From: Andre Heider
Date: Thu, 27 Aug 2020 18:24:12 +0200
Subject: [PATCH] arm: mvebu: Espressobin: Disallow forwarding packets between wan and lan ports
In-Reply-To: <20200817143638.5565-1-pali@kernel.org>
References: <20200817143638.5565-1-pali@kernel.org>
Message-ID: <6f1dd388-9f05-4957-d16e-fb7ec4e4e7fb@gmail.com>
To: u-boot@lists.denx.de

On 17/08/2020 16:36, Pali Rohár wrote:
> By default the Topaz switch on the Espressobin board forwards packets between all
> ethernet ports, including CPU (port 0), wan (port 1) and lan (ports 2, 3).
>
> This default U-Boot setup is unsuitable for using Espressobin as a router, as
> it opens a security hole by forwarding all packets between wan and lan ports.
> E.g. DHCP packets from the wan network leak to the lan network during the small time
> window until U-Boot boots the Linux kernel, which loads the network drivers that
> disallow forwarding between wan and lan.
>
> This patch fixes the above problem. For the Espressobin board, prior to putting the Topaz
> switch into forwarding mode, the Topaz switch is reconfigured to allow
> forwarding packets from wan and lan ports only to the CPU port. This ensures
> that packets from the wan port are not forwarded to lan ports and vice versa.
> Packets from the CPU port are still forwarded to all other ports, so U-Boot
> network boot works with any ethernet port as before.
>
> This problem was already discussed on the Espressobin forum [1] and on
> Marvell's github issue tracker [2]. As a workaround, people on the Espressobin
> forum patched U-Boot to completely disable lan ports on the Topaz switch, which
> prevented forwarding packets. That workaround had an issue that U-Boot was
> unable to netboot via lan ports anymore. The change in this patch does not have
> such an issue.
>
> [1] - https://web.archive.org/web/20191231164238/http://espressobin.net/forums/topic/boot-behavior-of-the-switch-and-security/
> [2] - https://github.com/MarvellEmbeddedProcessors/u-boot-marvell/issues/18
>
> Signed-off-by: Pali Rohár

Tested-by: Andre Heider
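The forwarding policy described in the quoted patch, as an added example that is not part of this thread or of U-Boot: a C model of a per-port egress mask (an abstraction standing in for the switch's port-based VLAN table, not its real register layout) that checks that the default configuration lets wan and lan reach each other while the isolated one only lets them reach the CPU port, and that netboot via every port still works in both.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Topaz port numbering as given in the patch description. */
enum { PORT_CPU = 0, PORT_WAN = 1, PORT_LAN0 = 2, PORT_LAN1 = 3, NUM_PORTS = 4 };

/* Hypothetical model: egress_mask[p] is the set of ports a frame that arrived
 * on port p may be forwarded to. Not the switch's actual register layout. */
typedef struct { uint8_t egress_mask[NUM_PORTS]; } pvlan_t;

/* Default after reset: every port may forward to every other port. */
void pvlan_default(pvlan_t *t) {
    for (int p = 0; p < NUM_PORTS; p++)
        t->egress_mask[p] = (uint8_t)(((1u << NUM_PORTS) - 1) & ~(1u << p));
}

/* Router policy from the patch: wan and lan egress only to CPU, CPU to all. */
void pvlan_isolate(pvlan_t *t) {
    pvlan_default(t);
    for (int p = 1; p < NUM_PORTS; p++)
        t->egress_mask[p] = 1u << PORT_CPU;
}

bool can_forward(const pvlan_t *t, int src, int dst) {
    return src != dst && (t->egress_mask[src] & (1u << dst)) != 0;
}

/* True when no non-CPU port can reach another non-CPU port (no wan/lan leak). */
bool wan_lan_isolated(const pvlan_t *t) {
    for (int s = 1; s < NUM_PORTS; s++)
        for (int d = 1; d < NUM_PORTS; d++)
            if (can_forward(t, s, d)) return false;
    return true;
}

/* True when netboot still works: CPU reaches every port and every port reaches CPU. */
bool netboot_possible(const pvlan_t *t) {
    for (int p = 1; p < NUM_PORTS; p++)
        if (!can_forward(t, PORT_CPU, p) || !can_forward(t, p, PORT_CPU)) return false;
    return true;
}

/* Evaluate one configuration against both requirements at once. */
bool policy_ok(bool isolated) {
    pvlan_t t;
    if (isolated) pvlan_isolate(&t); else pvlan_default(&t);
    return wan_lan_isolated(&t) && netboot_possible(&t);
}

int main(void) {
    printf("default: %s, isolated: %s\n", policy_ok(false) ? "ok" : "leaks",
           policy_ok(true) ? "ok" : "broken");
    return 0;
}
```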