authorKen Liu <ken.liu@arm.com>2020-07-25 12:05:50 +0800
committerSoby Mathew <soby.mathew@arm.com>2020-10-16 17:02:07 +0100
commitc0b5f6dae81ad9158f08227bd03a26519e7b4848 (patch)
tree7c28e33cf28f5e97a6b2b444db09b45ee6ba4869
parent05e13bac2c5a0c035b51e5e9513d4a59a966ce5e (diff)
Stack_seal_mitigation: Seal thread stacks for IPC mode
Seal all thread stacks (PSP) by putting two seal words for IPC mode. It should be noted that the stack sealing mitigation is mostly relevant for TrustZone-based ARMv8-M CPUs, where the attack is launched from the Non-Secure side. For ARMv6-M and ARMv7-M, stack sealing can be skipped.
Change-Id: I74e287a4bf0d28b7d4fdd1302d6429175c1bf77f
Signed-off-by: Ken Liu <ken.liu@arm.com>
-rw-r--r--secure_fw/spm/cmsis_psa/arch/tfm_arch.c4
-rw-r--r--secure_fw/spm/cmsis_psa/arch/tfm_arch_v6m_v7m.h14
-rw-r--r--secure_fw/spm/cmsis_psa/tfm_nspm_ipc.c1
-rw-r--r--secure_fw/spm/include/tfm_arch_v8m.h20
4 files changed, 36 insertions, 3 deletions
diff --git a/secure_fw/spm/cmsis_psa/arch/tfm_arch.c b/secure_fw/spm/cmsis_psa/arch/tfm_arch.c
index 962a4c5170..4709223161 100644
--- a/secure_fw/spm/cmsis_psa/arch/tfm_arch.c
+++ b/secure_fw/spm/cmsis_psa/arch/tfm_arch.c
@@ -62,8 +62,8 @@ void tfm_arch_init_context(struct tfm_arch_ctx_t *p_actx,
* For security consideration, set unused registers into ZERO;
* and only necessary registers are set here.
*/
- struct tfm_state_context_t *p_stat_ctx =
- (struct tfm_state_context_t *)stk_top;
+ struct tfm_state_context_t *p_stat_ctx=
+ (struct tfm_state_context_t *)tfm_arch_seal_thread_stack(stk_top);
/*
* Shift back SP to leave space for holding base context
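Review bot: The rewritten declaration on the new side drops the space before the assignment operator, `struct tfm_state_context_t *p_stat_ctx=`; it should read `struct tfm_state_context_t *p_stat_ctx =` to match the surrounding code. The hunk also gives the reader no hint why the seal call is placed here rather than the original `stk_top`, so a short comment above the declaration would help, e.g. `/* Seal words occupy the top of the thread stack; the state context is laid out below them. */`. The type of `stk_top` is not visible in the hunk; if it is not `uintptr_t`, the call involves an implicit conversion worth an explicit cast. `tfm_arch_init_context` starts before the hunk and continues past it.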
diff --git a/secure_fw/spm/cmsis_psa/arch/tfm_arch_v6m_v7m.h b/secure_fw/spm/cmsis_psa/arch/tfm_arch_v6m_v7m.h
index 77d78060f6..25124db89b 100644
--- a/secure_fw/spm/cmsis_psa/arch/tfm_arch_v6m_v7m.h
+++ b/secure_fw/spm/cmsis_psa/arch/tfm_arch_v6m_v7m.h
@@ -10,6 +10,7 @@
#include <stdint.h>
#include <stdbool.h>
#include "cmsis_compiler.h"
+#include "utilities.h"
#if !TFM_MULTI_CORE_TOPOLOGY
#error "Armv6-M/Armv7-M can only support multi-core TF-M now."
@@ -97,6 +98,19 @@ __STATIC_INLINE void tfm_arch_set_psplim(uint32_t psplim)
}
/**
+ * \brief Seal the thread stack.
+ *
+ * \param[in] stk Thread stack address.
+ *
+ * \retval stack Updated thread stack address.
+ */
+__STATIC_INLINE uintptr_t tfm_arch_seal_thread_stack(uintptr_t stk)
+{
+ TFM_CORE_ASSERT((stk & 0x7) == 0);
+ return stk;
+}
+
+/**
* \brief Update architecture context value into hardware
*
* \param[in] p_actx Pointer of context data
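Review bot: The new `tfm_arch_seal_thread_stack` in tfm_arch_v6m_v7m.h is documented as "Seal the thread stack", yet its body only asserts 8-byte alignment and returns `stk` unchanged, which matches the commit message's statement that sealing is skipped on Armv6-M/Armv7-M but is not stated where a reader of the header will look. The brief should say so, e.g. ` * On Armv6-M/Armv7-M no seal words are written: the address is returned unchanged after the alignment check, so the stack layout is identical to the unsealed case.`. Separately, `\retval stack` documents a named return value in Doxygen; `\return Updated thread stack address.` is the intended tag, and the same wording is used for the Armv8-M variant in tfm_arch_v8m.h. The added `#include "utilities.h"` is presumably what brings `TFM_CORE_ASSERT` into scope; it is not defined in the visible lines.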
diff --git a/secure_fw/spm/cmsis_psa/tfm_nspm_ipc.c b/secure_fw/spm/cmsis_psa/tfm_nspm_ipc.c
index acc81407f5..32c2a9cc2e 100644
--- a/secure_fw/spm/cmsis_psa/tfm_nspm_ipc.c
+++ b/secure_fw/spm/cmsis_psa/tfm_nspm_ipc.c
@@ -104,7 +104,6 @@ void tfm_nspm_thread_entry(void)
"mov r10, r4 \n"
"mov r11, r4 \n"
"mov r12, r4 \n"
- "push {r0, r1} \n"
"bxns r0 \n"
);
}
diff --git a/secure_fw/spm/include/tfm_arch_v8m.h b/secure_fw/spm/include/tfm_arch_v8m.h
index a0912c4964..58576d3f7b 100644
--- a/secure_fw/spm/include/tfm_arch_v8m.h
+++ b/secure_fw/spm/include/tfm_arch_v8m.h
@@ -110,6 +110,26 @@ __STATIC_INLINE void tfm_arch_set_psplim(uint32_t psplim)
}
/**
+ * \brief Seal the thread stack.
+ *
+ * This function must be called only when the caller is using MSP.
+ *
+ * \param[in] stk Thread stack address.
+ *
+ * \retval stack Updated thread stack address.
+ */
+__STATIC_INLINE uintptr_t tfm_arch_seal_thread_stack(uintptr_t stk)
+{
+ TFM_CORE_ASSERT((stk & 0x7) == 0);
+ stk -= TFM_STACK_SEALED_SIZE;
+
+ *((uint32_t *)stk) = TFM_STACK_SEAL_VALUE;
+ *((uint32_t *)(stk + 4)) = TFM_STACK_SEAL_VALUE;
+
+ return stk;
+}
+
+/**
* \brief Update architecture context value into hardware
*
* \param[in] p_actx Pointer of context data
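Review bot: The two stores in the new `tfm_arch_seal_thread_stack` hardcode word offsets 0 and 4 while the space reserved above them is `TFM_STACK_SEALED_SIZE`, a macro not defined in the hunk; if that constant is ever anything other than two words, the seal words and the reserved area silently diverge and the alignment guaranteed by the preceding `TFM_CORE_ASSERT((stk & 0x7) == 0)` no longer carries over to the returned address. Tie the two together with a check next to the subtraction, `TFM_CORE_ASSERT(TFM_STACK_SEALED_SIZE == 2 * sizeof(uint32_t));`, or write the second word as `*((uint32_t *)(stk + sizeof(uint32_t)))` and document the layout in the brief. Whether `TFM_CORE_ASSERT` is compiled out in release builds is not visible here; if it is, a `_Static_assert` on the size would be the stronger choice since the file already includes `<stdint.h>`. The docstring's "must be called only when the caller is using MSP" is the key precondition and could add one sentence on why: the function writes below `stk`, which must not be the live stack pointer.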