Fun with CSF firmware (RK3588 GPU firmware)

Summary

Published: Mon 12 September 2022 By Icecream95 In RE. Those of us who have been trying to make use of the "v10" Mali GPUs from Arm, such as the Mali-G610 in Rockchip's RK3588 will surely have noticed by now the requirement of firmware—kbase requires mali_csffw.bin to be present in one of the firmware directories (such as /lib/firmware) for the GPU to be usable. Part 1: What is this firmware and how does it work? The firmware runs on a microcontroller inside the GPU and handles many tasks required to work the GPU that were previously handled inside the kernel. The MCU ("Microcontroller unit") is, as Alyssa Rosenzweig correctly guessed, a Cortex-M7 (r1p2, with no FPU, ECC cache, nor TCM), which I have found runs off the GPU clock, allowing for an impressive 990 MHz on RK3588. (That speed was measured on my board; maximum clock speeds on the RK3588 vary a bit from chip to chip.) While the MCU is 32-bit, the GPU supports sixteen eight 48-bit virtual address spaces. So how can it access all of this memory? Arm decided on the obvious method here: simply let the MCU control its own page tables! Calm down, it isn't quite that bad. Memory mappings To access memory, there are three layers that must be navigated: The MCU's integrated MPU (memory protection unit) The MCU memory mappings The GPU MMU Only the first two of these are controlled by the MCU, so exploits cannot access memory that is not mapped for access by the GPU. An attacker would have better luck using the BASE_MEM_MMU_DUMP_HANDLE cookie from userspace to dump the physical adresses of the page tables, so that a kernel exploit can change page tables from the CPU. To see how these layers fit together, let's try to access the memory at 0x5fffe05080 inside Address Space 3 from the MCU: uint64_t va = 0x5fffe05080; unsigned as = 3; /* The memory mapped GPU registers starting at this offset control the * MCU memory mapping for the 128 MiB region starting at 0x08000000 */ volatile void *map_reg_base = 0x40022100; volatile...