1. 18 Jan, 2018 2 commits
    • Roberto Vargas's avatar
      bl2-el3: Don't include BL2 in fip for BL2 at EL3 · c9b31ae8
      Roberto Vargas authored
      
      
      It is better to not include BL2 in FIP when using `BL2 at EL3` as
      platforms using this config would not have the capability to parse the
      FIP format in Boot ROM and BL2 needs to be loaded independently. This
      patch does the required changes for the same.
      
      Change-Id: Iad285c247b3440e2d827fef97c3dd81f5c09cabc
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      c9b31ae8
    • Roberto Vargas's avatar
      bl2-el3: Add BL2_EL3 image · b1d27b48
      Roberto Vargas authored
      
      
      This patch enables BL2 to execute at the highest exception level
      without any dependancy on TF BL1. This enables platforms which already
      have a non-TF Boot ROM to directly load and execute BL2 and subsequent BL
      stages without need for BL1.  This is not currently possible because
      BL2 executes at S-EL1 and cannot jump straight to EL3.
      
      Change-Id: Ief1efca4598560b1b8c8e61fbe26d1f44e929d69
      Signed-off-by: default avatarRoberto Vargas <roberto.vargas@arm.com>
      b1d27b48
  2. 14 Dec, 2017 1 commit
  3. 30 Nov, 2017 1 commit
    • David Cunado's avatar
      Enable SVE for Non-secure world · 1a853370
      David Cunado authored
      
      
      This patch adds a new build option, ENABLE_SVE_FOR_NS, which when set
      to one EL3 will check to see if the Scalable Vector Extension (SVE) is
      implemented when entering and exiting the Non-secure world.
      
      If SVE is implemented, EL3 will do the following:
      
      - Entry to Non-secure world: SIMD, FP and SVE functionality is enabled.
      
      - Exit from Non-secure world: SIMD, FP and SVE functionality is
        disabled. As SIMD and FP registers are part of the SVE Z-registers
        then any use of SIMD / FP functionality would corrupt the SVE
        registers.
      
      The build option default is 1. The SVE functionality is only supported
      on AArch64 and so the build option is set to zero when the target
      archiecture is AArch32.
      
      This build option is not compatible with the CTX_INCLUDE_FPREGS - an
      assert will be raised on platforms where SVE is implemented and both
      ENABLE_SVE_FOR_NS and CTX_INCLUDE_FPREGS are set to 1.
      
      Also note this change prevents secure world use of FP&SIMD registers on
      SVE-enabled platforms. Existing Secure-EL1 Payloads will not work on
      such platforms unless ENABLE_SVE_FOR_NS is set to 0.
      
      Additionally, on the first entry into the Non-secure world the SVE
      functionality is enabled and the SVE Z-register length is set to the
      maximum size allowed by the architecture. This includes the use case
      where EL2 is implemented but not used.
      
      Change-Id: Ie2d733ddaba0b9bef1d7c9765503155188fe7dae
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      1a853370
  4. 29 Nov, 2017 2 commits
    • Soby Mathew's avatar
      ARM platforms: Fixup AArch32 builds · 5744e874
      Soby Mathew authored
      
      
      This patch fixes a couple of issues for AArch32 builds on ARM reference
      platforms :
      
      1. The arm_def.h previously defined the same BL32_BASE value for AArch64 and
         AArch32 build. Since BL31 is not present in AArch32 mode, this meant that
         the BL31 memory is empty when built for AArch32. Hence this patch allocates
         BL32 to the memory region occupied by BL31 for AArch32 builds.
      
         As a side-effect of this change, the ARM_TSP_RAM_LOCATION macro cannot
         be used to control the load address of BL32 in AArch32 mode which was
         never the intention of the macro anyway.
      
      2. A static assert is added to sp_min linker script to check that the progbits
         are within the bounds expected when overlaid with other images.
      
      3. Fix specifying `SPD` when building Juno for AArch32 mode. Due to the quirks
         involved when building Juno for AArch32 mode, the build option SPD needed to
         specifed. This patch corrects this and also updates the documentation in the
         user-guide.
      
