author | Tamas Ban <tamas.ban@arm.com> | 2020-11-27 12:58:39 +0000 |
---|---|---|
committer | David Hu <david.hu@arm.com> | 2021-03-19 15:08:13 +0800 |
commit | d28286ec9d383738351097c387f4903618ea3e2d (patch) | |
tree | c224ca2397263b689cb54ff59dee41115a05f6f5 /platform/include | |
parent | b881bea86f7c41d5ddc46803fa31282b1d610016 (diff) | |
download | trusted-firmware-m-d28286ec9d383738351097c387f4903618ea3e2d.tar.gz |
Platform: Adjust HAL API to fit for FI hardening
The FI hardening code requires the protected functions to have a special
return type, fih_int. Modify the critical HAL and memory-isolation APIs to
use this return type when TFM_FIH_PROFILE is enabled.
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
Co-authorized-by: David Hu <david.hu@arm.com>
Change-Id: I592bf3b365354f04f37eff5fad20bdefaa5b8978
Diffstat (limited to 'platform/include')
-rw-r--r-- | platform/include/tfm_hal_defs.h | 14 | ||||
-rw-r--r-- | platform/include/tfm_hal_isolation.h | 72 | ||||
-rw-r--r-- | platform/include/tfm_plat_defs.h | 8 | ||||
-rw-r--r-- | platform/include/tfm_spm_hal.h | 60 |
4 files changed, 125 insertions, 29 deletions
diff --git a/platform/include/tfm_hal_defs.h b/platform/include/tfm_hal_defs.h index 34a0a8ea68..c5e836bcfa 100644 --- a/platform/include/tfm_hal_defs.h +++ b/platform/include/tfm_hal_defs.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020, Arm Limited. All rights reserved. + * Copyright (c) 2020-2021, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause * @@ -13,12 +13,12 @@ enum tfm_hal_status_t { TFM_HAL_ERROR_MEM_FAULT = SCHAR_MIN, - TFM_HAL_ERROR_MAX_VALUE, - TFM_HAL_ERROR_BAD_STATE, - TFM_HAL_ERROR_NOT_SUPPORTED, - TFM_HAL_ERROR_INVALID_INPUT, - TFM_HAL_ERROR_NOT_INIT, - TFM_HAL_ERROR_GENERIC, + TFM_HAL_ERROR_MAX_VALUE = SCHAR_MIN + 0x3A5C, + TFM_HAL_ERROR_BAD_STATE = SCHAR_MIN + 0x55A3, + TFM_HAL_ERROR_NOT_SUPPORTED = SCHAR_MIN + 0xA3C5, + TFM_HAL_ERROR_INVALID_INPUT = SCHAR_MIN + 0xC35A, + TFM_HAL_ERROR_NOT_INIT = SCHAR_MIN + 0x33CA5, + TFM_HAL_ERROR_GENERIC = SCHAR_MIN + 0x3C5A, TFM_HAL_SUCCESS = 0 }; diff --git a/platform/include/tfm_hal_isolation.h b/platform/include/tfm_hal_isolation.h index 442abd72ba..18a8c5001d 100644 --- a/platform/include/tfm_hal_isolation.h +++ b/platform/include/tfm_hal_isolation.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2020, Arm Limited. All rights reserved. + * Copyright (c) 2020-2021, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause * @@ -10,6 +10,7 @@ #include <stddef.h> #include <stdint.h> +#include "fih.h" #include "tfm_hal_defs.h" #ifdef __cplusplus @@ -24,6 +25,7 @@ extern "C" { #define TFM_HAL_ACCESS_DEVICE (1UL << 4) #define TFM_HAL_ACCESS_NS (1UL << 5) +#ifdef TFM_FIH_PROFILE_ON /** * \brief Sets up the static isolation boundaries which are constant throughout * the runtime of the system, including the SPE/NSPE and partition 
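Review bot: `TFM_HAL_ERROR_NOT_INIT = SCHAR_MIN + 0x33CA5` in the tfm_hal_defs.h hunk is the only five-digit code in the set; every sibling is a 16-bit pattern (0x3A5C, 0x55A3, 0xA3C5, 0xC35A, 0x3C5A) and the tfm_plat_defs.h hunk in this same commit reuses those 16-bit values, so this reads like a typo for `0x3CA5` — if it is deliberate, say why. Nothing in the header records why the enumerators stopped being sequential, and the next maintainer may "tidy" them back into 1, 2, 3, which silently removes the hardening; I would add above the enum `/* Sparse multi-bit codes: a single glitched bit or byte cannot turn one status into another, and none is a short flip away from TFM_HAL_SUCCESS (FI hardening, see fih.h). */`. I cannot tell from the hunk whether the pairwise Hamming distance of these values (including the SCHAR_MIN offset, which makes them negative ints) was actually checked; worth stating in the commit or the comment.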
@@ -32,27 +34,39 @@ extern "C" { * \return TFM_HAL_SUCCESS - the isolation boundaries have been set up. * TFM_HAL_ERROR_GENERIC - failed to set up the isolation boundaries. */ -enum tfm_hal_status_t tfm_hal_set_up_static_boundaries(void); +fih_int tfm_hal_set_up_static_boundaries(void); +#if TFM_LVL == 3 /** - * \brief This API checks if the memory region defined by base and size - * matches the given attributes - attr. - * The attributes can include NSPE access, privileged mode, and - * read-write permissions. + * \brief Updates the partition isolation boundary for isolation level 3. + * The boundary protects the private data of the running partition. + * The boundary is updated with SPM switching partition in level 3. * - * \param[in] base The base address of the region. - * \param[in] size The size of the region. - * \param[in] attr The memory access attributes. + * \param[in] start start address of the partition boundary. + * \param[in] end end address of the partition boundary. * - * \return TFM_HAL_SUCCESS - The memory region has the access permissions. - * TFM_HAL_ERROR_MEM_FAULT - The memory region has not the access - * permissions. - * TFM_HAL_ERROR_INVALID_INPUT - Invalid inputs. - * TFM_HAL_ERROR_GENERIC - An error occurred. + * \return TFM_HAL_SUCCESS - the isolation boundary has been set up. + * TFM_HAL_ERROR_GENERIC - failed to set up the isolation boundary. + * + * \note When FIH_ENABLE_DOUBLE_VARS is enabled, the return code will be + * wrapped and protected in \ref fih_int structure. */ -enum tfm_hal_status_t tfm_hal_memory_has_access(uintptr_t base, - size_t size, - uint32_t attr); +fih_int tfm_hal_mpu_update_partition_boundary(uintptr_t start, + uintptr_t end); +#endif +#else /* TFM_FIH_PROFILE_ON */ +/** + * \brief Sets up the static isolation boundaries which are constant throughout + * the runtime of the system, including the SPE/NSPE and partition + * boundaries. + * + * \return TFM_HAL_SUCCESS - the isolation boundaries have been set up. 
+ * TFM_HAL_ERROR_GENERIC - failed to set up the isolation boundaries. + * + * \note When FIH_ENABLE_DOUBLE_VARS is enabled, the return code will be + * wrapped and protected in \ref fih_int structure. + */ +enum tfm_hal_status_t tfm_hal_set_up_static_boundaries(void); #if TFM_LVL == 3 /** @@ -65,10 +79,34 @@ enum tfm_hal_status_t tfm_hal_memory_has_access(uintptr_t base, * * \return TFM_HAL_SUCCESS - the isolation boundary has been set up. * TFM_HAL_ERROR_GENERIC - failed to set up the isolation boundary. + * + * \note When FIH_ENABLE_DOUBLE_VARS is enabled, the return code will be + * wrapped and protected in \ref fih_int structure. */ enum tfm_hal_status_t tfm_hal_mpu_update_partition_boundary(uintptr_t start, uintptr_t end); #endif +#endif /* TFM_FIH_PROFILE_ON */ + +/** + * \brief This API checks if the memory region defined by base and size + * matches the given attributes - attr. + * The attributes can include NSPE access, privileged mode, and + * read-write permissions. + * + * \param[in] base The base address of the region. + * \param[in] size The size of the region. + * \param[in] attr The memory access attributes. + * + * \return TFM_HAL_SUCCESS - The memory region has the access permissions. + * TFM_HAL_ERROR_MEM_FAULT - The memory region has not the access + * permissions. + * TFM_HAL_ERROR_INVALID_INPUT - Invalid inputs. + * TFM_HAL_ERROR_GENERIC - An error occurred. + */ +enum tfm_hal_status_t tfm_hal_memory_has_access(uintptr_t base, + size_t size, + uint32_t attr); #ifdef __cplusplus } diff --git a/platform/include/tfm_plat_defs.h b/platform/include/tfm_plat_defs.h index 808a6d3edb..6a2a14d797 100644 --- a/platform/include/tfm_plat_defs.h +++ b/platform/include/tfm_plat_defs.h 
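Review bot: `tfm_hal_memory_has_access()` is moved out of the `#ifdef TFM_FIH_PROFILE_ON` block in the `@@ -65,10 +79,34 @@` hunk and keeps returning a plain `enum tfm_hal_status_t` in FIH builds, yet it is the check that decides whether a region is accessible with the requested NSPE/privileged/read-write attributes — exactly the yes/no decision fault injection aims at, and the commit message says the memory-isolation APIs were to be converted. If leaving it unprotected is a deliberate first step, record that on the prototype (`\note Not FIH-protected: callers must not treat a glitched TFM_HAL_SUCCESS as authoritative`); otherwise it should receive the same `fih_int` treatment as the other isolation APIs. Separately, the new `\note When FIH_ENABLE_DOUBLE_VARS is enabled, the return code will be wrapped and protected in \ref fih_int structure` is attached to the `#else` (non-FIH) declarations of `tfm_hal_set_up_static_boundaries` and `tfm_hal_mpu_update_partition_boundary`, which return the plain enum, while the FIH-side `tfm_hal_set_up_static_boundaries` carries no such note; the note belongs on the `fih_int` prototypes only.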
@@ -17,10 +17,10 @@ enum tfm_plat_err_t { TFM_PLAT_ERR_SUCCESS = 0, - TFM_PLAT_ERR_SYSTEM_ERR, - TFM_PLAT_ERR_MAX_VALUE, - TFM_PLAT_ERR_INVALID_INPUT, - TFM_PLAT_ERR_UNSUPPORTED, + TFM_PLAT_ERR_SYSTEM_ERR = 0x3A5C, + TFM_PLAT_ERR_MAX_VALUE = 0x55A3, + TFM_PLAT_ERR_INVALID_INPUT = 0xA3C5, + TFM_PLAT_ERR_UNSUPPORTED = 0xC35A, /* Following entry is only to ensure the error code of int size */ TFM_PLAT_ERR_FORCE_INT_SIZE = INT_MAX }; diff --git a/platform/include/tfm_spm_hal.h b/platform/include/tfm_spm_hal.h index bfe84267dd..7aaafeba6b 100644 --- a/platform/include/tfm_spm_hal.h +++ b/platform/include/tfm_spm_hal.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018-2020, Arm Limited. All rights reserved. + * Copyright (c) 2018-2021, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause * @@ -9,6 +9,7 @@ #define __TFM_SPM_HAL_H__ #include <stdint.h> +#include "fih.h" #include "tfm_secure_api.h" #ifdef TFM_MULTI_CORE_TOPOLOGY #include "tfm_multi_core.h" 
@@ -57,6 +58,62 @@ struct tfm_spm_partition_memory_data_t }; #endif +#ifdef TFM_FIH_PROFILE_ON +#ifdef CONFIG_TFM_ENABLE_MEMORY_PROTECT +/** + * \brief This function initialises the HW used for isolation, and sets the + * default configuration for them. + * This function is called during TF-M core early startup, after DB init + * + * \return Returns values as specified by FIH specific platform error code. + */ +fih_int tfm_spm_hal_setup_isolation_hw(void); +#endif /* CONFIG_TFM_ENABLE_MEMORY_PROTECT */ + +/** + * \brief Configure peripherals for a partition based on the platform data and + * partition index from the DB + * + * This function is called during partition initialisation (before calling the + * init function for the partition) + * + * \param[in] partition_idx The index of the partition that this peripheral + * is assigned to. + * \param[in] platform_data The platform fields of the partition DB record to + * be used for configuration. + * + * \return Returns values as specified by FIH specific platform error code + */ +fih_int tfm_spm_hal_configure_default_isolation( + uint32_t partition_idx, + const struct platform_data_t *platform_data); +/** + * \brief Configures the system debug properties. + * The default configuration of this function should disable secure debug + * when either DAUTH_NONE or DAUTH_NS_ONLY define is set. It is up to the + * platform owner to decide if secure debug can be turned on in their + * system, if DAUTH_FULL define is present. + * The DAUTH_CHIP_DEFAULT define should not be considered a safe default + * option unless explicitly noted by the chip vendor. + * The implementation has to expect that one of those defines is going to + * be set. Otherwise, a compile error needs to be triggered. 
+ * + * \return Returns values as specified by FIH specific platform error code + */ +fih_int tfm_spm_hal_init_debug(void); + +/** + * \brief This function verifies the settings of HW used for memory isolation, + * to make sure that important settings was not skipped due to fault + * injection attacks. + * + * This function is called during TF-M core late startup, before passing + * execution to non-secure code. + * + * \return Returns values as specified by FIH specific platform error code + */ +fih_int tfm_spm_hal_verify_isolation_hw(void); +#else /* TFM_FIH_PROFILE_ON */ #ifdef CONFIG_TFM_ENABLE_MEMORY_PROTECT /** * \brief This function initialises the HW used for isolation, and sets the @@ -99,6 +156,7 @@ enum tfm_plat_err_t tfm_spm_hal_configure_default_isolation( * \return Returns values as specified by the \ref tfm_plat_err_t */ enum tfm_plat_err_t tfm_spm_hal_init_debug(void); +#endif /* TFM_FIH_PROFILE_ON */ /** * \brief Enables the fault handlers and sets priorities. |
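Review bot: In the new `#ifdef TFM_FIH_PROFILE_ON` branch of tfm_spm_hal.h, `tfm_spm_hal_setup_isolation_hw()` is declared only under `CONFIG_TFM_ENABLE_MEMORY_PROTECT`, while `tfm_spm_hal_verify_isolation_hw()`, which re-checks the same isolation hardware, is declared unconditionally, so a platform built without memory protection must still implement a verifier for hardware it never configured; either put both under the same guard or state in the verify comment what the function returns when nothing was set up. The `\return Returns values as specified by FIH specific platform error code` text repeated on all four prototypes does not tell an implementer what success looks like or how a caller is expected to compare it; something like `\return fih_int encoding of a \ref tfm_plat_err_t value, TFM_PLAT_ERR_SUCCESS on success` would make the contract checkable, assuming that is what the SPM-side callers (outside this diff) expect. The verify function's own comment should also say that a mismatch is a security event and what the caller is expected to do (e.g. panic rather than continue to the non-secure hand-over), since that is the whole point of running it before leaving secure startup.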