diff --git a/docs/plat/rpi3.rst b/docs/plat/rpi3.rst index 902da944b2bbb9d603e4d997ecf1acff3cbbc2a8..80515ba278998b7d1f02067aa0adee31504f0cb2 100644 --- a/docs/plat/rpi3.rst +++ b/docs/plat/rpi3.rst @@ -212,6 +212,9 @@ instructions in `Setup SD card`_. The following build options are supported: +- ``ENABLE_STACK_PROTECTOR``: Disabled by default. It uses the hardware RNG of + the board. + - ``PRELOADED_BL33_BASE``: Specially useful because the file ``kernel8.img`` can be loaded anywhere by modifying the file ``config.txt``. It doesn't have to contain a kernel, it could have any arbitrary payload. diff --git a/plat/rpi3/platform.mk b/plat/rpi3/platform.mk index 3ad7114ce84b95b87a18e72b1077b20d98510c66..2f18af6a87381fca0fec099530b8bd1d0d9cc2f5 100644 --- a/plat/rpi3/platform.mk +++ b/plat/rpi3/platform.mk @@ -90,6 +90,9 @@ WORKAROUND_CVE_2017_5715 := 0 # Disable the PSCI platform compatibility layer by default ENABLE_PLAT_COMPAT := 0 +# Disable stack protector by default +ENABLE_STACK_PROTECTOR := 0 + # Reset to BL31 isn't supported RESET_TO_BL31 := 0 @@ -146,6 +149,11 @@ ifeq (${ARCH},aarch32) $(error Error: AArch32 not supported on rpi3) endif +ifneq ($(ENABLE_STACK_PROTECTOR), 0) +PLAT_BL_COMMON_SOURCES += plat/rpi3/rpi3_rng.c \ + plat/rpi3/rpi3_stack_protector.c +endif + ifeq (${SPD},opteed) BL2_SOURCES += \ lib/optee/optee_utils.c diff --git a/plat/rpi3/rpi3_stack_protector.c b/plat/rpi3/rpi3_stack_protector.c new file mode 100644 index 0000000000000000000000000000000000000000..d939cd391788413e68a01aa5e1c8bd9d27f61543 --- /dev/null +++ b/plat/rpi3/rpi3_stack_protector.c @@ -0,0 +1,27 @@ +/* + * Copyright (c) 2017-2018, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include +#include + +#include "rpi3_private.h" + +/* Get 128 bits of entropy and fuse the values together to form the canary. */ +#define TRNG_NBYTES 16U + +u_register_t plat_get_stack_protector_canary(void) +{ + size_t i; + u_register_t buf[TRNG_NBYTES / sizeof(u_register_t)]; + u_register_t ret = 0U; + + rpi3_rng_read(buf, sizeof(buf)); + + for (i = 0U; i < ARRAY_SIZE(buf); i++) + ret ^= buf[i]; + + return ret; +}