MPU Flash write #205
MPU Flash write #205
Conversation
Since we now select HAS_DTS from the cortex-m Kconfig we don't need it in 96b_carbon_nrf51_defconfig. Signed-off-by: Kumar Gala <[email protected]>
As we now only support DTS for ARM based SoCs we can remove any associated !HAS_DTS bits in Kconfig. The Nordic NRF5 serial driver and the ARM CMSDK APB serial drivers had Kconfig bits related to !HAS_DTS builds. Signed-off-by: Kumar Gala <[email protected]>
Update Cube version for STM32L4XX family from version: V1.6.0 to version: V1.8.0 Add support for following soc: stm32l496xx stm32l4a6xx Signed-off-by: Neil Armstrong <[email protected]>
Add configuration and dts for the STM32L496 SoC STM32L4 variant. Signed-off-by: Neil Armstrong <[email protected]>
Add configuration, pinmux, dts and documentation for the STM32L496G Discovery board based on the STM32L496AG SoC. Signed-off-by: Neil Armstrong <[email protected]>
Add missing dts for STM32F407. Signed-off-by: Neil Armstrong <[email protected]>
Add configuration, documentation, flash script, pinmux and dts for the STM32F4DISCOVERY board. Signed-off-by: Neil Armstrong <[email protected]>
galak
changed the title
arch/arm/core/cortex_m/mpu/Kconfig
Outdated
| config MPU_ALLOW_FLASH_WRITE | ||
| bool "Add MPU access to write to flash" | ||
| depends on NXP_MPU | ||
| default n |
There was a problem hiding this comment.
Thanks a lot for submitting this! It will really help us.
What do people think about making this option default y if FLASH or so?
That seems less surprising; by default, asking for both the flash driver and the MPU driver would result in a config with fewer pointy edges. User effort would only be needed to get the flash driver and to allow flash reads, but not writes. @galak pointed out that this is a confusing configuration whose utility is a bit unclear, so perhaps that setup should take more effort to create.
There was a problem hiding this comment.
@mbolivar I agree with the approach.
There was a problem hiding this comment.
In theory, yes I agree. But I wonder if there are security implications? @agross-linaro
There was a problem hiding this comment.
Default options should not make things less secure. I'd rather the user have to jump through 1 more hoop if they want to specifically allow this. That's my two cents.
There was a problem hiding this comment.
It seems you're saying that asking for the MPU driver means getting a maximally locked down configuration (that can still run code), and any relaxations should require additional knobs. Is that right?
If so, it's a different point on the security / convenience curve, but that seems reasonable to me.
There was a problem hiding this comment.
This sounds fine, my only complaint is the naming. I don't like options where you have DISABLE and say Y. It's negative logic. I'd rather have a ENABLE=y, so FLASH_ENABLE_WRITE_SUPPORT.
There was a problem hiding this comment.
Sorry to chime in late here, but it sounds like we're going for a seemingly more secure, and definitely more surprising configuration.
Preventing writes to flash isn't really all that much of a security improvement. In order to actually have secure boot, the bootloader has to be protected by hardware. MPU is insufficient, because it is easy to break before it is set up and then just replace the main code.
Once the bootloader is running, there is no security issue with being able to write to the code space. The images must be signed in order to be bootable.
In addition, apps using the bootloader are going to want to do OTA, which will require flash writing.
I really don't see any scenario where the flash driver would be wanted, but writes not allowed to the flash device.
There was a problem hiding this comment.
Also, at least the k6x devices mentioned in the commit text have the ability to write protect flash regions, which is what will be needed to actually provide secure boot in a meaningful way.
There was a problem hiding this comment.
One last point, it seems that on NXP, just probing the flash driver requires write access, whether the app tries to write or not. It kind of makes having this selectable a moot point. If you enable the flash driver, with writes disabled, it faults before main is even reached.
|
@galak pushed against arm branch. |
samples/mpu_test/README.rst
Outdated
| @@ -46,6 +46,13 @@ single thread: :file:`prj_single.conf`: | |||
|
|
|||
| $ make BOARD=v2m_beetle CONF_FILE=prj_single.conf run | |||
|
|
|||
| To build the version that allows flash write, use the supplied configuration | |||
| file: :file:`prj_allow_flash_write.conf`: | |||
There was a problem hiding this comment.
no such file (there are prj_allow_flash_write_mcux.conf and prj_allow_flash_write_stm32.conf). Maybe use the same notation you use in the example below prj_allow_flash_write_.conf and tell them what the means.
There was a problem hiding this comment.
Ok I will change it. Thanks
| #if defined(CONFIG_MPU_ALLOW_FLASH_WRITE) | ||
| /* Required to initialize the flash driver */ | ||
| #define REGION_RAM_ATTR (MPU_REGION_READ | MPU_REGION_WRITE | \ | ||
| MPU_REGION_EXEC | MPU_REGION_SU) |
There was a problem hiding this comment.
I think we should bring more attention to the fact that not only are we enabling flash write, but also execution from ram. Can you mention this explicitly in the commit message? Is there a better config name to indicate this?
There was a problem hiding this comment.
Ok I will make it more clear. Thanks for pointing it out.
There was a problem hiding this comment.
I agree with Maureen. I'd think about a more descriptive config name if that is easy to deal with. Otherwise just deal with it in the commit msg.
arch/arm/core/cortex_m/mpu/Kconfig
Outdated
| config MPU_ALLOW_FLASH_WRITE | ||
| bool "Add MPU access to write to flash" | ||
| depends on NXP_MPU | ||
| default n |
There was a problem hiding this comment.
In theory, yes I agree. But I wonder if there are security implications? @agross-linaro
The stm32f4discovery was incorrectly named and should have been stm32f4_disco. Also added 96b_carbon_nrf51 that was missing from the list. Signed-off-by: Kumar Gala <[email protected]>
This patch adds the allow flash write CONFIG option to the NXP MPU configuration in privileged mode. Signed-off-by: Vincenzo Frascino <[email protected]>
This patch adds the allow flash write CONFIG option to the ARM MPU configuration in privileged mode. Signed-off-by: Vincenzo Frascino <[email protected]> Signed-off-by: Michael Scott <[email protected]>
This patch adds a configuration file that tests Flash writes with MPU enabled. Signed-off-by: Vincenzo Frascino <[email protected]>
|
Do we have an example that can be added to this PR for the case in which we want to allow flash_read() to work but not flash_write()? I feel like towards Andy's comment, that if we do allow for such an option, it would be DISABLE_WRITE_SUPPORT, and I'd think we'd make the API (flash_write) go away as part of it. |
galak
force-pushed
the
arm
branch
2 times, most recently
from
1d365cc to
0a8ad73
Compare
galak
force-pushed
the
arm
branch
5 times, most recently
from
c52d348 to
41c85d8
Compare
galak
force-pushed
the
arm
branch
4 times, most recently
from
f3f7aad to
a87804d
Compare
|
I've rebased these changes and put them in #654. We should close this PR and continue discussion there. |
galak
force-pushed
the
arm
branch
3 times, most recently
from
0f36cad to
1bc2fdc
Compare
galak
force-pushed
the
arm
branch
4 times, most recently
from
0723c92 to
38db4ed
Compare
|
Now that #654 has been approved, this should be closed. |
[build] Added feature to analyze.sh to generate prj.conf options
This PR depends on #54. Please do not merge directly.
The new patches are the last 3.