- 31 Mar, 2017 1 commit
-
-
Douglas Raillard authored
Introduce new build option ENABLE_STACK_PROTECTOR. It enables compilation of all BL images with one of the GCC -fstack-protector-* options. A new platform function plat_get_stack_protector_canary() is introduced. It returns a value that is used to initialize the canary for stack corruption detection. Returning a random value will prevent an attacker from predicting the value and greatly increase the effectiveness of the protection. A message is printed at the ERROR level when a stack corruption is detected. To be effective, the global data must be stored at an address lower than the base of the stacks. Failure to do so would allow an attacker to overwrite the canary as part of an attack which would void the protection. FVP implementation of plat_get_stack_protector_canary is weak as there is no real source of entropy on the FVP. It therefore relies on a timer's value, which could be predictable. Change-Id: Icaaee96392733b721fa7c86a81d03660d3c1bc06 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 06 Feb, 2017 1 commit
-
-
Douglas Raillard authored
Introduce zeromem_dczva function on AArch64 that can handle unaligned addresses and make use of DC ZVA instruction to zero a whole block at a time. This zeroing takes place directly in the cache to speed it up without doing external memory access. Remove the zeromem16 function on AArch64 and replace it with an alias to zeromem. This zeromem16 function is now deprecated. Remove the 16-bytes alignment constraint on __BSS_START__ in firmware-design.md as it is now not mandatory anymore (it used to comply with zeromem16 requirements). Change the 16-bytes alignment constraints in SP min's linker script to a 8-bytes alignment constraint as the AArch32 zeromem implementation is now more efficient on 8-bytes aligned addresses. Introduce zero_normalmem and zeromem helpers in platform agnostic header that are implemented this way: * AArch32: * zero_normalmem: zero using usual data access * zeromem: alias for zero_normalmem * AArch64: * zero_normalmem: zero normal memory using DC ZVA instruction (needs MMU enabled) * zeromem: zero using usual data access Usage guidelines: in most cases, zero_normalmem should be preferred. There are 2 scenarios where zeromem (or memset) must be used instead: * Code that must run with MMU disabled (which means all memory is considered device memory for data accesses). * Code that fills device memory with null bytes. Optionally, the following rule can be applied if performance is important: * Code zeroing small areas (few bytes) that are not secrets should use memset to take advantage of compiler optimizations. Note: Code zeroing security-related critical information should use zero_normalmem/zeromem instead of memset to avoid removal by compilers' optimizations in some cases or misbehaving versions of GCC. Fixes ARM-software/tf-issues#408 Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 08 Jul, 2016 2 commits
-
-
Sandrine Bailleux authored
At the moment, all BL images share a similar memory layout: they start with their code section, followed by their read-only data section. The two sections are contiguous in memory. Therefore, the end of the code section and the beginning of the read-only data one might share a memory page. This forces both to be mapped with the same memory attributes. As the code needs to be executable, this means that the read-only data stored on the same memory page as the code are executable as well. This could potentially be exploited as part of a security attack. This patch introduces a new build flag called SEPARATE_CODE_AND_RODATA, which isolates the code and read-only data on separate memory pages. This in turn allows independent control of the access permissions for the code and read-only data. This has an impact on memory footprint, as padding bytes need to be introduced between the code and read-only data to ensure the segragation of the two. To limit the memory cost, the memory layout of the read-only section has been changed in this case. - When SEPARATE_CODE_AND_RODATA=0, the layout is unchanged, i.e. the read-only section still looks like this (padding omitted): | ... | +-------------------+ | Exception vectors | +-------------------+ | Read-only data | +-------------------+ | Code | +-------------------+ BLx_BASE In this case, the linker script provides the limits of the whole read-only section. - When SEPARATE_CODE_AND_RODATA=1, the exception vectors and read-only data are swapped, such that the code and exception vectors are contiguous, followed by the read-only data. This gives the following new layout (padding omitted): | ... | +-------------------+ | Read-only data | +-------------------+ | Exception vectors | +-------------------+ | Code | +-------------------+ BLx_BASE In this case, the linker script now exports 2 sets of addresses instead: the limits of the code and the limits of the read-only data. Refer to the Firmware Design guide for more details. This provides platform code with a finer-grained view of the image layout and allows it to map these 2 regions with the appropriate access permissions. Note that SEPARATE_CODE_AND_RODATA applies to all BL images. Change-Id: I936cf80164f6b66b6ad52b8edacadc532c935a49
-
Sandrine Bailleux authored
This patch adds a new linker symbol in BL1's linker script named '__BL1_ROM_END__', which marks the end of BL1's ROM content. This covers BL1's code, read-only data and read-write data to relocate in Trusted SRAM. The address of this new linker symbol is exported to C code through the 'BL1_ROM_END' macro. The section related to linker symbols in the Firmware Design guide has been updated and improved. Change-Id: I5c442ff497c78d865ffba1d7d044511c134e11c7
