summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPali Rohár <pali@kernel.org>2020-08-17 16:36:38 +0200
committerStefan Roese <sr@denx.de>2020-08-31 14:44:14 +0200
commit48f2c8a37f700859a7004dce5adb116597a45700 (patch)
treeb6e06467731987c522b9d02881361b2cfcec148c
parent9f04a634ef331b4fc6b3e677f276156192a413c7 (diff)
arm: mvebu: Espressobin: Disallow forwarding packets between wan and lan ports
By default Topaz switch on Espressobin board forwards packets between all ethernet ports, including CPU (port 0), wan (port 1) and lan (ports 2,3). This default U-Boot setup is unsuitable for using Espressobin as router as it opens security hole in forwarding all packets between wan and lan ports. E.g. dhcp packets from wan network leaks to lan network during small time window until U-Boot boots Linux kernel which loads network drivers which disallows forwarding between wan and lan. This patch fixes above problem. For Espressobin board prior putting Topaz switch into forwarding mode, Topaz switch is reconfigured to allow forwarding packets from wan and lan ports only to CPU port. This ensures that packets from wan port are not forwarded to lan ports and vice-versa. Packets from CPU port are still forwarded to all other ports, so U-Boot network boot works with any ethernet port as before. This problem was already discussed on Espressobin forum [1] and on Marvell's github issue tracker [2]. As a workaround people on Espressobin forum patched U-Boot to completely disable lan ports on Topaz switch which prevented forwarding packets. That workaround had an issue that U-Boot was unable to netboot via lan ports anymore. Change in this patch does not have such issue. This security issue has been dicussed here as well: [3]. [1] - https://web.archive.org/web/20191231164238/http://espressobin.net/forums/topic/boot-behavior-of-the-switch-and-security/ [2] - https://github.com/MarvellEmbeddedProcessors/u-boot-marvell/issues/18 [3] - https://forum.armbian.com/topic/12635-espressobin-uboot-security-concerns-switch-init-portmask/ Signed-off-by: Pali Rohár <pali@kernel.org> Reviewed-by: Stefan Roese <sr@denx.de> Tested-by: Andre Heider <a.heider@gmail.com>
-rw-r--r--board/Marvell/mvebu_armada-37xx/board.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/board/Marvell/mvebu_armada-37xx/board.c b/board/Marvell/mvebu_armada-37xx/board.c
index 9bea1986d4..031de318c6 100644
--- a/board/Marvell/mvebu_armada-37xx/board.c
+++ b/board/Marvell/mvebu_armada-37xx/board.c
@@ -44,6 +44,7 @@ DECLARE_GLOBAL_DATA_PTR;
/* Switch Port Registers */
#define MVEBU_SW_LINK_CTRL_REG (1)
#define MVEBU_SW_PORT_CTRL_REG (4)
+#define MVEBU_SW_PORT_BASE_VLAN (6)
/* Global 2 Registers */
#define MVEBU_G2_SMI_PHY_CMD_REG (24)
@@ -207,8 +208,16 @@ int board_network_enable(struct mii_dev *bus)
* FIXME: remove this code once Topaz driver gets available
* A3720 Community Board Only
* Configure Topaz switch (88E6341)
+ * Restrict output to ports 1,2,3 only from port 0 (CPU)
* Set port 0,1,2,3 to forwarding Mode (through Switch Port registers)
*/
+ mii_multi_chip_mode_write(bus, 1, MVEBU_PORT_CTRL_SMI_ADDR(1),
+ MVEBU_SW_PORT_BASE_VLAN, BIT(0));
+ mii_multi_chip_mode_write(bus, 1, MVEBU_PORT_CTRL_SMI_ADDR(2),
+ MVEBU_SW_PORT_BASE_VLAN, BIT(0));
+ mii_multi_chip_mode_write(bus, 1, MVEBU_PORT_CTRL_SMI_ADDR(3),
+ MVEBU_SW_PORT_BASE_VLAN, BIT(0));
+
mii_multi_chip_mode_write(bus, 1, MVEBU_PORT_CTRL_SMI_ADDR(0),
MVEBU_SW_PORT_CTRL_REG, 0x7f);
mii_multi_chip_mode_write(bus, 1, MVEBU_PORT_CTRL_SMI_ADDR(1),