      4. Exclude BL31 from the build and FIP when building Juno for AArch32 mode. As
         a result the previous assumption that BL31 must be always present is removed
         and the certificates for BL31 is only generated if `NEED_BL31` is defined.
      
      Change-Id: I1c39bbc0abd2be8fbe9f2dea2e9cb4e3e3e436a8
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      5744e874
    • Dimitris Papastamos's avatar
      Implement support for the Activity Monitor Unit on Cortex A75 · 0319a977
      Dimitris Papastamos authored
      
      
      The Cortex A75 has 5 AMU counters.  The first three counters are fixed
      and the remaining two are programmable.
      
      A new build option is introduced, `ENABLE_AMU`.  When set, the fixed
      counters will be enabled for use by lower ELs.  The programmable
      counters are currently disabled.
      
      Change-Id: I4bd5208799bb9ed7d2596e8b0bfc87abbbe18740
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      0319a977
  5. 24 Nov, 2017 1 commit
  6. 20 Nov, 2017 1 commit
    • Dimitris Papastamos's avatar
      Refactor Statistical Profiling Extensions implementation · 281a08cc
      Dimitris Papastamos authored
      
      
      Factor out SPE operations in a separate file.  Use the publish
      subscribe framework to drain the SPE buffers before entering secure
      world.  Additionally, enable SPE before entering normal world.
      
      A side effect of this change is that the profiling buffers are now
      only drained when a transition from normal world to secure world
      happens.  Previously they were drained also on return from secure
      world, which is unnecessary as SPE is not supported in S-EL1.
      
      Change-Id: I17582c689b4b525770dbb6db098b3a0b5777b70a
      Signed-off-by: default avatarDimitris Papastamos <dimitris.papastamos@arm.com>
      281a08cc
  7. 08 Nov, 2017 2 commits
    • Antonio Nino Diaz's avatar
      SPM: Introduce Secure Partition Manager · 2fccb228
      Antonio Nino Diaz authored
      
      
      A Secure Partition is a software execution environment instantiated in
      S-EL0 that can be used to implement simple management and security
      services. Since S-EL0 is an unprivileged exception level, a Secure
      Partition relies on privileged firmware e.g. ARM Trusted Firmware to be
      granted access to system and processor resources. Essentially, it is a
      software sandbox that runs under the control of privileged software in
      the Secure World and accesses the following system resources:
      
      - Memory and device regions in the system address map.
      - PE system registers.
      - A range of asynchronous exceptions e.g. interrupts.
      - A range of synchronous exceptions e.g. SMC function identifiers.
      
      A Secure Partition enables privileged firmware to implement only the
      absolutely essential secure services in EL3 and instantiate the rest in
      a partition. Since the partition executes in S-EL0, its implementation
      cannot be overly complex.
      
      The component in ARM Trusted Firmware responsible for managing a Secure
      Partition is called the Secure Partition Manager (SPM). The SPM is
      responsible for the following:
      
      - Validating and allocating resources requested by a Secure Partition.
      - Implementing a well defined interface that is used for initialising a
        Secure Partition.
      - Implementing a well defined interface that is used by the normal world
        and other secure services for accessing the services exported by a
        Secure Partition.
      - Implementing a well defined interface that is used by a Secure
        Partition to fulfil service requests.
      - Instantiating the software execution environment required by a Secure
        Partition to fulfil a service request.
      
      Change-Id: I6f7862d6bba8732db5b73f54e789d717a35e802f
      Co-authored-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      Co-authored-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      Co-authored-by: default avatarAchin Gupta <achin.gupta@arm.com>
      Co-authored-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      2fccb228
    • Etienne Carriere's avatar
      ARMv7 target is driven by ARM_ARCH_MAJOR==7 · 26e63c44
      Etienne Carriere authored
      
      
      External build environment shall sets directive ARM_ARCH_MAJOR to 7
      to specify a target ARMv7-A core.
      
      As ARM-TF expects AARCH to be set, ARM_ARCH_MAJOR==7 mandates
      AARCH=aarch32.
      