-
- 25 Jun, 2015 1 commit
-
-
Juan Castillo authored
This patch adds the authentication framework that will be used as the base to implement Trusted Board Boot in the Trusted Firmware. The framework comprises the following modules: - Image Parser Module (IPM) This module is responsible for interpreting images, check their integrity and extract authentication information from them during Trusted Board Boot. The module currently supports three types of images i.e. raw binaries, X509v3 certificates and any type specific to a platform. An image parser library must be registered for each image type (the only exception is the raw image parser, which is included in the main module by default). Each parser library (if used) must export a structure in a specific linker section which contains function pointers to: 1. Initialize the library 2. Check the integrity of the image type supported by the library 3. Extract authentication information from the image - Cryptographic Module (CM) This module is responsible for verifying digital signatures and hashes. It relies on an external cryptographic library to perform the cryptographic operations. To register a cryptographic library, the library must use the REGISTER_CRYPTO_LIB macro, passing function pointers to: 1. Initialize the library 2. Verify a digital signature 3. Verify a hash Failing to register a cryptographic library will generate a build time error. - Authentication Module (AM) This module provides methods to authenticate an image, like hash comparison or digital signatures. It uses the image parser module to extract authentication parameters, the crypto module to perform cryptographic operations and the Chain of Trust to authenticate the images. The Chain of Trust (CoT) is a data structure that defines the dependencies between images and the authentication methods that must be followed to authenticate an image. The Chain of Trust, when added, must provide a header file named cot_def.h with the following definitions: - COT_MAX_VERIFIED_PARAMS Integer value indicating the maximum number of authentication parameters an image can present. This value will be used by the authentication module to allocate the memory required to load the parameters in the image descriptor. Change-Id: Ied11bd5cd410e1df8767a1df23bb720ce7e58178
-
- 22 Jan, 2015 1 commit
-
-
Soby Mathew authored
This patch extends the build option `USE_COHERENT_MEMORY` to conditionally remove coherent memory from the memory maps of all boot loader stages. The patch also adds necessary documentation for coherent memory removal in firmware-design, porting and user guides. Fixes ARM-Software/tf-issues#106 Change-Id: I260e8768c6a5c2efc402f5804a80657d8ce38773
-
- 19 Sep, 2014 1 commit
-
-
Juan Castillo authored
This patch fixes the incorrect value of the LENGTH attribute in the linker scripts. This attribute must define the memory size, not the limit address. Fixes ARM-software/tf-issues#252 Change-Id: I328c38b9ec502debe12046a8912d7dfc54610c46
-
- 20 Aug, 2014 1 commit
-
-
Soby Mathew authored
This patch introduces a framework which will allow CPUs to perform implementation defined actions after a CPU reset, during a CPU or cluster power down, and when a crash occurs. CPU specific reset handlers have been implemented in this patch. Other handlers will be implemented in subsequent patches. Also moved cpu_helpers.S to the new directory lib/cpus/aarch64/. Change-Id: I1ca1bade4d101d11a898fb30fea2669f9b37b956
-
- 12 Aug, 2014 1 commit
-
-
Juan Castillo authored
Secure ROM at address 0x0000_0000 is defined as FVP_TRUSTED_ROM Secure RAM at address 0x0400_0000 is defined as FVP_TRUSTED_SRAM Secure RAM at address 0x0600_0000 is defined as FVP_TRUSTED_DRAM BLn_BASE and BLn_LIMIT definitions have been updated and are based on these new memory regions. The available memory for each bootloader in the linker script is defined by BLn_BASE and BLn_LIMIT, instead of the complete memory region. TZROM_BASE/SIZE and TZRAM_BASE/SIZE are no longer required as part of the platform porting. FVP common definitions are defined in fvp_def.h while platform_def.h contains exclusively (with a few exceptions) the definitions that are mandatory in the porting guide. Therefore, platform_def.h now includes fvp_def.h instead of the other way around. Porting guide has been updated to reflect these changes. Change-Id: I39a6088eb611fc4a347db0db4b8f1f0417dbab05
-
- 23 May, 2014 3 commits
-
-
Dan Handley authored
Previously, platform.h contained many declarations and definitions used for different purposes. This file has been split so that: * Platform definitions used by common code that must be defined by the platform are now in platform_def.h. The exact include path is exported through $PLAT_INCLUDES in the platform makefile. * Platform definitions specific to the FVP platform are now in /plat/fvp/fvp_def.h. * Platform API declarations specific to the FVP platform are now in /plat/fvp/fvp_private.h. * The remaining platform API declarations that must be ported by each platform are still in platform.h but this file has been moved to /include/plat/common since this can be shared by all platforms. Change-Id: Ieb3bb22fbab3ee8027413c6b39a783534aee474a
-
Sandrine Bailleux authored
