Ticket #207 (closed defect: wontfix)

Opened 12 years ago

Last modified 11 years ago

DFU mode should only be enabled when in "911 key" mode

Reported by: laforge@… Owned by: michael@…
Priority: high Milestone:
Component: u-boot Version: current svn head
Severity: major Keywords:
Cc: buglog@… Blocked By:
Blocking: Estimated Completion (week):
HasPatchForReview: PatchReviewResult:
Reproducible:

Description

In order to minimize the security threat posed by DFU mode (everyone can just
read or write to all of the phone flash!), we should make sure that it is only
enabled in the "911 key" bootup mode, i.e. when both 911 and power buttons are
pressed at system start.

This is still no real protection, though. Unfortunately the USB DFU spec
doesn't provide for any authentication mechanism, so we will just stay with the
standard for now.

Change History

comment:1 Changed 12 years ago by elrond+bugzilla.openmoko.org@…

In the none-AUX-button mode, there is still the CDC-ACM usb-serial console,
which lets you do exactly the same without any authentication.
So making DFU only available in AUX-button-mode is only a light barrier.

Also after adding the udfu signaure on the u-boot images, the major risk with
DFU is only at the "destroy kernel/rootfs/env" level. Which is a lot better.

Nevertheless, if this request gets implemented, I'd like a "dfu enable" command
inside u-bnoot, so I don't need to press the aux button when I just want to do
DFU after a reboot. (I do that sometimes to test kernels by just loading them
into RAM and booting them there, lots faster than flashing them.)

comment:2 Changed 11 years ago by mickey@…

I don't quite understand. You mean, U-Boot accepts a dfu-upload during the (very
small) interval while it got booted, loads the kernel and hands control over to it?

comment:3 Changed 11 years ago by mickey@…

Ok, reading 604 confirms that. In that case I agree, it shouldn't listen to DFU
if in normal bootup.

comment:4 Changed 11 years ago by laforge@…

well, the problem is not straight-forward to solve the way how DFU works.

Basically we would need yet another set of usb device/configuration descriptors,
one that hides the fact that this device supports DFU at all (i.e. no dfu
functional descriptor present).

Now we bascially have three different descriptors,

1) default descriptor set (ACM) without DFU capability
2) ACM descriptor set, with DFU capability
3) DFU mode descriptor, no ACM

btw: the kernel flashing usually works quite fine in that short time interval,
since it is sufficient to only partially modify the flash (first 1 or two
eraseblocks) before they are read to ram. The result will have an invalid CRC,
so booting is aborted and you can finish the transfer.

doesn't work for rootfs that way, though.

comment:5 Changed 11 years ago by willie_chen@…

  • Owner changed from laforge@… to michael@…

Now DFU mode is only supported in u-boot. For GTA01, it need to be pressed 911
key and power key. For GTA02, we don't have 911 key function. So you need to
stay in uboot console and refresh image.

comment:6 Changed 11 years ago by andy

  • Status changed from new to closed
  • Resolution set to wontfix

Evidently this is not going to get any more fixed than it already was 7 months ago.

Note: See TracTickets for help on using tickets.