      The toolchain target architecture/cpu is delegated after the platform
      configuration is parsed. Platform shall define target core through
      ARM_CORTEX_A<x>=yes, <x> being 5, 7, 9, 12, 15 and/or 17.
      
      Platform can bypass ARM_CORTEX_A<x>=yes directive and provide straight
      the toolchain target directive through MARCH32_DIRECTIVE.
      Signed-off-by: default avatarEtienne Carriere <etienne.carriere@linaro.org>
      26e63c44
  8. 06 Nov, 2017 1 commit
  9. 16 Oct, 2017 1 commit
    • Jeenu Viswambharan's avatar
      GIC: Add APIs to set interrupt type and query support · 74dce7fa
      Jeenu Viswambharan authored
      
      
      The back end GIC driver converts and assigns the interrupt type to
      suitable group.
      
      For GICv2, a build option GICV2_G0_FOR_EL3 is introduced, which
      determines to which type Group 0 interrupts maps to.
      
       - When the build option is set 0 (the default), Group 0 interrupts are
         meant for Secure EL1. This is presently the case.
      
       - Otherwise, Group 0 interrupts are meant for EL3. This means the SPD
         will have to synchronously hand over the interrupt to Secure EL1.
      
      The query API allows the platform to query whether the platform supports
      interrupts of a given type.
      
      API documentation updated.
      
      Change-Id: I60fdb4053ffe0bd006b3b20914914ebd311fc858
      Co-authored-by: default avatarYousuf A <yousuf.sait@arm.com>
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      74dce7fa
  10. 20 Sep, 2017 1 commit
    • Nishanth Menon's avatar
      Makefile: Add ability to build dtb · 03b397a8
      Nishanth Menon authored
      This is a revamp of the original approach in:
      https://github.com/ARM-software/arm-trusted-firmware/pull/747
      
      
      
      Current build system has no means to automatically generate dtbs from
      dts, instead, stores the dtbs in the fdts/ folder. While this makes
      perfect sense for many reference platforms, this becomes a minor
      breakage in development flow for newer platforms.
      
      However, this can be solved by providing a rule for the dtbs while
      building the ATF binaries by purely describing which dts sources we
      need.
      
      For example, with this change, we will now be able to describe the
      dtbs we need for the platform in the corresponding platform.mk file:
      FDT_SOURCES += fdts/abc.dts
      
      This should be able to generate the abc.dtb appropriately.
      
      Since device trees are specification of hardware, we don't tie the rule
      to any specific BL, instead a generic rule is introduced.
      
      Further, this approach allows us to generate appropriate dtbs which may be
      need to be regenerated when a common dtsi gets updated, by just
      restricting changes to the dtsi alone, instead of synchronizing all the
      dtbs as well.
      
      If dtc is not available in default paths, but is available in an
      alternate location, it can be chosen by overriding the DTC variable
      such as 'make DTC=~/dtc/dtc ....`
      
      NOTE: dtbs are built only with the explicit make dtbs command. The rule
      is only available if the platform defines a FDT_SOURCES variable.
      Signed-off-by: default avatarBenjamin Fair <b-fair@ti.com>
      Signed-off-by: default avatarNishanth Menon <nm@ti.com>
      03b397a8
  11. 11 Sep, 2017 1 commit
    • Soby Mathew's avatar
      Implement log framework · 7f56e9a3
      Soby Mathew authored
      
      
      This patch gives users control over logging messages printed from the C
      code using the LOG macros defined in debug.h Users now have the ability
      to reduce the log_level at run time using the tf_log_set_max_level()
      function. The default prefix string can be defined by platform by
      overriding the `plat_log_get_prefix()` platform API which is also
      introduced in this patch.
      
      The new log framework results in saving of some RO data. For example,
      when BL1 is built for FVP with LOG_LEVEL=LOG_LEVEL_VERBOSE, resulted
      in saving 384 bytes of RO data and increase of 8 bytes of RW data. The
      framework also adds about 108 bytes of code to the release build of FVP.
      
