Difference between revisions of "Novena EVT to DVT changes"
Revision as of 17:42, 19 March 2013
Contents
- 1 Novena EVT to DVT changes
- 1.1 ECO1: Inrush current limit
- 1.2 ECO2: FPGA boot fuse interference
- 1.3 ECO3: Gbit Ethernet Reset
- 1.4 ECO4: PCIe power on
- 1.5 ECO5: Improve magnetics termination
- 1.6 ECO6: Gbit refclock SI
- 1.7 ECO7: HDMI HPD polarity
- 1.8 ECO8: Audio chip sucks (power)
- 1.9 ECO9: Reset pulse too short
- 1.10 ECO10: Input cap bleed
- 1.11 ECO11: Split audio record/playback clocks
- 1.12 ECO12: Add user switch on bottom side
- 1.13 ECO13: Reduce attack surface by making DDC_SCL unidirectional
- 1.14 ECO 14: Fix L11N footprint
- 1.15 ECO 15: Drop silicon mic feature
- 1.16 ECO 16: Drop Raspberry Pi header
- 1.17 ECO17: Refactor LCD connector
Novena EVT to DVT changes
This is a list of all the changes applied to the board from EVT1A to DVT1 release. If it's not on this list, it didn't happen.
Each change is given as an issue summary and resolution, followed by the specific change.
ECO1: Inrush current limit
The RC constant governing the turn-on/turn-off rates of the FET power switches needs tuning. In EVT, most switches are turning on too quickly for them to be effective. Resolution is to increase capacitance and resistance.
EVT | DVT | Notes |
---|---|---|
R38N 330, 1% / REC1005N | R38N 10k, 1% / RESC1005N | P3.3V_DELAYED |
C30N 0.1uF, 6.3V, X5R / CAPC0603N_B | C30N 1.0uF, 25V, 20% X5R / CAPC1608N | P3.3V_DELAYED |
R29N 330, 1% / REC1005N | R29N 10k, 1% / RESC1005N | P5.0V_DELAYED |
C27N 0.1uF, 6.3V, X5R / CAPC0603N_B | C27N 1.0uF, 25V, 20% X5R / CAPC1608N | P5.0V_DELAYED |
R11H 330, 1% / REC1005N | R11H 10k, 1% / RESC1005N | SATA_PWRON |
C10H 0.1uF, 6.3V, X5R / CAPC0603N_B | C10H 1.0uF, 25V, 20% X5R / CAPC1608N | SATA_PWRON |
C10X 0.1uF, 6.3V, X5R / CAPC0603N_B | C10X 1.0uF, 25V, 20% X5R / CAPC1608N | PCIE_PWRON |
R15L 1k, 1% / REC1005N | R15L 10k, 1% / RESC1005N | LCD_VCC_SW |
C14L 0.1uF, 6.3V, X5R / CAPC0603N_B | C14L 1.0uF, 25V, 20% X5R / CAPC1608N | LCD_VCC_SW |
C19L 0.1uF, 25V, X5R / CAPC1005N | C19L 1.0uF, 25V, 20% X5R / CAPC1608N | LCD_BL_VDD |
ECO2: FPGA boot fuse interference
On boot, the FPGA's internal pull-ups yank the boot fuse lines going to the CPU, causing the wrong boot source to be selected.
EVT | DVT | Notes |
---|---|---|
R12F 4.7k, 1% / REC1005N | R12F 4.7k, 1% (DNP) / RESC1005N | depop pull-down |
R13F 4.7k, 1% (DNP) / REC1005N | R13F 4.7k, 1% / RESC1005N | populate pull-up |
ECO3: Gbit Ethernet Reset
Default circuit recommended by reference design is bogus. Get rid of it.
EVT | DVT | Notes |
---|---|---|
C32G 10uF, 10V, X5R, 20% | removed | |
D11G BAT54T1G | removed | |
D12G BAT54T1G | removed | |
R20G 10k, 1% | R20G 10k, 1% (DNP) | also changed to pull to ground by default |
ECO4: PCIe power on
Wire the PCI Express power-on line (gate of Q10X) to ball R1 / pad name GPIO_17 / "GPIO7[12] aka 6 * 32 + 12 = GPIO 204". Software change required.
ECO5: Improve magnetics termination
The magnetics in the PHY are not terminated properly, causing ISSI.
EVT | DVT | Notes |
---|---|---|
R14G 0 ohm | R14G 0 ohm (DNP) | also move EN1G_3.3VA line to other side of decaps on CT |
ECO6: Gbit refclock SI
Drive strength of U10G is not strong enough to overcome series terminator. Replace with shunt.
EVT | DVT | Notes |
---|---|---|
R21G 49.9, 1% RESC1005N | R21G 0 ohm RESC1005N | Double-check routing, consider RC shunt terminator |
ECO7: HDMI HPD polarity
HDMI HPD polarity is not software programmable, so the incoming signal needs to be buffered (not inverted).
EVT | DVT | Notes |
---|---|---|
R28L 0 ohm | R28L 0 ohm (DNP) | |
R27L 0 ohm (DNP) | R27L 0 ohm | |
Q17L 2N7002W (DNP) | Q17L 2N7002W | |
R29L 10k, 1% (DNP) | R29L 10k, 1% | |
ECO8: Audio chip sucks (power)
During power down, audio chip totally leaks power through the I2C bus. Need to really strengthen the pull-down to fully reset the chip and fight the pull-ups on I2C.
EVT | DVT | Notes |
---|---|---|
R21A 100, 1% | R21A 20 ohms, 1%,0402 | 10 ohm on EVT1A, but should be effective at 20 ohms. 10 ohms would be a new component, if lower value is needed go to 8.06 1% (from R10N) |
ECO9: Reset pulse too short
The PFUZE PMIC reset cycle is too short, approx 2 ms after VGEN6 (last supply) rises. Since other supplies are slaved off the VGEN5/6 enables and are still stabilizing, the reset pulse needs to be lengthened. Use a standard reset monitor on the +5V line, which ensures a minimum 100ms total reset pulse width from 5V stable; this provides plenty of margin for the system to stabilize (~50ms or so).
EVT | DVT | Notes |
---|---|---|
(none) | U14N APX803-44-SAG-7 or RT9818CXXGVL 4.2V-4.38V setpoint | multiple parts can serve this role |
(none) | C33N 0.1uF, 25V, X5R | |
ECO10: Input cap bleed
If there is an error condition on U11N, the chip goes into shut down. The leakage in protect mode is sufficiently small that it takes several seconds for the input caps to bleed down to a point where the error condition is cleared. This can lead to a bad user experience. For fixed installations, a 2.2k resistor is installed to bleed current on the input. This wastes about 65mW of power, but the capacitors now discharge in under a second. For battery/mobile installations, the resistor should *not* be installed, and instead the battery board should either guarantee sufficient time for a power cycle or there should be a switched pull-down on the battery board side to clear the error condition.
EVT | DVT | Notes |
---|---|---|
(none) | R31N 2.2k, 1% | |
ECO11: Split audio record/playback clocks
The audio codec requires independent clocks for record and playback (in part to allow for dissimilar sample rates during full duplex operation).
- ALRCK is connected to what is currently LCD_BL_ON
- LCD_BL_ON is connected to what is currently KEY_ROW4
- User switch is no longer bridging GPIOs, it's now a button shorting a pull-up to ground
EVT | DVT | Notes |
---|---|---|
(none) | R15S 10k, 1% | software change required -- key col4 is normally pulled up, and goes low when user switch is hit |
(none) | C15S 0.1uF, 6.3V, X5R | |
ECO12: Add user switch on bottom side
Add a user switch (mirror image) on the bottom side of the PCB to be compatible with the new ID.
EVT | DVT | Notes |
---|---|---|
(none) | SW11S TS-1187A, Chi Fung | |
ECO13: Reduce attack surface by making DDC_SCL unidirectional
HDMI DDC and the PMIC share the same I2C bus. This means that a hostile HDMI device could commandeer the I2C bus and attempt to reprogram the PMIC with values that can potentially cause permanent damage to the board. Prevent this by turning the DDC device into a slave only, which is accomplished by changing the level shifter on the bus into a unidirectional buffer. This prevents the trivial attack scenario on the board, where a programmable I2C interface on an HDMI plug could be used to destroy a Novena; for example, a simple software patch loaded into certain TV sets (particularly ones that grab updates via the internet) could accomplish this. Instead, a custom I2C-busting device (like an NeTV or Bus Pirate) must be made and physically connected to attack Novena using the remaining attack surface.
The remaining attack surface consists of monitoring the SCL/SDA lines and attempting to modify the I2C bus on-the-fly by overriding the SDA line's value using a very strong driver. This can be accomplished by simply waiting for any transaction on the bus where SCL is toggled, and modifying both the destination address and data packets (this is done by an NeTV, for example). One workaround is to disable all traffic to the PMIC's I2C bus as long as an HDMI device is plugged in. This is not a totally unreasonable scenario, as it basically means the device is locked in the "on" state if it's driving an external projector.
Of course, if someone had it about them to break into your office and mod the I2C lines in your HDMI interface to your external monitor, they probably could just as easily smash your laptop, mod your AC adapter, or mess with your USB cables and cause you similar trouble. So I think this remaining attack surface is comparable to other existing attack surfaces, and therefore not a high priority to button up.
EVT | DVT | Notes |
---|---|---|
(none) | R33L 47k, 1% | set to a high value to prevent leakage, but should still be fast enough for I2C use |
(none) | Q19L BSS138 | |
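The workaround described above (no PMIC I2C traffic while an HDMI device is attached) can be modelled as a software gate; this is an added example, not code from the Novena project. The hot-plug read, the bus write, the queue length and the register/value bytes are hypothetical stand-ins, stubbed so the file runs on its own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical platform hooks (assumptions, not Novena code): swap in the
 * real hot-plug read and I2C controller write. Stubbed so this runs offline. */
static bool hpd_level;        /* constructed input: true = HDMI device attached */
static unsigned bus_writes;   /* PMIC transactions that actually reached the bus */
static uint8_t last_val;      /* value of the most recent bus write */
static bool hdmi_plugged(void) { return hpd_level; }
static void bus_write(uint8_t reg, uint8_t val) { (void)reg; last_val = val; bus_writes++; }

enum { PMIC_SENT = 0, PMIC_DEFERRED = 1, PMIC_REFUSED = -1 };
#define PMIC_Q_LEN 8
static struct { uint8_t reg, val; } pending[PMIC_Q_LEN];
static size_t n_pending;

/* No PMIC transaction starts while an HDMI device is attached: any SCL
 * activity is a transaction an SDA-overriding device could rewrite. */
int pmic_write(uint8_t reg, uint8_t val)
{
    if (!hdmi_plugged()) { bus_write(reg, val); return PMIC_SENT; }
    for (size_t i = 0; i < n_pending; i++)          /* coalesce: latest value wins */
        if (pending[i].reg == reg) { pending[i].val = val; return PMIC_DEFERRED; }
    if (n_pending == PMIC_Q_LEN) return PMIC_REFUSED;   /* fail closed */
    pending[n_pending].reg = reg;
    pending[n_pending++].val = val;
    return PMIC_DEFERRED;
}

/* Run from the unplug handler. Plug state is re-read before every write so
 * a re-plug mid-flush stops the bus again. Returns the number of writes sent. */
size_t pmic_flush(void)
{
    size_t sent = 0;
    while (sent < n_pending && !hdmi_plugged()) {
        bus_write(pending[sent].reg, pending[sent].val);
        sent++;
    }
    memmove(pending, pending + sent, (n_pending - sent) * sizeof pending[0]);
    n_pending -= sent;
    return sent;
}

int main(void)
{
    hpd_level = true;                                   /* projector attached */
    printf("write while plugged: %d\n", pmic_write(0x20, 0x0f)); /* constructed reg/val */
    hpd_level = false;                                  /* unplugged */
    printf("flushed after unplug: %zu\n", pmic_flush());
    return 0;
}
```

Deferred power-state writes are what "locked in the on state" looks like in practice: the request is held, not dropped, and reaches the PMIC only after unplug.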
ECO 14: Fix L11N footprint
Footprint for L11N was mistakenly set to MSS1048; should be sized for XAL4020.
EVT | DVT | Notes |
---|---|---|
L11N Wurth 7447797050 0.50uH 8.5A / COILCRAFT_MSS1048 | L11N Coilcraft 0.60uH 10.4A XAL4020-601ME / COILCRAFT_XAL4020 | |
ECO 15: Drop silicon mic feature
The silicon mic built into the motherboard is being dropped. If a microphone is required, one must plug in an Android or iPhone compatible hands-free headset that contains a mic. The silicon mic is dropped in part due to privacy concerns.
Note that the connector to support an add-on board for an external silicon mic is still provisioned.
EVT | DVT | Notes |
---|---|---|
U13A MP34DT01 | U13A MP34DT01 (DNP) | |
ECO 16: Drop Raspberry Pi header
No value is seen in keeping the Rpi header; it takes a lot of space, has an inferior pin-out, and probably nobody will actually use it. The board space will instead be allocated to a new header that more intelligently uses the high-speed differential pairs available on the FPGA for expansion and prototyping.
EVT | DVT | Notes |
---|---|---|
P13D Male 13x2 2.54mm header | (none) | |
C13D 0.1uF, 25V, X5R | (none) | |
C12D 0.1uF, 25V, X5R | (none) | |
ECO17: Refactor LCD connector
Instead of relying on a discrete-wire cable, flex circuit headers will be used to connect to the LCD. These are cheaper and easier to make in small quantities than the discrete-wire cables. This enables a multiplicity of displays to be adapted to the board with a lower overhead cost.
EVT | DVT | Notes |
---|---|---|
JP10L HRS FX15S-41S-0.5SH | TBD | |