Highlighting this change in a slightly different light:
[3.0.0+] does the following BEFORE allowing the GPU to DMA to the IRAM:
- The security engine address is set up
- Bit 30 of offset 0x800 of the security engine is checked: if set, panic.
Therefore, on v1.0.0 through v2.3.0, the GPU is given permission to DMA to the IRAM ... before the security engine is set up.
If DMA to the IRAM could alter the control flow of the security engine, then this would be a significant security fix.
Note that this fix does not mean an exploit using these permissions existed. It's also possible that this was identified and fixed prior to an exploit existing.