ModemIsolationResearch » History » Version 44

Denis 'GNUtoo' Carikli, 01/05/2020 10:47 AM
fix link that was (accidentally?) pointing to a redirector

h1. Modem shared memory

This section documents in more detail the architecture of systems on a chip and devices that have shared memory between the modem and the processor running Android. Since the modem runs (only) proprietary software, devices that don't have any mechanism preventing the modem from taking control of the processor running Android are a grave concern for users' freedom and security.

This section focuses on that issue. Some Qualcomm systems on a chip that are affected by this issue also have other issues that aren't mentioned here but in [[Qualcomm_SOCs|the Qualcomm System On a Chip page]].

Documenting the issue more in depth might allow us to understand whether some devices with shared memory between the modem and the processor running Android can be used safely.

h2. Requirements

Having the modem and the processor running Android in separate chips, connected through a bus (like USB) that doesn't allow the modem to access the Android processor's memory, offers a fairly good guarantee that the modem cannot take control of the processor running Android at the hardware level.

When the modem and the Android processor are in the same chip, or when they use shared memory to communicate and that memory is also used by the processor's operating system, such guarantees are gone.

Several hardware mechanisms that can bring them back exist:

* Some smartphone manufacturers could connect the modem to the processor running Android through separate dedicated memory that is not used for anything other than enabling them to communicate.
* IOMMUs are hardware dedicated to preventing peripherals (like a modem) from taking control of the processor (here, the one running Android). To provide enough guarantee, such hardware should have good technical documentation and the code using it should have good peer review (being in upstream Linux should be good enough).

h2. System on a chip

This lists systems on a chip that also include a modem and have shared memory between the modem and the processor running Android, along with whether and how the modem and the processor running Android are isolated.

|_. Vendor |_. System on a chip |_. Isolation |_. Market share |_. References |
| Qualcomm | Mobile Station Modem (MSM) Snapdragon 7x30 | Bad:
* The modem is in charge of loading the bootloader of the processor running Android. Because of that it can tamper with that bootloader and take control of the processor running Android.
* The modem can access the memory of the processor running Android, and can take control of it that way.
* The modem has access to the storage of the processor running Android, so it can take control of it through that.
| ? | "boot process":http://tjworld.net/wiki/Android/HTC/Vision/BootProcess |
| Qualcomm | Snapdragon S4 | Unknown:
* The modem is booted by the processor running Android (which in turn is booted by a separate boot processor called RPM).
* There is not enough public documentation to understand whether there is enough isolation between the modem and the processor running Android.
| ? |
* "Boot process":https://forum.xda-developers.com/showthread.php?t=1769411&page=25
* "The Security of chip fabric page of rpw-pacsec2013-hexagon.pdf":https://web.archive.org/web/20131224103934if_/https://rpw.io/slides/rpw-pacsec2013-hexagon.pdf |

h2. Devices

This lists devices that have the modem and the processor running Android in separate chips and use shared memory between them, along with whether and how the processor running Android is isolated from the modem.

|_. Vendor |_. Device |_. Isolation |_. References |
| Samsung | Nexus S | ? | ? |
| Samsung | Galaxy S | ? | ? |

h1. Isolated modems

h2. Supported devices

|_. Vendor |_. Device |_. Link |_. Isolation |_. References |
|/8. Samsung | Galaxy Nexus (I9250) |/3. MIPI |/3. * With MIPI it's most probably not possible for the peripheral to access the host RAM | * "board-tuna.c:":https://git.replicant.us/replicant/kernel_samsung_tuna/plain/arch/arm/mach-omap2/board-tuna.c
<pre>
#ifdef CONFIG_OMAP_HSI_DEVICE
        if (TUNA_TYPE_MAGURO == omap4_tuna_get_type())
                omap_hsi_init();
#endif
</pre>
* "modem_link_device_mipi.c":https://git.replicant.us/replicant/kernel_samsung_tuna/plain/drivers/misc/modem_if/modem_link_device_mipi.c |
| Galaxy Tab 2 7.0 (P31xx) |/2. * "espresso_defconfig:":https://git.replicant.us/replicant/kernel_samsung_espresso10/plain/arch/arm/configs/espresso_defconfig?h=replicant-6.0 CONFIG_LINK_DEVICE_MIPI=y |
| Galaxy Tab 2 10.1 (P51xx) |
| Galaxy S 3 (I9300) |/5. HSIC |/5. * HSIC is a subset of the USB protocol => the peripheral has no access to the host RAM
* The device cannot change USB IDs "without the host powering up and down the bus":https://github.com/fourkbomb/linux/commit/5c71c549206351c16412d23c38e3d8d62763f454 |/5. * "lineageos_i9300_defconfig:":https://git.replicant.us/replicant/kernel_samsung_smdk4412/plain/arch/arm/configs/lineageos_i9300_defconfig CONFIG_MODEM_M0
* "lineageos_i7000_defconfig:":https://git.replicant.us/replicant/kernel_samsung_smdk4412/plain/arch/arm/configs/lineageos_i7000_defconfig CONFIG_LINK_DEVICE_HSIC=y
* "lineageos_i7100_defconfig:":https://git.replicant.us/replicant/kernel_samsung_smdk4412/plain/arch/arm/configs/lineageos_i7100_defconfig CONFIG_MODEM_M0
* "lineageos_i5100_defconfig:":https://git.replicant.us/replicant/kernel_samsung_smdk4412/plain/arch/arm/configs/lineageos_i5100_defconfig CONFIG_MODEM_M0
* "lineageos_i9100_defconfig:":https://git.replicant.us/replicant/kernel_samsung_smdk4412/plain/arch/arm/configs/lineageos_i9100_defconfig CONFIG_LINK_DEVICE_HSIC=y
* "board-m0-modems.c":https://git.replicant.us/replicant/kernel_samsung_smdk4412/plain/arch/arm/mach-exynos/board-m0-modems.c |
| Galaxy Note (N7000) |
| Galaxy Note 2 (N7100) |
| Galaxy Note 8.0 (N51xx) |
| Galaxy S 2 (I9100) |
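
As an added example (not Replicant's own tooling nor the page author's code), the Python script below parses a defconfig like the ones linked in the table and reports whether the enabled modem_if link is one the table treats as isolated. The MIPI and HSIC options come from the table; CONFIG_LINK_DEVICE_DPRAM is assumed to be the same driver's dual-port RAM option, and the sample defconfig is constructed.

```python
import re

# Link options cited on this page (isolated links) plus one assumed shared-memory
# option, CONFIG_LINK_DEVICE_DPRAM (dual-port RAM), from the same modem_if driver.
ISOLATED_LINKS = {
    "CONFIG_LINK_DEVICE_MIPI": "MIPI: peripheral most probably cannot access host RAM",
    "CONFIG_LINK_DEVICE_HSIC": "HSIC: subset of USB, peripheral has no host RAM access",
}
SHARED_MEMORY_LINKS = {
    "CONFIG_LINK_DEVICE_DPRAM": "DPRAM: RAM shared with the modem (assumed option name)",
}
_SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.+)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_defconfig(text):
    """Map CONFIG_* names to their value; '# ... is not set' lines map to None."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET_RE.match(line)
        if m:
            options[m.group(1)] = None
    return options


def classify_modem_link(options):
    """Return (verdict, reasons). The weakest enabled link decides: any
    shared-memory link gives 'shared-memory', otherwise an isolated link gives
    'isolated', and no recognised link at all gives 'unknown'."""
    shared = [why for opt, why in SHARED_MEMORY_LINKS.items() if options.get(opt) == "y"]
    isolated = [why for opt, why in ISOLATED_LINKS.items() if options.get(opt) == "y"]
    if shared:
        return "shared-memory", shared + isolated
    if isolated:
        return "isolated", isolated
    return "unknown", ["no recognised CONFIG_LINK_DEVICE_* option is enabled"]


# Constructed sample mimicking the I9300 defconfig lines cited in the table.
SAMPLE_I9300 = """\
CONFIG_MODEM_M0=y
CONFIG_LINK_DEVICE_HSIC=y
# CONFIG_LINK_DEVICE_MIPI is not set
"""
```

Run it against a real defconfig with `classify_modem_link(parse_defconfig(open(path).read()))`; a verdict of "isolated" only says which link driver is built, not that the board actually wires the modem over it, so it is a starting point for the review the table documents, not a replacement for it.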

h2. Powering off the modem

h3. Android airplane mode interface

The "RIL_REQUEST_RADIO_POWER command":https://git.replicant.us/LineageOS-mirror/android_hardware_ril/tree/include/telephony/ril.h#n2112 is used by airplane mode.

h3. Current libsamsung-ril and libsamsung-ipc implementation

"In libsamsung-ril, RIL_REQUEST_RADIO_POWER":https://git.replicant.us/replicant/hardware_ril_samsung-ril/tree/samsung-ril.c#n262 is implemented in the "ril_request_radio_power":https://git.replicant.us/replicant/hardware_ril_samsung-ril/tree/power.c#n72 function, which doesn't turn off the modem but asks it not to transmit by putting it in low power mode. This looks very similar to the AT+CFUN AT command.

h3. Better implementation

Airplane mode could be implemented in another way, where the modem is powered off. The advantage of using airplane mode for that is that it's already implemented in the Android GUI.

We would also need to explain to users that we implemented it this way, and that other Android distributions might have different implementations as their goals might differ. Doing a full modem bootstrap again will take longer than just asking the modem to leave low power mode.

To do that we would need to understand what exactly the kernel modem power off interface does in hardware, and look at the kernel APIs that could be used to do that.

On Replicant 9, at the time of writing, a GPIO interface (/sys/devices/platform/xmm6262/modem_power) is available for that, but we would need to look deeper into it to understand what exactly it does at the hardware level. That interface may change when the modem drivers are modified, for instance during the work to mainline them.

On Samsung kernels, the interface is different but probably exposes the same hardware controls in a different way.

At this point, libsamsung-ipc will need to be modified to use such interfaces instead.

Libsamsung-ipc and libsamsung-ril might also need to be modified to take into account the fact that the modem needs to be re-bootstrapped again.