      Fixes ARM-software/tf-issues#462
      
      Change-Id: I476013d9c3deedfdd4c8b0b0f125665ba6250554
      Co-authored-by: default avatarEleanor Bonnici <Eleanor.bonnici@arm.com>
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      7f56e9a3
  12. 08 Sep, 2017 1 commit
  13. 23 Aug, 2017 1 commit
  14. 01 Aug, 2017 1 commit
    • Jeenu Viswambharan's avatar
      CCI: Adapt for specific product at run time · e33fd445
      Jeenu Viswambharan authored
      
      
      The current build system and driver requires the CCI product to be
      specified at build time. The device constraints can be determined at run
      time from its ID registers, obviating the need for specifying them
      ahead.
      
      This patch adds changes to identify and validate CCI at run time. Some
      global variables are renamed to be in line with the rest of the code
      base.
      
      The build option ARM_CCI_PRODUCT_ID is now removed, and user guide is
      updated.
      
      Change-Id: Ibb765e349d3bc95ff3eb9a64bde1207ab710a93d
      Signed-off-by: default avatarJeenu Viswambharan <jeenu.viswambharan@arm.com>
      e33fd445
  15. 24 Jul, 2017 1 commit
  16. 06 Jul, 2017 1 commit
  17. 28 Jun, 2017 1 commit
    • Douglas Raillard's avatar
      Introduce TF_LDFLAGS · c2b8806f
      Douglas Raillard authored
      
      
      Use TF_LDFLAGS from the Makefiles, and still append LDFLAGS as well to
      the compiler's invocation. This allows passing extra options from the
      make command line using LDFLAGS.
      
      Document new LDFLAGS Makefile option.
      
      Change-Id: I88c5ac26ca12ac2b2d60a6f150ae027639991f27
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      c2b8806f
  18. 22 Jun, 2017 2 commits
    • Douglas Raillard's avatar
      Apply workarounds for A53 Cat A Errata 835769 and 843419 · a94cc374
      Douglas Raillard authored
      These errata are only applicable to AArch64 state. See the errata notice
      for more details:
      http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.epm048406/index.html
      
      
      
      Introduce the build options ERRATA_A53_835769 and ERRATA_A53_843419.
      Enable both of them for Juno.
      
      Apply the 835769 workaround as following:
      * Compile with -mfix-cortex-a53-835769
      * Link with --fix-cortex-a53-835769
      
      Apply the 843419 workaround as following:
      * Link with --fix-cortex-a53-843419
      
      The erratum 843419 workaround can lead the linker to create new sections
      suffixed with "*.stub*" and 4KB aligned. The erratum 835769 can lead the
      linker to create new "*.stub" sections with no particular alignment.
      
      Also add support for LDFLAGS_aarch32 and LDFLAGS_aarch64 in Makefile for
      architecture-specific linker options.
      
      Change-Id: Iab3337e338b7a0a16b0d102404d9db98c154f8f8
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      a94cc374
    • dp-arm's avatar
      aarch64: Enable Statistical Profiling Extensions for lower ELs · d832aee9
      dp-arm authored
      
      
      SPE is only supported in non-secure state.  Accesses to SPE specific
      registers from SEL1 will trap to EL3.  During a world switch, before
      `TTBR` is modified the SPE profiling buffers are drained.  This is to
      avoid a potential invalid memory access in SEL1.
      
      SPE is architecturally specified only for AArch64.
      
      Change-Id: I04a96427d9f9d586c331913d815fdc726855f6b0
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      d832aee9
  19. 01 Jun, 2017 1 commit
  20. 24 May, 2017 5 commits
    • dp-arm's avatar
      build: Introduce ARM Compiler 6 support · 7559633b
      dp-arm authored
      
      
      Only the compiler is switched to ARM Compiler 6.  The assembler and linker
      are provided by the GCC toolchain.
      
      ARM Compiler 6 is used to build TF when the base name of the path assigned
      to `CC` matches the string 'armclang'.
      
      `CROSS_COMPILE` is still needed and should point to the appropriate
      GCC toolchain.
      
      Tested with ARM CC 6.7.
      
