SPM: Fix the sfn parameters check function of Lib Model
The tfm_core_check_sfn_parameters() function assumes all the secure
service callers to be unprivileged mode, which is not correct.
The privileged mode of an NS Secure Service caller is decided in the
tfm_core_has_xx_access_to_region() functions, which is fine.
But a Secure caller can only be in privileged mode, because the whole
SPE runs in privileged mode.
This patch addresses this issue.
Change-Id: I16e016f1837d29bd0009f4404e02cb3b51732c45
Signed-off-by: Kevin Peng <kevin.peng@arm.com>
diff --git a/secure_fw/spm/cmsis_func/spm_func.c b/secure_fw/spm/cmsis_func/spm_func.c
index eae55f0..4c91018 100644
--- a/secure_fw/spm/cmsis_func/spm_func.c
+++ b/secure_fw/spm/cmsis_func/spm_func.c
@@ -131,6 +131,7 @@
struct psa_outvec *out_vec = (psa_outvec *)desc_ptr->args[2];
size_t out_len;
uint32_t i;
+ uint32_t privileged_mode = TFM_PARTITION_UNPRIVILEGED_MODE;
if ((desc_ptr->args[1] < 0) || (desc_ptr->args[3] < 0)) {
return TFM_ERROR_INVALID_PARAMETER;
@@ -139,6 +140,17 @@
in_len = (size_t)(desc_ptr->args[1]);
out_len = (size_t)(desc_ptr->args[3]);
+ /*
+ * Get caller's privileged mode:
+ * The privileged mode of NS Secure Service caller will be decided by the
+ * tfm_core_has_xxx_access_to_region functions.
+ * Secure caller can be only privileged mode because the whole SPE is
+ * running under privileged mode
+ */
+ if (!desc_ptr->ns_caller) {
+ privileged_mode = TFM_PARTITION_PRIVILEGED_MODE;
+ }
+
/* The number of vectors are within range. Extra checks to avoid overflow */
if ((in_len > PSA_MAX_IOVEC) || (out_len > PSA_MAX_IOVEC) ||
(in_len + out_len > PSA_MAX_IOVEC)) {
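Review bot: The new `privileged_mode` is set in two steps — declared as TFM_PARTITION_UNPRIVILEGED_MODE in the previous hunk and overridden here — when a single initializer at the declaration would express the same rule and leave the variable unmodified afterwards: `uint32_t privileged_mode = desc_ptr->ns_caller ? TFM_PARTITION_UNPRIVILEGED_MODE : TFM_PARTITION_PRIVILEGED_MODE;`. The added comment would also read more clearly if it said outright that the unprivileged value passed for NS callers is presumably only a placeholder the access-check functions decide for themselves, e.g. `/* NS callers: the value is a placeholder, the access-check functions decide the NS privilege level. Secure callers: always privileged, the whole SPE runs privileged. */`. Since all four region checks in the following hunks now take their privilege level from `desc_ptr->ns_caller`, it is worth confirming, and stating in the comment, that this flag is populated by the SPM entry path rather than supplied by the caller; that cannot be verified from this hunk alone. tfm_core_check_sfn_parameters() starts before this hunk and ends after the last one.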
@@ -152,7 +164,7 @@
if ((in_vec == NULL) ||
(tfm_core_has_write_access_to_region(in_vec,
sizeof(psa_invec)*in_len, desc_ptr->ns_caller,
- TFM_PARTITION_UNPRIVILEGED_MODE) != TFM_SUCCESS)) {
+ privileged_mode) != TFM_SUCCESS)) {
return TFM_ERROR_INVALID_PARAMETER;
}
} else {
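Review bot: The check on the `in_vec` array on these context lines requires write access (`tfm_core_has_write_access_to_region`), while the per-element `in_vec[i].base` check in the later hunk requires only read access; the commit keeps this asymmetry and it is not clear from the hunk whether it is intended, since an input-vector array placed in read-only caller memory would be rejected. If it is deliberate (for example because the SPM modifies the array in place), a one-line comment such as `/* Write access is required here because the in_vec array may be modified in place */` would keep the next reader from "fixing" it; if not, the read-access check is the one that matches how the array is used. The enclosing if/else begins before this hunk.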
@@ -164,7 +176,7 @@
if ((out_vec == NULL) ||
(tfm_core_has_write_access_to_region(out_vec,
sizeof(psa_outvec)*out_len, desc_ptr->ns_caller,
- TFM_PARTITION_UNPRIVILEGED_MODE) != TFM_SUCCESS)) {
+ privileged_mode) != TFM_SUCCESS)) {
return TFM_ERROR_INVALID_PARAMETER;
}
} else {
@@ -181,7 +193,7 @@
if ((in_vec[i].base == NULL) ||
(tfm_core_has_read_access_to_region(in_vec[i].base,
in_vec[i].len, desc_ptr->ns_caller,
- TFM_PARTITION_UNPRIVILEGED_MODE) != TFM_SUCCESS)) {
+ privileged_mode) != TFM_SUCCESS)) {
return TFM_ERROR_INVALID_PARAMETER;
}
}
@@ -191,7 +203,7 @@
if ((out_vec[i].base == NULL) ||
(tfm_core_has_write_access_to_region(out_vec[i].base,
out_vec[i].len, desc_ptr->ns_caller,
- TFM_PARTITION_UNPRIVILEGED_MODE) != TFM_SUCCESS)) {
+ privileged_mode) != TFM_SUCCESS)) {
return TFM_ERROR_INVALID_PARAMETER;
}
}