• Petre-Ionut Tudor's avatar
    Read-only xlat tables for BL31 memory · 60e8f3cf
    Petre-Ionut Tudor authored
    
    
    This patch introduces a build flag which allows the xlat tables
    to be mapped in a read-only region within BL31 memory. It makes it
    much harder for someone who has acquired the ability to write to
    arbitrary secure memory addresses to gain control of the
    translation tables.
    
    The memory attributes of the descriptors describing the tables
    themselves are changed to read-only secure data. This change
    happens at the end of BL31 runtime setup. Until this point, the
    tables have read-write permissions. This gives a window of
    opportunity for changes to be made to the tables with the MMU on
    (e.g. reclaiming init code). No changes can be made to the tables
    with the MMU turned on from this point onwards. This change is also
    enabled for sp_min and tspd.
    
    To make all this possible, the base table was moved to .rodata. The
    penalty we pay is that now .rodata must be aligned to the size of
    the base table (512B alignment). Still, this is better than putting
    the base table with the higher level tables in the xlat_table
    section, as that would cost us a full 4KB page.
    
    Changing the tables from read-write to read-only cannot be done with
    the MMU on, as the break-before-make sequence would invalidate the
    descriptor which resolves the level 3 page table where that very
    descriptor is located. This would make the translation required for
    writing the changes impossible, generating an MMU fault.
    
    The caches are also flushed.
    Signed-off-by: default avatarPetre-Ionut Tudor <petre-ionut.tudor@arm.com>
    Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
    60e8f3cf
xlat_tables_context.c 7.2 KB