      Change-Id: Ib359bf9c1e8aeed3f662668e44830864f3fe7b4a
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      7559633b
    • dp-arm's avatar
      build: Introduce clang support · d5461857
      dp-arm authored
      
      
      Only the compiler is switched to clang.  The assembler and linker are
      provided by the GCC toolchain.
      
      clang is used to build TF when the base name of the path assigned to
      `CC` contains the string 'clang'.
      
      `CROSS_COMPILE` is still needed and should point to the appropriate
      GCC toolchain.
      
      Tested with clang 3.9.x and 4.0.x.
      
      Change-Id: I53236d64e3c83ad27fc843bae5fcdae30f2e325e
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      d5461857
    • dp-arm's avatar
      build: Introduce HOSTCC flag · 72610c41
      dp-arm authored
      
      
      Tools are built using the compiler specified in `HOSTCC` instead of
      reusing the `CC` variable.  By default, gcc is used.
      
      Change-Id: I83636a375c61f4804b4e80784db9d061fe20af87
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      72610c41
    • dp-arm's avatar
      Switch default C environment from c99 to gnu99 · 344af656
      dp-arm authored
      
      
      Since TF uses GCC extensions, switch the C environment
      from c99 to gnu99.
      
      This change allows armclang to build TF.
      
      Change-Id: Iaacb2726ba1458af59faf607ae9405d6eedb9962
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      344af656
    • Antonio Nino Diaz's avatar
      Introduce `tf_snprintf` · da5241cb
      Antonio Nino Diaz authored
      
      
      This is a reduced version of `snprintf` that only supports formats '%d',
      '%i' and '%u'. It can be used when the full `snprintf` is not needed in
      order to save memory. If it finds an unknown format specifier, it
      prints an error message and panics.
      
      Change-Id: I2cb06fcdf74cda2c43caf73ae0762a91499fc04e
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      da5241cb
  21. 23 May, 2017 2 commits
    • Masahiro Yamada's avatar
      cert: move platform_oid.h to include/tools_share for all platforms · bb41eb7a
      Masahiro Yamada authored
      
      
      Platforms aligned with TBBR are supposed to use their own OIDs, but
      defining the same macros with different OIDs does not provide any
      value (at least technically).
      
      For easier use of TBBR, this commit allows platforms to reuse the OIDs
      obtained by ARM Ltd.  This will be useful for non-ARM vendors that
      do not need their own extension fields in their certificate files.
      
      The OIDs of ARM Ltd. have been moved to include/tools_share/tbbr_oid.h
      
      Platforms can include <tbbr_oid.h> instead of <platform_oid.h> by
      defining USE_TBBR_DEFS as 1.  USE_TBBR_DEFS is 0 by default to keep the
      backward compatibility.
      
      For clarification, I inserted a blank line between headers from the
      include/ directory (#include <...>) and ones from a local directory
      (#include "..." ).
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      bb41eb7a
    • Masahiro Yamada's avatar
      fip: move headers shared between TF and fiptool to include/tools_share · 2a6c1a8f
      Masahiro Yamada authored
      
      
      Some header files need to be shared between TF and host programs.
      For fiptool, two headers are copied to the tools/fiptool directory,
      but it looks clumsy.
      
      This commit introduces a new directory, include/tools_share, which
      collects headers that should be shared between TF and host programs.
      
      This will clarify the interface exposed to host tools.  We should
      add new headers to this directory only when we really need to do so.
      
      For clarification, I inserted a blank line between headers from the
      include/ directory (#include <...>) and ones from a local directory
      (#include "..." ).
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      2a6c1a8f
  22. 15 May, 2017 2 commits
  23. 12 May, 2017 1 commit
  24. 03 May, 2017 1 commit
  25. 02 May, 2017 1 commit
    • Evan Lloyd's avatar
      Build: Correct Unix specific echo commands · 052ab529
      Evan Lloyd authored
      
      
      Some recent changes have added direct use of the echo command without
      parameters.  This fails on a Windows shell, because echo without
      parameters reports the mode ("ECHO is on").
      This is corrected using the ECHO_BLANK_LINE macro already provided
      for that purpose.
      
