authorTamas Ban <tamas.ban@arm.com>2020-11-27 12:58:39 +0000
committerDavid Hu <david.hu@arm.com>2021-03-19 15:08:13 +0800
commitd28286ec9d383738351097c387f4903618ea3e2d (patch)
treec224ca2397263b689cb54ff59dee41115a05f6f5
parentb881bea86f7c41d5ddc46803fa31282b1d610016 (diff)
downloadtrusted-firmware-m-d28286ec9d383738351097c387f4903618ea3e2d.tar.gz
Platform: Adjust HAL API to fit for FI hardening
The FI hardening code requires the protected functions to have a special return type: fih_int. Modify critical HAL and memory isolation APIs to use this return type when TFM_FIH_PROFILE is enabled. Signed-off-by: Tamas Ban <tamas.ban@arm.com> Co-authorized-by: David Hu <david.hu@arm.com> Change-Id: I592bf3b365354f04f37eff5fad20bdefaa5b8978
-rwxr-xr-xplatform/CMakeLists.txt1
-rw-r--r--platform/include/tfm_hal_defs.h14
-rw-r--r--platform/include/tfm_hal_isolation.h72
-rw-r--r--platform/include/tfm_plat_defs.h8
-rw-r--r--platform/include/tfm_spm_hal.h60
5 files changed, 126 insertions, 29 deletions
diff --git a/platform/CMakeLists.txt b/platform/CMakeLists.txt
index 236f44e147..f239f39f7c 100755
--- a/platform/CMakeLists.txt
+++ b/platform/CMakeLists.txt
@@ -56,6 +56,7 @@ target_sources(platform_s
target_link_libraries(platform_s
PUBLIC
platform_region_defs
+ tfm_fih
PRIVATE
psa_interface
tfm_secure_api
diff --git a/platform/include/tfm_hal_defs.h b/platform/include/tfm_hal_defs.h
index 34a0a8ea68..c5e836bcfa 100644
--- a/platform/include/tfm_hal_defs.h
+++ b/platform/include/tfm_hal_defs.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -13,12 +13,12 @@
enum tfm_hal_status_t {
TFM_HAL_ERROR_MEM_FAULT = SCHAR_MIN,
- TFM_HAL_ERROR_MAX_VALUE,
- TFM_HAL_ERROR_BAD_STATE,
- TFM_HAL_ERROR_NOT_SUPPORTED,
- TFM_HAL_ERROR_INVALID_INPUT,
- TFM_HAL_ERROR_NOT_INIT,
- TFM_HAL_ERROR_GENERIC,
+ TFM_HAL_ERROR_MAX_VALUE = SCHAR_MIN + 0x3A5C,
+ TFM_HAL_ERROR_BAD_STATE = SCHAR_MIN + 0x55A3,
+ TFM_HAL_ERROR_NOT_SUPPORTED = SCHAR_MIN + 0xA3C5,
+ TFM_HAL_ERROR_INVALID_INPUT = SCHAR_MIN + 0xC35A,
+ TFM_HAL_ERROR_NOT_INIT = SCHAR_MIN + 0x33CA5,
+ TFM_HAL_ERROR_GENERIC = SCHAR_MIN + 0x3C5A,
TFM_HAL_SUCCESS = 0
};
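Review bot: `TFM_HAL_ERROR_NOT_INIT = SCHAR_MIN + 0x33CA5` breaks the pattern the other five codes follow (four-nibble permutations of 3, A, 5, C, the same set this commit gives to tfm_plat_err_t) and looks like a typo for `0x3CA5`; the value is still distinct so it compiles, but if the codes were chosen for their bit-pattern distance from each other that property should be re-checked for this one rather than assumed. Nothing in the enum records why the values are sparse, so a later maintainer has no reason not to renumber them back to consecutive integers; a comment such as `/* Sparse multi-bit values (FI hardening): a single-bit corruption cannot turn one error code into another */` above the first error code would preserve the intent. Note that the codes now lie well outside the range of a signed char, so any platform code that stores a `tfm_hal_status_t` in an `int8_t` (not visible in this hunk) would silently truncate — worth a grep before merging.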
diff --git a/platform/include/tfm_hal_isolation.h b/platform/include/tfm_hal_isolation.h
index 442abd72ba..18a8c5001d 100644
--- a/platform/include/tfm_hal_isolation.h
+++ b/platform/include/tfm_hal_isolation.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -10,6 +10,7 @@
#include <stddef.h>
#include <stdint.h>
+#include "fih.h"
#include "tfm_hal_defs.h"
#ifdef __cplusplus
@@ -24,6 +25,7 @@ extern "C" {
#define TFM_HAL_ACCESS_DEVICE (1UL << 4)
#define TFM_HAL_ACCESS_NS (1UL << 5)
+#ifdef TFM_FIH_PROFILE_ON
/**
* \brief Sets up the static isolation boundaries which are constant throughout
* the runtime of the system, including the SPE/NSPE and partition
@@ -32,27 +34,39 @@ extern "C" {
* \return TFM_HAL_SUCCESS - the isolation boundaries have been set up.
* TFM_HAL_ERROR_GENERIC - failed to set up the isolation boundaries.
*/
-enum tfm_hal_status_t tfm_hal_set_up_static_boundaries(void);
+fih_int tfm_hal_set_up_static_boundaries(void);
+#if TFM_LVL == 3
/**
- * \brief This API checks if the memory region defined by base and size
- * matches the given attributes - attr.
- * The attributes can include NSPE access, privileged mode, and
- * read-write permissions.
+ * \brief Updates the partition isolation boundary for isolation level 3.
+ * The boundary protects the private data of the running partition.
+ * The boundary is updated with SPM switching partition in level 3.
*
- * \param[in] base The base address of the region.
- * \param[in] size The size of the region.
- * \param[in] attr The memory access attributes.
+ * \param[in] start start address of the partition boundary.
+ * \param[in] end end address of the partition boundary.
*
- * \return TFM_HAL_SUCCESS - The memory region has the access permissions.
- * TFM_HAL_ERROR_MEM_FAULT - The memory region has not the access
- * permissions.
- * TFM_HAL_ERROR_INVALID_INPUT - Invalid inputs.
- * TFM_HAL_ERROR_GENERIC - An error occurred.
+ * \return TFM_HAL_SUCCESS - the isolation boundary has been set up.
+ * TFM_HAL_ERROR_GENERIC - failed to set up the isolation boundary.
+ *
+ * \note When FIH_ENABLE_DOUBLE_VARS is enabled, the return code will be
+ * wrapped and protected in \ref fih_int structure.
*/
-enum tfm_hal_status_t tfm_hal_memory_has_access(uintptr_t base,
- size_t size,
- uint32_t attr);
+fih_int tfm_hal_mpu_update_partition_boundary(uintptr_t start,
+ uintptr_t end);
+#endif
+#else /* TFM_FIH_PROFILE_ON */
+/**
+ * \brief Sets up the static isolation boundaries which are constant throughout
+ * the runtime of the system, including the SPE/NSPE and partition
+ * boundaries.
+ *
+ * \return TFM_HAL_SUCCESS - the isolation boundaries have been set up.
+ * TFM_HAL_ERROR_GENERIC - failed to set up the isolation boundaries.
+ *
+ * \note When FIH_ENABLE_DOUBLE_VARS is enabled, the return code will be
+ * wrapped and protected in \ref fih_int structure.
+ */
+enum tfm_hal_status_t tfm_hal_set_up_static_boundaries(void);
#if TFM_LVL == 3
/**
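Review bot: The `\note When FIH_ENABLE_DOUBLE_VARS is enabled, the return code will be wrapped and protected in \ref fih_int structure.` paragraph is attached to the wrong declaration: it sits on the `#else` (non-FIH) variant of `tfm_hal_set_up_static_boundaries`, which returns a plain `enum tfm_hal_status_t` and is exactly the build in which no wrapping happens, while the `fih_int` declaration in the `#ifdef TFM_FIH_PROFILE_ON` branch carries no such note and still documents its result only as `TFM_HAL_SUCCESS` / `TFM_HAL_ERROR_GENERIC`. Move the note to the fih_int variant and add there that callers must test the result with the fih.h comparison helpers rather than a plain `==`, since a direct compare is the very thing the hardening is meant to protect; the plain enum variant needs no note. The two branches are otherwise duplicated Doxygen blocks that have already drifted in this commit; one comment block above the `#ifdef` with a prototype pair per branch would keep them in step.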
@@ -65,10 +79,34 @@ enum tfm_hal_status_t tfm_hal_memory_has_access(uintptr_t base,
*
* \return TFM_HAL_SUCCESS - the isolation boundary has been set up.
* TFM_HAL_ERROR_GENERIC - failed to set up the isolation boundary.
+ *
+ * \note When FIH_ENABLE_DOUBLE_VARS is enabled, the return code will be
+ * wrapped and protected in \ref fih_int structure.
*/
enum tfm_hal_status_t tfm_hal_mpu_update_partition_boundary(uintptr_t start,
uintptr_t end);
#endif
+#endif /* TFM_FIH_PROFILE_ON */
+
+/**
+ * \brief This API checks if the memory region defined by base and size
+ * matches the given attributes - attr.
+ * The attributes can include NSPE access, privileged mode, and
+ * read-write permissions.
+ *
+ * \param[in] base The base address of the region.
+ * \param[in] size The size of the region.
+ * \param[in] attr The memory access attributes.
+ *
+ * \return TFM_HAL_SUCCESS - The memory region has the access permissions.
+ * TFM_HAL_ERROR_MEM_FAULT - The memory region has not the access
+ * permissions.
+ * TFM_HAL_ERROR_INVALID_INPUT - Invalid inputs.
+ * TFM_HAL_ERROR_GENERIC - An error occurred.
+ */
+enum tfm_hal_status_t tfm_hal_memory_has_access(uintptr_t base,
+ size_t size,
+ uint32_t attr);
#ifdef __cplusplus
}
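Review bot: `tfm_hal_memory_has_access` is moved outside the `TFM_FIH_PROFILE_ON` switch and keeps its plain `enum tfm_hal_status_t` return, so the HAL call that decides whether a partition or NS-supplied buffer may be touched is the one left without the fih_int hardening this commit adds to the boundary-setup calls. A single glitched compare on its result turns `TFM_HAL_ERROR_MEM_FAULT` into a passed access check, which is a more attractive fault-injection target than the one-time boundary setup. If leaving it unhardened is a deliberate trade-off (it runs on every buffer validation, so the double-variable overhead may matter), record it in the Doxygen block, e.g. `\note Not FIH-hardened: under a fault-injection threat model callers must not rely on this check alone.`; otherwise give it a fih_int variant like its siblings. Separately, the `\note` added to the non-FIH `tfm_hal_mpu_update_partition_boundary` declaration describes fih_int wrapping that cannot occur in that branch and belongs on the fih_int variant above.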
diff --git a/platform/include/tfm_plat_defs.h b/platform/include/tfm_plat_defs.h
index 808a6d3edb..6a2a14d797 100644
--- a/platform/include/tfm_plat_defs.h
+++ b/platform/include/tfm_plat_defs.h
@@ -17,10 +17,10 @@
enum tfm_plat_err_t {
TFM_PLAT_ERR_SUCCESS = 0,
- TFM_PLAT_ERR_SYSTEM_ERR,
- TFM_PLAT_ERR_MAX_VALUE,
- TFM_PLAT_ERR_INVALID_INPUT,
- TFM_PLAT_ERR_UNSUPPORTED,
+ TFM_PLAT_ERR_SYSTEM_ERR = 0x3A5C,
+ TFM_PLAT_ERR_MAX_VALUE = 0x55A3,
+ TFM_PLAT_ERR_INVALID_INPUT = 0xA3C5,
+ TFM_PLAT_ERR_UNSUPPORTED = 0xC35A,
/* Following entry is only to ensure the error code of int size */
TFM_PLAT_ERR_FORCE_INT_SIZE = INT_MAX
};
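Review bot: The four new error values (0x3A5C, 0x55A3, 0xA3C5, 0xC35A) are the constants this commit also gives to tfm_hal_status_t, but nothing in the enum says why they are sparse, so the next maintainer has no reason not to renumber them; add `/* Sparse multi-bit values (FI hardening): a single-bit fault cannot turn one error code into another */` above `TFM_PLAT_ERR_SYSTEM_ERR`. `TFM_PLAT_ERR_SUCCESS` stays 0, which is the value most easily forced by a cleared register; that is presumably acceptable because hardened callers receive the code wrapped in fih_int, but stating it next to the enum would stop a plain `== TFM_PLAT_ERR_SUCCESS` comparison from being mistaken for a hardened check.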
diff --git a/platform/include/tfm_spm_hal.h b/platform/include/tfm_spm_hal.h
index bfe84267dd..7aaafeba6b 100644
--- a/platform/include/tfm_spm_hal.h
+++ b/platform/include/tfm_spm_hal.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -9,6 +9,7 @@
#define __TFM_SPM_HAL_H__
#include <stdint.h>
+#include "fih.h"
#include "tfm_secure_api.h"
#ifdef TFM_MULTI_CORE_TOPOLOGY
#include "tfm_multi_core.h"
@@ -57,6 +58,62 @@ struct tfm_spm_partition_memory_data_t
};
#endif
+#ifdef TFM_FIH_PROFILE_ON
+#ifdef CONFIG_TFM_ENABLE_MEMORY_PROTECT
+/**
+ * \brief This function initialises the HW used for isolation, and sets the
+ * default configuration for them.
+ * This function is called during TF-M core early startup, after DB init
+ *
+ * \return Returns values as specified by FIH specific platform error code.
+ */
+fih_int tfm_spm_hal_setup_isolation_hw(void);
+#endif /* CONFIG_TFM_ENABLE_MEMORY_PROTECT */
+
+/**
+ * \brief Configure peripherals for a partition based on the platform data and
+ * partition index from the DB
+ *
+ * This function is called during partition initialisation (before calling the
+ * init function for the partition)
+ *
+ * \param[in] partition_idx The index of the partition that this peripheral
+ * is assigned to.
+ * \param[in] platform_data The platform fields of the partition DB record to
+ * be used for configuration.
+ *
+ * \return Returns values as specified by FIH specific platform error code
+ */
+fih_int tfm_spm_hal_configure_default_isolation(
+ uint32_t partition_idx,
+ const struct platform_data_t *platform_data);
+/**
+ * \brief Configures the system debug properties.
+ * The default configuration of this function should disable secure debug
+ * when either DAUTH_NONE or DAUTH_NS_ONLY define is set. It is up to the
+ * platform owner to decide if secure debug can be turned on in their
+ * system, if DAUTH_FULL define is present.
+ * The DAUTH_CHIP_DEFAULT define should not be considered a safe default
+ * option unless explicitly noted by the chip vendor.
+ * The implementation has to expect that one of those defines is going to
+ * be set. Otherwise, a compile error needs to be triggered.
+ *
+ * \return Returns values as specified by FIH specific platform error code
+ */
+fih_int tfm_spm_hal_init_debug(void);
+
+/**
+ * \brief This function verifies the settings of HW used for memory isolation,
+ * to make sure that important settings was not skipped due to fault
+ * injection attacks.
+ *
+ * This function is called during TF-M core late startup, before passing
+ * execution to non-secure code.
+ *
+ * \return Returns values as specified by FIH specific platform error code
+ */
+fih_int tfm_spm_hal_verify_isolation_hw(void);
+#else /* TFM_FIH_PROFILE_ON */
#ifdef CONFIG_TFM_ENABLE_MEMORY_PROTECT
/**
* \brief This function initialises the HW used for isolation, and sets the
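Review bot: `tfm_spm_hal_verify_isolation_hw` is declared only under `TFM_FIH_PROFILE_ON` and its contract does not say what the SPM must do when it reports a failure; for a function whose purpose is to detect skipped isolation configuration, the only safe reaction is a fatal, non-recoverable error, because re-running the configuration from the same possibly-glitched context is itself a fault-injection target. Add that to the Doxygen, e.g. `\note A non-success return must be treated as fatal; the caller must neither continue to non-secure code nor attempt to reconfigure.` The sentence `to make sure that important settings was not skipped` should read `were not skipped`. Also, `\return Returns values as specified by FIH specific platform error code` on all four FIH declarations says nothing concrete; if the intent is that the fih_int wraps a `tfm_plat_err_t` value, say so, so platform implementers know what to encode.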
@@ -99,6 +156,7 @@ enum tfm_plat_err_t tfm_spm_hal_configure_default_isolation(
* \return Returns values as specified by the \ref tfm_plat_err_t
*/
enum tfm_plat_err_t tfm_spm_hal_init_debug(void);
+#endif /* TFM_FIH_PROFILE_ON */
/**
* \brief Enables the fault handlers and sets priorities.