# define SDMC_GFX_PROT_VGA_CRT BIT(3) > +# define SDMC_GFX_PROT_PCIE BIT(16) > +# define SDMC_GFX_PROT_XDMA BIT(17) > + > +static void isolate_bmc(void) > +{ > + bool sdmc_unlocked; > + u32 val; > + > + /* iLPC2AHB */ > +#if !defined(CONFIG_ASPEED_ENABLE_SUPERIO) > + val = readl(ASPEED_HW_STRAP1); > + val |= SCU_HWSTRAP_LPC_SIO_DEC_DIS; > + writel(val, ASPEED_HW_STRAP1); > +#endif > + > + val = readl(ASPEED_LPC_CTRL + AST_LPC_HICRB); > + val |= LPC_HICRB_SIO_ILPC2AHB_DIS; > + writel(val, ASPEED_LPC_CTRL + AST_LPC_HICRB); > + > + /* P2A, PCIe BMC */ > + val = readl(ASPEED_PCIE_CONFIG_SET); > + val &= ~(SCU_PCIE_CONFIG_SET_BMC_DMA > + | SCU_PCIE_CONFIG_SET_BMC_MMIO > + | SCU_PCIE_CONFIG_SET_BMC_EN > + | SCU_PCIE_CONFIG_SET_VGA_MMIO); > + writel(val, ASPEED_PCIE_CONFIG_SET); > + > + /* X-DMA */ > + sdmc_unlocked = readl(ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); > + if (!sdmc_unlocked) > + writel(SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); > + > + val = readl(ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT); > + val |= (SDMC_GFX_PROT_VGA_CURSOR > + | SDMC_GFX_PROT_VGA_CG_READ > + | SDMC_GFX_PROT_VGA_ASCII_READ > + | SDMC_GFX_PROT_VGA_CRT > + | SDMC_GFX_PROT_PCIE > + | SDMC_GFX_PROT_XDMA); > + writel(val, ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT); > + > + if (!sdmc_unlocked) > + writel(~SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); > + > + /* LPC2AHB */ > + val = readl(ASPEED_LPC_CTRL + AST_LPC_HICR5); > + val &= ~LPC_HICR5_ENFWH; > + writel(val, ASPEED_LPC_CTRL + AST_LPC_HICR5); > +} > + > __weak int board_init(void) > { > + isolate_bmc(); > + > gd->bd->bi_boot_params = CONFIG_SYS_SDRAM_BASE + 0x100; > > return 0; > diff --git a/arch/arm/mach-aspeed/ast2500/board_common.c b/arch/arm/mach-aspeed/ast2500/board_common.c > index ce541e88fb8e..c63fe466eb4b 100644 > --- a/arch/arm/mach-aspeed/ast2500/board_common.c > +++ b/arch/arm/mach-aspeed/ast2500/board_common.c > @@ -7,18 +7,91 @@ > #include <ram.h> > #include <timer.h> > #include <asm/io.h> > +#include <asm/arch/platform.h> > +#include <asm/arch/scu_ast2500.h> > +#include <asm/arch/sdram_ast2500.h> > #include <asm/arch/timer.h> > #include <linux/err.h> > #include <dm/uclass.h> > > DECLARE_GLOBAL_DATA_PTR; > > +#define AST_LPC_HICR5 0x080 > +# define LPC_HICR5_ENFWH BIT(10) > +#define AST_LPC_HICRB 0x100 > +# define LPC_HICRB_SIO_ILPC2AHB_DIS BIT(6) > + > +# define AST_SDMC_PROTECT 0x00 > +# define AST_SDMC_GFX_PROT 0x08 > +# define SDMC_GFX_PROT_VGA_CURSOR BIT(0) > +# define SDMC_GFX_PROT_VGA_CG_READ BIT(1) > +# define SDMC_GFX_PROT_VGA_ASCII_READ BIT(2) > +# define SDMC_GFX_PROT_VGA_CRT BIT(3) > +# define SDMC_GFX_PROT_PCIE BIT(16) > +# define SDMC_GFX_PROT_XDMA BIT(17) > + > +static void isolate_bmc(void) > +{ > + bool sdmc_unlocked; > + u32 val; > + > + /* iLPC2AHB */ > +#if !defined(CONFIG_ASPEED_ENABLE_SUPERIO) > + val = readl(ASPEED_HW_STRAP1); > + val |= SCU_HWSTRAP_LPC_SIO_DEC_DIS; > + writel(val, ASPEED_HW_STRAP1); > +#endif > + > + val = readl(ASPEED_LPC_CTRL + AST_LPC_HICRB); > + val |= LPC_HICRB_SIO_ILPC2AHB_DIS; > + writel(val, ASPEED_LPC_CTRL + AST_LPC_HICRB); > + > + /* P2A, PCIe BMC */ > + val = readl(ASPEED_PCIE_CONFIG_SET); > + val &= ~(SCU_PCIE_CONFIG_SET_BMC_DMA > + | SCU_PCIE_CONFIG_SET_BMC_MMIO > + | SCU_PCIE_CONFIG_SET_BMC_EN > + | SCU_PCIE_CONFIG_SET_VGA_MMIO); > + writel(val, ASPEED_PCIE_CONFIG_SET); > + > + /* Debug UART */ > +#if !defined(CONFIG_ASPEED_ENABLE_DEBUG_UART) > + val = readl(ASPEED_MISC1_CTRL); > + val |= SCU_MISC_DEBUG_UART_DISABLE; > + writel(val, ASPEED_MISC1_CTRL); > +#endif > + > + /* X-DMA */ > + sdmc_unlocked = readl(ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); > + if (!sdmc_unlocked) > + writel(SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); > + > + val = readl(ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT); > + val |= (SDMC_GFX_PROT_VGA_CURSOR > + | SDMC_GFX_PROT_VGA_CG_READ > + | SDMC_GFX_PROT_VGA_ASCII_READ > + | SDMC_GFX_PROT_VGA_CRT > + | SDMC_GFX_PROT_PCIE > + | SDMC_GFX_PROT_XDMA); > + writel(val, ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT); > + > + if (!sdmc_unlocked) > + writel(~SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); > + > + /* LPC2AHB */ > + val = readl(ASPEED_LPC_CTRL + AST_LPC_HICR5); > + val &= ~LPC_HICR5_ENFWH; > + writel(val, ASPEED_LPC_CTRL + AST_LPC_HICR5); > +} > + > __weak int board_init(void) > { > struct udevice *dev; > int i; > int ret; > > + isolate_bmc(); > + > gd->bd->bi_boot_params = CONFIG_SYS_SDRAM_BASE + 0x100; > > /* > -- > 2.36.0 >
diff --git a/arch/arm/include/asm/arch-aspeed/platform.h b/arch/arm/include/asm/arch-aspeed/platform.h index f016bdaba3e7..f05747642f38 100644 --- a/arch/arm/include/asm/arch-aspeed/platform.h +++ b/arch/arm/include/asm/arch-aspeed/platform.h @@ -15,24 +15,31 @@ /*********************************************************************************/ #if defined(CONFIG_ASPEED_AST2400) #define ASPEED_MAC_COUNT 2 +#define ASPEED_SDRAM_CTRL 0x1e6e0000 #define ASPEED_HW_STRAP1 0x1e6e2070 #define ASPEED_REVISION_ID 0x1e6e207C #define ASPEED_SYS_RESET_CTRL 0x1e6e203C #define ASPEED_VGA_HANDSHAKE0 0x1e6e2040 /* VGA fuction handshake register */ +#define ASPEED_PCIE_CONFIG_SET 0x1e6e2180 #define ASPEED_DRAM_BASE 0x40000000 #define ASPEED_SRAM_BASE 0x1E720000 +#define ASPEED_LPC_CTRL 0x1e789000 #define ASPEED_SRAM_SIZE 0x8000 #define ASPEED_FMC_CS0_BASE 0x20000000 #elif defined(CONFIG_ASPEED_AST2500) #define ASPEED_MAC_COUNT 2 +#define ASPEED_SDRAM_CTRL 0x1e6e0000 +#define ASPEED_MISC1_CTRL 0x1e6e202C #define ASPEED_HW_STRAP1 0x1e6e2070 #define ASPEED_HW_STRAP2 0x1e6e20D0 #define ASPEED_REVISION_ID 0x1e6e207C #define ASPEED_SYS_RESET_CTRL 0x1e6e203C #define ASPEED_VGA_HANDSHAKE0 0x1e6e2040 /* VGA fuction handshake register */ +#define ASPEED_PCIE_CONFIG_SET 0x1e6e2180 #define ASPEED_MAC_COUNT 2 #define ASPEED_DRAM_BASE 0x80000000 #define