Idea: ability (but not enforced) to clear (or R/W) CDI #186
Comments
It is possible to make the CDI writable in app-mode. It is also quite easy hardware-wise. We have discussed this internally as well, to keep the CDI writable, but we have not landed in any decision.
To make explicit what has not been said:
We could allow an app to mark the CDI as read, used, which would then block any further read access from app mode. We could also trigger a wipe, zeroisation too, to ensure that the CDI is not present in the FPGA at all.
Draft PR #204 adds the ability for device apps to lock down access to the CDI. The PR adds a new API-address ADDR_CDI_DONE. When written to, it will enforce that any future reads of the CDI return an all-zero value. The device must be reset to enable CDI reads again.
I'm posting this idea from software-development perspective. I may ask something that's hard to achieve or just an exceptional case.
Would it be possible to allow writing to the CDI addresses from the loaded program-binary? That would allow initialization to do the necessary processing, then afterwards clear the CDI. (An alternative would be to allow clearing the MMIO address pointers, although strictly speaking this introduces obscurity rather than security.)
The threat I'm thinking of is when an attacker manages to manipulate a pointer address such that the CDI is addressed rather than any other arbitrary piece of memory. I can compute values on-the-fly and securely wipe them, but the CDI remains available.
I suspect one can argue for and against this idea. I suspect it depends on the way a program is developed whether this feature is useful.
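The following is an added, constructed C model of the lock-down semantics described in the comment about draft PR #204 (write to ADDR_CDI_DONE, then every CDI read returns zero until reset) and of the corrupted-pointer read that the issue author is worried about. It is not code from the project or from any participant in this thread. Only the name ADDR_CDI_DONE comes from the thread; the CDI base address, the CDI width of eight 32-bit words, the sample CDI value and the XOR-fold "derivation" are assumptions made for the simulation and do not reflect the real device memory map or key derivation.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the CDI lock-down discussed in the thread.
 * Addresses, widths and the sample CDI are hypothetical. */
#define CDI_WORDS      8             /* assumption: 256-bit CDI as 8 x 32-bit words */
#define ADDR_CDI_BASE  0xC0000000u   /* hypothetical MMIO base of the CDI */
#define ADDR_CDI_DONE  0xC0000040u   /* register named in the thread; this address is assumed */

/* Constructed sample CDI loaded at "reset". */
static const uint32_t SAMPLE_CDI[CDI_WORDS] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Simulated hardware state. */
static uint32_t cdi_reg[CDI_WORDS];
static int cdi_locked;

/* Power-up/reset: hardware loads the CDI and clears the lock.
 * Only a reset can clear the lock in this model, as the comment states. */
void hw_reset(const uint32_t cdi[CDI_WORDS]) {
    memcpy(cdi_reg, cdi, sizeof cdi_reg);
    cdi_locked = 0;
}

/* Simulated bus read: once ADDR_CDI_DONE has been written, every CDI read
 * returns zero. Anything outside the CDI window reads as zero (unmapped). */
uint32_t mmio_read(uint32_t addr) {
    if (addr >= ADDR_CDI_BASE && addr < ADDR_CDI_BASE + 4u * CDI_WORDS) {
        if (cdi_locked)
            return 0;
        return cdi_reg[(addr - ADDR_CDI_BASE) / 4u];
    }
    return 0;
}

/* Simulated bus write: the CDI words themselves stay read-only; a write of
 * any value to ADDR_CDI_DONE latches the lock until the next reset. */
void mmio_write(uint32_t addr, uint32_t value) {
    (void)value;
    if (addr == ADDR_CDI_DONE)
        cdi_locked = 1;
}

/* Device-app pattern: read the CDI exactly once during initialisation,
 * derive what is needed, wipe the local copy, then lock the CDI away. */
uint32_t app_init_and_lock(void) {
    uint32_t local[CDI_WORDS];
    for (int i = 0; i < CDI_WORDS; i++)
        local[i] = mmio_read(ADDR_CDI_BASE + 4u * (uint32_t)i);

    /* Stand-in derivation (XOR fold). A real app would run a proper KDF. */
    uint32_t derived = 0;
    for (int i = 0; i < CDI_WORDS; i++)
        derived ^= local[i];

    /* Wipe through a volatile pointer so the compiler cannot elide the clear. */
    volatile uint32_t *p = local;
    for (int i = 0; i < CDI_WORDS; i++)
        p[i] = 0;

    mmio_write(ADDR_CDI_DONE, 1);  /* from here on, CDI reads return zero */
    return derived;
}

/* Models the threat in the issue: a pointer corrupted so that it indexes
 * into the CDI region instead of ordinary memory. After lock-down the
 * read yields nothing useful. */
uint32_t corrupted_pointer_read(uint32_t offset_words) {
    return mmio_read(ADDR_CDI_BASE + 4u * offset_words);
}

int main(void) {
    hw_reset(SAMPLE_CDI);
    printf("before lock, word 0 = %u\n", mmio_read(ADDR_CDI_BASE));
    printf("derived = %u\n", app_init_and_lock());
    printf("after lock, corrupted pointer read = %u\n", corrupted_pointer_read(0));
    hw_reset(SAMPLE_CDI);
    printf("after reset, word 1 = %u\n", mmio_read(ADDR_CDI_BASE + 4));
    return 0;
}
```

The point of the model is the ordering inside app_init_and_lock: the CDI is consumed and wiped from app memory before the lock is written, so a later pointer corruption of the kind described in the issue reaches only zeros, while a reset restores the CDI for the next app load.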