Stack_seal_mitigation: Seal thread stacks for IPC mode
Seal all thread stacks (PSP) by putting two seal words for IPC mode.
It should be noted that stack sealing mitigation is mostly relevant
for Trust zone based ARMv8-M CPUs wherein the attack is launched from
the Non Secure side. For ARMv6-M and ARMv7-M, the stack sealing could
be skipped.
Change-Id: I74e287a4bf0d28b7d4fdd1302d6429175c1bf77f
Signed-off-by: Ken Liu <ken.liu@arm.com>
diff --git a/secure_fw/spm/cmsis_psa/arch/tfm_arch.c b/secure_fw/spm/cmsis_psa/arch/tfm_arch.c
index 962a4c5..4709223 100644
--- a/secure_fw/spm/cmsis_psa/arch/tfm_arch.c
+++ b/secure_fw/spm/cmsis_psa/arch/tfm_arch.c
@@ -62,8 +62,8 @@
* For security consideration, set unused registers into ZERO;
* and only necessary registers are set here.
*/
- struct tfm_state_context_t *p_stat_ctx =
- (struct tfm_state_context_t *)stk_top;
+ struct tfm_state_context_t *p_stat_ctx=
+ (struct tfm_state_context_t *)tfm_arch_seal_thread_stack(stk_top);
/*
* Shift back SP to leave space for holding base context
diff --git a/secure_fw/spm/cmsis_psa/arch/tfm_arch_v6m_v7m.h b/secure_fw/spm/cmsis_psa/arch/tfm_arch_v6m_v7m.h
index 77d7806..25124db 100644
--- a/secure_fw/spm/cmsis_psa/arch/tfm_arch_v6m_v7m.h
+++ b/secure_fw/spm/cmsis_psa/arch/tfm_arch_v6m_v7m.h
@@ -10,6 +10,7 @@
#include <stdint.h>
#include <stdbool.h>
#include "cmsis_compiler.h"
+#include "utilities.h"
#if !TFM_MULTI_CORE_TOPOLOGY
#error "Armv6-M/Armv7-M can only support multi-core TF-M now."
@@ -97,6 +98,19 @@
}
/**
+ * \brief Seal the thread stack.
+ *
+ * \param[in] stk Thread stack address.
+ *
+ * \retval stack Updated thread stack address.
+ */
+__STATIC_INLINE uintptr_t tfm_arch_seal_thread_stack(uintptr_t stk)
+{
+ TFM_CORE_ASSERT((stk & 0x7) == 0);
+ return stk;
+}
+
+/**
* \brief Update architecture context value into hardware
*
* \param[in] p_actx Pointer of context data
diff --git a/secure_fw/spm/cmsis_psa/tfm_nspm_ipc.c b/secure_fw/spm/cmsis_psa/tfm_nspm_ipc.c
index acc8140..32c2a9c 100644
--- a/secure_fw/spm/cmsis_psa/tfm_nspm_ipc.c
+++ b/secure_fw/spm/cmsis_psa/tfm_nspm_ipc.c
@@ -104,7 +104,6 @@
"mov r10, r4 \n"
"mov r11, r4 \n"
"mov r12, r4 \n"
- "push {r0, r1} \n"
"bxns r0 \n"
);
}
diff --git a/secure_fw/spm/include/tfm_arch_v8m.h b/secure_fw/spm/include/tfm_arch_v8m.h
index a0912c4..58576d3 100644
--- a/secure_fw/spm/include/tfm_arch_v8m.h
+++ b/secure_fw/spm/include/tfm_arch_v8m.h
@@ -110,6 +110,26 @@
}
/**
+ * \brief Seal the thread stack.
+ *
+ * This function must be called only when the caller is using MSP.
+ *
+ * \param[in] stk Thread stack address.
+ *
+ * \retval stack Updated thread stack address.
+ */
+__STATIC_INLINE uintptr_t tfm_arch_seal_thread_stack(uintptr_t stk)
+{
+ TFM_CORE_ASSERT((stk & 0x7) == 0);
+ stk -= TFM_STACK_SEALED_SIZE;
+
+ *((uint32_t *)stk) = TFM_STACK_SEAL_VALUE;
+ *((uint32_t *)(stk + 4)) = TFM_STACK_SEAL_VALUE;
+
+ return stk;
+}
+
+/**
* \brief Update architecture context value into hardware
*
* \param[in] p_actx Pointer of context data