ASPEED_SRAM_BASE 0x1E720000 +#define ASPEED_LPC_CTRL 0x1e789000 #define ASPEED_SRAM_SIZE 0x9000 #define ASPEED_FMC_CS0_BASE 0x20000000 #elif defined(CONFIG_ASPEED_AST2600) diff --git a/arch/arm/include/asm/arch-aspeed/scu_ast2400.h b/arch/arm/include/asm/arch-aspeed/scu_ast2400.h index 9c5d96ae84b9..55875fd8312f 100644 --- a/arch/arm/include/asm/arch-aspeed/scu_ast2400.h +++ b/arch/arm/include/asm/arch-aspeed/scu_ast2400.h @@ -8,6 +8,7 @@ #define SCU_HWSTRAP_VGAMEM_MASK (3 << SCU_HWSTRAP_VGAMEM_SHIFT) #define SCU_HWSTRAP_MAC1_RGMII (1 << 6) #define SCU_HWSTRAP_MAC2_RGMII (1 << 7) +#define SCU_HWSTRAP_LPC_SIO_DEC_DIS (1 << 20) #define SCU_HWSTRAP_DDR4 (1 << 24) #define SCU_HWSTRAP_CLKIN_25MHZ (1 << 23) @@ -104,6 +105,12 @@ #define SCU_CLKDUTY_RGMII2TXCK_SHIFT 16 #define SCU_CLKDUTY_RGMII2TXCK_MASK (0x7f << SCU_CLKDUTY_RGMII2TXCK_SHIFT) +#define SCU_PCIE_CONFIG_SET_VGA_MMIO (1 << 1) +#define SCU_PCIE_CONFIG_SET_BMC_EN (1 << 8) +#define SCU_PCIE_CONFIG_SET_BMC_MMIO (1 << 9) +#define SCU_PCIE_CONFIG_SET_BMC_DMA (1 << 14) + + struct ast2400_clk_priv { struct ast2400_scu *scu; }; diff --git a/arch/arm/include/asm/arch-aspeed/scu_ast2500.h b/arch/arm/include/asm/arch-aspeed/scu_ast2500.h index 8fe4028e4ff0..06dc998afaa8 100644 --- a/arch/arm/include/asm/arch-aspeed/scu_ast2500.h +++ b/arch/arm/include/asm/arch-aspeed/scu_ast2500.h @@ -11,6 +11,7 @@ #define SCU_HWSTRAP_VGAMEM_MASK (3 << SCU_HWSTRAP_VGAMEM_SHIFT) #define SCU_HWSTRAP_MAC1_RGMII (1 << 6) #define SCU_HWSTRAP_MAC2_RGMII (1 << 7) +#define SCU_HWSTRAP_LPC_SIO_DEC_DIS (1 << 20) #define SCU_HWSTRAP_DDR4 (1 << 24) #define SCU_HWSTRAP_CLKIN_25MHZ (1 << 23) @@ -107,6 +108,13 @@ #define SCU_CLKDUTY_RGMII2TXCK_SHIFT 16 #define SCU_CLKDUTY_RGMII2TXCK_MASK (0x7f << SCU_CLKDUTY_RGMII2TXCK_SHIFT) +#define SCU_PCIE_CONFIG_SET_VGA_MMIO (1 << 1) +#define SCU_PCIE_CONFIG_SET_BMC_EN (1 << 8) +#define SCU_PCIE_CONFIG_SET_BMC_MMIO (1 << 9) +#define SCU_PCIE_CONFIG_SET_BMC_DMA (1 << 14) + +#define SCU_MISC_DEBUG_UART_DISABLE (1 << 10) + struct ast2500_clk_priv { struct ast2500_scu *scu; }; diff --git a/arch/arm/mach-aspeed/Kconfig b/arch/arm/mach-aspeed/Kconfig index 579a547df61e..edb5520aec7a 100644 --- a/arch/arm/mach-aspeed/Kconfig +++ b/arch/arm/mach-aspeed/Kconfig @@ -45,6 +45,45 @@ config ASPEED_AST2600 which is enabled by support of LPC and eSPI peripherals. endchoice +config ASPEED_ALLOW_DANGEROUS_BACKDOORS + bool "Expose options enabling dangerous Aspeed hardware backdoors" + help + This option exposes configuration settings that create + critical security vulnerabilities by enabling dangerous + hardware backdoors in Aspeed BMCs. Enable it only if + absolutely required for a specific system or for debugging + during development. + +if ASPEED_ALLOW_DANGEROUS_BACKDOORS + +config ASPEED_ENABLE_SUPERIO + bool "Enable built-in AST2x00 Super I/O hardware" + depends on ASPEED_AST2400 || ASPEED_AST2500 + help + The Aspeed AST2400 and AST2500 include a built-in Super I/O + device that is normally disabled; say Y here to enable it. + + WARNING: this has serious security implications: it grants + the host read access to the BMC's entire address space. + This should thus be left disabled unless required by a + specific system. + +config ASPEED_ENABLE_DEBUG_UART + bool "Enable AST2500 hardware debug UART" + depends on ASPEED_AST2500 + help + The Aspeed AST2500 include a hardware-supported, UART-based + debug interface that is normally disabled; say Y here to + enable it. + + Note that this has security implications: the debug UART + provides read/write access to the BMC's entire address + space. This should thus be left disabled on production + systems, but may be useful to enable for debugging during + development. + +endif + config ASPEED_PALLADIUM bool "Aspeed palladium for simulation" default n diff --git a/arch/arm/mach-aspeed/ast2400/board_common.c b/arch/arm/mach-aspeed/ast2400/board_common.c index 3829b069342e..7134105232cb 100644 --- a/arch/arm/mach-aspeed/ast2400/board_common.c +++ b/arch/arm/mach-aspeed/ast2400/board_common.c @@ -4,14 +4,80 @@ #include <ram.h> #include <timer.h> #include <asm/io.h> +#include <asm/arch/platform.h> +#include <asm/arch/scu_ast2400.h> #include <asm/arch/timer.h> #include <linux/err.h> #include <dm/uclass.h> DECLARE_GLOBAL_DATA_PTR; +#define AST_LPC_HICR5 0x080 +# define LPC_HICR5_ENFWH BIT(10) +#define AST_LPC_HICRB 0x100 +# define LPC_HICRB_SIO_ILPC2AHB_DIS BIT(6) + +#define AST_SDMC_PROTECT 0x00 +# define SDRAM_UNLOCK_KEY 0xfc600309 +#define AST_SDMC_GFX_PROT 0x08 +# define SDMC_GFX_PROT_VGA_CURSOR BIT(0) +# define SDMC_GFX_PROT_VGA_CG_READ BIT(1) +# define SDMC_GFX_PROT_VGA_ASCII_READ BIT(2) +# define SDMC_GFX_PROT_VGA_CRT BIT(3) +# define SDMC_GFX_PROT_PCIE BIT(16) +# define SDMC_GFX_PROT_XDMA BIT(17) + +static void isolate_bmc(void) +{ + bool sdmc_unlocked; + u32 val; + + /* iLPC2AHB */ +#if !defined(CONFIG_ASPEED_ENABLE_SUPERIO) + val = readl(ASPEED_HW_STRAP1); + val |= SCU_HWSTRAP_LPC_SIO_DEC_DIS; + writel(val, ASPEED_HW_STRAP1); +#endif + + val = readl(ASPEED_LPC_CTRL + AST_LPC_HICRB); + val |= LPC_HICRB_SIO_ILPC2AHB_DIS; + writel(val, ASPEED_LPC_CTRL + AST_LPC_HICRB); + + /* P2A, PCIe BMC */ + val = readl(ASPEED_PCIE_CONFIG_SET); + val &= ~(SCU_PCIE_CONFIG_SET_BMC_DMA + | SCU_PCIE_CONFIG_SET_BMC_MMIO + | SCU_PCIE_CONFIG_SET_BMC_EN + | SCU_PCIE_CONFIG_SET_VGA_MMIO); + writel(val, ASPEED_PCIE_CONFIG_SET); + + /* X-DMA */ + sdmc_unlocked = readl(ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); + if (!sdmc_unlocked) + writel(SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); + + val = readl(ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT); + val |= (SDMC_GFX_PROT_VGA_CURSOR + | SDMC_GFX_PROT_VGA_CG_READ + | SDMC_GFX_PROT_VGA_ASCII_READ + | SDMC_GFX_PROT_VGA_CRT + | SDMC_GFX_PROT_PCIE + | SDMC_GFX_PROT_XDMA); + writel(val, ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT); + + if (!sdmc_unlocked) + writel(~SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); + + /* LPC2AHB */ + val = readl(ASPEED_LPC_CTRL + AST_LPC_HICR5); + val &= ~LPC_HICR5_ENFWH; + writel(val, ASPEED_LPC_CTRL + AST_LPC_HICR5); +} + __weak int board_init(void) { + isolate_bmc(); + gd->bd->bi_boot_params = CONFIG_SYS_SDRAM_BASE + 0x100; return 0; diff --git a/arch/arm/mach-aspeed/ast2500/board_common.c b/arch/arm/mach-aspeed/ast2500/board_common.c index ce541e88fb8e..c63fe466eb4b 100644 --- a/arch/arm/mach-aspeed/ast2500/board_common.c +++ b/arch/arm/mach-aspeed/ast2500/board_common.c @@ -7,18 +7,91 @@ #include <ram.h> #include <timer.h> #include <asm/io.h> +#include <asm/arch/platform.h> +#include <asm/arch/scu_ast2500.h> +#include <asm/arch/sdram_ast2500.h> #include <asm/arch/timer.h> #include <linux/err.h> #include <dm/uclass.h> DECLARE_GLOBAL_DATA_PTR; +#define AST_LPC_HICR5 0x080 +# define LPC_HICR5_ENFWH BIT(10) +#define AST_LPC_HICRB 0x100 +# define LPC_HICRB_SIO_ILPC2AHB_DIS BIT(6) + +# define AST_SDMC_PROTECT 0x00 +# define AST_SDMC_GFX_PROT 0x08 +# define SDMC_GFX_PROT_VGA_CURSOR BIT(0) +# define SDMC_GFX_PROT_VGA_CG_READ BIT(1) +# define SDMC_GFX_PROT_VGA_ASCII_READ BIT(2) +# define SDMC_GFX_PROT_VGA_CRT BIT(3) +# define SDMC_GFX_PROT_PCIE BIT(16) +# define SDMC_GFX_PROT_XDMA BIT(17) + +static void isolate_bmc(void) +{ + bool sdmc_unlocked; + u32 val; + + /* iLPC2AHB */ +#if !defined(CONFIG_ASPEED_ENABLE_SUPERIO) + val = readl(ASPEED_HW_STRAP1); + val |= SCU_HWSTRAP_LPC_SIO_DEC_DIS; + writel(val, ASPEED_HW_STRAP1); +#endif + + val = readl(ASPEED_LPC_CTRL + AST_LPC_HICRB); + val |= LPC_HICRB_SIO_ILPC2AHB_DIS; + writel(val, ASPEED_LPC_CTRL + AST_LPC_HICRB); + + /* P2A, PCIe BMC */ + val = readl(ASPEED_PCIE_CONFIG_SET); + val &= ~(SCU_PCIE_CONFIG_SET_BMC_DMA + | SCU_PCIE_CONFIG_SET_BMC_MMIO + | SCU_PCIE_CONFIG_SET_BMC_EN + | SCU_PCIE_CONFIG_SET_VGA_MMIO); + writel(val, ASPEED_PCIE_CONFIG_SET); + + /* Debug UART */ +#if !defined(CONFIG_ASPEED_ENABLE_DEBUG_UART) + val = readl(ASPEED_MISC1_CTRL); + val |= SCU_MISC_DEBUG_UART_DISABLE; + writel(val, ASPEED_MISC1_CTRL); +#endif + + /* X-DMA */ + sdmc_unlocked = readl(ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); + if (!sdmc_unlocked) + writel(SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); + + val = readl(ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT); + val |= (SDMC_GFX_PROT_VGA_CURSOR + | SDMC_GFX_PROT_VGA_CG_READ + | SDMC_GFX_PROT_VGA_ASCII_READ + | SDMC_GFX_PROT_VGA_CRT + | SDMC_GFX_PROT_PCIE + | SDMC_GFX_PROT_XDMA); + writel(val, ASPEED_SDRAM_CTRL + AST_SDMC_GFX_PROT); + + if (!sdmc_unlocked) + writel(~SDRAM_UNLOCK_KEY, ASPEED_SDRAM_CTRL + AST_SDMC_PROTECT); + + /* LPC2AHB */ + val = readl(ASPEED_LPC_CTRL + AST_LPC_HICR5); + val &= ~LPC_HICR5_ENFWH; + writel(val, ASPEED_LPC_CTRL + AST_LPC_HICR5); +} + __weak int board_init(void) { struct udevice *dev; int i; int ret; + isolate_bmc(); + gd->bd->bi_boot_params = CONFIG_SYS_SDRAM_BASE + 0x100; /*