FIH: Protect tfm_hal_boundary_need_switch()
This function is called to decide whether to change the hardware
protection when switching between partitions. As such, it is vital
that it is actually called, so use FIH_CALL()/FIH_RET().
Signed-off-by: Chris Brand <chris.brand@cypress.com>
Change-Id: I9f77378f4499d8a86102aec5e813185d3987c3c7
diff --git a/platform/ext/target/arm/mps2/an521/tfm_hal_isolation.c b/platform/ext/target/arm/mps2/an521/tfm_hal_isolation.c
index a5e1a90..1d0a910 100644
--- a/platform/ext/target/arm/mps2/an521/tfm_hal_isolation.c
+++ b/platform/ext/target/arm/mps2/an521/tfm_hal_isolation.c
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2020-2024, Arm Limited. All rights reserved.
- * Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon
+ * Copyright (c) 2022-2024 Cypress Semiconductor Corporation (an Infineon
* company) or an affiliate of Cypress Semiconductor Corporation. All rights
* reserved.
*
@@ -663,16 +663,16 @@
}
}
-bool tfm_hal_boundary_need_switch(uintptr_t boundary_from,
- uintptr_t boundary_to)
+FIH_RET_TYPE(bool) tfm_hal_boundary_need_switch(uintptr_t boundary_from,
+ uintptr_t boundary_to)
{
if (boundary_from == boundary_to) {
- return false;
+ FIH_RET(fih_int_encode(false));
}
if (((uint32_t)boundary_from & HANDLE_ATTR_PRIV_MASK) &&
((uint32_t)boundary_to & HANDLE_ATTR_PRIV_MASK)) {
- return false;
+ FIH_RET(fih_int_encode(false));
}
- return true;
+ FIH_RET(fih_int_encode(true));
}
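Review bot: The privileged-to-privileged early exit at lines 31-35 carries no comment, and the same body is repeated verbatim in the psoc64, nxp/common, stm32h5xx and stm32u5xx hunks of this commit, so any later hardening of this decision has to be applied in five places. A one-line comment above the second `if` would help a reader who does not know the handle attribute layout, e.g. `/* Both boundaries carry the PRIV attribute: no protection switch is needed. */`. Hoisting the shared body into a common default that platforms may override is outside this commit's scope but worth a follow-up, since divergence between copies of a boundary check is hard to spot in review.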
diff --git a/platform/ext/target/cypress/psoc64/tfm_hal_isolation.c b/platform/ext/target/cypress/psoc64/tfm_hal_isolation.c
index 70c5ad5..6eb67ca 100644
--- a/platform/ext/target/cypress/psoc64/tfm_hal_isolation.c
+++ b/platform/ext/target/cypress/psoc64/tfm_hal_isolation.c
@@ -156,16 +156,16 @@
FIH_RET(fih_int_encode(TFM_HAL_SUCCESS));
}
-bool tfm_hal_boundary_need_switch(uintptr_t boundary_from,
- uintptr_t boundary_to)
+FIH_RET_TYPE(bool) tfm_hal_boundary_need_switch(uintptr_t boundary_from,
+ uintptr_t boundary_to)
{
if (boundary_from == boundary_to) {
- return false;
+ FIH_RET(fih_int_encode(false));
}
if (((uint32_t)boundary_from & HANDLE_ATTR_PRIV_MASK) &&
((uint32_t)boundary_to & HANDLE_ATTR_PRIV_MASK)) {
- return false;
+ FIH_RET(fih_int_encode(false));
}
- return true;
+ FIH_RET(fih_int_encode(true));
}
diff --git a/platform/ext/target/nxp/common/tfm_hal_isolation.c b/platform/ext/target/nxp/common/tfm_hal_isolation.c
index c2f6cc2..3d70bc2 100644
--- a/platform/ext/target/nxp/common/tfm_hal_isolation.c
+++ b/platform/ext/target/nxp/common/tfm_hal_isolation.c
@@ -1,6 +1,9 @@
/*
* Copyright (c) 2020-2024, Arm Limited. All rights reserved.
* Copyright 2020-2022 NXP. All rights reserved.
+ * Copyright (c) 2024 Cypress Semiconductor Corporation (an Infineon
+ * company) or an affiliate of Cypress Semiconductor Corporation. All rights
+ * reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -572,18 +575,18 @@
}
}
-bool tfm_hal_boundary_need_switch(uintptr_t boundary_from,
- uintptr_t boundary_to)
+FIH_RET_TYPE(bool) tfm_hal_boundary_need_switch(uintptr_t boundary_from,
+ uintptr_t boundary_to)
{
if (boundary_from == boundary_to) {
- return false;
+ FIH_RET(fih_int_encode(false));
}
if (((uint32_t)boundary_from & HANDLE_ATTR_PRIV_MASK) &&
((uint32_t)boundary_to & HANDLE_ATTR_PRIV_MASK)) {
- return false;
+ FIH_RET(fih_int_encode(false));
}
- return true;
+ FIH_RET(fih_int_encode(true));
}
/*------------------- SAU/IDAU configuration functions -----------------------*/
diff --git a/platform/ext/target/stm/common/stm32h5xx/secure/tfm_hal_isolation.c b/platform/ext/target/stm/common/stm32h5xx/secure/tfm_hal_isolation.c
index 2b9928a..b22a892 100644
--- a/platform/ext/target/stm/common/stm32h5xx/secure/tfm_hal_isolation.c
+++ b/platform/ext/target/stm/common/stm32h5xx/secure/tfm_hal_isolation.c
@@ -1,5 +1,8 @@
/*
* Copyright (c) 2020-2024, Arm Limited. All rights reserved.
+ * Copyright (c) 2024 Cypress Semiconductor Corporation (an Infineon
+ * company) or an affiliate of Cypress Semiconductor Corporation. All rights
+ * reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -548,16 +551,16 @@
}
}
-bool tfm_hal_boundary_need_switch(uintptr_t boundary_from,
- uintptr_t boundary_to)
+FIH_RET_TYPE(bool) tfm_hal_boundary_need_switch(uintptr_t boundary_from,
+ uintptr_t boundary_to)
{
if (boundary_from == boundary_to) {
- return false;
+ FIH_RET(fih_int_encode(false));
}
if (((uint32_t)boundary_from & HANDLE_ATTR_PRIV_MASK) &&
((uint32_t)boundary_to & HANDLE_ATTR_PRIV_MASK)) {
- return false;
+ FIH_RET(fih_int_encode(false));
}
- return true;
+ FIH_RET(fih_int_encode(true));
}
diff --git a/platform/ext/target/stm/common/stm32u5xx/secure/tfm_hal_isolation.c b/platform/ext/target/stm/common/stm32u5xx/secure/tfm_hal_isolation.c
index 3ed8ad6..41eb8fd 100644
--- a/platform/ext/target/stm/common/stm32u5xx/secure/tfm_hal_isolation.c
+++ b/platform/ext/target/stm/common/stm32u5xx/secure/tfm_hal_isolation.c
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2020-2024, Arm Limited. All rights reserved.
- * Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon
+ * Copyright (c) 2022-2024 Cypress Semiconductor Corporation (an Infineon
* company) or an affiliate of Cypress Semiconductor Corporation. All rights
* reserved.
*
@@ -491,16 +491,16 @@
}
}
-bool tfm_hal_boundary_need_switch(uintptr_t boundary_from,
- uintptr_t boundary_to)
+FIH_RET_TYPE(bool) tfm_hal_boundary_need_switch(uintptr_t boundary_from,
+ uintptr_t boundary_to)
{
if (boundary_from == boundary_to) {
- return false;
+ FIH_RET(fih_int_encode(false));
}
if (((uint32_t)boundary_from & HANDLE_ATTR_PRIV_MASK) &&
((uint32_t)boundary_to & HANDLE_ATTR_PRIV_MASK)) {
- return false;
+ FIH_RET(fih_int_encode(false));
}
- return true;
+ FIH_RET(fih_int_encode(true));
}
diff --git a/platform/include/tfm_hal_isolation.h b/platform/include/tfm_hal_isolation.h
index 238a8fd..2ae0abb 100644
--- a/platform/include/tfm_hal_isolation.h
+++ b/platform/include/tfm_hal_isolation.h
@@ -122,8 +122,8 @@
* \return true - a switching is needed.
* false - do not need a switch.
*/
-bool tfm_hal_boundary_need_switch(uintptr_t boundary_from,
- uintptr_t boundary_to);
+FIH_RET_TYPE(bool) tfm_hal_boundary_need_switch(uintptr_t boundary_from,
+ uintptr_t boundary_to);
#ifdef __cplusplus
}
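Review bot: The `\return` text at lines 168-169 still documents a plain `true`/`false` result although the prototype now returns `FIH_RET_TYPE(bool)`, and nothing in the comment says the function must be invoked through `FIH_CALL()`. Suggest rewording to `\return fih_int_encode(true) - a switching is needed.` / `fih_int_encode(false) - do not need a switch.` and adding a `\note Must be called via FIH_CALL(); compare the result with fih_eq()/fih_not_eq().` so platform implementers do not return a bare bool. The start of the comment block is outside the hunk.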
diff --git a/secure_fw/spm/core/backend_ipc.c b/secure_fw/spm/core/backend_ipc.c
index 9721b19..c50e529 100644
--- a/secure_fw/spm/core/backend_ipc.c
+++ b/secure_fw/spm/core/backend_ipc.c
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2021-2024, Arm Limited. All rights reserved.
- * Copyright (c) 2021-2023 Cypress Semiconductor Corporation (an Infineon
+ * Copyright (c) 2021-2024 Cypress Semiconductor Corporation (an Infineon
* company) or an affiliate of Cypress Semiconductor Corporation. All rights
* reserved.
*
@@ -15,6 +15,7 @@
#include "critical_section.h"
#include "compiler_ext_defs.h"
#include "ffm/psa_api.h"
+#include "fih.h"
#include "runtime_defs.h"
#include "stack_watermark.h"
#include "spm.h"
@@ -125,6 +126,7 @@
struct runtime_metadata_t *p_rt_meta;
service_fn_t *p_sfn_table;
uint32_t allocate_size;
+ FIH_RET_TYPE(bool) fih_rc;
p_pt_ldi = p_pt->p_ldinf;
p_srv_ldi = LOAD_INFO_SERVICE(p_pt_ldi);
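Review bot: The new variable at line 201 is named `fih_rc` while every other `FIH_RET_TYPE(bool)` added by this commit (ipc_schedule, the three interrupt.c sites and both tfm_svcalls.c sites) is called `fih_bool`; in this file `fih_rc` is also the name used for `fih_int` status results, as in ipc_schedule. Renaming it keeps the bool/status distinction visible: `FIH_RET_TYPE(bool) fih_bool;`, with the FIH_CALL and the `fih_not_eq` in the next hunk updated to match. None of the new bool variables gets an initializer, unlike the neighbouring `fih_int fih_rc = FIH_FAILURE;` declarations; if FIH_CALL() does not itself seed its output before the call, initialising them to the conservative value `fih_int_encode(true)` (switch) would match the file's existing pattern. The enclosing function starts and ends outside the hunk.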
@@ -145,7 +147,8 @@
#if TFM_ISOLATION_LEVEL == 1
p_rt_meta->psa_fns = &psa_api_thread_fn_call;
#else
- if (tfm_hal_boundary_need_switch(spm_boundary, p_pt->boundary)) {
+ FIH_CALL(tfm_hal_boundary_need_switch, fih_rc, spm_boundary, p_pt->boundary);
+ if (fih_not_eq(fih_rc, fih_int_encode(false))) {
p_rt_meta->psa_fns = &psa_api_svc;
} else {
p_rt_meta->psa_fns = &psa_api_thread_fn_call;
@@ -449,6 +452,7 @@
uint64_t ipc_schedule(uint32_t exc_return)
{
fih_int fih_rc = FIH_FAILURE;
+ FIH_RET_TYPE(bool) fih_bool;
AAPCS_DUAL_U32_T ctx_ctrls;
struct partition_t *p_part_curr, *p_part_next;
struct context_ctrl_t *p_curr_ctx;
@@ -499,8 +503,9 @@
* If required, let the platform update boundary based on its
* implementation. Change privilege, MPU or other configurations.
*/
- if (tfm_hal_boundary_need_switch(p_part_curr->boundary,
- p_part_next->boundary)) {
+ FIH_CALL(tfm_hal_boundary_need_switch, fih_bool,
+ p_part_curr->boundary, p_part_next->boundary);
+ if (fih_not_eq(fih_bool, fih_int_encode(false))) {
FIH_CALL(tfm_hal_activate_boundary, fih_rc,
p_part_next->p_ldinf, p_part_next->boundary);
if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {
diff --git a/secure_fw/spm/core/interrupt.c b/secure_fw/spm/core/interrupt.c
index d99877b..9a96b43 100644
--- a/secure_fw/spm/core/interrupt.c
+++ b/secure_fw/spm/core/interrupt.c
@@ -1,6 +1,6 @@
/*
* Copyright (c) 2021-2024, Arm Limited. All rights reserved.
- * Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon
+ * Copyright (c) 2022-2024 Cypress Semiconductor Corporation (an Infineon
* company) or an affiliate of Cypress Semiconductor Corporation. All rights
* reserved.
*
@@ -12,6 +12,7 @@
#include "bitops.h"
#include "current.h"
+#include "fih.h"
#include "svc_num.h"
#include "tfm_arch.h"
#include "tfm_hal_interrupt.h"
@@ -45,6 +46,7 @@
uintptr_t sp_base, sp_limit, curr_stack, ctx_stack;
struct context_ctrl_t flih_ctx_ctrl;
fih_int fih_rc = FIH_FAILURE;
+ FIH_RET_TYPE(bool) fih_bool;
/* Come too early before runtime setup, should not happen. */
if (!CURRENT_THREAD) {
@@ -64,8 +66,9 @@
ctx_stack = p_owner_sp->thrd.p_context_ctrl->sp;
}
- if (tfm_hal_boundary_need_switch(p_curr_sp->boundary,
- p_owner_sp->boundary)) {
+ FIH_CALL(tfm_hal_boundary_need_switch, fih_bool,
+ p_curr_sp->boundary, p_owner_sp->boundary);
+ if (fih_not_eq(fih_bool, fih_int_encode(false))) {
FIH_CALL(tfm_hal_activate_boundary, fih_rc,
p_owner_sp->p_ldinf, p_owner_sp->boundary);
}
@@ -93,13 +96,15 @@
struct context_flih_ret_t *p_ctx_flih_ret)
{
struct partition_t *p_prev_sp, *p_owner_sp;
+ FIH_RET_TYPE(bool) fih_bool;
fih_int fih_rc = FIH_FAILURE;
p_prev_sp = (struct partition_t *)(p_ctx_flih_ret->state_ctx.r2);
p_owner_sp = GET_CURRENT_COMPONENT();
- if (tfm_hal_boundary_need_switch(p_owner_sp->boundary,
- p_prev_sp->boundary)) {
+ FIH_CALL(tfm_hal_boundary_need_switch, fih_bool,
+ p_owner_sp->boundary, p_prev_sp->boundary);
+ if (fih_not_eq(fih_bool, fih_int_encode(false))) {
FIH_CALL(tfm_hal_activate_boundary, fih_rc,
p_prev_sp->p_ldinf, p_prev_sp->boundary);
}
@@ -150,6 +155,7 @@
psa_flih_result_t flih_result;
struct partition_t *p_part;
psa_status_t ret = 0;
+ FIH_RET_TYPE(bool) fih_bool;
if (!p_pt || !p_ildi) {
tfm_core_panic();
@@ -170,8 +176,9 @@
#if TFM_ISOLATION_LEVEL == 1
flih_result = p_ildi->flih_func();
#else
- if (!tfm_hal_boundary_need_switch(spm_boundary,
- p_part->boundary)) {
+ FIH_CALL(tfm_hal_boundary_need_switch, fih_bool,
+ spm_boundary, p_part->boundary);
+ if (fih_eq(fih_bool, fih_int_encode(false))) {
flih_result = p_ildi->flih_func();
} else {
flih_result = tfm_flih_deprivileged_handling(
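Review bot: Line 302 is the only call site in this change where the privileged path (`p_ildi->flih_func()` called directly) sits on the `fih_eq(..., false)` branch; every other site tests `fih_not_eq(..., fih_int_encode(false))` so that anything other than an affirmative "no switch" answer takes the switching path. For consistency, and so the default branch is the deprivileged one, change the condition to `if (fih_not_eq(fih_bool, fih_int_encode(false))) {` and swap the two branch bodies, making the `tfm_flih_deprivileged_handling(...)` call the then-branch and the direct call the else. If fih_eq() and fih_not_eq() are hardened to the same degree this is a consistency point rather than a defect. The enclosing function and the deprivileged call's arguments continue outside the hunk.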
diff --git a/secure_fw/spm/core/tfm_svcalls.c b/secure_fw/spm/core/tfm_svcalls.c
index b0f13bf..c43b98e 100644
--- a/secure_fw/spm/core/tfm_svcalls.c
+++ b/secure_fw/spm/core/tfm_svcalls.c
@@ -83,10 +83,12 @@
static uint32_t thread_mode_spm_return(uint32_t result)
{
fih_int fih_rc = FIH_FAILURE;
+ FIH_RET_TYPE(bool) fih_bool;
struct partition_t *p_part_next = GET_CURRENT_COMPONENT();
struct tfm_state_context_t *p_tctx = (struct tfm_state_context_t *)saved_psp;
- if (tfm_hal_boundary_need_switch(spm_boundary, p_part_next->boundary)) {
+ FIH_CALL(tfm_hal_boundary_need_switch, fih_bool, spm_boundary, p_part_next->boundary);
+ if (fih_not_eq(fih_bool, fih_int_encode(false))) {
FIH_CALL(tfm_hal_activate_boundary, fih_rc,
p_part_next->p_ldinf, p_part_next->boundary);
if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {
@@ -143,6 +145,7 @@
static int32_t prepare_to_thread_mode_spm(uint8_t svc_number, uint32_t *ctx, uint32_t exc_return)
{
fih_int fih_rc = FIH_FAILURE;
+ FIH_RET_TYPE(bool) fih_bool;
struct partition_t *p_curr_sp;
psa_api_svc_func_t svc_func = NULL;
uint8_t svc_idx = svc_number & TFM_SVC_NUM_INDEX_MSK;
@@ -168,7 +171,8 @@
saved_exc_return = exc_return;
p_curr_sp = GET_CURRENT_COMPONENT();
- if (tfm_hal_boundary_need_switch(p_curr_sp->boundary, spm_boundary)) {
+ FIH_CALL(tfm_hal_boundary_need_switch, fih_bool, p_curr_sp->boundary, spm_boundary);
+ if (fih_not_eq(fih_bool, fih_int_encode(false))) {
FIH_CALL(tfm_hal_activate_boundary, fih_rc, NULL, spm_boundary);
if (fih_not_eq(fih_rc, fih_int_encode(TFM_HAL_SUCCESS))) {
tfm_core_panic();