Difference between revisions of "Novena EVT to DVT changes"

From Studio Kousagi Wiki
(ECO13: Reduce attack surface by making DDC_SCL unidirectional)
(ECO13: Reduce attack surface by making DDC_SCL unidirectional)
Line 184: Line 184:
 
The remaining attack surface consists of monitoring the SCL/SDA lines and attempting to modify the I2C bus on-the-fly by overriding the SDA line's value using a very strong driver. This can be accomplished by simply waiting for any transaction on the bus where SCL is toggled, and modifying both the destination address and data packets (this is done by an NeTV, for example). One work around is to disable all traffic to the PMIC's I2C bus as long as an HDMI device is plugged in. This is not a totally unreasonable scenario, as it basically means the device is locked in the "on" state if it's driving an external projector.  
 
The remaining attack surface consists of monitoring the SCL/SDA lines and attempting to modify the I2C bus on-the-fly by overriding the SDA line's value using a very strong driver. This can be accomplished by simply waiting for any transaction on the bus where SCL is toggled, and modifying both the destination address and data packets (this is done by an NeTV, for example). One work around is to disable all traffic to the PMIC's I2C bus as long as an HDMI device is plugged in. This is not a totally unreasonable scenario, as it basically means the device is locked in the "on" state if it's driving an external projector.  
  
Of course, the actual chance of this attack being executed is small to none.  
+
Of course, if someone had it about them to break into your office and mod the I2C lines in your HDMI interface to your external monitor, they probably could just as easily smash your laptop, mod your AC adapter, or mess with your USB cables and cause you similar trouble. So I think this remaining attack surface is comparable to other existing attack surfaces, and therefore not a high priority to button up.
  
 
{| class="wikitable sortable"
 
{| class="wikitable sortable"
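
Review bot: the replacement paragraph ("Of course, if someone had it about them to break into your office...") argues only from a monitor the user owns, while the unchanged paragraph directly above it names an external projector as the usual case, and a projector or monitor the user does not control needs no break-in to sit on the DDC lines. Suggest scoping the "not a high priority" conclusion to trusted displays and keeping the workaround of disabling PMIC I2C traffic while an HDMI device is plugged in as the recommendation for untrusted ones. The first-person "I think" would also read better as the project's stated assessment.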

Revision as of 17:42, 19 March 2013

Novena EVT to DVT changes

This is a list of all the changes applied to the board from EVT1A to DVT1 release. If it's not on this list, it didn't happen.

Each change is listed as an issue summary/resolution, followed by the specific change.

ECO1: Inrush current limit

The RC constant governing the turn-on/turn-off rates of the FET power switches needs tuning. In EVT, most switches are turning on too quickly for them to be effective. Resolution is to increase capacitance and resistance.

| EVT | DVT | Notes |
| --- | --- | --- |
| R38N 330, 1% / REC1005N | R38N 10k, 1% / RESC1005N | P3.3V_DELAYED |
| C30N 0.1uF, 6.3V, X5R / CAPC0603N_B | C30N 1.0uF, 25V, 20% X5R / CAPC1608N | P3.3V_DELAYED |
| R29N 330, 1% / REC1005N | R29N 10k, 1% / RESC1005N | P5.0V_DELAYED |
| C27N 0.1uF, 6.3V, X5R / CAPC0603N_B | C27N 1.0uF, 25V, 20% X5R / CAPC1608N | P5.0V_DELAYED |
| R11H 330, 1% / REC1005N | R11H 10k, 1% / RESC1005N | SATA_PWRON |
| C10H 0.1uF, 6.3V, X5R / CAPC0603N_B | C10H 1.0uF, 25V, 20% X5R / CAPC1608N | SATA_PWRON |
| C10X 0.1uF, 6.3V, X5R / CAPC0603N_B | C10X 1.0uF, 25V, 20% X5R / CAPC1608N | PCIE_PWRON |
| R15L 1k, 1% / REC1005N | R15L 10k, 1% / RESC1005N | LCD_VCC_SW |
| C14L 0.1uF, 6.3V, X5R / CAPC0603N_B | C14L 1.0uF, 25V, 20% X5R / CAPC1608N | LCD_VCC_SW |
| C19L 0.1uF, 25V, X5R / CAPC1005N | C19L 1.0uF, 25V, 20% X5R / CAPC1608N | LCD_BL_VDD |

ECO2: FPGA boot fuse interference

The FPGA's internal pull-ups on boot will yank the boot fuses to the CPU, causing the wrong boot source to be selected.

| EVT | DVT | Notes |
| --- | --- | --- |
| R12F 4.7k, 1% / REC1005N | R12F 4.7k, 1% (DNP) / RESC1005N | depop pull-down |
| R13F 4.7k, 1% (DNP) / REC1005N | R13F 4.7k, 1% / RESC1005N | populate pull-up |

ECO3: Gbit Ethernet Reset

Default circuit recommended by reference design is bogus. Get rid of it.

| EVT | DVT | Notes |
| --- | --- | --- |
| C32G 10uF, 10V, X5R, 20% | removed | |
| D11G BAT54T1G | removed | |
| D12G BAT54T1G | removed | |
| R20G 10k, 1% | R20G 10k, 1% (DNP) | also changed to pull to ground by default |

ECO4: PCIe power on

Wire the PCI Express power-on line (gate of Q10X) to ball R1 / pad name GPIO_17 / "GPIO7[12] aka 6 * 32 + 12 = GPIO 204". Software change required.

ECO5: Improve magnetics termination

The magnetics in the PHY are not terminated properly, causing ISSI.

| EVT | DVT | Notes |
| --- | --- | --- |
| R14G 0 ohm | R14G 0 ohm (DNP) | also move EN1G_3.3VA line to other side of decaps on CT |

ECO6: Gbit refclock SI

Drive strength of U10G is not strong enough to overcome series terminator. Replace with shunt.

| EVT | DVT | Notes |
| --- | --- | --- |
| R21G 49.9, 1% RESC1005N | R21G 0 ohm RESC1005N | Double-check routing, consider RC shunt terminator |

ECO7: HDMI HPD polarity

HDMI HPD polarity is not software programmable, so the incoming signal needs to be buffered (not inverted).

| EVT | DVT | Notes |
| --- | --- | --- |
| R28L 0 ohm | R28L 0 ohm (DNP) | |
| R27L 0 ohm (DNP) | R27L 0 ohm | |
| Q17L 2N7002W (DNP) | Q17L 2N7002W | |
| R29L 10k, 1% (DNP) | R29L 10k, 1% | |

ECO8: Audio chip sucks (power)

During power down, audio chip totally leaks power through the I2C bus. Need to really strengthen the pull-down to fully reset the chip and fight the pull-ups on I2C.

| EVT | DVT | Notes |
| --- | --- | --- |
| R21A 100, 1% | R21A 20 ohms, 1%,0402 | 10 ohm on EVT1A, but should be effective at 20 ohms. 10 ohms would be a new component, if lower value is needed go to 8.06 1% (from R10N) |

ECO9: Reset pulse too short

The PFUZE PMIC reset cycle is too short, approx 2 ms after VGEN6 (last supply) rises. Since there are other supplies slaved off of VGEN5/6 enables stabilizing, reset pulse needs to be lengthened. Use a standard reset monitor on the +5V line, which ensures a minimum 100ms total reset pulse width from 5V stable; provides plenty of margin for system to stabilize (~50ms or so).

| EVT | DVT | Notes |
| --- | --- | --- |
| (none) | U14N APX803-44-SAG-7 or RT9818CXXGVL 4.2V-4.38V setpoint | multiple parts can serve this role |
| (none) | C33N 0.1uF, 25V, X5R | |

ECO10: Input cap bleed

If there is an error condition on U11N, the chip goes into shut down. The leakage in protect mode is sufficiently small that it takes several seconds for the input caps to bleed down to a point where the error condition is cleared. This can lead to a bad user experience. For fixed installations, a 2.2k resistor is installed to bleed current on the input. This wastes about 65mW of power, but the capacitors now discharge in under a second. For battery/mobile installations, the resistor should *not* be installed, and instead the battery board should either guarantee sufficient time for a power cycle or there should be a switched pull-down on the battery board side to clear the error condition.

| EVT | DVT | Notes |
| --- | --- | --- |
| (none) | R31N 2.2k, 1% | |

ECO11: Split audio record/playback clocks

The audio codec requires independent clocks for record and playback (in part to allow for dissimilar sample rates during full duplex operation).

  • ALRCK is connected to what is currently LCD_BL_ON
  • LCD_BL_ON is connected to what is currently KEY_ROW4
  • User switch is no longer bridging GPIOs, it's now a button shorting a pull-up to ground

| EVT | DVT | Notes |
| --- | --- | --- |
| (none) | R15S 10k, 1% | software change required -- key col4 is normally pulled up, and goes low when user switch is hit |
| (none) | C15S 0.1uF, 6.3V, X5R | |

ECO12: Add user switch on bottom side

Add a user switch (mirror image) on the bottom side of the PCB to be compatible with the new ID.

| EVT | DVT | Notes |
| --- | --- | --- |
| (none) | SW11S TS-1187A, Chi Fung | |

ECO13: Reduce attack surface by making DDC_SCL unidirectional

HDMI DDC and the PMIC share the same I2C bus. This means that a hostile HDMI device could commandeer the I2C bus and attempt to reprogram the PMIC with values that can potentially cause permanent damage to the board. Prevent this by turning the DDC device into a slave only, which is accomplished by changing the level shifter on the bus into a unidirectional buffer. This prevents the trivial attack scenario on the board, where a programmable I2C interface on an HDMI plug could be used to destroy a Novena; for example, a simple software patch loaded into certain TV sets (particularly ones that grab updates via the internet) could accomplish this. Instead, a custom I2C-busting device (like an NeTV or Bus Pirate) must be made and physically connected to attack Novena using the remaining attack surface.

The remaining attack surface consists of monitoring the SCL/SDA lines and attempting to modify the I2C bus on-the-fly by overriding the SDA line's value using a very strong driver. This can be accomplished by simply waiting for any transaction on the bus where SCL is toggled, and modifying both the destination address and data packets (this is done by an NeTV, for example). One workaround is to disable all traffic to the PMIC's I2C bus as long as an HDMI device is plugged in. This is not a totally unreasonable scenario, as it basically means the device is locked in the "on" state if it's driving an external projector.

Of course, if someone had it about them to break into your office and mod the I2C lines in your HDMI interface to your external monitor, they probably could just as easily smash your laptop, mod your AC adapter, or mess with your USB cables and cause you similar trouble. So I think this remaining attack surface is comparable to other existing attack surfaces, and therefore not a high priority to button up.

| EVT | DVT | Notes |
| --- | --- | --- |
| (none) | R33L 47k, 1% | set to a high value to prevent leakage, but should still be fast enough for I2C use |
| (none) | Q19L BSS138 | |
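
The ECO13 buffer change and the hot-plug workaround described above, modelled as an added C example (not Novena design files or firmware). The open-drain line model, the `PMIC_ADDR` value and the `guarded_xfer` helper are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Who is pulling an open-drain line low (released lines float high). */
typedef struct { bool board_low; bool hdmi_low; } line_t;

/* SCL path between board and HDMI connector: EVT shifter vs ECO13 buffer. */
typedef enum { SHIFTER_BIDIR, BUFFER_UNIDIR } scl_path_t;

/* SCL as seen by the PMIC on the board side. */
bool board_scl_low(line_t scl, scl_path_t path) {
    if (path == SHIFTER_BIDIR)
        return scl.board_low || scl.hdmi_low; /* shifter passes both ways */
    return scl.board_low;                     /* buffer: board -> HDMI only */
}

/* SCL as seen by the display: the board's clock still reaches it. */
bool hdmi_scl_low(line_t scl) { return scl.board_low || scl.hdmi_low; }

/* Falling SCL edges the PMIC sees when only the HDMI side toggles SCL. */
int pmic_edges_from_hdmi(scl_path_t path, int half_cycles) {
    int edges = 0;
    bool prev_low = false;
    for (int i = 0; i < half_cycles; i++) {
        line_t scl = { false, (i % 2) == 0 }; /* board idle, HDMI toggling */
        bool low = board_scl_low(scl, path);
        if (low && !prev_low) edges++;
        prev_low = low;
    }
    return edges;
}

/* Workaround from the text: no PMIC traffic while HDMI is plugged in. */
#define PMIC_ADDR     0x08u /* assumed 7-bit address, illustration only */
#define DDC_EDID_ADDR 0x50u /* standard DDC EDID address */
typedef enum { XFER_DENIED = -1, XFER_OK = 0 } xfer_t;

xfer_t guarded_xfer(unsigned addr, bool hdmi_plugged) {
    return (addr == PMIC_ADDR && hdmi_plugged) ? XFER_DENIED : XFER_OK;
}

int main(void) {
    printf("EVT shifter: PMIC sees %d HDMI-driven edges\n", pmic_edges_from_hdmi(SHIFTER_BIDIR, 8));
    printf("DVT buffer:  PMIC sees %d HDMI-driven edges\n", pmic_edges_from_hdmi(BUFFER_UNIDIR, 8));
    printf("PMIC write with HDMI plugged: %d\n", guarded_xfer(PMIC_ADDR, true));
    return 0;
}
```

Only SCL is modelled here; SDA stays bidirectional, which is why the text pairs the buffer with the option of locking out PMIC traffic while a display is attached.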

ECO14: Fix L11N footprint

Footprint for L11N was mistakenly set to MSS1048; should be sized for XAL4020.

| EVT | DVT | Notes |
| --- | --- | --- |
| L11N Wurth 7447797050 0.50uH 8.5A / COILCRAFT_MSS1048 | L11N Coilcraft 0.60uH 10.4A XAL4020-601ME / COILCRAFT_XAL4020 | |

ECO15: Drop silicon mic feature

The silicon mic built into the motherboard is being dropped. If a microphone is required, one must plug in an Android- or iPhone-compatible hands-free headset that contains a mic. The silicon mic is dropped in part due to privacy concerns.

Note that the connector to support an add-on board for an external silicon mic is still provisioned.

| EVT | DVT | Notes |
| --- | --- | --- |
| U13A MP34DT01 | U13A MP34DT01 (DNP) | |

ECO16: Drop Raspberry Pi header

No value is seen in keeping the Rpi header; it takes a lot of space, has an inferior pin-out, and probably nobody will actually use it. The board space will instead be allocated to a new header that more intelligently uses the high-speed differential pairs available on the FPGA for expansion and prototyping.

| EVT | DVT | Notes |
| --- | --- | --- |
| P13D Male 13x2 2.54mm header | (none) | |
| C13D 0.1uF, 25V, X5R | (none) | |
| C12D 0.1uF, 25V, X5R | (none) | |

ECO17: Refactor LCD connector

Instead of relying on a discrete-wire cable, flex circuit headers will be used to connect to the LCD. These are cheaper and easier to make in small quantities than the discrete-wire cables. This enables a multiplicity of displays to be adapted to the board with a lower overhead cost.

| EVT | DVT | Notes |
| --- | --- | --- |
| JP10L HRS FX15S-41S-0.5SH | TBD | |