CSS: Prevent SCP_BL2/2U from overwriting BL1 RW data

On ARM CSS platforms, the SCP_BL2/2U image is loaded below BL1 read-write data. This same memory is used to load BL31 later on. But sufficient checks were not done to ensure that the SCP_BL2 would not overwrite BL1 rw data. This patch adds the required CASSERT checks to prevent overwrite into BL1 or BL2 memory by load of SCP_BL2/2U. Also the size of BL31 is increased and SCP_BL2/2U size is decreased to accomodate it within the allocated region. Change-Id: I23b28b5e1589e91150852a06452bd52b273216ee Signed-off-by: Soby Mathew <soby.mathew@arm.com>

CSS: Prevent SCP_BL2/2U from overwriting BL1 RW data
On ARM CSS platforms, the SCP_BL2/2U image is loaded below BL1 read-write data. This same memory is used to load BL31 later on. But sufficient checks were not done to ensure that the SCP_BL2 would not overwrite BL1 rw data. This patch adds the required CASSERT checks to prevent overwrite into BL1 or BL2 memory by load of SCP_BL2/2U. Also the size of BL31 is increased and SCP_BL2/2U size is decreased to accomodate it within the allocated region. Change-Id: I23b28b5e1589e91150852a06452bd52b273216ee Signed-off-by: Soby Mathew <soby.mathew@arm.com>
1ea63d77 · Soby Mathew · 74d44a49 · 1ea63d77 · 1ea63d77
Commit 1ea63d77 authored Jun 13, 2017 by Soby Mathew
--- a/include/plat/arm/css/common/css_def.h
+++ b/include/plat/arm/css/common/css_def.h
@@ -128,16 +128,22 @@
 * an SCP_BL2/SCP_BL2U image.
 */
 #if CSS_LOAD_SCP_IMAGES
+#if ARM_BL31_IN_DRAM
+#error "SCP_BL2 is not expected to be loaded by BL2 for ARM_BL31_IN_DRAM config"
+#endif
 /*
 * Load address of SCP_BL2 in CSS platform ports
- * SCP_BL2 is loaded to the same place as BL31.  Once SCP_BL2 is transferred to the
+ * SCP_BL2 is loaded to the same place as BL31 but it shouldn't overwrite BL1
- * SCP, it is discarded and BL31 is loaded over the top.
+ * rw data.  Once SCP_BL2 is transferred to the SCP, it is discarded and BL31
+ * is loaded over the top.
 */
-#define SCP_BL2_BASE			BL31_BASE
+#define SCP_BL2_BASE			(BL1_RW_BASE - PLAT_CSS_MAX_SCP_BL2_SIZE)
-#define SCP_BL2_LIMIT			(SCP_BL2_BASE + PLAT_CSS_MAX_SCP_BL2_SIZE)
+#define SCP_BL2_LIMIT			BL1_RW_BASE
-#define SCP_BL2U_BASE			BL31_BASE
+#define SCP_BL2U_BASE			(BL1_RW_BASE - PLAT_CSS_MAX_SCP_BL2U_SIZE)
-#define SCP_BL2U_LIMIT			(SCP_BL2U_BASE + PLAT_CSS_MAX_SCP_BL2U_SIZE)
+#define SCP_BL2U_LIMIT			BL1_RW_BASE
 #endif /* CSS_LOAD_SCP_IMAGES */
 /* Load address of Non-Secure Image for CSS platform ports */

--- a/plat/arm/css/drivers/scp/css_bom_bootloader.c
+++ b/plat/arm/css/drivers/scp/css_bom_bootloader.c
@@ -6,6 +6,7 @@
 #include <arch_helpers.h>
 #include <assert.h>
+#include <cassert.h>
 #include <css_def.h>
 #include <debug.h>
 #include <platform.h>
@@ -44,6 +45,18 @@ typedef struct {
 	uint32_t block_size;
 } cmd_data_payload_t;
+/*
+ * All CSS platforms load SCP_BL2/SCP_BL2U just below BL rw-data and above
+ * BL2/BL2U (this is where BL31 usually resides except when ARM_BL31_IN_DRAM is
+ * set. Ensure that SCP_BL2/SCP_BL2U do not overflow into BL1 rw-data nor
+ * BL2/BL2U.
+ */
+CASSERT(SCP_BL2_LIMIT <= BL1_RW_BASE, assert_scp_bl2_overwrite_bl1);
+CASSERT(SCP_BL2U_LIMIT <= BL1_RW_BASE, assert_scp_bl2u_overwrite_bl1);
+CASSERT(SCP_BL2_BASE >= BL2_LIMIT, assert_scp_bl2_overwrite_bl2);
+CASSERT(SCP_BL2U_BASE >= BL2U_LIMIT, assert_scp_bl2u_overwrite_bl2u);
 static void scp_boot_message_start(void)
 {
 	mhu_secure_message_start(BOM_MHU_SLOT_ID);