Arch: Implement fault handlers to not return

Ensures secure HardFault, secure MemManage, BusFault and SecureFault
handlers are all explicitly implemented in arch code to not return.
These faults may indicate that Secure state has been corrupted, so
Non-secure should be prevented from executing after one is raised.
Never returning from the handlers is the simplest way to achieve this,
so this is the current solution.

These handlers override the platform's default handlers, which carry the
weak attribute and are implemented as infinite loops anyway, so the
behaviour is unchanged but the intent is made explicit.

Change-Id: I7b91a652f222d307e1608c4d59594f3710a6687a
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
diff --git a/secure_fw/spm/cmsis_func/arch.c b/secure_fw/spm/cmsis_func/arch.c
index 9ec1dd4..a44e5fc 100644
--- a/secure_fw/spm/cmsis_func/arch.c
+++ b/secure_fw/spm/cmsis_func/arch.c
@@ -342,3 +342,43 @@
     );
 }
 #endif
+
+__attribute__((naked)) void HardFault_Handler(void)
+{
+    /* A HardFault may indicate corruption of secure state, so it is essential
+     * that Non-secure code does not regain control after one is raised.
+     * Returning from this exception could allow a pending NS exception to be
+     * taken, so the current solution is not to return.
+     */
+    __ASM volatile("b    .");
+}
+
+__attribute__((naked)) void MemManage_Handler(void)
+{
+    /* A MemManage fault may indicate corruption of secure state, so it is
+     * essential that Non-secure code does not regain control after one is
+     * raised. Returning from this exception could allow a pending NS exception
+     * to be taken, so the current solution is not to return.
+     */
+    __ASM volatile("b    .");
+}
+
+__attribute__((naked)) void BusFault_Handler(void)
+{
+    /* A BusFault may indicate corruption of secure state, so it is essential
+     * that Non-secure code does not regain control after one is raised.
+     * Returning from this exception could allow a pending NS exception to be
+     * taken, so the current solution is not to return.
+     */
+    __ASM volatile("b    .");
+}
+
+__attribute__((naked)) void SecureFault_Handler(void)
+{
+    /* A SecureFault may indicate corruption of secure state, so it is essential
+     * that Non-secure code does not regain control after one is raised.
+     * Returning from this exception could allow a pending NS exception to be
+     * taken, so the current solution is not to return.
+     */
+    __ASM volatile("b    .");
+}
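Review bot: The spinning `b .` in these four handlers does not on its own guarantee what the comments promise: MemManage, BusFault and SecureFault have configurable priorities, so a pending Non-secure interrupt with a higher priority can still preempt the loop and Non-secure code runs after all. Whether that is reachable depends on how the platform sets the Secure fault priorities and AIRCR.PRIS, which this hunk does not show; masking configurable-priority exceptions before spinning removes that dependency, e.g. `__ASM volatile("cpsid i\n    b    .");` (the Secure PRIMASK should mask Non-secure configurable-priority interrupts as well, leaving only NMI and escalated faults able to preempt — confirm against the platform's NMI routing). These handlers also emit no diagnostic at all, unlike the `SecureFault_Handler` in tfm_arch_v8m_main.c which logs before spinning; since a naked function has no frame from which to safely call C, a one-line comment such as `/* naked: no frame, so no logging here; escalated faults land in HardFault anyway */` would save the next reader the question. Finally the four bodies and comments are verbatim copies; a single macro or `static` helper for the halt sequence would keep them from drifting apart.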
diff --git a/secure_fw/spm/cmsis_psa/arch/tfm_arch_v8m_base.c b/secure_fw/spm/cmsis_psa/arch/tfm_arch_v8m_base.c
index 051a736..34c3641 100644
--- a/secure_fw/spm/cmsis_psa/arch/tfm_arch_v8m_base.c
+++ b/secure_fw/spm/cmsis_psa/arch/tfm_arch_v8m_base.c
@@ -97,6 +97,11 @@
      * a hard fault triggered directly, or another fault that has been
      * escalated.
      */
+    /* A HardFault may indicate corruption of secure state, so it is essential
+     * that Non-secure code does not regain control after one is raised.
+     * Returning from this exception could allow a pending NS exception to be
+     * taken, so the current solution is not to return.
+     */
     while (1) {
         ;
     }
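Review bot: The added comment states that Non-secure code cannot regain control, but a `while (1)` loop in the Secure HardFault handler holds priority -1 only, so an NMI (priority -2) can still preempt it; if the platform routes NMI to Non-secure via AIRCR.BFHFNMINS, Non-secure code would run from inside this "never return" path. The hunk does not show the platform's BFHFNMINS setting, so this may be acceptable, but the comment should record the assumption, e.g. `/* Assumes NMI targets Secure (AIRCR.BFHFNMINS == 0); otherwise an NS NMI can still preempt this loop. */`. The enclosing handler (presumably HardFault_Handler; its signature is outside the hunk) begins before this hunk.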
diff --git a/secure_fw/spm/cmsis_psa/arch/tfm_arch_v8m_main.c b/secure_fw/spm/cmsis_psa/arch/tfm_arch_v8m_main.c
index 7a7054a..f59a902 100644
--- a/secure_fw/spm/cmsis_psa/arch/tfm_arch_v8m_main.c
+++ b/secure_fw/spm/cmsis_psa/arch/tfm_arch_v8m_main.c
@@ -83,6 +83,11 @@
 void SecureFault_Handler(void)
 {
     ERROR_MSG("Oops... Secure fault!!! You're not going anywhere!");
+    /* A SecureFault may indicate corruption of secure state, so it is essential
+     * that Non-secure code does not regain control after one is raised.
+     * Returning from this exception could allow a pending NS exception to be
+     * taken, so the current solution is not to return.
+     */
     while (1) {
         ;
     }
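Review bot: `ERROR_MSG(...)` on the line before the new comment runs inside a SecureFault handler whose own comment says Secure state may already be corrupted; if the logging path depends on that state (the stack, a UART driver's buffers) it can fault again, and a fault taken at this priority would escalate to HardFault. That is survivable only because HardFault also spins, which is worth writing down next to the call: `/* ERROR_MSG may itself fault; escalation lands in HardFault_Handler, which also never returns. */`. The `while (1)` here has the same weakness as any spin loop in a configurable-priority handler — a higher-priority Non-secure interrupt can still preempt it unless the platform's fault priorities or AIRCR.PRIS forbid that — so consider `__disable_irq();` before the loop. SecureFault_Handler's closing brace is outside the hunk.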
@@ -109,15 +114,36 @@
 }
 
 /* Reserved for future usage */
+__attribute__((naked)) void HardFault_Handler(void)
+{
+    /* A HardFault may indicate corruption of secure state, so it is essential
+     * that Non-secure code does not regain control after one is raised.
+     * Returning from this exception could allow a pending NS exception to be
+     * taken, so the current solution is not to return.
+     */
+    __ASM volatile("b    .");
+}
+
 __attribute__((naked)) void MemManage_Handler(void)
 {
+    /* A MemManage fault may indicate corruption of secure state, so it is
+     * essential that Non-secure code does not regain control after one is
+     * raised. Returning from this exception could allow a pending NS exception
+     * to be taken, so the current solution is not to return.
+     */
     __ASM volatile("b    .");
 }
 
 __attribute__((naked)) void BusFault_Handler(void)
 {
+    /* A BusFault may indicate corruption of secure state, so it is essential
+     * that Non-secure code does not regain control after one is raised.
+     * Returning from this exception could allow a pending NS exception to be
+     * taken, so the current solution is not to return.
+     */
     __ASM volatile("b    .");
 }
+
 __attribute__((naked)) void UsageFault_Handler(void)
 {
     __ASM volatile("b    .");
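Review bot: The `/* Reserved for future usage */` comment now sits directly above the real `HardFault_Handler` added below it, so it reads as if the handler were a placeholder; it should be deleted, or moved back to whatever definition it described before the insertion. `UsageFault_Handler` is the only fault handler in this file left without the rationale comment even though its body is the same `b .` and a UsageFault (on Mainline, including the STKOF stack-overflow case) can equally indicate corrupted Secure state — add the same comment or a one-liner `/* Same rationale as HardFault_Handler above: never return to Non-secure. */`. As with any naked spin loop at configurable priority, a higher-priority Non-secure interrupt can preempt `b .` unless the platform's fault priorities or AIRCR.PRIS prevent it; `cpsid i` before the branch would make the guarantee independent of that configuration. UsageFault_Handler's closing brace lies just past the end of the hunk.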