mirror of
https://github.com/brain-hackers/u-boot-brain
synced 2024-07-12 14:16:17 +09:00
48f2c8a37f
By default Topaz switch on Espressobin board forwards packets between all ethernet ports, including CPU (port 0), wan (port 1) and lan (ports 2,3). This default U-Boot setup is unsuitable for using Espressobin as router as it opens security hole in forwarding all packets between wan and lan ports. E.g. dhcp packets from wan network leaks to lan network during small time window until U-Boot boots Linux kernel which loads network drivers which disallows forwarding between wan and lan. This patch fixes above problem. For Espressobin board prior putting Topaz switch into forwarding mode, Topaz switch is reconfigured to allow forwarding packets from wan and lan ports only to CPU port. This ensures that packets from wan port are not forwarded to lan ports and vice-versa. Packets from CPU port are still forwarded to all other ports, so U-Boot network boot works with any ethernet port as before. This problem was already discussed on Espressobin forum [1] and on Marvell's github issue tracker [2]. As a workaround people on Espressobin forum patched U-Boot to completely disable lan ports on Topaz switch which prevented forwarding packets. That workaround had an issue that U-Boot was unable to netboot via lan ports anymore. Change in this patch does not have such issue. This security issue has been dicussed here as well: [3]. [1] - https://web.archive.org/web/20191231164238/http://espressobin.net/forums/topic/boot-behavior-of-the-switch-and-security/ [2] - https://github.com/MarvellEmbeddedProcessors/u-boot-marvell/issues/18 [3] - https://forum.armbian.com/topic/12635-espressobin-uboot-security-concerns-switch-init-portmask/ Signed-off-by: Pali Rohár <pali@kernel.org> Reviewed-by: Stefan Roese <sr@denx.de> Tested-by: Andre Heider <a.heider@gmail.com> |
||
|---|---|---|
| .. | ||
| aspenite | ||
| db-88f6281-bp | ||
| db-88f6720 | ||
| db-88f6820-amc | ||
| db-88f6820-gp | ||
| db-mv784mp-gp | ||
| db-xc3-24g4xg | ||
| dreamplug | ||
| gplugd | ||
| guruplug | ||
| mvebu_armada-8k | ||
| mvebu_armada-37xx | ||
| octeon_ebb7304 | ||
| octeontx | ||
| octeontx2 | ||
| openrd | ||
| sheevaplug | ||