[Cryptech Tech] USB interface
Peter Stuge
peter at stuge.se
Wed Apr 8 01:42:55 UTC 2020
Rob Austein wrote:
> > > However, it would also be possible to wire both UART and e.g. SPI up,
> > > and only ever use UART to begin with. That works with no software change.
> >
> > I think this is a very intriguing idea.
>
> I also find this interesting, but allow me to continue playing
> hardware-clueless Devil's Advocate:
>
> 1) Assuming for purposes of discussion that an attacker captures the
> SADM11, what bad things can that attacker do using the SPI lines
> that the attacker couldn't already do via the UART?
The STM32 firmware decides what to do about any SPI activity just like
for the UART, so nothing new is possible because of the extra connection.
SPI consists of a chip select signal, a clock signal and two data signals,
one goes into the other end shift register, the other comes back out.
Until the STM32 firmware actually supports that connection, evil SAMD11
can do whatever it wants.
Executing code on a USB device such as the SAMD11 requires particularly
bad bugs in that firmware, the risk is comparable to that associated with
parsing the RPC protocol inside the STM32.
But if we continue to assume that evil code executes on SAMD11 then
perhaps it could create some relevant interference on VCCO_3V3, and
try to to influence the STM32 and/or the FMC/FPGA IOs.
That risk, however small, could be mitigated with a separate supply
rail for the SAMD11, and something like SN74LVC1T45 (or 2T45/4T245)
dual-supply buffers for the IO signals going across to STM32.
A roughly equivalent scheme is built-in to the FTDI chips.
If SAMD11 is to have its own supply then add another three components
to the schematic; VBUS input cap, LDO and output cap.
A benefit of that is that the USB device could always be visible on
the PC, even if the board is not currently powered. In that case I'd
suggest to add one more signal which tells SAMD11 when STM32 is
powered, so that the PC can get a meaningful error message.
> 2) Assuming for purposes of discussion that (1) includes any real
> threats, would it help to run those SPI lines through jumpers so
> that they could be physically disconnected?
Sure! 0-ohm resistors could be used for this, but actual jumpers work too.
> Yeah, that's what worries me. This is cool stuff but we should have
> been having this conversation months ago, at this point we may have
> missed the window for this board rev.
I remember making the case for a programmable USB interface before the
first Alpha boards and my rev03.pdf schematic file is almost 4 years old.
If a new board still uses FTDI chips then please PLEASE at least
add VCCO_3V3 and FT_RESET/FT_RESET1 to the daughterboard headers.
//Peter
More information about the Tech
mailing list