Boot behavior of the switch, and security


Viewing 6 posts - 31 through 36 (of 36 total)
  • #1786
    bakano
    Participant

    Thank you again SO much. I’ve noted and bookmarked your website and will absolutely pass along the information to anyone in need! My wife wants to visit Australia eventually, so maybe I will raise this thread from the dead someday! 😀

    -John Michael

    #5333
    spqr
    Participant

    Hi,

    Is it correct to assume the port-mask has changed on the v7 boards so that 0x3 would now be eth0 and lan1?
    To get the eth0 and wan only we need port-mask 0x9 ?

    #5359
    steveb
    Participant

    I haven’t looked at the v7 schematic, but it’s pretty straightforward. The bits correspond to the switch chip ports so
    bit 0 is for port 0, bit 1 for port 1 etc. Just check the port connections and set the bits accordingly.

    Cheers,
    Steve

    #5592
    spqr
    Participant

    Thanks for the reply, that’s what I assumed. It should be 0x9 then… though I haven’t confirmed this yet.

    #7271
    dedrozeba
    Participant

    Hello.
    A bit of warning on the port-mask setting.
    I flashed my board with port-mask set in u-boot to 0x3 and tested the configuration leaving the boot in u-boot prompt.
    It turned out for me that the switch still allows outgoing packets from the disabled lan ports to leak to the wan interface.
    The switch does not allow packets in response to get back in from wan though.
    I also tried extreme 0x1 port-mask – same thing, the switch still leaks. Lost bubt command as a result as expected and reflashed over WTP/UART.
    Does anybody observe the same or is it me screwing something?

    The next thing was to remove port forwardings in board/Marvell/mvebu_armada-37xx/board.c (I am using the latest branch) like steveb suggested and surprisingly this change had absolutely no effect.
    Any ideas?
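
One way to check for the leak described in post #7271, as an added example that is not part of any post in this thread: capture on the WAN segment with `tcpdump -e -n` while the board sits at the u-boot prompt, then flag every frame whose source MAC belongs to a host plugged into a LAN port. The MAC addresses and capture lines below are constructed samples, and `find_leaks` is a hypothetical helper name.

```python
import re
from collections import Counter

# tcpdump -e -n prints: "<time> <src mac> > <dst mac>, ethertype <name> (0x....), length N: ..."
FRAME_RE = re.compile(
    r"^\S+\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),\s+ethertype\s+(?P<etype>\S+)",
    re.IGNORECASE,
)

def find_leaks(capture_lines, lan_macs):
    """Count frames seen on the WAN side whose source is a LAN-side host.

    Returns a Counter keyed by (source MAC, ethertype name).
    """
    lan = {m.lower() for m in lan_macs}
    leaks = Counter()
    for line in capture_lines:
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # not a link-level frame line (e.g. tcpdump banner)
        src = m.group("src").lower()
        if src in lan:
            leaks[(src, m.group("etype"))] += 1
    return leaks

# Constructed capture taken on the WAN segment; 02:...:ee is an upstream host.
SAMPLE_CAPTURE = """\
10:00:01.000001 02:00:00:00:00:a1 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.50, length 46
10:00:01.500000 02:00:00:00:00:ee > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.9 tell 192.0.2.1, length 46
10:00:02.000002 02:00:00:00:00:a1 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: fe80::1 > ff02::2: ICMP6, router solicitation, length 16
10:00:03.000003 02:00:00:00:00:a2 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300
10:00:04.000000 02:00:00:00:00:a1 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.50, length 46
""".splitlines()

# Constructed MACs of the test hosts attached to the LAN ports.
LAN_MACS = {"02:00:00:00:00:A1", "02:00:00:00:00:a2"}

if __name__ == "__main__":
    for (mac, etype), n in sorted(find_leaks(SAMPLE_CAPTURE, LAN_MACS).items()):
        print(f"LEAK {mac} {etype}: {n} frame(s) reached the WAN segment")
```

An empty result while the LAN hosts are actively sending is the outcome that indicates the switch is not forwarding at the u-boot stage.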

    #38549
    taggart
    Participant

    Currently the u-boot images posted at

    https://dl.armbian.com/espressobin/u-boot/

    have a posting date of 2019-05-21. With that firmware installed on my v7 I get the following on boot:

    TIM-1.0
    WTMI-devel-18.12.1-e6bb176
    WTMI: system early-init
    SVC REV: 4, CPU VDD voltage: 1.027V
    NOTICE:  Booting Trusted Firmware
    NOTICE:  BL1: v1.5(release):1f8ca7e (Marvell-devel-18.12.2)
    NOTICE:  BL1: Built : 16:26:08, May 21 2019
    NOTICE:  BL1: Booting BL2
    NOTICE:  BL2: v1.5(release):1f8ca7e (Marvell-devel-18.12.2)
    NOTICE:  BL2: Built : 16:26:10, May 21 2019
    NOTICE:  BL1: Booting BL31
    NOTICE:  BL31: v1.5(release):1f8ca7e (Marvell-devel-18.12.2)
    NOTICE:  BL31: Built : 16:26:13
    
    U-Boot 2018.03-devel-18.12.3-gc9aa92c-armbian (Feb 20 2019 - 09:45:04 +0100)

    At https://github.com/MarvellEmbeddedProcessors/u-boot-marvell/

    the latest branch is “u-boot-2018.03-armada-18.12” (which the above appears to be using).

    I don’t know how the armbian folks build their images (although @igorp probably does) and if they are adjusting the port-mask mentioned in this thread and if so what value they are adjusting it to. @steveb seems to say that v7 might need a different value?

    I am trying to use my v7 as an openwrt router and my preference is that the network be disabled (or at the very least not forwarding) until linux brings it up. That seems like a sane default for most cases. The only case I can think of for enabling the network at u-boot time would be network boot, which is probably rare. I can’t think of _any_ good reason to do forwarding at u-boot time (but maybe someone else can?).

    Is there a way with u-boot env settings to disable network or forwarding on startup? If not, could maybe the available images be adjusted to do this (or have separate images available)?