      Change-Id: I5fd7192861b4496f6f46b4f096e80a752cd135d6
      Signed-off-by: default avatarEvan Lloyd <evan.lloyd@arm.com>
      052ab529
  26. 20 Apr, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Remove build option `ASM_ASSERTION` · 044bb2fa
      Antonio Nino Diaz authored
      
      
      The build option `ENABLE_ASSERTIONS` should be used instead. That way
      both C and ASM assertions can be enabled or disabled together.
      
      All occurrences of `ASM_ASSERTION` in common code and ARM platforms have
      been replaced by `ENABLE_ASSERTIONS`.
      
      ASM_ASSERTION has been removed from the user guide.
      
      Change-Id: I51f1991f11b9b7ff83e787c9a3270c274748ec6f
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      044bb2fa
  27. 19 Apr, 2017 2 commits
    • Antonio Nino Diaz's avatar
      Add `ENABLE_ASSERTIONS` build option · cc8b5632
      Antonio Nino Diaz authored
      
      
      Add the new build option `ENABLE_ASSERTIONS` that controls whether or
      not assert functions are compiled out. It defaults to 1 for debug builds
      and to 0 for release builds.
      
      Additionally, a following patch will be done to allow this build option
      to hide auxiliary code used for the checks done in an `assert()`. This
      code is is currently under the DEBUG build flag.
      
      Assert messages are now only printed if LOG_LEVEL >= LOG_LEVEL_INFO,
      which is the default for debug builds.
      
      This patch also updates the User Guide.
      
      Change-Id: I1401530b56bab25561bb0f274529f1d12c5263bc
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      cc8b5632
    • Soby Mathew's avatar
      PSCI: Build option to enable D-Caches early in warmboot · bcc3c49c
      Soby Mathew authored
      
      
      This patch introduces a build option to enable D-cache early on the CPU
      after warm boot. This is applicable for platforms which do not require
      interconnect programming to enable cache coherency (eg: single cluster
      platforms). If this option is enabled, then warm boot path enables
      D-caches immediately after enabling MMU.
      
      Fixes ARM-Software/tf-issues#456
      
      Change-Id: I44c8787d116d7217837ced3bcf0b1d3441c8d80e
      Signed-off-by: default avatarSoby Mathew <soby.mathew@arm.com>
      bcc3c49c
  28. 05 Apr, 2017 1 commit
    • Masahiro Yamada's avatar
      Build: add generic way to include SCP_BL2 into FIP image · 4d045d0e
      Masahiro Yamada authored
      
      
      If SCP_BL2 is passed in from the command line, it is recognized by
      make_helpers/tbbr/tbbr_tools.mk, and the cert_create tool generates
      the corresponding key and content certificates.
      
      On the other hand, the top-level Makefile does not care SCP_BL2, so
      the --scp-fw option is not passed to the fiptool.  As far as I see
      plat/arm/css/common/css_common.mk, it looks like a platform's job to
      add $(eval $(call FIP_ADD_IMG,SCP_BL2,--scp-fw)).
      
      We can make the top-level Makefile kind enough to take care of it.
      This is useful when we want to have optional SCP_BL2 firmware.
      
      Adjust css_common.mk so that Juno still requires SCP_BL2 by default.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      4d045d0e
  29. 31 Mar, 2017 1 commit
    • Douglas Raillard's avatar
      Add support for GCC stack protection · 51faada7
      Douglas Raillard authored
      
      
      Introduce new build option ENABLE_STACK_PROTECTOR. It enables
      compilation of all BL images with one of the GCC -fstack-protector-*
      options.
      
      A new platform function plat_get_stack_protector_canary() is introduced.
      It returns a value that is used to initialize the canary for stack
      corruption detection. Returning a random value will prevent an attacker
      from predicting the value and greatly increase the effectiveness of the
      protection.
      
      A message is printed at the ERROR level when a stack corruption is
      detected.
      
      To be effective, the global data must be stored at an address
      lower than the base of the stacks. Failure to do so would allow an
      attacker to overwrite the canary as part of an attack which would void
      the protection.
      
      FVP implementation of plat_get_stack_protector_canary is weak as
      there is no real source of entropy on the FVP. It therefore relies on a
      timer's value, which could be predictable.
      
      Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      51faada7