Currently the platform code gets to define the base address of each boot loader image. However, the linker scripts couteract this flexibility by enforcing a fixed overall layout of the different images. For example, they require that the BL3-1 image sits below the BL2 image. Choosing BL3-1 and BL2 base addresses in such a way that it violates this constraint makes the build fail at link-time. This patch requires the platform code to now define a limit address for each image. The linker scripts check that the image fits within these bounds so they don't rely anymore on the position of a given image in regard to the others. Fixes ARM-software/tf-issues#163 Change-Id: I8c108646825da19a6a8dfb091b613e1dd4ae133c
-
Sandrine Bailleux authored
BL1 RO and RW base address used to be fixed, respectively to the first address of the Trusted ROM and the first address of the Trusted RAM. Introduce new platform defines to configure the BL1 RO and RW base addresses. Change-Id: If26616513a47798593a4bb845a4b0fb37c867cd6
-
- 26 Mar, 2014 1 commit
-
-
Andrew Thoelke authored
All common functions are being built into all binary images, whether or not they are actually used. This change enables the use of -ffunction-sections, -fdata-sections and --gc-sections in the compiler and linker to remove unused code and data from the images. Change-Id: Ia9f78c01054ac4fa15d145af38b88a0d6fb7d409
-
- 20 Mar, 2014 1 commit
-
-
Jeenu Viswambharan authored
At present, the entry point for each BL image is specified via the Makefiles and provided on the command line to the linker. When using a link script the entry point should rather be specified via the ENTRY() directive in the link script. This patch updates linker scripts of all BL images to specify the entry point using the ENTRY() directive. It also removes the --entry flag passed to the linker through Makefile. Fixes issue ARM-software/tf-issues#66 Change-Id: I1369493ebbacea31885b51185441f6b628cf8da0
-
- 20 Feb, 2014 2 commits
-
-
Achin Gupta authored
This patch factors out the ARM FVP specific code to create MMU translation tables so that it is possible for a boot loader stage to create a different set of tables instead of using the default ones. The default translation tables are created with the assumption that the calling boot loader stage executes out of secure SRAM. This might not be true for the BL3_2 stage in the future. A boot loader stage can define the `fill_xlation_tables()` function as per its requirements. It returns a reference to the level 1 translation table which is used by the common platform code to setup the TTBR_EL3. This patch is a temporary solution before a larger rework of translation table creation logic is introduced. Change-Id: I09a075d5da16822ee32a411a9dbe284718fb4ff6
-
Achin Gupta authored
This patch reworks BL2 to BL3-1 hand over interface by introducing a composite structure (bl31_args) that holds the superset of information that needs to be passed from BL2 to BL3-1. - The extents of secure memory available to BL3-1 - The extents of memory available to BL3-2 (not yet implemented) and BL3-3 - Information to execute BL3-2 (not yet implemented) and BL3-3 images This patch also introduces a new platform API (bl2_get_bl31_args_ptr) that needs to be implemented by the platform code to export reference to bl31_args structure which has been allocated in platform-defined memory. The platform will initialize the extents of memory available to BL3-3 during early platform setup in bl31_args structure. This obviates the need for bl2_get_ns_mem_layout platform API. BL2 calls the bl2_get_bl31_args_ptr function to get a reference to bl31_args structure. It uses the 'bl33_meminfo' field of this structure to load the BL3-3 image. It sets the entry point information for the BL3-3 image in the 'bl33_image_info' field of this structure. The reference to this structure is passed to the BL3-1 image. Also fixes issue ARM-software/tf-issues#25 Change-Id: Ic36426196dd5ebf89e60ff42643bed01b3500517
-
- 17 Feb, 2014 2 commits
-
-
Achin Gupta authored
This patch ensures that VBAR_EL3 points to the simple stack-less 'early_exceptions' when the C runtime stack is not correctly setup to use the more complex 'runtime_exceptions'. It is initialised to 'runtime_exceptions' once this is done. This patch also moves all exception vectors into a '.vectors' section and modifies linker scripts to place all such sections together. This will minimize space wastage from alignment restrictions. Change-Id: I8c3e596ea3412c8bd582af9e8d622bb1cb2e049d
-
Jeenu Viswambharan authored
This patch moves the translation tables into their own section. This saves space that would otherwise have been lost in padding due to page table alignment constraints. The BL31 and BL32 bases have been consequently adjusted. Change-Id: Ibd65ae8a5ce4c4ea9a71a794c95bbff40dc63e65
-
- 17 Jan, 2014 1 commit
-
-
Dan Handley authored
Change-Id: Ic7fb61aabae1d515b9e6baf3dd003807ff42da60
-
- 05 Dec, 2013 2 commits
-
-
Dan Handley authored
- Add instructions for contributing to ARM Trusted Firmware. - Update copyright text in all files to acknowledge contributors. Change-Id: I9311aac81b00c6c167d2f8c889aea403b84450e5
-
Sandrine Bailleux authored
- Check at link-time that bootloader images will fit in memory at run time and that they won't overlap each other. - Remove text and rodata orphan sections. - Define new linker symbols to remove the need for platform setup code to know the order of sections. - Reduce the size of the raw binary images by cutting some sections out of the disk image and allocating them at load time, whenever possible. - Rework alignment constraints on sections. - Remove unused linker symbols. - Homogenize linker symbols names across all BLs. - Add some comments in the linker scripts. Change-Id: I47a328af0ccc7c8ab47fcc0dc6e7dd26160610b9
-
- 25 Oct, 2013 1 commit
-
-
Achin Gupta authored
-