Arch: Implement fault handlers to not return
Ensures secure HardFault, secure MemManage, BusFault and SecureFault
handlers are all explicitly implemented in arch code to not return.
These faults may indicate that Secure state has been corrupted, so
Non-secure should be prevented from executing after one is raised.
Never returning from the handlers is the simplest way to achieve this,
so this is the current solution.
These handlers override the default platform handlers with the weak
attribute, which are implemented as infinite loops anyway, so the
behaviour is unchanged but the intent is made explicit.
Change-Id: I7b91a652f222d307e1608c4d59594f3710a6687a
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
diff --git a/secure_fw/spm/cmsis_func/arch.c b/secure_fw/spm/cmsis_func/arch.c
index 9ec1dd4..a44e5fc 100644
--- a/secure_fw/spm/cmsis_func/arch.c
+++ b/secure_fw/spm/cmsis_func/arch.c
@@ -342,3 +342,43 @@
);
}
#endif
+
+__attribute__((naked)) void HardFault_Handler(void)
+{
+ /* A HardFault may indicate corruption of secure state, so it is essential
+ * that Non-secure code does not regain control after one is raised.
+ * Returning from this exception could allow a pending NS exception to be
+ * taken, so the current solution is not to return.
+ */
+ __ASM volatile("b .");
+}
+
+__attribute__((naked)) void MemManage_Handler(void)
+{
+ /* A MemManage fault may indicate corruption of secure state, so it is
+ * essential that Non-secure code does not regain control after one is
+ * raised. Returning from this exception could allow a pending NS exception
+ * to be taken, so the current solution is not to return.
+ */
+ __ASM volatile("b .");
+}
+
+__attribute__((naked)) void BusFault_Handler(void)
+{
+ /* A BusFault may indicate corruption of secure state, so it is essential
+ * that Non-secure code does not regain control after one is raised.
+ * Returning from this exception could allow a pending NS exception to be
+ * taken, so the current solution is not to return.
+ */
+ __ASM volatile("b .");
+}
+
+__attribute__((naked)) void SecureFault_Handler(void)
+{
+ /* A SecureFault may indicate corruption of secure state, so it is essential
+ * that Non-secure code does not regain control after one is raised.
+ * Returning from this exception could allow a pending NS exception to be
+ * taken, so the current solution is not to return.
+ */
+ __ASM volatile("b .");
+}
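Review bot: all four handlers in this hunk carry a verbatim copy of the same comment and the same one-line body `__ASM volatile("b .");`, differing only in the fault name; factoring the spin into one shared non-returning helper (or a macro expanding to the naked body) with a single fault-specific comment line per handler would keep the intent explicit while leaving one place to change if the handlers later need to do anything before spinning. It would also help to state in a comment near these definitions that they are deliberately non-weak so that they override the platform's weak default handlers, as the commit message explains; without that, a reader of arch.c has no way to tell why these four exist here rather than in the platform code.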